The European Court of Justice (CJEU) concluded that in the case of automated decision-making, the controller must provide the data subject with information about the process and the rules actually applied in the decision-making process, under the General Data Protection Regulation (GDPR).
The Court noted that if sensitive business secrets were affected by the information provided, the controller must provide the relevant court or data protection authority with the information in question so that the scope of the individual’s rights of access to their personal data can be assessed.
The ruling further strengthens individuals’ rights when it comes to automated decision-making and requires increased transparency in the processing of personal data.
Decision of the European Court of Justice.
https://island.is/s/personuvernd/frett/upplysingaskylda-vid-sjalfvirka-akvoerdunartoeku