Dun & Bradstreet Austria GmbH – CJEU Judgment (Austria, 2025)
CJEU judgment — not a DPA enforcement action
This is a Court of Justice ruling, not an enforcement action by a data protection authority. It is not included in cookie statistics or the Risk Calculator.
A mobile phone operator refused to enter into a contract with the data subject. The reason for that was alleged lack of sufficient creditworthiness. The phone operator verified the data subject creditworthiness using services of Dun & Bradstreet Austria GmbH (previously: Bisnode Austria GmbH). The data subject requested the Austrian DPAto obtain the information on the logic involved in automated decision-making performed by Dun & Bradstreet. The DPA ordered Dun & Bradstreet to disclose that information. Dun & Bradstreet appealed the DPA decision with Federal Administrative Court (Bundesverwaltungsgericht - BVwG). The court partially upheld the DPA decision. Dun & Bradstreet violated Article 15(1)(h) GDPR because they didn’t disclose neither the information requested by the data subject, nor sufficient reasons justifying the request rejection. Within the enforcement proceedings the City Council of Vienna, acting as an enforcing authority, rejected the case, claiming Dun & Bradstreet already provided the data subject with the information. The data subject challenged the City Council decision before Viennese Administrative Court (Verwaltungsgericht Wien - VGW). Due to doubts regarding interpretation of Article 15(1)(h) GDPR this court ourt decided to stay the proceedings and refer the following questions to the CJEU for a preliminary ruling: # What requirements as to content does information provided need to satisfy in order to be regarded as sufficiently “meaningful” within the meaning of Article 15(1)(h) GDPR? # Is the right of access granted by Article 15(1)(h) GDPR related to the rights guaranteed by Article 22(3) GDPR to express one’s point of view and to challenge an automated decision taken within the meaning of Article 22 GDPR in so far as the scope of the information to be provided on the basis of an access request within the meaning of Article 15(1)(h) GDPR is only sufficiently “meaningful” if the party requesting access and the data subject for the purpos
GDPR Articles Cited
A mobile phone operator refused to enter into a contract with the data subject. The reason for that was alleged lack of sufficient creditworthiness. The phone operator verified the data subject creditworthiness using services of Dun & Bradstreet Austria GmbH (previously: Bisnode Austria GmbH). The data subject requested the Austrian DPAto obtain the information on the logic involved in automated decision-making performed by Dun & Bradstreet. The DPA ordered Dun & Bradstreet to disclose that information. Dun & Bradstreet appealed the DPA decision with Federal Administrative Court (Bundesverwaltungsgericht - BVwG). The court partially upheld the DPA decision. Dun & Bradstreet violated Article 15(1)(h) GDPR because they didn’t disclose neither the information requested by the data subject, nor sufficient reasons justifying the request rejection. Within the enforcement proceedings the City Council of Vienna, acting as an enforcing authority, rejected the case, claiming Dun & Bradstreet already provided the data subject with the information. The data subject challenged the City Council decision before Viennese Administrative Court (Verwaltungsgericht Wien - VGW). Due to doubts regarding interpretation of Article 15(1)(h) GDPR this court ourt decided to stay the proceedings and refer the following questions to the CJEU for a preliminary ruling: # What requirements as to content does information provided need to satisfy in order to be regarded as sufficiently “meaningful” within the meaning of Article 15(1)(h) GDPR? # Is the right of access granted by Article 15(1)(h) GDPR related to the rights guaranteed by Article 22(3) GDPR to express one’s point of view and to challenge an automated decision taken within the meaning of Article 22 GDPR in so far as the scope of the information to be provided on the basis of an access request within the meaning of Article 15(1)(h) GDPR is only sufficiently “meaningful” if the party requesting access and the data subject for the purpos
Outcome
CJEU Judgment
A judgment by the Court of Justice of the European Union, typically on a preliminary reference from a national court.
Related Cases (0)
No other cases found for Dun & Bradstreet Austria GmbH in AT
This is the only recorded case for this entity in this jurisdiction.
Details
Judgment Date
27 February 2025
Authority
Court of Justice of the European Union
GDPRhub ID
gdprhub-cjeu-8276About this data
Cite as: Cookie Fines. Dun & Bradstreet Austria GmbH - Austria (2025). Retrieved from cookiefines.eu
Last updated: