22 September 2025 | Features | Jurisdiction reports | Diogo Antunes

Balancing access and trade secrets in automated credit-scoring

CK v Dun & Bradstreet Austria shows why laws and practices that treat trade secrets as an automatic shield against a key GDPR provision are due for revision, writes Diogo Antunes of Inventa.

CK v Dun & Bradstreet Austria, case no. C-203/22 from the Court of Justice of the European Union (CJEU), arises from a dispute in Austria over access to “meaningful information about the logic involved” in an automated credit-scoring process.

The City Council of Vienna was dealing with the enforcement of a court order that required Dun & Bradstreet Austria (D&B), a credit-assessment company, to provide CK (an individual) with an explanation of the procedure and principles actually applied when profiling her personal data to generate a credit score.

The scoring had been used by a mobile telephony provider to refuse to conclude or renew a contract with CK. D&B provided only limited explanations and invoked trade-secret protection; Austrian law also generally limited access where business or trade secrets could be affected.

Faced with conflicting norms and competing rights, the administrative court Verwaltungsgericht Wien referred multiple questions to the CJEU on the scope of GDPR Article 15(1)(h), its relationship with Article 22, and the interface with trade-secret protection. The court delivered its judgment on February 27, 2025.

Legal framework and questions referred to the CJEU

Key instruments

  • GDPR—Article 15(1)(h) (right of access to meaningful information about the logic involved in automated decision-making, plus the significance and envisaged consequences); Article 22 (decisions based solely on automated processing, including profiling, and related safeguards).
  • Directive (EU) 2016/943—Article 2(1) (definition of a trade secret) and the framework for protecting undisclosed know-how and business information.
  • Austrian Data Protection Act (DSG)—§ 4(6), which as a rule excluded Article 15 GDPR access if disclosure would compromise a business or trade secret.

Questions

Before turning to the specific questions, it is worth clarifying why the Austrian court considered a reference necessary. The dispute exposed a tension between two competing legal imperatives:

  • On the one hand, the data subject’s right of access under the GDPR, which explicitly grants “meaningful information about the logic involved” in automated decision-making (Article 15(1)(h)), and safeguards against fully automated decisions (Article 22).
  • On the other hand, the protection of trade secrets under both EU law, Directive 2016/943, and Austrian law (§ 4(6) DSG, which appeared to provide for an almost automatic exclusion of access where disclosure would risk revealing business secrets).

The Verwaltungsgericht Wien therefore asked the CJEU to determine the content and limits of Article 15(1)(h), its relationship with Article 22, and the extent to which trade-secret protection can restrict disclosure.

These issues crystallised into four broad groups of questions.

(i) What must “meaningful information” contain under Article 15(1)(h)?

Whether the controller is required to give an explanation of the procedure and principles effectively applied when using the data subject’s personal data to generate a result, including an indication of the data used, the manner of their use, and the criteria or rationale applied, provided in a concise, transparent, intelligible and easily accessible form, but without the need to disclose a mathematical formula or the complete algorithm.

(ii) Link to Article 22(3) GDPR safeguards

Whether the Article 15(1)(h) information must be sufficient to let the data subject express their point of view and contest the automated decision effectively.

(iii) Accuracy checks and third-party data

Whether “meaningful information” must be broad enough to verify the accuracy of the data used and, where that verification would reveal third-party personal data or trade secrets, whether a “black-box” solution is lawful, for example disclosure to the supervisory authority or a court, which then balances rights and decides what, if anything, can be shared with the data subject.

(iv) Compatibility of a general trade-secret carve-out

Whether a national rule like § 4(6) DSG, which as a rule denies access where trade secrets are at stake, is compatible with EU law or whether the GDPR instead requires a case-by-case proportionality test overseen by a supervisory authority or court, avoiding a blanket refusal of all information.

Judgment: five key takeaways

(1) Article 15(1)(h) GDPR is a real right to an explanation.

The court confirms that “meaningful information about the logic involved” requires a substantive account of the procedure and principles actually applied to generate the score, and must be delivered in a concise, transparent, intelligible and easily accessible form. It is more than boilerplate, though it does not compel disclosure of source code or exact formulas.

(2) Access enables Article 22 safeguards.

The explanation provided under Article 15(1)(h) must be sufficiently concrete to let the data subject understand the decision, verify inputs, and effectively contest it, thus activating the Article 22(3) rights to express a view and seek human review.

(3) Accuracy checks without over-exposure.

Where verifying accuracy risks revealing third-party personal data or protected material, the controller must submit the full materials to the supervisory authority or a court. That body then performs a case-by-case balancing and tailors what can be shared (e.g., summaries, redactions, anonymisation). A blanket refusal is not permitted.

(4) Trade secrets do not operate as a veto.

The court rejects any approach that treats trade secrets as an automatic bar to access. Confidentiality is preserved procedurally, not by denying the right: authorities/courts can review full content and order controlled disclosure proportionate to the competing interests.

(5) National carve-outs must yield to EU law.

A domestic rule like § 4(6) DSG, which “as a rule” excluded access where business secrets might be affected, is incompatible with the GDPR. Member states must ensure individualised proportionality rather than categorical exclusions.

Overview

CK v D&B resolves a structural tension at the heart of automated decision-making: how to give the data subject a real chance to understand and contest a score while not destroying legitimate confidentiality?

The court’s answer is neither a demand for source code nor a licence to stonewall. Instead, it is a functional right to explanation, grounded in Articles 15(1)(h) and 22 GDPR, delivered through proportionate procedural controls rather than blanket secrecy.

“Meaningful information about the logic involved” is not satisfied by generalities. Controllers must provide a substantive account of the procedure and principles applied in the individual case, in a concise, transparent, intelligible and easily accessible form. In practice, a compliant explanation should identify:

  • the types of personal data actually used to produce the score;
  • the main criteria/variables considered, and a qualitative indication of their relative influence on the outcome;
  • the rationale connecting those criteria to the specific result; and
  • the significance and envisaged consequences of the score for the data subject.

This does not entail handing over source code, proprietary formulas, or model files; the focus is on understandability and contestability of the decision, not reverse-engineering the system.

Trade secrets and third-party data do not operate as a veto. When disclosure risks exposing protected material, the controller must place the full materials before the supervisory authority or a court.

That forum conducts a case-by-case balancing and may order controlled disclosure. The court thus rejects a binary secrecy/transparency model and endorses a graduated toolkit of safeguards.

A domestic provision that as a rule denies access whenever trade or business secrets are implicated, as with § 4(6) DSG, is incompatible with the GDPR framework. Member states must ensure individualised proportionality, supervised by an authority or court, rather than categorical exclusions.

The laws and practices that treat “trade secrets” as an automatic shield against Article 15(1)(h) are due for revision.

Diogo Antunes is a legal manager at Inventa, and can be contacted at dantunes@inventa.com.

