In 2025, the Court of Justice of the European Union (CJEU) ended the extensive debate on whether the General Data Protection Regulation (GDPR) includes a right to an explanation when a data subject is digitally profiled and a decision is made based on the profile. The Court also addressed the level of detail required in the explanation and several other issues. However, while the Court has settled the existence of an explanation duty, it has not exhausted its scope. Post the recent case law, this article argues that the unresolved centre of gravity in the GDPR’s “right to explanation” is no longer what must be explained about the data processing and profiling. However, the rulings leave several research questions unanswered, including whether – and if so – how far the explanation must extend to external norms, which in the public sector are usually statutory provisions and their interpretation and operationalisation in automated decision rules applied to a set of personal data, including profiles, thereby forming a decision regarding the data subject.