Mrs. B – Court Ruling (Austria, 2022)
General GDPR enforcement action
This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.
An Austrian court ruled that a credit assessment company must provide meaningful information about the logic of its automated decisions. The company had withheld this information, citing trade secrets, but the court upheld the individual's right to understand how decisions about their creditworthiness were made. This case underscores the importance of transparency in automated decision-making under GDPR.
What happened
A credit assessment company failed to disclose the logic behind its automated creditworthiness decisions, citing trade secrets.
Who was affected
An individual whose creditworthiness was assessed by an automated system without clear information on the decision-making process.
What the authority found
The court ruled that the company violated GDPR by not providing meaningful information about the logic of its automated decisions.
Why this matters
This ruling emphasizes the GDPR's requirement for transparency in automated decision-making, even when trade secrets are involved. Companies using algorithms for decisions should ensure they can explain the logic to affected individuals.
GDPR Articles Cited
The Austrian DPA decided that the data controller specialising in credit assessments (C. Ges.m.b.H.) had to disclose meaningful information about the logic involved in the automated decision-making process concerning the data subject's data on the issue of her creditworthiness despite the algorithm being protected by trade secrets. This decision was then appealed by the data controller to the Federal Administrative Court (Bundesverwaltungsgericht - BVwG). Reportedly, such algorithms may be protected under Article 2(1) Directive 2016/943. The right to access personal information in an automated decision under Article 15(1)(h) GDPR is given additional meaning in enabling the data subject to contest such a decision under Article 22(3) GDPR. Thus, the Federal Administrative Court upheld that the data controller had infringed the data subject’s right to access her data related to an automated decision since the controller did not provide meaningful information on the logic involved in the decision under Article 15(1)(h) GDPR. However, after the ruling, the data controller did not provide further information. Hence, the data subject made an application for enforcement to the enforcement authority, the Vienna City Council, which did not fulfil its obligation and used a power it was not entitled to, as it found that the controller had already sufficiently fulfilled its obligation to provide information, despite the controller not providing any further information. According to Austrian law, since the data controller's complaint against the decision of the executing authority was admissible, and the executing authority did not fulfil its obligation, the administrative courts of first instance must, therefore, take a decision in the present proceedings instead of the executing authority. In light of this, the Regional Administrative Court Vienna (Verwaltungsgericht Wien - VGW) attempted to answer the question of whether a data controller can refuse to provide the data subjec
Outcome
Court Ruling
A ruling by a national court on a data-protection matter.
Related Cases (0)
No other cases found for Mrs. B in AT
This is the only recorded case for this entity in this jurisdiction.
Details
About this data
Cite as: Cookie Fines. Mrs. B - Austria (2022). Retrieved from cookiefines.eu
Last updated: