The CJEU ruled that individuals have the right to understand how their personal data was used in automated decisions, but not necessarily the underlying algorithm. Controllers must disclose this information to data subjects, but trade secrets and third-party data may be disclosed to supervisory authorities for a balancing exercise. While this provides clarity on some aspects of GDPR compliance, questions remain about black box algorithms, trade secret disclosure, and the role of supervisory authorities.