CJEU RULING: HOW TO BALANCE TRADE SECRETS AND GDPR COMPLIANCE?
Mathieu Gitton
Former Director of a representative office in Brussels with expertise in corporate strategy and lobbying
On February 27, 2025, the Court of Justice of the European Union (CJEU) issued a landmark ruling (Case C-203/22, Dun & Bradstreet Austria) clarifying how a data controller must disclose information in the context of an automated decision to allow the data subject to understand the assessment made about them. This ruling tackles the delicate balance between the transparency required by the GDPR and the protection of trade secrets invoked by the data controller.
I. CONTEXT AND STAKES OF THE CASE
1. Original dispute in Austria: A mobile phone operator refused to enter into a contract with a customer based on a creditworthiness score (automated assessment) provided by Dun & Bradstreet Austria. The affected individual contested this decision, arguing that they had not received clear information about the reasons and underlying logic behind this rating.
2. Appeal to the CJEU: After several rulings by Austrian courts, Dun & Bradstreet argued that providing detailed information would require them to disclose their trade secrets. The case reached the CJEU, which clarified the scope of Article 15 of the GDPR (right of access) and its interplay with confidential business information.
II. KEY TAKEAWAYS FROM THE RULING
1. Required level of explanation:
- The data controller must describe the actual process and principles applied so that the individual can understand which personal data were used and how.
- It may be appropriate to indicate how a modification of the personal data in question would have led to a different result.
- However, simply providing the algorithm itself is not considered sufficiently concise and understandable to clarify the decision-making logic.
2. Transparency requirements:
- The GDPR (Articles 13 to 15) requires data controllers to provide meaningful information about the logic and impact of an automated decision, especially when it significantly affects the individual.
- The goal is to allow the data subject to challenge the decision or request human intervention, as outlined in the provisions on automated decision-making (Article 22 GDPR).
3. Role of the data protection authority or court:
- If the data controller believes that certain elements fall under trade secrets or include protected third-party data, they must submit this information to the data protection authority (e.g., CNIL in France) or the competent court.
- It is then up to this authority or judge to balance the different interests at stake (the data subject's rights, protection of trade secrets, third-party rights) and determine the exact scope of the right of access.
4. Rejection of a blanket exclusion:
- The CJEU ruled that the GDPR precludes the application of a national law that would automatically exclude the right of access whenever disclosure could jeopardize a trade secret.
- A case-by-case assessment is therefore mandatory: refusing to disclose any information simply because it might reveal a business secret is not permissible.
III. BALANCING TRADE SECRETS AND DATA SUBJECT RIGHTS
1. A balancing act: The ruling highlights the need to strike a fair balance between the transparency required by the GDPR and the protection of confidential information essential to business competitiveness.
2. Increased obligations for data controllers:
- They must prepare clear and intelligible documentation in advance, explaining how their scoring models operate (especially in creditworthiness assessments).
- They must be ready to disclose, if necessary, more sensitive information (e.g., weighting parameters, coefficients, thresholds) to the data protection authority or a judge, who will then decide whether and to what extent this information should be shared.
3. Practical implications: Data controllers using artificial intelligence or automated scoring tools must ensure they:
- Document their internal processes to be able to provide a clear explanation of decision-making.
- Implement protocols that allow them to extract the necessary explanation without revealing the entire algorithm.
- Consult data protection authorities to avoid legal risks associated with refusing to disclose certain information.
CONCLUSION
This CJEU ruling confirms that in the case of automated decision-making, the transparency obligations imposed by the GDPR override any blanket refusal to disclose information based on the protection of trade secrets. Data controllers must therefore be prepared to provide individuals with a real and understandable explanation of how the algorithm works, including the impact that different input data would have had on the outcome. However, the Court acknowledges that it is up to data protection authorities or courts to define the scope of this right of access when disclosing sensitive information could compromise legitimate interests (third-party data, industrial secrets, etc.). This carefully calibrated balance reflects the EU’s commitment to protecting fundamental rights in the digital space while maintaining an environment conducive to innovation and business competitiveness.
For more information: [Full CJEU ruling, February 27, 2025](https://curia.europa.eu/jcms/upload/docs/application/pdf/2025-02/cp250022en.pdf)