VGW - VGW-101/042/791/2020-44: Difference between revisions
m (Wrong order in an abbreviation) |
m (Wrong order in an abbreviation of the title summary.) |
||
Line 70: | Line 70: | ||
}} | }} | ||
The | The VGW requests a CJEU preliminary ruling on questions related to disclosing information to the data subject under [[Article 15 GDPR#1h|Article 15(1)(h) GDPR]] when such information is protected by trade secrets. | ||
== English Summary == | == English Summary == |
Revision as of 22:26, 7 November 2022
VGW - VGW-101/042/791/2020-44 | |
---|---|
Court: | VGW (Austria) |
Jurisdiction: | Austria |
Relevant Law: | Article 15(1)(h) GDPR Article 22(3) GDPR Article 2(1) Directive 2016/943 Article 47 Charter of Fundamental Rights of the European Union |
Decided: | 11.02.2022 |
Published: | |
Parties: | Mrs. B C. Ges.m.b.H. |
National Case Number/Name: | VGW-101/042/791/2020-44 |
European Case Law Identifier: | |
Appeal from: | BVwG W256 2217011-1/11E |
Appeal to: | Not appealed |
Original Language(s): | German |
Original Source: | RIS (in German) |
Initial Contributor: | Carla von Lueder |
The VGW requests a CJEU preliminary ruling on questions related to disclosing information to the data subject under Article 15(1)(h) GDPR when such information is protected by trade secrets.
English Summary
Facts
Mrs. B, the data subject, requested access to meaningful information about the logic involved in an instance of automated decision-making by a data controller specialising in credit assessments (C. Ges.m.b.H.). She received only partial information with the justification that the algorithm was protected by trade secrets. Such algorithms may be protected under Article 2(1) Directive 2016/943. The right to access personal information in an automated decision under Article 15(1)(h) is given additional meaning in enabling the data subject to contest such a decision under Article 22(3) GDPR. In an earlier ruling, the Federal Administrative Court (Bundesverwaltungsgericht - BVwG) held that the data controller had infringed the data subject’s right to access their data related to an automated decision, since it did not provide meaningful information on the logic involved in the decision under Article 15(1)(h) GDPR.
Upon appeal, the Regonal Administrative Court Vienna (Verwaltungsgericht Wien - VGW) attempts to answer the question whether a data controller can refuse to provide the data subject with meaningful information related to the use of algorithms for automated decision-making under Article 15(1)(h) GDPR where (parts of) such algorithms are protected by trade secrets.
Holding
The VGW maintains that the rights under Article 15(1)(h) GDPR and Article 22(3) GDPR must enable the data subject to question the validity of the information received, as well as assess whether it corresponds with profiling on them. However, it identifies a tension where the information requested by a data subject and required for their understanding of an automated decision stems from an algorithm protected under EU trade secrets law.
The VGW suggests the possibility of alleviating this tension by disclosing the information concerned only to the relevant authority or court and letting them determine whether a trade secret under Article 2(1) Directive 2016/943 is present as well as whether the data corresponds to information required to be provided under Article 15(1) GDPR.
The VGW holds that refusing to provide such information could constitute a violation of Article 47 CFR and can therefore only be narrowly justified, whilst maintaining that there is insufficient existing EU law and guidance to provide a clear answer on this matter.
Thus, the central question it poses to the CJEU for a preliminary ruling is whether information on the functioning of the profiling must be disclosed to the data subject where such information is protected by trade secrets.
Comment
Share your comments here!
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the German original. Please refer to the German original for more details.
In the matter of Ms. A. B.’s appeal against the decision of the City of Vienna Municipal Department 6 – Collection and Enforcement Service, dated January 13, 2020, Zl. ..., regarding the rejection of the application for execution, the Vienna Administrative Court is submitting a preliminary ruling application to the Court of Justice of the European Union on the following questions:1. Which substantive requirements must a given piece of information meet in order to be considered sufficiently "meaningful" within the meaning of Article 15 (1) (h) of the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons in the Processing of personal data, the free movement of data and the repeal of Directive 95/46/EC (General Data Protection Regulation, DS-GVO) to be classified? Are - if necessary while maintaining an existing trade secret - in the case of profiling by the person responsible in the context of providing information to the "Involved logic" basically also the information essential for enabling the traceability of the result of the automated decision in individual cases, including in particular 1) the disclosure of the processed data of the person concerned, 2) the disclosure of the parts of the profiling that are necessary to enable traceability located algorithm and 3) the relevant ich information for the development of the connection between the processed information and the valuation that has taken place, are to be disclosed? In cases involving profiling, the person entitled to information within the meaning of Article 15 (1) (h) of the General Data Protection Regulation (GDPR) also in the event of an objection to a trade secret, to provide the following information on the specific processing relating to him in order to enable him to safeguard his rights under Article 22 (3) of the General Data Protection Regulation (GDPR): a) Transmission of any pseudonymised information, in particular the manner in which the data of the data subject is processed, which allows compliance with the General Data Protection Regulation (GDPR) to be checked, b) making available the input data used for profiling, c) the parameters and input variables, welc he was used in the evaluation determination, d) the influence of these parameters and input variables on the calculated assessment, e) Information on the creation of the parameters or entrance variables, f) explanation, which is why the person authorized to provide information in the sense of Basic Regulation (DS-GVO) was assigned to a specific evaluation result, and description of which statement was associated with this evaluation, g) list of profile categories and explanation of which evaluation statement is associated with each of the profile categories2) Is this by Art. 15 para. 1 lit h General Data Protection Regulation (GDPR) with the rights guaranteed by Art. 22 Para. Article 22 of the General Data Protection Regulation (GDPR) insofar as the scope of the information to be provided on the basis of a request for information within the meaning of Article 15 (1) (h) of the General Data Protection Regulation (GDPR) is only sufficiently "meaningful". is when the person requesting information and the data subject within the meaning of Article 15 (1) (h) of the General Data Protection Regulation (GDPR) is enabled to exercise the rights guaranteed by Article 22 (3) of the General Data Protection Regulation (GDPR). to present his own point of view and to combat the automated decision affecting him within the meaning of Article 22 of the General Data Protection Regulation (GDPR) actually, profoundly and promisingly?3a) Is Article 15 (1) lit. h of the General Data Protection Regulation (GDPR) GVO) to be interpreted in such a way that "meaningful information" within the meaning of this provision can only be assumed if this information is so extensive that the person entitled to information within the meaning of Article 15 (1) lit t. h General Data Protection Regulation (GDPR), it is possible to determine whether this information provided also corresponds to the facts, i.e. whether the specifically requested automated decision is actually based on the information disclosed?3b) If so: What should you do if the correctness of the information provided by a person responsible can only be checked if the data of third parties protected by the General Data Protection Regulation (GDPR) is also given to the person entitled to information within the meaning of Article 15 (1) lit. h of the General Data Protection Regulation (GDPR) must be brought to attention (black box)? Can this tension between the right to information within the meaning of Article 15 (1) of the General Data Protection Regulation (GDPR) and the data protection rights of third parties also be resolved by only providing the authority or be disclosed to the court, so that the authority or the court has to check independently whether the data disclosed by these third parties corresponds to the facts? 3c) If so: What are the rights of the person entitled to information within the meaning of Article 15 (1) (h) of the General Data Protection Regulation (GDPR) if it is necessary to guarantee the protection of third-party rights within the meaning of Article 15 (4) of the General Data Protection Regulation (GDPR) GMO) through the creation of the black box mentioned under point 3b)?Are the persons entitled to information within the meaning of Article 15 (1) lit the correctness of the decision-making by the person responsible within the meaning of Article 15 (1) of the General Data Protection Regulation (GDPR) to disclose data of other persons in pseudonymised form?4a) What should you do if the information to be provided within the meaning of Article 15 (1) 1 lit. h General Data Protection Regulation (GDPR) also the requirements of a trade secret within the meaning of Article 2 Z 1 of Directive (EU) 2016/943 of 06/08/2016 on the protection of confidential information know-how and confidential business information (business secrets) against illegal acquisition, illegal use and disclosure, L 157/1 (know-how guideline) fulfilled? Can the tension between the right to information guaranteed by Art. 15 (1) (h) General Data Protection Regulation (GDPR) and the right protected by the Know-How Directive to non-disclosure of a trade secret be resolved by the fact that the information classified as a trade secret within the meaning of Art 2 Z 1 of the Know-How Directive is disclosed exclusively to the authority or the court, so that the authority or the court must independently check whether there is a trade secret within the meaning of Article 2 Z 1 of the Know-How Directive can be assumed, and whether the information provided by the person responsible within the meaning of Article 15 (1) of the General Data Protection Regulation (GDPR) corresponds to the facts.4b) If so: What are the rights of the person entitled to information within the meaning of Article 15 (1) lit. Basic Regulation (DS-GVO) in the event that it is necessary to guarantee the protection of third-party rights within the meaning of Article 15 (4) of the General Data Protection Regulation (DS-GVO) by creating the black box mentioned under point 4a)?Are (also) in this case a discrepancy between the information to be disclosed to the authority or the court and the information to be given to the person entitled to information within the meaning of Article 15 Paragraph 1 lit. h of the General Data Protection Regulation (GDPR), in cases involving profiling, to the person entitled to information within the meaning of Article 15 Paragraph 1 lit. h of the General Data Protection Regulation (GDPR), in any case the following To provide information on the specific processing that affects him in order to enable him to fully protect his rights under Article 22 (3) of the General Data Protection Regulation (GDPR): a) Transmission of any pseudonymised information, in particular on the way the data is processed of the data subject who is verifying compliance with the General Data Protection Regulation (GDPR) e rlauben, b) for provision of the input data used for profil creation, c) the parameters and input variables used in the evaluation determination, d) The influence of these parameters and input variables on the calculated assessment, e) Information on the form of parameter or . Input variables, f) explanation as to why the person entitled to information within the meaning of Article 15 (1) lit and explanation of which rating statement is associated with each of the profile categories5) Is by the provision of Art. 15 Para Scope of the information to be provided pursuant to Article 15(1)(h) of the General Data Protection Regulation is limited.If so, how is this right to information restricted by Article 15(4) of the General Data Protection Regulation and what is the scope of the restriction in each case to be determined?6) Is the provision of § 4 para. 6 Data Protection Act, according to which "the right of the data subject to information pursuant to Art. 15 General Data Protection Regulation (GDPR) vis-à-vis a person responsible, notwithstanding other legal restrictions, generally does not (exist) if the provision of this information results in a business or Trade secrets of the person responsible or third parties would be endangered," compatible with the requirements of Article 15 (1) in conjunction with Article 22 (3) of the General Data Protection Regulation (GDPR). If so, under what conditions does such a compatibility exist? Justification: 1) Relevant facts: Appeal proceedings are pending at the Administrative Court of Vienna, which is the application of Ms. B. for the execution of the decision of the Federal Administrative Court of October 23, 2019, Zl. W256 2217011-1 /11E, underlying. In this finding, the Federal Administrative Court found that C. Ges.m.b.H., a company specializing in issuing credit ratings, violated Ms. B.'s right to information under the GDPR when C. Ges.m.b.H. Ms. B. has not provided any meaningful information about the logic involved in automated decision-making relating to Ms. B.'s data or at least has sufficiently justified why C. Ges.m.b.H. cannot provide this information. In addition, the C. Ges.m.b.H. instructed to provide Ms. B. with meaningful information about the logic involved in the automated decision-making concerning Ms. B.'s data within two weeks, or to provide sufficient reasons why the C. Ges.m.b.H. cannot provide this information. This decision of the Federal Administrative Court is final and enforceable under domestic law. With this finding, the Federal Administrative Court ruled on a complaint by C. Ges.m.b.H. against a decision of the (Austrian) data protection authority, with which the C. Ges.m.b.H. has been obliged to disclose meaningful information about the logic involved in the automated decision-making relating to Ms. B.'s data on the question of her creditworthiness. This procedure by the data protection authority was based on a corresponding application by Ms. B. The reason for this application was that Ms. B. was refused by a mobile phone operator the conclusion or extension of a mobile phone contract, which would have led to a monthly payment of only 10 euros, on the grounds that she did not have sufficient (financial) creditworthiness. This assumed poor creditworthiness of Ms. B. was countered by a C. Ges.m.b.H. automated credit assessment. It is also relevant for the present proceedings that in the proceedings before the data protection authority and before the Federal Administrative Court, C. Ges.m.b.H. only provided little meaningful information about the data processed concerning Ms. B. and the assessment logic carried out by automated means. According to this information, however, the automated rating of Ms. B. (allegedly) certified her as having a particularly high credit rating. This information is in obvious contradiction to the mobile operator's conclusion from the actually determined rating, so that it can be assumed with high probability that the C. Ges.m.b.H. before the data protection authority as well as the Federal Administrative Court (i.S.d. Art. 15 Para. 1 lit. h in conjunction with Art. 22 Para. 3 DS-GVO insufficient) information is contrary to the facts .m.b.H. has refused to provide further information about the logic involved in the processing of Ms. B.'s data, pointing to the existence of a trade secret worthy of protection with regard to the algorithm on which the processing is based. According to the information in the company register, C. Ges. m.b.H. merged with D. Ges.m.b.H., FN ... on September 29, 2021, which, due to the universal legal succession associated with the merger, is now a party involved in the complaint proceedings in question. Since C. Ges.m.b.H. or the D. Ges.m.b.H., FN ..., has not provided any further information since the issuance of this decision, their application for execution is in any case also permissible rejected on the grounds that the C. Ges.m.b.H. has already adequately fulfilled its obligation to provide information. This statement was made despite the fact that C. Ges.m.b.H. had not provided any further information after the above-cited decision of the Federal Administrative Court was issued. Under domestic law, therefore, the enforcement authority has exercised a power to which it is not entitled, particularly since the enforcement authority has to enforce an enforceable court or authority decision by way of execution and therefore has no power to rule on whether, in its opinion, the court or authority Should have come to a different decision. According to Austrian law, the administrative courts of first instance (apart from the exceptions that do not exist in the present case) have the right to appeal in the event of a permissible appeal against an official decision based on the factual and legal situation at the time of the court decision decide that the decision of the authorities was correct (in this case the appeal is to be dismissed), or to decide on the content of the subject of the decision themselves e has obviously not fulfilled its obligation, the requesting court has to make the decision in the complaint proceedings in question according to the Austrian legal situation (§ 28 Austrian VwGVG) instead of the executing authority, to which the executing authority would already have been obliged. In the case at hand, the executing authority would have been obliged to issue a notice entitled “enforcement order”. With this "enforcement order" it should have been determined which specific actions the C. Ges.m.b.H. or now the D. Ges.m.b.H., FN ..., has been obligated by the above-mentioned finding of the Federal Administrative Court. In the event that it is possible for the enforcement authority to make such a determination, the provision of these actions by the C. Ges .m.b.H. or now the D. Ges.m.b.H., FN ..., had to be prescribed. or now by the D. Ges.m.b.H., FN ..., actions owed (within the meaning of § 5 para. 1 Austrian Administrative Enforcement Act) not justifiable, therefore not by a person other than the C. Ges.m.b.H. or now the D. Ges.m.b.H., FN ..., are performable actions, in the event of non-compliance with these owed actions, a coercive penalty due daily, which is to be paid until the obligation is fulfilled, would have to be determined. These determinations are therefore must now be taken by the requesting court. In this "enforcement order", the requesting court must first determine which specific actions the C. Ges.m.b.H. has been obligated by the above-mentioned finding of the Federal Administrative Court. This "investigation" raised two preliminary questions. First, there was the mandatory preliminary question, whether it is at all possible to determine which specific action the C. Ges.m.b.H. or now the D. Ges.m.b.H., FN ..., has been obliged by the above-mentioned decision of the Federal Administrative Court. Secondly, it seemed absolutely necessary to determine how the following phrases of the GDPR are to be interpreted: a) the phrase "meaningful information about the logic involved and the scope and intended effects of such processing for the data subject" in Art. 15 para. 1 lit. h DS-GVO, b) the phrase "the rights and freedoms of other persons" in Article 15 (4) DS-GVO, c) the phrase "In the cases mentioned in paragraph 2 letters a and c the person responsible shall take appropriate measures to safeguard the rights and freedoms and legitimate interests of the data subject, including at least the right to obtain human intervention on the part of the person responsible, to express his or her point of view and to contest the decision." in Art. 22 Para. 3 General Data Protection Regulation (GDPR), and d) the phrases "according to which logic the automatic processing of personal data takes place and what the consequences of such e Processing” and “This right should not interfere with the rights and freedoms of others, such as trade secrets or intellectual property rights and in particular copyright in software. However, this must not result in the data subject being denied any information.” in recital 63 of the General Data Protection Regulation (GDPR). Regarding the first of these two preliminary questions to be determined, it should be noted that under Austrian law an “enforcement order” is a executing authority has to be determined so precisely that there is no doubt as to which specific action must be taken. The owed action is therefore to be specified so specifically that it is clear which specific action is owed, and thus it is also clear whether or, if so, when this owed action has been performed. The finding of the Federal Administrative Court, which the C. Ges .m.b.H. or now by the D. Ges.m.b.H., FN ..., now in the enforcement proceedings, is now not so clear and concrete that it is clear to a non-expert which concrete action is owed. From the declaration of commitment of this finding, it is therefore not yet clear what specific actions C. Ges.m.b.H. or now by D. Ges.m.b.H., FN ..., are to be set in order to comply with the obligation to act stipulated in this finding. According to Austrian law, such an (apparently unspecified) obligation to act does not harm if the respective specialist groups in the are able to determine which specific action was prescribed with this (apparently unspecified) mandatory obligation to act. Since this specification was not a legal issue in the present case, but a question to be clarified only by a competent expert, the requesting court has the for the present problem highly competent university professor Dr. E. von der F. was appointed as an expert. With the expert opinion received on February 3, 2022, he determined that the obligation to act prescribed by the Federal Administrative Court in his finding of C. Ges.m.b.H. or now the D. Ges.m.b.H., FN ..., is sufficiently clear and can therefore also be specified in an executable manner. According to this report, this is the C. Ges.m.b.H. or now the D. Ges.m.b.H., FN ..., the prescribed duty to act can only be specified in an enforceable manner and the compliance with the prescribed duty to act can only be verified by the enforcement bodies (and the applicant for execution) if the C. Ges.m.b.H. or now the D. Ges.m.b.H., FN ..., in addition to the specifically processed data, also announces the detailed calculation rule, which makes the specific calculation process on which the rating is based comprehensible. According to the expert opinion, such a traceability is only given in the specific case if the part of the algorithm used by company C. is disclosed that was used specifically to calculate this rating. This calculation rule is to be disclosed in the form of a simple mathematical formula, which was used to calculate the rating in the present case. At a minimum, this formula must use all of the data used for the calculation. In order to understand the true as well as the possible influence of each factor, the valuation function must be documented in extracts for each piece of information that goes into the calculation. In this case, the valuation function is that function which is generated from the discrete information forming a factor (birthday, home address, gender, etc.) by assigning a numerical value. This must be done in such a way that, in addition to the result (therefore the announcement of the numerical value specifically assigned to each factor), the value range and the value neighborhood of the respective factor, i.e. the next following value range including evaluation assignment or the next preceding value range including evaluation assignment, based on the available information (therefore from which specific information on the specific data area the value assigned to this information increases or decreases in a specific way). The value range of a value means the minimum and maximum expression of the values that can be assigned to a respective factor. Proximity of values refers to those numeric values in the value range that lead to different evaluations (assignments of another numeric value) for neighboring instances of information for the first time. The entire formula given for the assessment of Ms. B., if one uses both the valuations (assignments of the specific numerical values to the respective factors) of the data, which according to the C. Ges.m.b.H. were stored by Ms. B., as well as any additional values that are not based on stored data, in any case deliver the (numerical) result that was also determined in the numerical evaluation of Ms. B., and this numerical evaluation value must also do so at the same time the conclusion reached from this result with regard to Ms. B. appear to be comprehensible. Only by means of such a representation can the automated decision-making process for Ms. B. be understood in the specific case. Decisive for the assessment of the correctness of the disclosed processed data and The formula by which these were processed is therefore knowledge of the following minimum information: 1. Concrete factors used (therefore information about Ms. B., which was processed as part of factor formation),2. the mathematical formula into which all information relevant for the calculation of the rating in question can be entered in the form of numerical values, so that the formula then produces the rating in question,3. specific value assigned to each of the factors Ms. B.4. Announcement of the intervals within which different data on the same factor are given the same value (interval rating or discrete rating or index/cadastral rating). In this context, interval rating means that a coherent range of values (such as age, weight , etc.) is converted into a factor in such a way that intervals of data values are mapped onto the same factor value; discrete scoring means that a numeric data value is transformed into the factor value using a formula; Index/Cadastral scoring means that the data values are converted to the factor score by looking them up in a table, cadastre or similar data structure. Accordingly, according to this expert opinion, the following is to be prescribed in the enforcement order: "1.1 A mathematical formula must be specified in which all information relevant to the calculation of the rating in question can be entered in the form of numerical values, so that the formula then calculates the rating in question has as a result. At a minimum, the formula must use all of the information provided in the original report to calculate the value. All values used in the formula must be explained in a comprehensible manner, especially those that are not derived directly from the information stored about Mrs. B. 1.2 The valuation functions of all values used in this formula are to be documented in the manner specified in point 1, based on the example of the forms included in the appendix to this report (templates for documenting the valuation functions).(...) In order to ensure the correctness of the excerpts of the documentation presented To prove valuation functions, the complete valuation functions must be described in a suitable form. For interval valuations and discrete valuations, these are complete tables that completely document the connection between information and valuation. Cadastral or index functions are to be submitted in a similar form, for example as a plan with recognizable values.” According to the report submitted, only these in points 1.1 and 1.2. formulated obligations that the person entitled to information within the meaning of Article 15 Paragraph 1 lit ) is enabled by this information to exercise the rights guaranteed by Art. 22 Para In order to ensure that this minimum information can be checked for correctness, the following additional information must also be provided by C. Ges.m.b.H. or now the D. Ges.m.b.H., FN ... to provide further information: "The data processor in question must create and submit a list of all information on person scorings that was provided in the period of six months before and six months after the calculation of Ms. B.'s scoring, and which were created using the same calculation rule. This list must contain at least 100 person scores. Should this list contain fewer than 100 person scores, the list should be expanded to include cases before and after the six-month period until it contains 100 cases. As proof and to enable the verification of the correctness of these cases, company C. must also state on whose behalf this scoring was calculated or when and to whom this information was given in each case. These 100 cases must be fully documented using the procedure described in point 1. Alternatively, the list can be submitted to the court with a request that the court select a smaller number of cases, but at least 25, to be documented using the procedure described in point 1. All results of the calculation of the scoring of these comparative cases that deviate from what would be expected on the basis of the calculation rule documented in point 1 must be justified in detail by company C. If this documentation gives rise to doubts that the in point 1 If the calculation rule (hence the formula) described (therefore claimed) by the processor does not apply, an expert must be given qualified access to the information-processing systems, by means of which the documented personal scoring and the scoring for Fr. B. were calculated in the specific case. “Based on this expert opinion, based on the result of the interpretation of the General Data Protection Regulation (GDPR) represented in this application, the enforcement order to be formulated by the court making the application must therefore also prescribe these additional information obligations, which the expert has classified as necessary. According to this university According to the expert opinion, the requesting court must therefore assume that the person entitled to information i.S.d. Article 15 (1) (h) of the General Data Protection Regulation (GDPR) of the procedure in question, Ms. B., is only then able to verify the accuracy of the information she has received on the basis of her request for information within the meaning of Article 15 (1) (h). General Data Protection Regulation (GDPR) to check the information provided if the requested processor C. Ges.m.b.H. or now the D. Ges.m.b.H., FN ..., in addition, this comparatively extensive and detailed information is also provided. 2) central legal provisions: Art. 7 of the Charter of Fundamental Rights of the European Union (GRC) including the heading reads as follows: "Respect for private and family life: "Everyone has the right to respect for their private and family life, their home and their communications."Art. 8 of the Charter of Fundamental Rights of the European Union (GRC) including the heading reads as follows: "Protection of personal data (1) Every person has the right to the protection of personal data concerning them. (2) This data may only be used in good faith for specified purposes purposes and with the consent of the data subject or on another legitimate basis regulated by law. Every person has the right to obtain information about the data that has been collected and to have the data corrected. (3) Compliance with these regulations is monitored by an independent body."Art. Article 52 of the Charter of Fundamental Rights of the European Union (CFR) reads as follows: "Scope and interpretation of the rights and principles(1) Any restriction on the exercise of the rights and freedoms recognized in this Charter must be provided for by law and reflect the essence of those rights and respect freedoms. Respecting the principle of proportionality, restrictions may only be made if they are necessary and actually correspond to objectives of general interest recognized by the Union or the need to protect the rights and freedoms of others.[...]"Art. 2 Para. 1 and 2 of the General Data Protection Regulation (GDPR) including the heading reads: "Material scope (1) This regulation applies to the fully or partially automated processing of personal data as well as to the non-automated processing of personal data stored in a file system are or are to be stored. (2) This regulation does not apply to the processing of personal data a) in the context of an activity that does not fall within the scope of Union law, b) by the Member States in the context of activities that fall within the scope of Title V Chapter 2 EUV, c) by natural persons to carry out exclusively personal or family activities, d) by the competent authorities for the purpose of preventing, investigating, detecting or prosecuting criminal offenses or the execution of sentences, including protection against and averting dangers for public safety.(...)."Art. 4 of the General Data Protection Regulation (GDPR) including the heading reads: "Definitions For the purposes of this regulation, the term (...)"4. "Profiling" any type of automated processing of personal data, which consists in using this personal data to evaluate certain personal aspects relating to a natural person, in particular aspects related to work performance, economic situation, health, personal To analyze or predict preferences, interests, reliability, behavior, whereabouts or changes of location of this natural person;"Art. 15 of the General Data Protection Regulation (GDPR) including the heading reads: "Right of access of the data subject (1) The data subject has the right to request confirmation from the person responsible as to whether personal data relating to them are being processed; if this is the case, she has a right to information about this personal data and to the following information: (...) h) the existence of automated decision-making including profiling in accordance with Article 22 paragraphs 1 and 4 and - at least in these cases - meaningful information about the logic involved and the scope and intended effects of such processing for the data subject.(...)(3) The person responsible provides a copy of the personal data that are the subject of the processing. For any additional copies requested by the data subject, the controller may charge a reasonable fee based on administrative costs. If the data subject submits the request electronically, the information must be made available in a commonly used electronic format, unless otherwise specified. (4) The right to receive a copy pursuant to paragraph 3 shall not affect the rights and freedoms of other persons. “Art. 22 of the General Data Protection Regulation (GDPR) including the heading reads: "Automated decision-making in individual cases including profiling (1) The data subject has the right not to be subject to a decision based solely on automated processing - including profiling - which he/she has a legal effect on it or significantly affects it in a similar way. (2) Paragraph 1 does not apply if the decision a) is necessary for the conclusion or performance of a contract between the data subject and the person responsible, b) on the basis of Union law or of the Member States to which the person responsible is subject is permissible and these legal provisions contain appropriate measures to safeguard the rights and freedoms and legitimate interests of the data subject or c) with the express consent of the data subject. (3) In the paragraph 2 letters a and c mentioned cases the person responsible shall take appropriate measures to safeguard the rights and freedoms and legitimate interests of the data subject, including at least the right to obtain human intervention on the part of the person responsible, to express his or her point of view and to contest the decision.(4) Decisions pursuant to paragraph 2 may not be based on special categories of personal data pursuant to Article 9 paragraph 1, unless Article 9 paragraph 2 letter a or g applies and appropriate measures have been taken to protect the rights and freedoms and legitimate interests of the data subject."Art . 23 of the General Data Protection Regulation (GDPR) including the heading reads: "Restrictions (1) Union or Member State legislation to which the controller or processor is subject may impose the obligations and rights set out in Articles 12 to 22 and Article 34 as well Article 5, insofar as its provisions correspond to the rights and obligations provided for in Articles 12 to 22, may be limited by means of legislative measures, provided that such a limitation respects the essence of fundamental rights and freedoms and is a necessary and proportionate measure in a democratic society which ensures: a) national security; b) national defence; c) public safety; d) the prevention, investigation, detection or prosecution of criminal offenses or the enforcement of sentences, including protection against and averting threats to public safety; e) the protection of other important objectives e the general public interest of the Union or a Member State, in particular an important economic or financial interest of the Union or a Member State, for example in the monetary, budgetary and tax areas as well as in the area of public health and social security; f) the protection of independence of the judiciary and the protection of court proceedings; g) the prevention, detection, investigation and prosecution of violations of the professional rules of regulated professions; h) control, surveillance and regulatory functions which are permanently or temporarily associated with the exercise of public authority for those under the Letters a to e and g are connected to the purposes mentioned; i) the protection of the data subject or the rights and freedoms of other persons; j) the enforcement of civil claims. (2) Any legislative measure within the meaning of paragraph 1 must in particular contain specific provisions where appropriate at least in relation to a) the purposes ke of the processing or the processing categories,b) the categories of personal data,c) the scope of the restrictions applied,d) the guarantees against misuse or unlawful access or unlawful transmission;e) the information on the person responsible or the categories of person responsible,f) the respective storage periods and the applicable guarantees, taking into account the type, scope and purposes of the processing or the processing categories, g) the risks to the rights and freedoms of the data subjects andh) the right of the data subjects to be informed about the restriction, provided this does not The purpose of the restriction is detrimental.” Recital 4 of the General Data Protection Regulation (GDPR) reads: “The processing of personal data should be in the service of humanity. The right to protection of personal data is not an absolute right; it must be viewed in relation to its social function and weighed up against other fundamental rights while respecting the principle of proportionality. This Regulation is consistent with all fundamental rights and respects all freedoms and principles recognized by the Charter and enshrined in the European Treaties, in particular respect for private and family life, home and communications, protection of personal data, Freedom of conscience and religion, freedom of expression and information, freedom to conduct a business, right to an effective remedy and a fair trial, and cultural, religious and linguistic diversity.” Recital 16 of the General Data Protection Regulation (GDPR) reads: “This Regulation does not apply to issues of protection of fundamental rights and freedoms and free movement of personal data related to activities outside the scope of Union law, such as activities affecting national security. This regulation does not apply to the processing of personal data carried out by the Member States within the framework of the common foreign and security policy of the Union." Recital 63 of the General Data Protection Regulation (GDPR) reads: "A data subject should have a right of access with regard to the data concerning them personal data that have been collected and can exercise this right easily and at reasonable intervals in order to be aware of the processing and to be able to verify its legality. This includes the right of data subjects to information about their own health-related data, such as data in their patient files that contain information such as diagnoses, examination results, findings of the treating physicians and information on treatments or interventions. Every data subject should therefore have the right to know and learn, in particular for what purposes the personal data is processed and, if possible, how long it will be stored, who the recipients of the personal data are, the logic behind the automatic processing of personal data Data takes place and what the consequences of such processing may be, at least in cases where the processing is based on profiling. Wherever possible, the controller should be able to provide remote access to a secure system that would allow the data subject direct access to their personal data. This right should not affect the rights and freedoms of others, such as trade secrets or intellectual property rights, and in particular copyright in software. However, this must not result in the data subject being denied any information. If the controller processes a large amount of information about the data subject, it should be able to require the data subject to specify what information or processing operations their request for information relates to before providing the information.” Recital 71 of the General Data Protection Regulation (GDPR) reads: "The data subject should have the right not to be subject to a decision — which may include a measure — to evaluate personal aspects concerning them that is based solely on automated processing and has legal effect on the data subject person or similarly significantly affects them, such as the automatic rejection of an online loan application or online recruitment process without any human intervention. Such processing also includes "profiling", which is any form of automated processing of personal data to evaluate personal aspects relating to a natural person, in particular to analyze or forecast aspects relating to work performance, economic situation, health, personal preferences or Interests, reliability or behavior, whereabouts or change of location of the person concerned, insofar as this has legal effect for the person concerned or significantly affects them in a similar way. However, decision-making based on such processing, including profiling, should be allowed where expressly permitted by Union or Member State law to which the controller is subject, including in order to comply with regulations, standards and recommendations of Union institutions or national supervisory bodies to monitor and prevent fraud and tax evasion and to ensure the security and reliability of a service provided by the controller, or where this is necessary for entering into, or the performance of, a contract between the data subject and a controller or if the person concerned has given their express consent to this. In any case, such processing should be accompanied by appropriate safeguards, including specific information to the data subject and the right to direct human intervention, to express his or her point of view, to have an explanation of the decision taken after such an assessment, and the right to contest the decision Decision. This measure should not affect a child. In order to ensure fair and transparent processing towards the data subject, taking into account the particular circumstances and framework in which the personal data are processed, the controller should use appropriate mathematical or statistical methods for profiling use, take technical and organizational measures with which it is appropriate to ensure, in particular, that factors that lead to inaccurate personal data are corrected and the risk of error is minimized, and secure personal data in a manner that protects against potential threats to the interests and rights of the data subject are taken into account and with which it is prevented that it is against natural persons on the basis of race, ethnic origin, political opinion, religion or belief, trade union membership, genetic facilities or state of health as well as sexual orientation leads to discriminatory effects or to measures that have such an effect. Automated decision-making and profiling based on special categories of personal data should only be allowed under certain conditions.” Recital 72 of the General Data Protection Regulation (GDPR) reads: “Profiling is subject to the rules of this regulation for the processing of personal data, such as such as the legal basis for processing or the data protection principles. The European Data Protection Board established by this Regulation (the "Board") should be able to issue guidance in this regard."Recital 73 of the General Data Protection Regulation (GDPR) reads:"Union or Member State law may restrict certain principles and regarding the right to information, access to and rectification or erasure of personal data, the right to data portability and objection, decisions based on profiling and notifications of a personal data breach to a data subject and certain related obligations of those responsible, to the extent necessary and proportionate in a democratic society to maintain public safety, including the protection of human life, particularly in the event of natural or man-made disasters trophies, the prevention, detection and prosecution of criminal offenses or the execution of sentences - which also includes the protection against and averting of threats to public safety - or the prevention, detection and prosecution of violations of professional rules in regulated professions, the keeping of public registers reasons of general public interest and the further processing of archived personal data to provide specific information related to political behavior under former totalitarian regimes, and to protect other important objectives of general public interest of the Union or a Member State, such as important economic or financial interests , or to protect the data subject and the rights and freedoms of others, including in the areas of social security, public health and humanitarian assistance. These limitations should be consistent with the Charter and with the European Convention for the Protection of Human Rights and Fundamental Freedoms.” Recital 75 of the General Data Protection Regulation (GDPR) reads: “The risks to the rights and freedoms of individuals — with varying degrees of likelihood and gravity — may result from processing of personal data which could lead to physical, material or non-material damage, in particular if the processing results in discrimination, identity theft or fraud, financial loss, damage to reputation, loss of confidentiality of the personal data subject to professional secrecy, the unauthorized removal of pseudonymisation or other significant economic or social disadvantages if the data subjects are deprived of their rights and freedoms or prevented from doing so control personal data where personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and genetic data, health data or sex life or criminal convictions and offenses or related security measures Data are processed when personal aspects are evaluated, in particular when aspects relating to work performance, economic situation, health, personal preferences or interests, reliability or behavior, whereabouts or change of location are analyzed or forecast in order to create personal profiles or to use when processing personal data of vulnerable natural persons, in particular data of children, or when processing a large amount of personal data and a large number of affected persons. § 4 Data Protection Act reads as follows: "(1) The provisions of Regulation (EU) 2016/679 on the protection of natural persons with regard to the processing of personal data, on the free movement of data and on the repeal of Directive 95/46/EC (data protection -Basic Regulation), OJ. No. L 119 of 05/04/2016 p. 1, (hereinafter: GDPR) and this federal law apply to the fully or partially automated processing of personal data of natural persons, as well as to the non-automated processing of personal data of natural persons stored in a file system or should be stored, unless the more specific provisions of Chapter 3 of this Federal Act take precedence.(...)(6) The right to information of the data subject pursuant to Art. 15 GDPR does not generally apply to a person responsible, notwithstanding other legal restrictions, if a business or trade secret of the person responsible or third parties would be endangered by the provision of this information , to provide for rules at Union level to approximate the laws of the Member States, thus throughout the internal market t there is adequate and consistent protection under civil law in the event of the unlawful acquisition, use or disclosure of a trade secret. Those rules should not prevent Member States from requiring further protections against the unlawful acquisition, use or disclosure of trade secrets, provided that the rules expressly set out in this Directive to protect the interests of other parties are respected.Recital 11 of the Know-How Directive (EU) 2016/943 of 08/06/2016, L 157/1, reads: "This Directive should be without prejudice to the application of Union or national law which requires information, including trade secrets, to be disclosed to the public or government bodies. Likewise, it should be without prejudice to the application of legislation that allows government bodies to collect information in order to carry out their duties, or legislation that allows or requires those government bodies to disclose relevant information to the public. This includes in particular legislation on the disclosure of business-related information by Union institutions and bodies or national authorities, through which they are subject to Regulation (EC) No 1049/2001 of the European Parliament and of the Council (4), Regulation (EC) No 1367/2006 of the European Parliament and of the Council (5) and Directive 2003/4/EC of the European Parliament and of the Council (6) or other provisions regarding public access to documents or transparency obligations for national authorities." Recital 18 of the Know-How Directive (EU) 2016/943 of June 8th, 2016, L 157/1, reads: "Furthermore, the acquisition, use or disclosure of trade secrets should always be considered lawful in the terms of this policy apply. This applies in particular to the acquisition and disclosure of trade secrets within the framework of exercising the rights of employee representatives to information, consultation and participation in accordance with Union law and the law or practices of the Member States and within the framework of collective representation of the interests of employees and employers, including Participation and the acquisition or disclosure of trade secrets in the context of statutory audits carried out in accordance with Union or national law. However, that classification of the acquisition of a trade secret as lawful should be without prejudice to the duty of confidentiality of the trade secret or any restriction on the use of the trade secret that Union or national law imposes on the recipient of the information. In particular, this Directive should not relieve public authorities of their duty to keep confidential information communicated to them by trade secret holders, whether those duties are laid down in Union or national law. This confidentiality obligation includes, among other things, the obligations in connection with information that is transmitted to contracting authorities in the context of the award of public contracts, such as those set out in Directive 2014/23/EU of the European Parliament and of the Council, Directive 2014/24/EU of the European Parliament and Council and Directive 2014/25/EU of the European Parliament and Council. Recital 24 of the Know-How Directive (EU) 2016/943 of June 8, 2016, L 157/1 reads: " Faced with the possibility that the confidentiality of a trade secret may not be maintained in the course of legal proceedings, legitimate trade secret holders are often reluctant to initiate legal proceedings to protect their trade secrets; this calls into question the effectiveness of the envisaged measures, procedures and remedies. Therefore, subject to appropriate safeguards guaranteeing the right to an effective remedy and a fair trial, there is a need for specific requirements aimed at preserving the confidentiality of a trade secret that is the subject of judicial proceedings during the course of the proceedings. The corresponding protection should also continue after the conclusion of the court proceedings and as long as the information that is the subject of the trade secret is not publicly available.Recital 25 of the Know-How Directive (EU) 2016/943 of 06/08/2016, L 157/1, reads: “These requirements should at least provide for the possibility of restricting the persons entitled to access evidence or hearings — bearing in mind that all such persons should be subject to the secrecy requirements of this Directive — and only the non-confidential parts of publish court decisions. Given that one of the main purposes of judicial proceedings is to assess the nature of the information that is the subject of a dispute, it is important to ensure that trade secrets are protected effectively, while respecting the rights of the parties to an effective remedy and a fair trial procedure is maintained. The restricted group of persons should therefore consist of at least one natural person from each party, as well as the respective lawyers of the parties and, where appropriate, other representatives who are sufficiently qualified under national law to defend, represent or represent a party in any judicial proceeding covered by this Directive to look after interests; all such persons should have access to the relevant evidence or hearings. Where one of the parties is a legal person, it should be able to propose one or more natural persons to be among those persons, in order to ensure that it is adequately represented, subject to sufficient judicial control to prevent the aim , restricting access to evidence and hearings. These safeguard clauses should not be construed as requiring the parties to be represented by a lawyer or other representative in the course of the judicial proceedings where this is not required by national law. Nor should they be understood as reducing the competence of the courts to decide, in accordance with the applicable rules and practices of the Member State concerned, whether and to what extent competent court officials are also granted full access to the evidence and hearings in order to carry out their duties ."Recital 34 of the Know-How Directive (EU) 2016/943 of June 8th, 2016, L 157/1, reads: "This directive protects the fundamental rights and the principles that were recognized in particular in the charter, namely the law to respect for private and family life, the right to protection of personal data, the right to freedom of expression and information, the freedom to choose an occupation and the right to work, the freedom to conduct a business, the right to property, the right to good administration, and in particular the right of access to documents while maintaining business confidentiality, the right to an effective remedy and a fair trial and the rights of defence.” Recital 35 of the Know-How Directive (EU) 2016/943 of 06/08/2016, L 157/1, reads: “It is important that the right to respect for the privacy and family life and the protection of the personal data of all individuals whose personal data may be processed by the trade secret holder in accordance with trade secret protection measures or who are involved in a legal dispute regarding the unlawful acquisition, use or disclosure of a trade secret involved in this policy and whose personal data is being processed. Directive 95/46/EC of the European Parliament and of the Council applies to the processing of personal data carried out within the framework of this Directive under the supervision of the competent authorities of the Member States and in particular the independent public bodies designated by them. Therefore, this Directive should improve the rights and obligations laid down in Directive 95/46/EC — in particular the right of the data subject to access their personal data that is being processed and to rectification, erasure or blocking of incomplete or inaccurate data and, where appropriate, the obligation for the processing of sensitive data in accordance with Article 8 Paragraph 5 of Directive 95/46/EC — do not touch it." Subject and scope of application (1) This Directive lays down rules for the protection of trade secrets against unlawful acquisition, unlawful use and unlawful disclosure. unlawful use and unlawful disclosure, provided that It is provided that Article 3, Article 5, Article 6, Article 7 paragraph 1, Article 8, Article 9 paragraph 1 subparagraph 2, Article 9 paragraphs 3 and 4, Article 10 paragraph 2, Article 11, Article 13 and Article 15 paragraph 3 be complied with. (2) This Directive does not affect (...) b) the application of Union or Member State provisions under which the holders of trade secrets are obliged to disclose information, including trade secrets, to the public or administrative authorities for reasons of public interest or to disclose it to the courts so that they can carry out their duties,(...)”Article 2 including the heading of the Know-How Directive (EU) 2016/943 of 06/08/2016, L 157/1 reads: “Definitions for the purposes of this directive the term 1."Trade secret" means information that meets all of the following criteria: a) It is secret in the sense that it is not yours, either in its entirety or in the precise arrangement and composition r elements are generally known or readily accessible to those in the circles who usually deal with this type of information; b) they are of commercial value because they are secret; c) they are the subject of reasonable measures of secrecy according to the circumstancesthe person who lawfully controls the information; 2."Trade secret holder" means any natural or legal person who lawfully controls a trade secret;(...)"Article 9 including the heading of the Know-How Directive (EU ) 2016/943 of 08/06/2016, L 157/1, reads: "Protection of confidentiality of business secrets in the course of judicial proceedings(1) Member States shall ensure that the parties, their lawyers or other representatives, court officials, witnesses, experts and any other person who is a party to any legal proceeding involving the unlawful acquisition, use or disclosure of a trade secret, or who has access to any document forming part of any such legal proceeding, is not authorized to disclose a trade secret or an alleged trade secret to use or disclose a trade secret which is recognized by the competent courts pursuant to a s duly substantiated request of an interested party and of which they have become aware as a result of participation in the procedure or access to the documents. Member States may also empower the competent courts to take such measures ex officio.The obligation referred to in the first subparagraph shall survive the conclusion of the court proceedings. However, the obligation ends when one of the following situations occurs:a) a final decision establishes that the alleged trade secret does not meet the criteria set out in Article 2(1), orb) over time, the information in question becomes known for well known or readily accessible to persons in the circles customarily dealing with the type of information concerned.(2) Member States shall further ensure that the competent courts may, upon a duly reasoned request of a party, take specific measures that are necessary to protect the confidentiality of a trade secret or an alleged trade secret used or referred to in the course of any legal proceeding relating to the unlawful acquisition, use or disclosure of a trade secret. Member States may also authorize the competent courts to take such measures ex officio.The measures referred to in the first subparagraph shall provide for at least the possibility of: (a) access to documents submitted by the parties or third parties which contain trade secrets or purportedly trade secrets in their entirety or partially to a limited number of persons; b) to restrict access to hearings at which trade secrets or alleged trade secrets may be disclosed and to the relevant recording or transcript of such hearings to a limited number of persons; c) persons who are not among the limited number of persons referred to in points (a) and (b) to provide a non-confidential version of a court decision in which the passages containing trade secrets have been deleted or redacted. The number of persons referred to in points (a) and (b) of the second subparagraph f be no larger than is necessary to safeguard the parties' right to an effective remedy and a fair trial, and must include at least one natural person from each party and their respective lawyers or other representatives of those parties to the judicial proceeding. (3) In deciding on the When taking measures pursuant to paragraph 2 and assessing their proportionality, the competent courts shall take into account the need to ensure the right to an effective remedy and a fair trial, the legitimate interests of the parties and, where appropriate, of any third party, and the possible harm caused to one of the parties and, where appropriate, any Third parties may incur as a result of the granting or refusal of these measures.(...)"Article 11 including the heading of the Know-How Directive (EU) 2016/943 of 06/08/2016, L 157/1 reads: "Conditions of use and protective measures(1) Member States shall ensure that the competent courts in In connection with the measures referred to in Article 10, have the power to require the applicant to submit all reasonably available evidence to establish with reasonable assurance that a) a trade secret actually exists, b) the applicant is the owner of that trade secret, and c) the trade secret has been unlawfully acquired, used or disclosed, or there is a risk of unlawful acquisition, use or disclosure of the trade secret.(2) Member States shall ensure that the competent courts, when deciding whether to grant or refuse an application and the assessment of proportionality must take into account the particular circumstances of the case, including, where appropriate: (a) the value and other specific characteristics of the trade secret; (b) measures taken to protect the trade secret; (c) the conduct of the applicant opponent in the acquisition, use or disclosure of the trade secret,d) the consequences of unlawful use or disclosure of the trade secret, e) the legitimate interests of the parties and the effects that the granting or refusal of the measures could have for the parties, f) the legitimate interests Third,g) the public interest andh) the protection of fundamental rights. (3) Member States shall ensure that the measures referred to in Article 10 are repealed or otherwise overridden at the request of the respondent if: a) the applicant does not within a reasonable period of time to be determined either by the court ordering the measures, where permitted by the law of the Member State, or, failing that, 20 working days or 31 calendar days, whichever is longer exceeds, initiates the procedure at the competent court, which leads to a substantive decision ng leads orb) the information in question no longer meets the criteria specified in Article 2 number 1 for reasons that are not attributable to the respondent. (4) Member States shall ensure that the competent courts take the measures specified in Article 10 the posting of an appropriate bail or the provision of a corresponding security by the applicant in order to ensure possible compensation for the respondent or any other person affected by the measures. (5) The measures referred to in Article 10 on the basis of paragraph 3 Subparagraph (a) of this Article is set aside or lapses as a result of an act or omission of the applicant, or it is subsequently determined that there was no unlawful acquisition, use or disclosure of the trade secret or threatened, the competent courts shall have the power to at the request of the applicant order the defendant or an injured third party to be ordered by the applicant to compensate the defendant or the injured third party for the damage caused by those measures. III. Re question 1) In the present complaints procedure, the applicant court must specifically determine to what extent which data from the convicted C. Ges.m.b.H. or now by D. Ges.m.b.H., FN ..., are to be announced. The requesting court assumes that Article 15(1)(h) of the General Data Protection Regulation (GDPR) grants a data subject the right to be given truthful information, so that it is not sufficient to provide the data subject with an invented, incorrect information to provide information. However, if a right to truthful information is really to be granted, it can be concluded that the person concerned must also be able to request correct information. Such a right to correct information can be lost if the person concerned has been profiled can only be asserted by the latter, however, if the person concerned is granted such a comprehensive right to information by this provision that he/she (possibly with the involvement of experts) is able to check the consistency of the evaluation given and also to recognize whether the internal logic disclosed in the context of the provision of information is actually based on the profiling created for his person. According to the interpretation of the requesting court, this assumption that a person concerned must be able to check the comprehensibility and truthfulness of the information provided , through the last be ide rights granted to a data subject by Art. 22 Para. Because both rights can only be exercised if the data subject has previously obtained such extensive information on the internal logic of the automated decision-making regarding his person that he is able to check the traceability and truthfulness of the information provided. Without this knowledge, it is simply not possible to counter automated decision-making affecting oneself in such a way that it is possible to compare one's own point of view to the logic underlying this decision-making and the data processed for this decision-making, and subsequently also to successfully combat the result of this automated decision-making. In the opinion of the requesting court, the two above-mentioned and Art. 22 (3) of the General Data Protection Regulation (GDPR), in particular the extent to which information within the meaning of Article 15 (1) (h) of the General Data Protection Regulation (GDPR) is to be granted and what information obligations meet a person responsible in addition to merely disclosing the logic involved in order to meet his obligation to provide information within the meaning of Article 15 (1) (h) of the General Data Protection Regulation (GDPR).There are therefore many indications that these two in particular are protected by Article 22 Paragraph 3 of the General Data Protection Regulation (GDPR) can only be exercised if the data subject within the meaning of Article 22 Paragraph 3 of the General Data Protection Regulation (GDPR) has previously been enabled with regard to profiling or .an automated decision to represent his own point of view and also to oppose the evaluation of this profiling or this automated decision.In order to exercise these two rights, however, it is necessary 22 General Data Protection Regulation (GDPR) so that the data subject is able to understand the automated decision-making and rely on it correctness (therefore their actual use on the occasion of the automated decision made on the data subject within the meaning of Art. 22 General Data Protection Regulation [GDPR]). According to the understanding of the court in question, Art. 15 Para. 1 lit. h General Data Protection Regulation ( DS-GVO) guarantees in particular that the data subject within the meaning of Article 22 of the General Data Protection Regulation (GDPR) obtains the information required to exercise the above-mentioned rights under Article 22 (3) of the General Data Protection Regulation (GDPR). In any case, the university report on which the application is based is in a constellation n such as the present, this required traceability of the automated decision-making is only possible if the person concerned receives the following information by way of his right to information within the meaning of Article 15 (1) lit Data subjects, especially since this is the only way for the data subject to be able to see which of their data has been processed and how (possibly unobjectively) weighted, - secondly, the central parts of the automated decision-making algorithm, including at least 2.1) the mathematical Formula in which all information relevant to the calculation of the rating in question can be entered in the form of numerical values, so that the formula then results in the rating in question, whereby the formula must at least list all the information given in the original information for calculating the value, and 2.2) the comprehensible explanation of all values used in the formula, in particular those that are not derived directly from the information stored about the person concerned, and - thirdly, the relevant information for developing the connection between the processed information and the valuation that has taken place, including in particular 3.1 ) the specification and appropriate description of the valuation functions of all values used in this formula, as well as 3.2) the presentation of the necessary information to show the relationship between information and valuation in interval valuations. And 3.3) the presentation of the cadastral or index functions used. In addition, the university report obtained by the requesting court has also shown that, at least in the present case, only by issuing the information presented in the report as disclosed, which in particular includes the minimum information listed above , it is possible to check the coherence and correctness of information provided by a person responsible with regard to his obligation under Article 15 (1) (h) of the General Data Protection Regulation (GDPR). addressed in question 3b - it can be justifiable that the algorithm parts and valuation functions to be disclosed to the extent that they represent a business secret only have to be disclosed to the authority or the court, a possible objection to an impairment of fundamental rights of the process rs in the event of the obligation to hand over this necessary comprehensive data is possibly unjustified. In view of the open wording "meaningful" in Art. 15 Para. 1 lit. h General Data Protection Regulation (GDPR), it remains completely uncertain to what extent a person responsible is obliged to disclose information with regard to his obligation under Article 15 (1) (h) of the General Data Protection Regulation (GDPR). In this case, an interpretation by the Court of Justice seems to be absolutely necessary in the absence of a more detailed legal structure in EU law.IV. Re question 2) In the opinion of the requesting court, there is much to suggest that the rights granted by Article 22 (3) of the General Data Protection Regulation (GDPR) to express one's own point of view and to contest the decision are effectively designed, and therefore also really for the person concerned should enable them to exercise their right to comment in a well-founded manner and should enable them with a high chance of success to combat an illegal or technically unacceptable automated decision. But if these two rights are now effectively structured should be, this necessarily presupposes that the person concerned has also been granted all the rights that are necessary to actually make use of these rights through these two legal grants. Evidently, the possibility of exercising the right to express one's own point of view and to combat the decision with regard to an automated decision within the meaning of Article 22 of the General Data Protection Regulation (GDPR) requires that the person concerned has been given sufficient information on the logic involved in this automated decision-making process must be in order to then be able to raise objections to the conclusiveness and/or technical correctness of this decision-making process, which must also be so convincing that the person concerned is able to use these objections to raise objections that also affect his person to successfully combat an automated decision (in court). The court making the request therefore assumes that the General Data Protection Regulation (GDPR) applies to a person affected by an automated decision within the meaning of Article 22 of the General Data Protection Regulation (GDPR), in particular due to the determination of theArt. 22. Para. 3 General Data Protection Regulation (GDPR) grants a comprehensive right to information, through which he is able to counter the automated decision-making with his own point of view in a profound way and then to fight it successfully .According to the understanding of the applicant court, this grant of rights can be seen through the design of the right to information granted in Article 15 Paragraph 1 lit. h of the General Data Protection Regulation (GDPR). Such an understanding would have for the application in question The underlying proceedings have a far-reaching consequence, especially since in this case it would have to be assumed that the right to be specified by the applicant court in the specific case must be so comprehensive or detailed that Ms B. is thereby in a position to be able to exercise her rights defined by Art. 22 Paragraph 3 of the General Data Protection Regulation (GDPR) granted rights to the presentation of the e to assert their own point of view and to combat profiling affecting their person in a profound and promising way. It therefore seems absolutely necessary to gain knowledge of the scope and content of the determination of Art. 22 Para. 3 General Data Protection Regulation (GDPR). .In the absence of a more detailed legal structure in EU law, clarification by the Court of Justice appears to be absolutely necessary.V. Re question 3a) In the present case, there are clear indications that the C. Ges.m.b.H. or now the D. Ges.m.b.H., FN ..., information provided is contrary to the facts. According to the information given to Ms. B., she has a particularly good credit rating, but due to the actual profiling of Ms. B., any creditworthiness was denied, and therefore even the financial possibility of paying the amount of ten euros a month Therefore, the question currently arises as to the meaning of the guarantee in Article 15 (1) (h) of the General Data Protection Regulation (GDPR) if the provisions of the General Data Protection Regulation (GDPR) do not ensure that the Affected persons are put in a position to check the correctness of this disclosed information. If one did not want to classify such a right of inspection as being guaranteed by Art. 15 (1) lit. h General Data Protection Regulation (GDPR), the right to information under Art 15 Para to provide pertinent information. However, such an understanding of a right granted to the person concerned to check the conclusiveness and correctness of the information provided within the meaning of Article 15 (1) lit Degree of detail of the person responsible by Art. 15 Para. 1 lit. h General Data Protection Regulation (GDPR) is obliged to disclose information, far-reaching effects. In the present case, for example, the university report has shown and was already explained in the justification of the first question that such verifiability is only possible if not only essential parts of the algorithm on which the automated decision-making is based, as well as the data processed by the data subject and the relevant information for developing the connection between the processed information and the valuation carried out must be disclosed, but also at least twenty-five non-anonymized comparative profiling cases, which were created around the time of the profiling in question, must be disclosed. If one follows this interpretation, these are also additional information requirements in the court proceedings underlying the present request for a preliminary ruling by the requesting court. With regard to this implication, the clarification of this question appears for r the process in question is of central relevance.VI. Re question 3b) This question addresses the previously mentioned consequence, which is almost typical for profiling, that the correctness of information within the meaning of Article 15 (1) of the General Data Protection Regulation also includes the disclosure of non-anonymised comparative profiling cases at around the time of the procedure on which the procedure is based Profiling requires, which obviously also affects the data protection rights of these persons assessed in the comparative profiling cases. It is therefore obvious that if question 3a) is answered in the affirmative, appropriate precautions must also be taken to protect these persons as far as possible. In the absence of a more detailed legal structure in EU law, guidance from the Court of Justice is absolutely necessary in this case. In particular with regard to the regulation of Art. 9 of the Know-How Directive, which also deals with the solution of a tension between confidentiality interests, it seems appropriate to ask whether this tense relationship is to be resolved or can be resolved by disclosing the third-party data required for the accuracy check exclusively to the authority or the court, so that the authority or the court have to independently check whether the disclosed third-party data corresponds to the facts correspond to ? VII. ad Question 3c) This question addresses the fact that the person concerned is withheld extensive information as a result of the possible precautionary measure of setting up a black box to protect the rights of third parties, which is mentioned in question 3b). Art. 22 Para. 3 General Data Protection Regulation (GDPR) guaranteed rights to express your own point of view and to fight the decision can be made impossible. Such a restriction of the exercise of the rights granted to the person entitled to information within the meaning of Article 15 (1) (h) of the General Data Protection Regulation (GDPR) also appears questionable in the light of the requirements of Article 47 of the Charter of Fundamental Rights (GRC), and therefore only in within a very narrow framework. According to the understanding of the applicant court, no sufficiently clear solution to this tension can be derived from the provisions of the General Data Protection Regulation (GDPR). The provision of Article 15 (4) of the General Data Protection Regulation (GDPR) leaves it open as to whether appropriate procedural precautions, such as the establishment of a black box addressed under question 4a), can (must) be achieved that the possibly required refusal to provide more detailed information to the person entitled to information within the meaning of Article 15 Paragraph 1 lit In this case, guidance from the Court of Justice on how to appropriately resolve this conflict of interest between the rights of third parties and the rights of the person concerned is absolutely necessary.VIII. Re question 4a) According to the case law of the Austrian Supreme Court, which is shared by the prevailing doctrine, the algorithm used in profiling is a trade secret in the sense of the Know-How Directive.1 The requesting court assumes that this interpretation of the Supreme Court of Justice in virtually all cases of profiling corresponds to the understanding of the Know-How Directive. However, in the event of a request for information within the meaning of Article 15 Paragraph 1 lit. Art. 22 Para. 3 General Data Protection Regulation (GDPR) to present your own point of view and to fight the decision with reference to the existence of a trade secret is always right. Incidentally, it is already the norm that, with reference to the existence of a trade secret, requests for information within the meaning of Article 15 (1) (h) of the General Data Protection Regulation (GDPR) are not answered at all or at most rudimentarily also in the present case by C. Ges.m.b.H. or now by the D. Ges.m.b.H., FN ..., the disclosure of sufficient information on the logic used with reference to the business secret. For the present complaint procedure, the question therefore arises as to whether and to what extent the typical In the event of an objection to the existence of a trade secret, the data subject's right to information guaranteed by Article 15(1)(h) in conjunction with Article 22 of the General Data Protection Regulation (GDPR) may be largely undermined or even made impossible no sufficiently clear solution to this tension can be derived from the provisions of the General Data Protection Regulation (GDPR). The provisions of Article 15 (4) of the General Data Protection Regulation (GDPR) and Recital 63 of the General Data Protection Regulation (GDPR) leave it open as to whether appropriate procedural precautions, such as the establishment of a 4a) addressed to the black box, it can (must) be achieved that the refusal, if necessary, to provide more detailed information to the person entitled to information within the meaning of Article 15 (1) (h) of the General Data Protection Regulation (GDPR) does not make it impossible to check the information provided leads to their comprehensibility and correctness. In the absence of a more detailed legal structure in EU law, guidance from the Court of Justice on how to appropriately resolve this conflict of interest between the right of the data subject and the right of the processor is absolutely necessary Regulation of Art. 9 of the Know-How Directive, it seems appropriate to ask whether this tension is to be dissolved or can be dissolved to the extent that the information classified as a business secret within the meaning of Art the existence of a business secret within the meaning of Article 2 Z 1 of the Know-How Directive can be assumed, and whether the information provided by the person responsible within the meaning of Article 15 (1) of the General Data Protection Regulation (GDPR) corresponds to the facts.IX. Re question 4b) This question addresses the fact that the possible precautionary measure of setting up a black box to protect the rights of the processor, as mentioned in question 4a), withholds extensive information from the data subject, which in particular means that the data subject is unable to exercise the rights granted to him in particular by Art 22 Para. Such a restriction of the exercise of the rights granted to the person entitled to information within the meaning of Article 15 (1) (h) of the General Data Protection Regulation (GDPR) also appears questionable in the light of the requirements of Article 47 of the Charter of Fundamental Rights (GRC), and therefore only in within a very narrow framework. In the absence of a more detailed legal structure in EU law, guidance from the Court of Justice on how to appropriately resolve this conflict of interest between the rights of the data subject and the rights of the processor is absolutely necessary.X. Re question 5) In the articles of the General Data Protection Regulation (GDPR), as far as can be seen, there is only one single provision, which also standardizes a requirement to take the rights of third parties into account, namely in Article 15 (4) of the General Data Protection Regulation ( GDPR). According to its wording, however, this regulation is only limited to the issue of copies with regard to the data processed by a data subject within the meaning of Article 15 (1) of the General Data Protection Regulation (GDPR). 1 lit. h General Data Protection Regulation (GDPR) can also consist of the transmission of a copy of processed data, the question arises as to whether or to what extent this data disclosure restriction also requires that to this extent the person entitled to information within the meaning of Art. 15 Para 1 lit. h General Data Protection Regulation (GDPR) no information whatsoever may be given. Although the wording of Art. 15 Para. 4 General Data Protection Regulation (GDPR) contradicts such an interpretation, a teleological interpretation could even go against the clear wording of Art. 15 Para. 4 General Data Protection Regulation (GDPR) lead to an uncovered result. It is also noticeable that the standard in Recital 63 of the General Data Protection Regulation (GDPR) to weigh up the interests of the person obliged to provide information i.S.d. Article 15, paragraph 1, letter h of the General Data Protection Regulation (GDPR) to safeguard his interests arising from future business secrets in comparison with the information interests of the person entitled to information within the meaning of Article 15, paragraph 1, letter h of the General Data Protection Regulation (GDPR) is not reflected in the articles of the General Data Protection Regulation (GDPR), so it seems conceivable that the provision of Article 15 (4) General Data Protection Regulation (GDPR) also teleologically means that the requirement of recital 63 of the General Data Protection Regulation (GDPR). Since in the present case there is in particular the tension between the interests of the person obliged to provide information within the meaning of Article 15 Paragraph 1 lit on the one hand, and the information interests of the person entitled to information within the meaning of Article 15 (1) (h) of the General Data Protection Regulation (GDPR) to an appropriate solution guidance from the Court of Justice on how this conflict of interest between the right of the data subject and the right of the processor is to be resolved appropriately also with regard to this provision of Article 15 (4) of the General Data Protection Regulation (GDPR). required. XI. Re question 6) As already explained in relation to question 3a), in the case of a request for information within the meaning of Article 15 (1) (h) of the General Data Protection Regulation (GDPR), the refusal of further details, in particular the rights within the meaning of Article 22 (3). General data protection regulation (DS-GVO) to present one's own point of view and to combat the decision-making information with reference to the existence of a trade secret is almost the rule, and this was also objected to in the present proceedings. It was also already stated under question 3a that the danger 15(1)(h) in conjunction with Article 22 of the General Data Protection Regulation (GDPR) undermines or even makes impossible the data subject's right to information Legislators recognized and determined by simple law that in such a tense relationship the one affected n the rights guaranteed by Article 15 Paragraph 1 Letter h in conjunction with Article 22 Paragraph 3 of the General Data Protection Regulation (GDPR) are in fact never granted. This tense relationship was therefore resolved unilaterally in favor of the guarantees of the know-how directive, which, according to the requesting court's interpretation, in particular with regard to the case law of the European Court of Justice of the Union, according to which restrictions on the fundamental right to data protection (which also include restrictions on the possibilities of legal protection). are to be limited to what is absolutely necessary2, is neither necessary nor objectively justifiable in the light of the provisions of the General Data Protection Regulation (GDPR), such as Recital 63 in particular. The question therefore arises as to whether this provision of Section 4 (6) Data Protection Act can be based on the opening clause of Art. 23 Para. 1 lit. i or another opening clause of the General Data Protection Regulation (GDPR). 1 See OGH December 10, 2020, 4 Ob 182/20y, Blah R., Source code of a computer program as a trade secret, MR 2021, 932 See, for example, ECJ February 14, 2019, C-345/1 (Buivids) margin number 64