Referral C-568/25 (Universal Versand, 27 Aug 2025)
1. Must Article 22(1) of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (GDPR) be interpreted as meaning that the decision of a distance seller to refuse the ‘payment in instalments’ and ‘purchase on account’ payment methods requested by a customer when placing an order, but to inform that customer that it is willing to enter into a business relationship if the ‘credit card’ or ‘PayPal’ payment method is used, produces ‘legal effects’ concerning the customer or ‘similarly significantly affects him or her’ where that decision is based solely on an automated assessment of the likelihood of a customer defaulting on payment, an assessment resulting either from the fact that the response to an automatic request sent to a credit agency reveals that the customer is not known to that agency, or – in the event that the customer is known – from the fact that an internal credit rating reveals that the customer is not sufficiently creditworthy, provided that the order is not rejected outright by the decision, but the customer is limited to the payment methods proposed by the distance seller?
If Question 1 is answered in the affirmative:
2.a) Must Article 22(2)(a) of the GDPR be interpreted as meaning that, in order for a decision by a distance seller based on an automated assessment of the likelihood of a potential customer defaulting on payment, as described in question 1, to be ‘necessary’ for entering into a contract between the customer and the distance seller, there must be a direct and objective link between the purpose of the contract to be entered into with the customer and the assessment of the likelihood of the customer defaulting on payment?
2.b) In order to establish necessity under Article 22(2)(a) of the GDPR, must the categories of data collected be objectively appropriate, either in themselves or in combination, for assessing the likelihood of default?
Must the distance seller or the customer state and prove which categories of data were specifically collected for the purpose of assessing the likelihood of default and that those categories of data are objectively appropriate, either in themselves or in combination, for assessing the likelihood of default?
If Question 1 is answered in the affirmative:
3. Must Article 22(2)(a) of the GDPR be interpreted as meaning that it is the automated decision-making on the part of the controller that is necessary for entering into or performance of the contract?
If Question 3 is answered in the affirmative:
3.a) Must Article 22(2)(a) of the GDPR be interpreted as meaning that, for the purpose of determining whether a decision by a distance seller, as described in question 1, is necessary for entering into a contract, it must be established whether the automated decision-making process for approving or refusing the requested payment method can also be carried out with reasonable effort by individuals? What is the significance in that regard of the number of orders received by the distance seller and the fact that, in the context of the online ordering process, customers typically expect to be informed immediately whether or not the requested payment method has been approved by the distance seller?