KEY GDPR PRACTICE TIPS RELATED TO AUTOMATED DECISION-MAKING AND PROFILING

Automated decision-making and profiling constitute personal data processing that may have a significant impact particularly on the rights of the data subject.  As such, they require special attention and care with regard to data protection practices, and the EU’s General Data Protection Regulation (“GDPR”) includes special provisions regarding their use, which controllers must observe.

Profiling refers to the automated processing of personal data that involves evaluation of personal aspects relating to a data subject

Profiling involves prediction and analysis pertaining, in particular, to performance at work, economic situations, health, personal preferences or interests, reliability or behavior, and location or movements.  Profiling is automated or partially automated by nature, performed on personal data and specifically aimed at evaluating or attempting to predict personal aspects of a data subject.  In contrast, simple classification of data subjects based on their age, gender and municipality of residence, for example, is not necessarily considered to be profiling. 

The key is the purpose of classification.

For instance, classification of a company’s customers, an educational institution’s students or the participants in a training provider’s courses based on their age and gender for statistical purposes with the intention of establishing an overall picture of the customers without predictions or conclusions concerning personal aspects relating to individual customers or students is considered to be classification.  This is because it is not aimed at evaluating personal aspects relating to an individual. 

If the purpose, however, is to evaluate a data subject’s personal aspects in order to, for example, target advertising based on a subject´s purchase history or courses taken at a school, the definition of profiling is fulfilled.

Automated decision-making happens without human intervention in the decision and the decision significantly affects the subject

Decision-making is automated when decision-making is based purely on the automated processing of personal data without the intervention of a natural person and the resulting decisions have legal effects on the subject of the automated decision-making or the decisions otherwise significantly affect the subject.

The data used as the basis of automated decision-making may have been obtained from the data subject directly or based on observation (e.g. location data, IP address), or it may be based on data that is extrapolated or deduced from other data using, for example, a profile (previously) generated on the data subject (e.g. credit rating).

It is important to understand that automated decision-making may be carried out without profiling, and profiling may be carried out without automated decision-making. The same personal data processing activity may also aspect which would be considered profiling and other aspects which do not, depending on how the data is used.

Automated decision-making is only allowed if the decision involves at least one of the following:

• is necessary for entering into, or performance of, a contract between the data subject and a data controller;
• is authorized by Union or Member State law to which the controller is subject; or
• is based on the data subject’s explicit consent.

In data protection practices, pay special attention to informing the data subject, implementing the rights of the data subject and conducting an impact assessment

The key to compliance with GDPR is to inform data subjects as clearly and intelligibly as possible regarding the processing of personal data they are subject to and the effects thereof.

Whenever automated decision-making or profiling is involved, make sure that at least the following conditions are met:

• The general data protection principles outlined in the GDPR are observed in the processing of personal data. They are the starting point for everything you do!
• There is a valid legal basis that allows automated decision-making or profiling, and this basis is indicated in the data protection notice.
• The data subjects have been informed of the data protection notice when their data has been obtained indirectly.
• The data subjects are clearly informed about how they can access the data used as the basis for creating a profile.
• The data subjects are clearly informed about where the personal data relating to them was obtained and how they can object to profiling (including profiling for marketing purposes).
• There are processes/procedures by which the data subjects can access the personal data relating to them, request rectification and, if necessary and possible, request the erasure of the data.
• There are adequate technical and organizational measures in place to protect special groups such as children and, if necessary, prevent the unjustified automated decision-making/profiling pertaining to them.
• Data minimization is actively carried out and personal data is kept up to date (unnecessary or outdated data is not processed).

When the case involves only automated decision-making or profiling, it is important that the following conditions are also met:

• The organization implements a data protection impact assessment (DPIA) to evaluate the risks to the subjects of decision-making, these risks should be documented and the organization should be able to demonstrate how the risks are managed and what procedures are in place to ensure GDPR compliance.
• The legal bases for processing personal data include:

 - contractual;

-specific consent, for which it is possible to demonstrate when and how the consent was obtained, and that the data subjects have been informed of how they can withdraw their consent and they can do so in a simple manner; or

 - a legal obligation.

• Special categories of personal data (e.g. data concerning health) are not used in automated decision-making unless there are demonstrable legal grounds that allow processing and any accidentally created personal data of this nature that may be created in this processing can be erased.
• There is a simple procedure in place for requesting the reconsideration of an automated decision and/or human involvement in the process, and there are people in the organization who can review and change decisions and such people have the necessary authority to do so.
• The systems in place are monitored, verified and continuously developed to prevent mistakes and ensure reliability.