The right of access in automated decision-making: The scope of article 15(1)(h) GDPR in theory and practice

The right of access in Article 15 of the EU General Data Protection Regulation (GDPR) is es-sential for empowering data subjects when exercising other data subject rights. In the con-text of automated decision-making, including profiling, Article 15(1)(h) provides a right to meaningful information about the logic involved, as well as the significance and the envis-aged consequences of such processing for the data subject. In this research, the notions of 'meaningful information', 'the logic involved', and 'the significance and the envisaged con-sequences' are analysed. Apart from a legal analysis, empirical research was carried out in 30 countries (27 EU and 3 EFTA EEA Member States), consisting of a survey amongst all Data Protection Authorities (DPAs) and interviews with experts of privacy organisations. Several types of potentially meaningful information that could be in scope of right of access re-quests were assessed, as well as several types of information on the consequences for data subjects. Even though respondents indicate that most of these types of information should be provided upon access requests, the findings show that most of these types of information are rarely or not at all provided in practice. Providing such information strongly depends on the willingness of data controllers to cooperate, as they may balance this against rights and freedoms of others, including intellectual property and trade secrets. Particularly trade se-crets are invoked in practice to block or restrict access requests, despite the GDPR stating that these considerations should not lead to a refusal of the request to provide all informa-tion to the data subject.(c) 2022 Published by Elsevier Ltd. This is an open access article under the CC BY license ( http://creativecommons.org/licenses/by/4.0/ )

Automated summary

The right of access is crucial for data subjects' empowerment under the EU General Data Protection Regulation. However, a study reveals that meaningful information regarding the logic, significance, and consequences of automated decision-making is rarely provided in practice, depending on data controllers' willingness to cooperate and balance other rights and freedoms.