Providing information about scoring and automated decision-making is among the most complex issues in data protection law. While data subjects can request information about evaluation logics under Article 15(1)(h) GDPR, companies often invoke trade secrets or the absence of such automated decision-making. In this context, the Austrian Administrative Court (VwGH) recently ruled on an appeal by the Data Protection Authority (DSB).
The affected individual filed a complaint with the Data Protection Authority (DSB) against an address publisher. The address publisher had allegedly provided incomplete information regarding the origin of the data and the automated decision-making process, specifically the logic involved in statistically extrapolated affinities. The DSB partially upheld the complaint and ordered the publisher to disclose the data sources and provide an explanation of how the affinity calculations were performed. The publisher appealed to the Federal Administrative Court (BVwG), which dismissed the appeal as unfounded.
On official appeal by the Data Protection Authority (DSB), the Administrative Court (VwGH) overturned the decision of the Federal Administrative Court (BVwG) on the grounds of illegality and emphasized that, before examining the legitimate interest in legal protection, the scope of the right to information under Article 15(1)(h) GDPR must be clarified. This right requires automated decision-making within the meaning of Article 22(1) GDPR, which fulfills three cumulative elements: a decision, purely automated processing (including profiling), and legal effects or significant impairment.
The decisive factor is whether the profiling result significantly influences a decision made by a third party and similarly affects the data subject – as the ECJ clarified in cases C-634/21 (SCHUFA) and C-203/22. The Federal Administrative Court (BVwG) did not specifically examine these requirements, which is why a preliminary determination is necessary before the scope of the information (e.g., parameters, weightings) can be assessed. The BVwG's ruling was therefore overturned.
In practice, this means a certain degree of protection for companies against excessive disclosure obligations. Only when automated decision-making within the meaning of Article 22 GDPR is involved does the special right of access under Article 15(1)(h) GDPR apply, and only then does the question arise as to what information about the logic, scope, and intended effects must be provided. This ensures GDPR compliance for credit ratings, risk scores, and similar systems.
Even in light of this decision, companies are well advised to examine their compliance with documentation obligations in detail. Furthermore, an internal classification of algorithmic processes is recommended. Whether these processes are used merely to support human decision-making or for fully automated decision-making has far-reaching consequences for the scope of the right to information.
VwGH 17.12.2025, Ro 2023/04/0029