Yes, individuals should not be subject to a decision that is based solely on automated processing (such as algorithms) and that is legally binding or which significantly affects them.
A decision may be considered as producing legal effects when the individual’s legal rights or legal status are impacted (such as their right to vote for example). In addition, processing can significantly affect an individual if it influences their personal circumstances, their behaviour or their choices (for example an automatic processing may lead to the refusal of an online credit application).
The use of automated processing for decision-making is authorised only in the following cases:
- the decision based on the algorithm is necessary (i.e. there must be no other way to achieve the same goal) to enter into or to perform a contract with the individual whose data your company/organisation processed via the algorithm (for example an online loan application)
- a particular EU or national law allows the use of algorithms and provides for suitable safeguards to protect the individual’s rights, freedoms and legitimate interests (for example anti-tax evasion regulations);
- the individual has explicitly given his consent to a decision based on the algorithm.
However, the decision taken needs to protect the individual’s rights, freedoms and legitimate interest, by implementing suitable safeguards. Except where such decision-making is based on a law, the individual must be at least informed of (i) the logic involved in the decision-making process, (ii) their right to obtain human intervention, (iii) the potential consequences of the processing and (iv) their right to contest the decision. Your company/organisation must therefore make the required procedural arrangements to allow the individual to express their point of view and to contest the decision.
Finally, particular attention should be given if the algorithm uses special categories of personal data: automated decision-making is only allowed in the following circumstances:
- the individual has given their explicit consent; or
- the processing is necessary for reasons of substantial public interest under EU or national law.
Furthermore, if the individual is a child, decisions made solely on automated processing that produce legal effects or effects which are of similar significance for the child should be avoided, because children represent a more vulnerable group of society.
Your company/organisation is an online bank offering loans. Clients insert their data and an algorithm produces results on whether they should be offered a loan or not and the suggested interest rate. Your company/organisation needs to review the said decision before communicating to the prospective client and inform him that he may express his opinion and eventually contest the decision, keeping in mind that the individual has the right not to be subject to a decision based on algorithms.