Profiling and automated decision-making

The GDPR introduces the notion of profiling and automated decision-making and contains specific rules on these legal concepts.

The Article 29 Data Protection Working Party (WP29) issued guidelines on automated individual decision-making and profiling on 3 October 2017 (WP251). They were then revised on 6 February 2018 (the “Guidelines”) and seek to interpret the respective provisions of the GDPR (Article 4 clause 4 and Article 22).

1. What is profiling?

Under the GDPR, profiling “means any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person's performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements.”

It is worth stressing that for a data processing activity to qualify as profiling, it does not necessarily have to be based solely on automated processing. It will constitute profiling so long as some form of automated processing is involved, and the fact that there is human involvement does not necessarily bring the activity outside scope of the definition.

As the Guidelines put it,

“profiling means gathering information about an individual (or group of individuals) and evaluating their characteristics or behaviour patterns in order to place them into a certain category or group, in particular to analyse and/or make predictions about, for example, their:

- ability to perform a task;

- interests; or

- likely behaviour.”

2. Does profiling always include automated decision-making?

No. Profiling may – but doesn’t have to – include automated decision-making. For example, if an insurance broker collects personal data, develops profiles, and places the individuals into certain categories, and then sells the information to insurance companies, the broker carries out profiling but makes no automated decisions.

There are three types of profiling:

(i) general profiling;

(ii) profiling on which a decision is based; and

(iii) profiling which is part of a solely automated decision-making process, i.e. a decision-making process that is without any meaningful human involvement (since an algorithm makes the decision).

3. What is automated decision-making?

Solely automated decision-making is the ability to make decisions by technological means, i.e. without human involvement.

There can also be decisions that are not solely automated. This is the case when there is meaningful human involvement in the decision-making process.

4. Does automated decision-making always include profiling?

No. Automated decisions can be made with or without profiling. For example, as the Guidelines say: “[i]mposing speeding fines purely on the basis of evidence from speed cameras is an automated decision-making process that does not necessarily involve profiling.”

Of course, decisions that are not solely automated might also include profiling. The example made in the Guidelines is that a bank may carry out credit scoring with meaningful human involvement when assessing if the person applying for a credit facility may actually get the loan.

5. Is there a difference between “based solely on automated decision-making” and “based on automated decision-making”?

Yes. Please see question 3 above.

6. What do I have to pay specific attention to when it comes to profiling and/or automated decision-making?

(i) The basic principles as referred to in Article 5 of the GDPR apply to all profiling and automated decision making (i.e. even if Article 22 of the GDPR does not apply because the decision is not based solely on automated processing). Thus, entities engaged in profiling and/or automated decision-making have to make sure that their data processing activities are lawful, fair & transparent, and that they respect the principles of purpose limitation, data minimization, accuracy and storage limitation.

(ii) In addition, entities carrying out profiling and/or making automated decisions have to demonstrate a valid legal basis for their processing as referred to in Article 6 of the GDPR (consent of the data subject, performance of a contract with the data subject, compliance with a legal obligation of the controller, protection of vital interests of the data subject, public interest or legitimate interest of the controller or of a third party).

It is essential to determine if any one of the legal bases listed above may be applied. In case of an investigation, the controller has to prove that a proper legal basis was applied.

(iii) Furthermore, it is worth noting that the data subject may exercise his/her rights in connection with profiling / automated decision-making, as enlisted in Articles 15-21 of the GDPR. This includes the right to be informed, the right of access, the right to rectification, the right to erasure, the right to restriction of processing, and the right to object. If the decision making is not solely automated, Article 22 of the GDPR does not apply.

7. What do I have to pay specific attention to when it comes to solely automated decision-making (with or without profiling)?

According to Article 22 (1) of the GDPR, “the data subject shall have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her or similarly significantly affects him or her.”

Under the GDPR, controllers are required to specifically provide information on solely automated decision-making as referred to in paragraph (i) above, namely, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject.

Also, the GDPR provides that the data subject has the right of access and right to obtain meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject.

8. Is the prohibition as per Article 22 (1) of the GDPR an absolute prohibition?

No. The prohibition (or right of the data subject) does not apply if the decision:

“(a) is necessary for entering into, or performance of, a contract between the data subject and a data controller;

(b) is authorised by Union or Member State law to which the controller is subject and which also lays down suitable measures to safeguard the data subject's rights and freedoms and legitimate interests; or

(c) is based on the data subject's explicit consent.”

In the cases referred to in points (a) and (c) above, the data controller has to implement suitable measures to safeguard the data subject's rights and freedoms and legitimate interests, at least the right (i) to obtain human intervention on the part of the controller, (ii) to express his or her point of view, and (iii) to contest the decision.

9. Can solely automated decisions be made towards children?

The wording of Article 22 of the GDPR applies to both adults and children (as it makes no distinction between them). However, Recital (71) states that children should not be subject to solely automated decision-making. Taking this into account, the WP29 recommends that controllers should not use such decision-making / profiling (with legal or similarly significant effects) with respect to children unless such decision-making is necessary to protect the welfare of children. In this case, processing may be carried out based on the exceptions, as appropriate, mentioned in question 8 above.

10. How does the data protection impact assessment (DPIA) relate to profiling and automated decision-making?

The Guidelines suggest that a DPIA may have to be prepared not only when it comes to decision-making based solely on automated processing (with or without profiling) but even if the decision is based only partly rather than “solely” on automated processing. This means that a DPIA may have to be prepared also in the event of decision-making that is not wholly automated.

Zoltán Balázs Kovács, J.D. (LL.M.), Partner, Szecskay Attoneys at Law, Budapest, Hungary (zoltan.kovacs@szecskay.com)

The contents of this post are intended to provide only a general overview of the subject matter and do not qualify as legal advice.