Key References:

Profiling

  • GDPR Art. 4(4) defines profiling as, “any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person’s performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements;”
  • WP29 Guidelines state that, “[b]roadly speaking, profiling means gathering information about an individual (or group of individuals) and evaluating their characteristics or behaviour patterns in order to place them into a certain category or group, in particular to analyse and/or make predictions about, for example, their:
    • ability to perform a task;
    • interests; or
    • likely behaviour.”

Automated individual decision-making

  • The GDPR does not define automated decision making.
  • UK ICO explains it as, “[a]utomated decision-making is the process of making a decision by automated means without any human involvement. These decisions can be based on factual data, as well as on digitally created profiles or inferred data.”
  • WP29 Guidelines state that, “[s]olely automated decision-making is the ability to make decisions by technological means without human involvement.”

Overlaps between profiling and automated decision-making

  • WP29 Guidelines explain the overlap between the two as follows: “Automated decisions can be made with or without profiling; profiling can take place without making automated decisions. However, profiling and automated decision-making are not necessarily separate activities. Something that starts off as a simple automated decision-making process could become one based on profiling, depending upon how the data is used.”

Key elements of Art. 22

  • Art. 22(1) states that decisions based solely on automated processing or profiling that produce a legal or similarly significant effect on the data subject are prohibited, unless the Art. 22(2) exceptions apply.
    • WP29 Guidelines call attention to the term “based solely” in Art. 22(1) and clarify that the prohibition is limited to automated processing that has no human involvement in the final decision.
    • Note that profiling can have human involvement, and yet fall within Art. 22(1) restrictions.
    • While the GDPR does not define the terms ‘legal’ or ‘similarly significant’, WP29 Guidelines list examples that include: cancellation of a contract, denial of a social benefit such as housing, decisions that impact financial circumstances, health, employment, or result in discrimination or exclusion and so forth.
  • Art. 22(2) lists the permissible exceptions, which include the data subject’s explicit consent, performance of a contract (including pre-contract stages), and member state or EU laws.
    • WP29 Guidelines state that when controllers implement solely automated decision-making processes for Art. 22(2)(a) contractual purposes, controllers must be able to show necessity.
  • Art. 22(3) states that even where a permissible exception applies, when controllers engage in profiling or solely automated individual decision-making that has legal or similarly significant effects, data subjects have the right to obtain human intervention from controllers.
    • Recital 71 expands this further and lists examples of situations where data subjects have an unconditional right to see human intervention for decisions, such as automatic refusal of an online credit application or e-recruiting practices.
    • Recital 91 requires that controllers must carry out a DPIA in certain instances (such as automated monitoring of large scale public areas) to evaluate the risks to individuals.
  • Art. 22(4) and Recital 71 further state that when controllers process special categories of personal data for profiling or automated decision-making, they are required to have additional safeguards, such as conducting a DPIA, in order to address risks to individuals. Recital 71 also states that such processing should generally be limited.

Art. 21(2) Right to object to profiling

  • Profiling triggers the data subject’s Art. 21(2) right to object to processing for direct marketing that is based on profiling.
  • WP29 Guidelines state that this is an “unconditional right” of the individual which cannot be overridden by the controller by a DPIA or other means.