In a case resulting in a recent decision of the Austrian Federal Administrative Court, the Court and the Austrian supervisory authority (Datenschutzbehörde) offered insightful interpretations of the General Data Protection Regulation (GDPR), particularly focusing on Article 15’s right of access. Most interestingly, the Court held that a data controller must inform the data subject, at his or her request, about the existence of automated decision-making, including profiling, even if the processing does not produce legal effects or similarly significantly affect the data subject.
The case involved a multifaceted logistics and postal service provider also engaged in the publication of addresses and direct marketing.
Article 15.1(c): right to obtain information on the recipients or categories of recipients
The Datenschutzbehörde, in its decision of 28 May 2020, challenged the controller’s view that compliance with paragraph (c) – the right to know the recipients or categories of recipients of personal data – could be satisfied solely through disclosing recipient categories. Drawing from the Court of Justice of the European Union’s (CJEU) judgment in Case C 154/21, the Datenschutzbehörde underscored the necessity of revealing actual recipient identities, except where such identification is impracticable or the data subject’s access requests are demonstrably unfounded or excessive.
This interpretation echoes Article 29 Working Party 29 Guidelines on Transparency, which, in the context of Articles 13 and 14 of GDPR and in accordance with the principle of fairness, advocates for direct naming of recipients. Where categories are used, they must be detailed and specific, outlining the type, activities, industry, and location of the recipient.
In response to the decision of the Datenschutzbehörde, the controller provided specific details about the data recipients, thus obviating the need for the Austrian Court to address this aspect further.
Article 15.1(h): right to obtain information on automated decision-making, including profiling
Article 15.1(h) of the GDPR provides for the right to obtain certain information concerning automated decision-making, including profiling, where such decision-making has legal effects on data subjects or similarly significantly affects them. This pertains to decisions with a substantial impact on an individual’s rights, like credit decisions, eligibility for benefits, or employment opportunities.
The supervisory authority held that the controller was fully obligated to meet the requirements of paragraph (h), including providing detailed information to the data subject about the logic involved as well as the significance and the envisaged consequences of the automated decision-making. This stance was based on the assessment that the controller’s activities produced legal or similarly significant effects on the data subject and thus fell within the scope of automated decision-making as defined under Article 22 of the GDPR.
However, the Austrian Court found no evidence that the controller’s automated decision-making in this specific case produced legal or similarly significant effects on the data subject. Despite this, the Court concluded that the controller was still required to disclose information about the existence of automated decision-making or profiling, if conducted. In contrast, the controller was not obliged to provide in-depth information about the logic, significance, and envisaged consequences of such processing. That obligation, according to the Court, is only applicable to decision-making processes that have legal or similarly significant effects on the data subject, in line with Article 22.
The Court’s interpretation, that the controller must inform the data subject at his or her request about the existence of automated decision-making, including profiling, even if the processing does not produce legal effects or similarly significantly affects the data subject, is not immediately evident from a straightforward reading of Article 15.1(h).
At the same time, such interpretation aligns to a certain extent with the Article 29 Working Party Guidelines on Automated Individual Decision Making and Profiling. Specifically, in the context of Articles 13.2(f) and 14.2(g) – which mirror Article 15.1(h) in relation to privacy notices – these guidelines encourage data controllers, as a matter of good practice, to include in their privacy notices all relevant information as outlined in Article 15.1(h). This encompasses the existence of automated decision-making and profiling, the logic involved, the significance, and the envisaged consequences of the processing, even where such profiling activities do not strictly adhere to the criteria (“legal or similarly significant effects”) of Article 22.
The Austrian Court´s decision is limited to the interpretation of Article 15.1(h) and does not delve into whether the same view would apply within the context of privacy notices. However, there appears to be no apparent reason for a divergent interpretation. Considering that caveat, it is noteworthy how the Court expanded upon the aforementioned recommendation by Article 29 Working Party. The Court clarified that providing information about the existence of automated decision-making/profiling is a legal obligation under the right of access, rather than merely a recommended practice.
This obligation reflects the fundamental principles of the GDPR—fairness and transparency—which should govern all types of data processing. Adhering to these principles ensures that data subjects are not adversely affected by the processing of their personal data. Therefore, the disclosure of details about the existence of automated decision-making and/or profiling, irrespective of the effects of that decision-making, i.e. profiling, is not only advisable but also a mandated requirement under this interpretation.
This case illustrates the importance of understanding GDPR not just through its literal text but within the broader context of its guiding principles. The interpretations by the Austrian Datenschutzbehörde and the Federal Administrative Court highlight the evolving nature of data protection law and the need for a nuanced approach to compliance.