Profiling is done when your personal aspects are being evaluated in order to make predictions about you, even if no decision is taken. For example, if a company or organisation assesses your characteristics (such as your age, sex, height) or classifies you in a category, this means you are being profiled.
Decision-making based solely on automated means happens when decisions are taken about you by technological means and without any human involvement. They can be taken even without profiling.
The data protection law establishes that you have the right not to be subject to a decision based solely on automated means, if the decision produces legal effects concerning you or significantly affects you in a similar way. A decision produces legal effects when your legal rights are impacted (such as your right to vote). In addition, processing can significantly affect you if it influences your circumstances, behaviour or choices. For example automatic processing may lead to the refusal of your online credit application.
Profiling and automated decision-making are common practice in a number of sectors, such as banking and finance, taxation and healthcare. It can be more efficient, but may be less transparent and may restrict your choice.
Although, as a general rule, you may not be the subject of a decision based solely on automated processing, this type of decision-making may exceptionally be allowed if the use of algorithms is allowed by law and suitable safeguards are provided.
Decisions based solely on automated means are also allowed where:
- the decision is necessary that is to say, there must be no other way to achieve the same goal to enter or perform a contract with you;
- you have given your explicit consent.
In both instances, the decision taken needs to protect your rights and freedoms, by implementing suitable safeguards. The company or organisation must, at least, inform you of your right to human intervention and to make the required procedural arrangements. Furthermore, the company or organisation should allow you to express your point of view and inform you that you may contest the decision.
Algorithm-based decisions may not make use of special categories of data, unless you have given your consent or the processing is allowed by EU or national law (see above).
You use an online bank for a loan. You are asked to insert your data and the bank’s algorithm tells you whether the bank will grant you the loan or not and gives the suggested interest rate. You must be informed that you may express your opinion, contest the decision and demand that the decision made via the algorithm be reviewed by a person.
- Articles 21 and 22 and Recitals (71) and (72) of the GDPR
- Article 29 Working Party Guidelines on Automated individual decision-making and Profiling for the purposes of Regulation (EU) 2016/679 (WP 251)