Banking, Creditworthiness, Automated decision-making relating to natural persons, Court of Justice of the European Union, First Chamber, judgment of 07 December 2023, case C‑634/21

Credit scores

Interpretation of Article 6(1) and Article 22 of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC (General Data Protection Regulation) (OJ 2016, L 119, p. 1, and corrigendum in OJ 2018, L 127, p. 2; hereinafter: the «GDPR»).

Union law

Recital 71 of the GDPR; Article 4 of that regulation, entitled “Definitions”; Article 5 of the same regulation, entitled “Principles applicable to the processing of personal data”, provides:

Protection of natural persons with regard to the processing of personal data – Regulation (EU) 2016/679 – Article 22 – Automated decision-making relating to natural persons – Companies providing business information – Automated calculation of a probability ratio relating to the capacity of a person to honor payment commitments in the future (“scoring”) – Use of this probability rate by third parties

Passim

52   In this regard, it should be noted that, as noted by the Advocate General in paragraph 31 of that Opinion, Article 22(1) of the GDPR confers on the data subject the ‘right’ not to be the subject of a decision based exclusively on automated processing, including profiling. This provision establishes a prohibition in principle, the violation of which does not need to be asserted individually by such a person.

53   In fact, as follows from the combined provisions of Article 22, paragraph 2, of the GDPR and recital 71 of that regulation, the adoption of a decision based exclusively on automated processing is authorized only in the cases referred to in that Article 22, paragraph 2, i.e. if such a decision is necessary for the conclusion or performance of a contract between the interested party and a data controller [letter a)], if it is authorized by Union or Member State law to which the data controller is subject [letter b)], or is based on the explicit consent of the interested party [letter c)].

54   Furthermore, Article 22 of the GDPR provides, in paragraph 2, letter b) and paragraph 3, that appropriate measures must be provided for to safeguard the rights, freedoms and legitimate interests of the data subject. In the cases referred to in Article 22(2)(a) and (c) of that Regulation, the data controller shall at least implement the data subject’s right to obtain human intervention, to express his or her opinion and to contest the decision.

55   Moreover, in accordance with Article 22(4) of the GDPR, it is only in certain specific cases that decisions based solely on automated processing, pursuant to Article 22, may be based on the special categories of personal data referred to in Article 9(1) of that Regulation.

56   Moreover, in the case of adopting a decision based solely on automated processing, such as that referred to in Article 22(1) of the GDPR, on the one hand, the data controller is subject to additional information obligations under Article 13(2)(f) and Article 14(2)(g) of that Regulation. On the other hand, the interested party enjoys, pursuant to Article 15, paragraph 1, letter h) of the said regulation, the right to obtain from the data controller, among other things, “significant information on the logic used, as well as the importance and expected consequences of such processing for the data subject”.

57    Such more stringent requirements regarding the lawfulness of an automated decision-making process, as well as the additional information obligations of the data controller and the related additional access rights of the data subject, are explained by the purpose pursued by Article 22 of the GDPR, which consists in protecting individuals against specific risks to their rights and freedoms arising from automated processing of personal data, including profiling.

58    Indeed, such processing involves, as is clear from recital 71 of the GDPR, the evaluation of personal aspects relating to the natural person affected by such processing, in particular for the purpose of analyzing or predicting aspects concerning professional performance, economic situation, health, personal preferences or interests, reliability or behaviour, location or movements of the interested party.

59    According to this recital, such specific risks may undermine the legitimate interests and rights of the data subject, in particular taking into account the potential discriminatory effects against natural persons on the basis of racial or ethnic origin, political opinions, religion or personal beliefs, trade union membership, genetic status, health status or sexual orientation. Therefore, again according to said recital, it is necessary to provide adequate guarantees and ensure correct and transparent processing with respect for the interested party, in particular through the use of appropriate mathematical or statistical procedures for profiling and through the application of adequate technical and organizational measures in order to minimize the risk of errors.

65    As regards, more specifically, Article 22(2)(b) of the GDPR, to which the referring court refers, it follows from the very wording of that provision that the national law which authorizes the adoption of a decision based solely on automated processing must specify adequate measures to protect the rights, freedoms and legitimate interests of the interested party.

66    In light of recital 71 of the GDPR, such measures must include, in particular, the obligation for the data controller to use appropriate mathematical or statistical procedures for profiling, to implement appropriate technical and organizational measures in order to ensure that the factors that lead to inaccuracies in the data are rectified and the risk of errors is minimized and in order to guarantee the security of personal data in a manner that takes into account the potential risks existing for the interests and rights of the interested party and to prevent, among other things, discriminatory effects towards him. These measures also include at least the right of the interested party to obtain human intervention, to express his opinion and to contest the decision taken against him.

67    It should also be noted that, in accordance with the settled jurisprudence of the Court, any processing of personal data must, on the one hand, comply with the principles relating to data processing established in Article 5 of the GDPR and, on the other hand, in light, in particular, of the principle of lawfulness of processing, provided for in paragraph 1(a) of that article, satisfy one of the conditions of lawfulness of processing listed in Article 6 of that regulation (judgment of 20 October 2022, Digi, C-77/21, EU:C:2022:805, paragraph 49 and case law cited therein). The data controller must be able to demonstrate compliance with these principles, in accordance with the principle of liability set out in Article 5(2) of that regulation (see, to this effect, judgment of 20 October 2022, Digi, C-77/21, EU:C:2022:805, paragraph 24).

68   Therefore, in the event that the law of a Member State authorizes, in accordance with Article 22(2)(b) of the GDPR, the adoption of a decision based exclusively on automated processing, such processing must comply with not only the conditions established by the latter provision and by Article 22(4) of that Regulation, but also the requirements established by Articles 5 and 6 of that Regulation. Therefore, Member States cannot adopt, pursuant to Article 22(2)(b) of the GDPR, legislation authorizing profiling in breach of the requirements established by those Articles 5 and 6, as interpreted by the jurisprudence of the Court.

70    Furthermore, as regards more specifically Article 6(1)(f) of the GDPR, Member States may not, pursuant to Article 22(2)(b) of that Regulation, deviate from the requirements resulting from the case law of the Court arising from the judgment of 7 December 2023, SCHUFA Holding, C-26/22 and C-64/22, (Discharge) (EU:C:2023:xxx), in particular by definitively establishing the outcome of the balancing of the rights and interests at stake (see, to that effect, judgment of 19 October 2016, Breyer, C-582/14, EU:C:2016:779, paragraph 62).

73     In light of all the foregoing considerations, the first question must be answered by stating that Article 22(1) of the GDPR must be interpreted as meaning that the automated calculation, by a company providing commercial information, of a probability rate based on personal data relating to a person and concerning the latter’s ability to honor payment commitments in the future constitutes ‘automated decision-making relating to natural persons’, within the meaning of that provision, if the stipulation, execution or termination of a contractual relationship with that person by a third party, to whom this probability rate is communicated, depends decisively on that probability rate.

The Court (First Section) declares:

Article 22(1) of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC (General Data Protection Regulation), must be interpreted as meaning that: the automated calculation, by a company providing commercial information, of a probability rate based on personal data relating to a person and concerning the latter’s ability to honor payment commitments in the future constitutes ‘automated decision-making relating to natural persons’, within the meaning of that provision, if the stipulation, execution or termination of a contractual relationship with that person by a third party, to whom this probability rate is communicated, depends decisively on that probability rate.

Source Curia

News by Mazzalex