Legal Translation | A credit rating agency's scoring itself constitutes "automated decision-making": the OQ v Land Hessen data protection dispute

Translator | Li Xiang (李想), LL.M., China University of Political Science and Law
First review | Li Ziyuan (李梓源), LL.M., University of Bristol
Second review | Wang Huaiyu (王槐語), LL.M., University of California, Berkeley
Editors | Tian Yue (田悅), undergraduate, Huaqiao University
         Su Tong (蘇桐), undergraduate, Huazhong University of Science and Technology
Executive editor | Feng Yuxuan (馮雨萱), J.D. & J.M., Peking University
OQ v Land Hessen
A credit rating agency's scoring itself constitutes "automated decision-making": the OQ v Land Hessen data protection dispute
I. Case Commentary
The core issue in this case is whether a credit agency's conduct amounts to automated decision-making where the agency merely generates a score automatically by means of a program and the final lending decision is taken by the bank that receives the data. To resolve the question, the Court of Justice interprets Article 22(1) GDPR from two angles, its wording and its purpose. On the wording, the Court breaks the conditions for applying Article 22(1) into three: first, there must be a "decision"; second, the decision must be based solely on automated processing; third, the decision must significantly affect the data subject. This narrows the dispute to the first condition. The Court holds that establishing a probability value at least amounts to profiling and therefore counts as a "decision". On this point the Court also argues from purpose: if that conduct were excluded from the notion of "decision", the data subject's right to information in automated decision-making scenarios would be rendered ineffective. Finally, note that the Court also makes clear that the data subject's "right to object" under Article 22(1) GDPR is in substance a prohibition.[1]
[1] See Guidelines on Automated individual decision-making and Profiling for the purposes of Regulation 2016/679.
II. Synopsis of Facts
This request for a preliminary ruling concerns the interpretation of Article 6(1) and Article 22 of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (OJ 2016 L 119, p. 1, and corrigendum OJ 2018 L 127, p. 2; ‘the GDPR’).
The request has been made in proceedings between OQ and the Land Hessen (Federal State of Hesse, Germany) concerning the refusal of the Hessischer Beauftragter für Datenschutz und Informationsfreiheit (Data Protection and Freedom of Information Commissioner for the Federal State of Hesse, Germany; ‘the HBDI’) to order SCHUFA Holding AG (‘SCHUFA’) to grant an application lodged by OQ seeking to access and erase personal data concerning her.
SCHUFA is a private company under German law which provides its contractual partners with information on the creditworthiness of third parties, in particular, consumers. To that end, it establishes a prognosis on the probability of a future behaviour of a person (‘score’), such as the repayment of a loan, based on certain characteristics of that person, on the basis of mathematical and statistical procedures. The establishment of scores (‘scoring’) is based on the assumption that, by assigning a person to a group of other persons with comparable characteristics who have behaved in a certain way, similar behaviour can be predicted.
It is apparent from the request for a preliminary ruling that OQ was refused the granting of a loan by a third party after having been the subject of negative information established by SCHUFA and transmitted to that third party. OQ applied for SCHUFA to send her information on the personal data registered and to erase some of the data which was allegedly incorrect.
In response to that request, SCHUFA informed OQ of her score and outlined, in broad terms, the methods for calculating the scores. However, referring to trade secrecy, it refused to disclose the various elements taken into account for the purposes of that calculation and their weighting. Lastly, SCHUFA stated that it limited itself to sending information to its contractual partners and it was those contractual partners which made the actual contractual decisions.
By a complaint lodged on 18 October 2018, OQ asked the HBDI, the competent supervisory authority, to order SCHUFA to grant her request for access to information and erasure.
By decision of 3 June 2020, the HBDI rejected that application for an order, explaining that it was not established that SCHUFA did not comply with the requirements set out in Article 31 of the BDSG incumbent upon it with regard to its activity.
OQ appealed against that decision before the Verwaltungsgericht Wiesbaden (Administrative Court, Wiesbaden, Germany), the referring court, in accordance with Article 78(1) of the GDPR.
According to that court, it is important to determine, for the purposes of ruling on the dispute before it, whether the establishment of a probability value such as that at issue in the main proceedings constitutes automated individual decision-making within the meaning of Article 22(1) of the GDPR.[2] If that question is answered in the affirmative, the lawfulness of that activity would be subject, under Article 22(2)(b) of that regulation, to the condition that that decision be authorised by EU law or Member State law to which the controller is subject.
[2] On the definition of automated decision-making, see 解正山 (Xie Zhengshan), "Regulation of Algorithmic Decision-Making: Centred on the Algorithmic 'Right to Explanation'", 現代法學 (Modern Law Science), 2020, No. 1, pp. 179-180.
In that regard, the referring court has doubts as to the argument that Article 22(1) of the GDPR is not applicable to the activity of companies such as SCHUFA. It bases its doubts, from a factual point of view, on the importance of a probability value such as that at issue in the main proceedings for the decision-making practice of third parties to which that probability value is transmitted and, from a legal point of view, mainly on the objectives pursued by that Article 22(1), and on the guarantees of legal protection enshrined by the GDPR.
More specifically, the referring court notes that it is the probability value which normally determines whether and how the third party will contract with the person concerned. Article 22 of the GDPR precisely aims to protect people against the risks linked to decisions purely based on automation.
By contrast, if Article 22(1) of the GDPR were to be interpreted as meaning that the status of ‘automated individual decision-making’ cannot be recognised, in a situation such as that at issue in the main proceedings, until the decision taken by the third party with regard to the data subject, this would result in a lacuna in legal protection. First, a company such as SCHUFA would not be required to provide access to the additional information to which the data subject is entitled under Article 15(1)(h) of that regulation because that company would not be the company which adopts ‘automated decision-making’ within the meaning of that provision and, consequently, within the meaning of Article 22(1) of that regulation. Secondly, the third party to whom the probability value is communicated could not provide that additional information because it does not have it.
Thus, according to the referring court, to avoid such a lacuna in legal protection, it would be necessary for the establishment of a probability value such as that at issue in the main proceedings to fall within the scope of application of Article 22(1) of the GDPR.
If such an interpretation were to be accepted, the lawfulness of that activity would then be subject to the existence of a legal basis at the level of the Member State concerned, under Article 22(2)(b) of that regulation. In the present case, while it is true that Article 31 of the BDSG may constitute such a legal basis in Germany, there are serious doubts as to the compatibility of that provision with Article 22 of the GDPR because the German legislature regulates only the ‘use’ of a probability value such as that at issue in the main proceedings, and not the establishment in itself of that value.
By contrast, if the establishment of such a probability value does not constitute automated individual decision-making within the meaning of Article 22 of the GDPR, the opening clause appearing in paragraph 2(b) of that Article 22 would also not apply to national regulations regarding that activity.[3] In view of the exhaustive, in principle, nature of the GDPR and in the absence of any other normative competence for such national regulations, it seems that the German legislature, by subjecting the establishment of probability values to more advanced conditions of substantive lawfulness, specifies the regulated matter by going beyond the requirements set out in Articles 6 and 22 of the GDPR, without having regulatory power for this purpose. If this point of view were to be correct, this would modify the margin of examination of the national supervisory authority, which would then have to assess the compatibility of the activity of credit information agencies in the light of Article 6 of that regulation.
[3] See Miscenic, Emilia & Hoffmann, Anna-Lena, The Role of Opening Clauses in Harmonization of EU Law: Example of the EU's General Data Protection Regulation (GDPR), EU and Comparative Law Issues and Challenges Series (ECLIC), 41, 51.2020.
III. The Questions Referred by the Verwaltungsgericht Wiesbaden for a Preliminary Ruling
(1) Is Article 22(1) of the [GDPR] to be interpreted as meaning that the automated establishment of a probability value concerning the ability of a data subject to service a loan in the future already constitutes a decision based solely on automated processing, including profiling, which produces legal effects concerning the data subject or similarly significantly affects him or her, where that value, determined by means of personal data of the data subject, is transmitted by the controller to a third-party controller and the latter draws strongly on that value for its decision on the establishment, implementation or termination of a contractual relationship with the data subject?
(2) If the first question is answered in the negative:
are Articles 6(1) and 22 of the [GDPR] to be interpreted as precluding national legislation under which the use of a probability value – in the present case, in relation to a natural person’s ability and willingness to pay, in the case where information about claims against that person is taken into account – regarding specific future behaviour of a natural person for the purpose of deciding on the establishment, implementation or termination of a contractual relationship with that person (scoring) is permissible only if certain further conditions, which are set out in more detail in the grounds of the request for a preliminary ruling, are met?
IV. Relevant Provisions of the GDPR and the BDSG
BDSG (Bundesdatenschutzgesetz, Federal Data Protection Act)
Entitled ‘Protection of trade and commerce in the context of “scoring” and credit reports’, Paragraph 31 of the Bundesdatenschutzgesetz (Federal Law on data protection) of 30 June 2017 (BGBl. I, p. 2097; ‘the BDSG’), reads as follows:
(1) The use of a probability value regarding specific future behaviour of a natural person for the purpose of deciding on the establishment, implementation or termination of a contractual relationship with that person ("scoring") shall be permissible only if
1. the provisions of data protection law have been complied with,
2. the data used to calculate the probability value are demonstrably relevant to the calculation of the probability of the specific behaviour, on the basis of a scientifically recognised mathematical statistical method,
3. the data used for the calculation of the probability value were not exclusively address data, and
4. where address data are used, the data subject has been notified of the intended use of such data before the calculation of the probability value; the notification must be documented.
(2) The use of a probability value determined by credit information agencies in relation to a natural person's ability and willingness to pay shall, in the case where information about claims against that person is taken into account, be permissible only if the conditions under subparagraph 1 are met and claims relating to a performance owed but not rendered despite falling due are taken into account only if they are claims:
1. which have been established by a judgment which has become final or has been declared provisionally enforceable or for which there is a debt instrument pursuant to Paragraph 794 of the Zivilprozessordnung [(Code of Civil Procedure)],
2. which have been established in accordance with Paragraph 178 of the Insolvenzordnung [(Insolvency Code)] and not contested by the debtor at the meeting for verification of claims,
3. which the debtor has expressly acknowledged,
4. in respect of which
(a) the debtor has been given formal notice in writing at least twice after the claim fell due,
(b) the first formal notice was given at least four weeks previously,
(c) the debtor has been informed in advance, but at the earliest at the time of the first formal notice, of the possibility that the claim might be taken into account by a credit information agency and
(d) the debtor has not contested the claim, or
5. whose underlying contractual relationship may be terminated without notice on the ground of arrears in payment and in respect of which the debtor has been informed in advance of the possibility that account might be taken of them by a credit information agency.
The permissibility of the processing, including the determination of probability values and of other data relevant to creditworthiness, under general data protection law remains unaffected.
GDPR (General Data Protection Regulation)
Entitled ‘Information to be provided where personal data have not been obtained from the data subject’, Article 14 of the GDPR provides, in paragraph 2 thereof:
In addition to the information referred to in paragraph 1, the controller shall provide the data subject with the following information necessary to ensure fair and transparent processing in respect of the data subject:
…
(g) the existence of automated decision-making, including profiling, referred to in Article 22(1) and (4) and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject.
Entitled ‘Right of access by the data subject’, Article 15 of that regulation provides, in paragraph 1 thereof:
The data subject shall have the right to obtain from the controller confirmation as to whether or not personal data concerning him or her are being processed, and, where that is the case, access to the personal data and the following information:
…
(h) the existence of automated decision-making, including profiling, referred to in Article 22(1) and (4) and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject.
Entitled ‘Automated individual decision-making, including profiling’, Article 22 of that regulation provides:
1. The data subject shall have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her or similarly significantly affects him or her.
2. Paragraph 1 shall not apply if the decision:
(a) is necessary for entering into, or performance of, a contract between the data subject and a data controller;
(b) is authorised by Union or Member State law to which the controller is subject and which also lays down suitable measures to safeguard the data subject's rights and freedoms and legitimate interests; or
(c) is based on the data subject's explicit consent.
3. In the cases referred to in points (a) and (c) of paragraph 2, the data controller shall implement suitable measures to safeguard the data subject's rights and freedoms and legitimate interests, at least the right to obtain human intervention on the part of the controller, to express his or her point of view and to contest the decision.
4. Decisions referred to in paragraph 2 shall not be based on special categories of personal data referred to in Article 9(1), unless point (a) or (g) of Article 9(2) applies and suitable measures to safeguard the data subject's rights and freedoms and legitimate interests are in place.
V. Consideration of the Questions Referred
The first question
By its first question, the referring court asks, in essence, whether Article 22(1) of the GDPR must be interpreted as meaning that the automated establishment, by a credit information agency, of a probability value based on personal data relating to a person and concerning his or her ability to meet payment commitments in the future constitutes ‘automated individual decision-making’ within the meaning of that provision, where a third party, to which that probability value is transmitted, draws strongly on that probability value to establish, implement or terminate a contractual relationship with that person.
In order to answer that question, it should be borne in mind, as a preliminary point, that the interpretation of a provision of EU law requires that account be taken not only of its wording, but also of its context and the objectives and purpose pursued by the act of which it forms part (judgment of 22 June 2023, Pankki S, C-579/21, EU:C:2023:501, paragraph 38 and the case-law cited).
As regards the wording of Article 22(1) of the GDPR, that provision provides that the data subject is to have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her or similarly significantly affects him or her.
The applicability of that provision is therefore subject to three cumulative conditions, namely, first, that there must be a ‘decision’, secondly, that that decision must be ‘based solely on automated processing, including profiling’, and, thirdly, that it must produce ‘legal effects concerning [the interested party]’ or ‘similarly significantly [affect] him or her’.
As regards, first, the condition relating to the existence of a decision, it should be noted that the concept of ‘decision’, within the meaning of Article 22(1) of the GDPR, is not defined by that regulation. However, it is apparent from the very wording of that provision that that concept refers not only to acts which produce legal effects concerning the person at issue but also to acts which similarly significantly affect him or her.
The broad scope of the concept of ‘decision’ is confirmed by recital 71 of the GDPR, according to which a decision evaluating personal aspects relating to a person, to which that person should have the right not to be subject, ‘may include a measure’ which either produces ‘legal effects concerning him or her’, or, ‘similarly significantly affects him or her’. Under that recital, the term ‘decision’ covers, for example, the automatic refusal of an online credit application or e-recruiting practices without human intervention.
The concept of ‘decision’ within the meaning of Article 22(1) of the GDPR is thus, as the Advocate General noted in point 38 of his Opinion, capable of including a number of acts which may affect the data subject in many ways, since that concept is broad enough to encompass the result of calculating a person’s creditworthiness in the form of a probability value concerning that person’s ability to meet payment commitments in the future.
As regards, secondly, the condition according to which the decision, within the meaning of that Article 22(1), must be ‘based solely on automated processing, including profiling’, as the Advocate General noted in point 33 of his Opinion, it is common ground that an activity such as that of SCHUFA meets the definition of ‘profiling’ appearing in Article 4(4) of the GDPR and therefore that that condition is met in the present case, since the wording of the first question referred explicitly refers to the automated establishment of a probability value based on personal data relating to a person and concerning that person’s ability to repay a loan in the future.
As regards, thirdly, the condition that the decision must produce ‘legal effects’ concerning the person at issue or affect him or her ‘similarly significantly’, it is apparent from the very wording of the first question referred that the action of the third party to whom the probability value is transmitted draws ‘strongly’ on that value. Thus, according to the factual findings of the referring court, in the event where a loan application is sent by a consumer to a bank, an insufficient probability value leads, in almost all cases, to the refusal of that bank to grant the loan applied for.
In those circumstances, it must be stated that the third condition to which the application of Article 22(1) of the GDPR is subject is also fulfilled, since a probability value such as that at issue in the main proceedings affects, at the very least, the data subject significantly.
It follows that, in circumstances such as those at issue in the main proceedings, in which the probability value established by a credit information agency and communicated to a bank plays a determining role in the granting of credit, the establishment of that value must be qualified in itself as a decision producing vis-à-vis a data subject ‘legal effects concerning him or her or similarly significantly [affecting] him or her’ within the meaning of Article 22(1) of the GDPR.
That interpretation is corroborated by the context in which Article 22(1) of the GDPR takes place and by the objectives and purpose pursued by that regulation.
In this regard, it is important to note that, as the Advocate General observed in point 31 of his Opinion, Article 22(1) of the GDPR confers on the data subject the ‘right’ not to be the subject of a decision solely based on automated processing, including profiling. That provision lays down a prohibition in principle, the infringement of which does not need to be invoked individually by such a person.
As follows from a combined reading of Article 22(2) of the GDPR and recital 71 of that regulation, the adoption of a decision based solely on automated processing is authorised only in the cases referred to in that Article 22(2), namely where that decision is necessary for entering into, or performance of, a contract between the data subject and a data controller (point (a)), where it is authorised by EU or Member State law to which the controller is subject and which also lays down suitable measures to safeguard the data subject’s rights and freedoms and legitimate interests (point (b)), or where it is based on the data subject’s explicit consent (point (c)).
Furthermore, Article 22 of the GDPR provides, in paragraphs 2(b) and 3 thereof, that suitable measures to safeguard the data subject’s rights and freedoms and legitimate interests must be taken. In the cases referred to in points (a) and (c) of Article 22(2) of that regulation, the data controller is to implement at least the right of the data subject to obtain human intervention, to express his or her point of view and to contest the decision.
In addition, under Article 22(4) of the GDPR, it is only in certain specific cases that automated individual decision-making within the meaning of Article 22 is to be based on special categories of personal data referred to in Article 9(1) of that regulation.
Furthermore, in the case of automated decision-making, such as that referred to in Article 22(1) of the GDPR, first, the controller is subject to additional information obligations under Article 13(2)(f) and Article 14(2)(g) of that regulation. Secondly, the data subject enjoys, under Article 15(1)(h) of that regulation, the right to obtain from the controller, in particular, ‘meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject’.
Those enhanced requirements as to the lawfulness of automated decision-making and the additional information obligations of the controller and the related additional rights of access of the data subject are explained by the purpose pursued by Article 22 of the GDPR, consisting of protecting individuals against the particular risks to their rights and freedoms represented by the automated processing of personal data, including profiling.
That processing involves, as is apparent from recital 71 of the GDPR, the evaluation of personal aspects relating to the natural person concerned by that processing, in particular to analyse or predict aspects concerning the data subject’s performance at work, economic situation, health, personal preferences or interests, reliability or behaviour, location or movements.
Those particular risks are, under that recital, likely to weigh on the legitimate interests and rights of the data subject, in particular taking account of discriminatory effects on natural persons on the basis of racial or ethnic origin, political opinion, religion or beliefs, trade union membership, genetic or health status or sexual orientation. It is therefore important, still according to that recital, to provide suitable safeguards and to ensure fair and transparent processing in respect of the data subject, in particular through the use of appropriate mathematical or statistical procedures for the profiling and the implementation of technical and organisational measures appropriate to ensure that the risk of errors is minimised.
The interpretation set out in paragraphs 42 to 50 of this judgment, and in particular the broad scope of the concept of ‘decision’ within the meaning of Article 22(1) of the GDPR, reinforces the effective protection intended by that provision.
On the other hand, in circumstances such as those at issue in the main proceedings, in which three stakeholders are involved, there would be a risk of circumventing Article 22 of the GDPR and, consequently, a lacuna in legal protection if a restrictive interpretation of that provision was retained, according to which the establishment of the probability value must only be considered as a preparatory act and only the act adopted by the third party can, where appropriate, be classified as a ‘decision’ within the meaning of Article 22(1) of that regulation.
In that situation, the establishment of a probability value such as that at issue in the main proceedings would escape the specific requirements provided for in Article 22(2) to (4) of the GDPR, even though that procedure is based on automated processing and that it produces effects significantly affecting the data subject to the extent that the action of the third party to whom that probability value is transmitted draws strongly on it.
Furthermore, as the Advocate General noted in point 48 of his Opinion, first, the data subject would not be able to assert, from the credit information agency which establishes the probability value concerning him or her, his or her right of access to the specific information referred to in Article 15(1)(h) of the GDPR, in the absence of automated decision-making by that company. Secondly, even assuming that the act adopted by the third party falls within the scope of Article 22(1) of that regulation in so far as it fulfils the conditions for application of that provision, that third party would not be able to provide that specific information because it generally does not have it.

The fact that the establishment of a probability value such as that at issue in the main proceedings is covered by Article 22(1) of the GDPR has the consequence, as noted in paragraphs 53 to 55 of this judgment, that it is prohibited unless one of the exceptions set out in Article 22(2) of that regulation is applicable and the specific requirements provided for in Article 22(3) and (4) of that regulation are complied with.
With regard, more specifically, to Article 22(2)(b) of the GDPR, to which the referring court refers, it is apparent from the very wording of that provision that the national law which authorises the adoption of an automated individual decision must lay down suitable measures to safeguard the data subject’s rights and freedoms and legitimate interests.
In the light of recital 71 of the GDPR, such measures must include, in particular, the obligation for the controller to use appropriate mathematical or statistical procedures, implement technical and organisational measures appropriate to ensure that the risk of errors is minimised and inaccuracies are corrected, and secure personal data in a manner that takes account of the potential risks involved for the interests and rights of the data subject and prevent, inter alia, discriminatory effects on that person. Those measures include, moreover, at least the right for the data subject to obtain human intervention on the part of the controller, to express his or her point of view and to challenge the decision taken in his or her regard.
It is also important to note that, in accordance with the settled case-law of the Court, any processing of personal data must, first, comply with the principles relating to the processing of data established in Article 5 of the GDPR and, secondly, in the light, in particular, of the principle of the lawfulness of processing, laid down in Article 5(1)(a), satisfy one of the conditions of the lawfulness of the processing listed in Article 6 of that regulation (judgment of 20 October 2022, Digi, C-77/21, EU:C:2022:805, paragraph 49 and the case-law cited). The controller must be able to demonstrate compliance with those principles, in accordance with the principle of accountability set out in Article 5(2) of that regulation (see, to that effect, judgment of 20 October 2022, Digi, C-77/21, EU:C:2022:805, paragraph 24).
Thus, in the event that the law of a Member State authorises, under Article 22(2)(b) of the GDPR, the adoption of a decision solely based on automated processing, that processing must comply not only with the conditions set out in the latter provision and in Article 22(4) of that regulation, but also with the requirements set out in Articles 5 and 6 of that regulation. Accordingly, Member States cannot adopt, under Article 22(2)(b) of the GDPR, regulations which authorise profiling in disregard of the requirements laid down by those Articles 5 and 6, as interpreted by the case-law of the Court.
With regard in particular to the conditions of lawfulness, provided for in Article 6(1)(a), (b), and (f) of the GDPR, which are likely to apply in a case such as that at issue in the main proceedings, Member States are not empowered to provide additional rules for the implementation of those conditions, such an option being, in accordance with Article 6(3) of that regulation, limited to the reasons referred to in Article 6(1)(c) and (e) of that regulation.
Furthermore, with regard more specifically to Article 6(1)(f) of the GDPR, Member States cannot, under Article 22(2)(b) of that regulation, dismiss the requirements resulting from the case-law of the Court following the judgment of 7 December 2023, SCHUFA Holding (Discharge from remaining debts) (C-26/22 and C-64/22, EU:C:2023:XXX), in particular, by definitively prescribing the result of the balancing of the rights and interests at issue (see, to that effect, judgment of 19 October 2016, Breyer, C-582/14, EU:C:2016:779, paragraph 62).
In the present case, the referring court states that only Paragraph 31 of the BDSG could constitute a national legal basis for the purposes of Article 22(2)(b) of the GDPR. However, it has serious doubts as to the compatibility of Paragraph 31 of the BDSG with EU law. Assuming that that provision is deemed incompatible with EU law, SCHUFA would act not only without legal basis, but would ipso iure disregard the prohibition laid down in Article 22(1) of the GDPR.
In this regard, it is for the referring court to verify whether Paragraph 31 of the BDSG can be classified as a legal basis authorising, under Article 22(2)(b) of the GDPR, the adoption of a decision solely based on automated processing. If that court were to reach the conclusion that Paragraph 31 of the BDSG constitutes such a legal basis, it would still be up to it to verify whether the conditions set out in Article 22(2)(b) and (4) of the GDPR and those laid down in Articles 5 and 6 of that regulation are fulfilled in this case.
In the light of all the foregoing considerations, the answer to the first question is that Article 22(1) of the GDPR must be interpreted as meaning that the automated establishment, by a credit information agency, of a probability value based on personal data relating to a person and concerning his or her ability to meet payment commitments in the future constitutes ‘automated individual decision-making’ within the meaning of that provision, where a third party, to which that probability value is transmitted, draws strongly on that probability value to establish, implement or terminate a contractual relationship with that person.

The second question
Given the answer to the first question, there is no need to answer the second question.
Original text:
https://eur-lex.europa.eu/legal-content/en/TXT/?uri=CELEX:62021CJ0634
