News Stream Books Videos Web Conferences Subscriptions Advertise About IAPP Publications
Daily Dashboard Daily Dashboard

The day’s top stories from around the world

 AI Governance Dashboard – New AI Governance Dashboard – New

Stay on top of the latest AI governance news and developments of the profession.

 The Privacy Advisor The Privacy Advisor

Original reporting and feature articles on the latest privacy developments

 Privacy Perspectives Privacy Perspectives

Where the real conversations in privacy happen

 Privacy Tech Privacy Tech

Exploring the technology of privacy

 Canada Dashboard Digest Canada Dashboard Digest

A roundup of the top Canadian privacy news

 Europe Data Protection Digest Europe Data Protection Digest

A roundup of the top European data protection news

 Asia-Pacific Dashboard Digest Asia-Pacific Dashboard Digest

A roundup of the top privacy news from the Asia-Pacific region

 Latin America Dashboard Digest Latin America Dashboard Digest

A roundup of the top privacy news from Latin America

 U.S. Privacy Digest U.S. Privacy Digest

A roundup of US privacy news
Overview KnowledgeNet Chapters Sections Affinity Groups Volunteer Annual Awards Career Central
Find a KnowledgeNet Chapter Near You

Talk privacy and network with local members at IAPP KnowledgeNet Chapter meetings, taking place worldwide.

 IAPP Job Board

Looking for a new challenge, or need to hire your next privacy pro? The IAPP Job Board is the answer.

 IAPP Calendar

Review a filterable list of conferences, KnowledgeNets, LinkedIn Live broadcasts, networking events, web conferences and more.
Overview Online Training Live Online Training In-Person Training Books Practice Exams Train Your Staff Official Training Partners Web Conferences
Artificial Intelligence Governance Professional Artificial Intelligence Governance Professional

Learn how to surround AI with policies and procedures that make the most of its potential by reducing its risks.

 European Data Protection (CIPP/E)

Understand Europe’s framework of laws, regulations and policies, most significantly the GDPR.

 U.S. Private-Sector Privacy (CIPP/US)

Steer a course through the interconnected web of federal and state laws governing U.S. data privacy.

 Canadian Privacy (CIPP/C)

Learn the intricacies of Canada’s distinctive federal/provincial/territorial data privacy governance systems.

 Privacy Program Management (CIPM)

Develop the skills to design, build and operate a comprehensive data protection program.

Privacy in Technology (CIPT)

Add to your tech knowledge with deep training in privacy-enhancing technologies and how to deploy them.

 Foundations of Privacy and Data Protection

Introductory training that builds organizations of professionals with working privacy knowledge.

 Privacy Law Specialist Training (PLS)

Meet the stringent requirements to earn this American Bar Association-certified designation.
Overview Certification Programs Get Certified How to Prepare Continuing Privacy Education (CPE) Fees Certify Your Staff Verify a Certification
CIPP Certification CIPP Certification

The global standard for the go-to person for privacy laws, regulations and frameworks

 CIPM Certification CIPM Certification

The first and only privacy certification for professionals who manage day-to-day operations

 CIPT Certification CIPT Certification

As technology professionals take on greater privacy responsibilities, our updated certification is keeping pace with 50% new content covering the latest developments.

 FIP Designation FIP Designation

Recognizing the advanced knowledge and issue-spotting skills a privacy pro must attain in today’s complex world of data privacy.

 Privacy Law Specialist Privacy Law Specialist

The first title to verify you meet stringent requirements for knowledge, skill, proficiency and ethics in privacy law, and one of the ABA’s newest accredited specialties.

 AIGP Certification AIGP Certification

Ensures individuals responsible for AI systems can reduce the risks associated with this technology.

 Certificação CDPO/BR Certificação CDPO/BR

Mostre seus conhecimentos na gestão do programa de privacidade e na legislação brasileira sobre privacidade.

 Certification CDPO/FR Certification CDPO/FR

Certification des compétences du DPO fondée sur la législation et règlementation française et européenne, agréée par la CNIL.
Tools and Trackers Research Glossary Global Privacy Directory Enforcement Database Westin Research Center Web Conferences Jobs Privacy Vendor Marketplace
Global Privacy Directory

This tool identifies global data protection authorities and privacy legislation.
US State Privacy Legislation Tracker

The IAPP’s US State Privacy Legislation Tracker consists of proposed and enacted comprehensive state privacy bills from across the U.S.
Reports and Surveys

Access all reports and surveys published by the IAPP.
Privacy Governance Report

This report shines a light on the location, performance and significance of privacy governance within organizations.
Privacy Risk Study

This year’s Privacy Risk Study represents the most comprehensive study of privacy risk undertaken by the IAPP in collaboration with KPMG.
Artificial Intelligence

On this topic page, you can find the IAPP’s collection of coverage, analysis and resources covering AI connections to the privacy space.
CCPA and CPRA

IAPP members can get up-to-date information here on the California Consumer Privacy Act and the California Privacy Rights Act.
EU General Data Protection Regulation

The IAPP's EU General Data Protection Regulation page collects the guidance, analysis, tools and resources you need to make sure you're meeting your obligations.
Data Protection Intensive: UK Data Protection Intensive: UK

Explore the full range of U.K. data protection issues, from global policy to daily operational details.

Global Privacy Summit Global Privacy Summit

Expand your network and expertise at the world’s top privacy event featuring A-list keynotes and high-profile experts.

AI Governance Global AI Governance Global

A new event in Brussels for business leaders, tech and privacy pros who work with AI to learn about practical AI governance, accountability, the EU AI Act and more.

 Canada Privacy Symposium Canada Privacy Symposium

Leaders from across the Canadian privacy field deliver insights, discuss trends, offer predictions and share best practices.

Asia Privacy Forum Asia Privacy Forum

Hear top experts discuss global privacy issues and regulations affecting business across Asia.

 Privacy. Security. Risk. (P.S.R.) Privacy. Security. Risk. (P.S.R.)

P.S.R. focuses on the intersection of privacy and technology. The call for proposals to speak at the 2024 event is open. Submit your ideas today.

 Europe Data Protection Congress Europe Data Protection Congress

Europe’s top experts offer pragmatic insights into the evolving landscape and share knowledge on best practices for your data protection operation.

 ANZ Summit ANZ Summit

Gain exclusive insights about how privacy affects business in Australia and Aotearoa New Zealand.

 Speak at an IAPP Event

View our open calls and submission instructions.

 Sponsor an Event

Increase visibility for your organization — check out sponsorship opportunities today.

Individual Membership Corporate Membership Group Membership Student Membership
Become a Member

Start taking advantage of the many IAPP member benefits today

 Corporate Members

See our list of high-profile corporate members—and find out why you should become one, too

 Renew Your Membership

Don’t miss out for a minute—continue accessing your benefits
{[product.name]} {[ product.name ]}
clear
mode_editEdit
remove_circle_outline {[ getCartItemQuantity(product.id) ]} add_circle_outline
{[ product.price | currencyFilter ]}
TOTAL: {[ getCartTotalCost() | currencyFilter ]} Update cart for total shopping_basket Checkout

The Privacy Advisor | Top 10 operational impacts of the GDPR: Part 5 - Profiling Related reading: Top 10 operational impacts of the GDPR: Part 1 – data security and breach notification

rss_feed

""

The new General Data Protection Regulation (GDPR) is set to replace the Data Protection Directive 95/46/ec effective May 25, 2018. The GDPR is directly applicable in each member state and will lead to a greater degree of data protection harmonization across EU nations.

Although many companies have already adopted privacy processes and procedures consistent with the Directive, the GDPR contains a number of new protections for EU data subjects and threatens significant fines and penalties for non-compliant data controllers and processors once it comes into force in the spring of 2018.

With new obligations on such matters as data subject consent, data anonymization, breach notification, trans-border data transfers, and appointment of data protection officers, to name a few, the GDPR requires companies handling EU citizens’ data to undertake major operational reform.

This is the fifth in a series of articles addressing the top 10 operational impacts of the GDPR.

The GDPR restricts “profiling” and gives data subjects significant rights to avoid profiling-based decisions

Since the Directive was implemented nearly 20 years ago, technologies have proliferated that allow data controllers to gather personal data and analyze it for a variety of purposes, including drawing conclusions about data subjects and potentially taking action in response to those conclusions such as target marketing, price differentiation, and the like. Although the concepts of “profiling” or “target marketing” appear in the Directive, the precise terms do not. In its sweeping efforts to define and enhance data subjects’ rights to control their personal data, the GDPR contains many restrictions on automated data processing – and decisions based upon such processing – to the extent they can be characterized as profiling.

Definition of profiling

A hotly contested provision of the GDPR, the “profiling” restrictions ultimately adopted were narrower than initially proposed.

Under Article 4(4), data processing may be characterized as “profiling” when it involves (a) automated processing of personal data; and (b) using that personal data to evaluate certain personal aspects relating to a natural person. Specific examples include analyzing or predicting “aspects concerning that natural person's performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements.”

This definition implicitly excludes data processing that is not “automated.”

Further elaboration of this definition may be found in the Recitals, where the GDPR establishes its jurisdiction over non-EU controllers provided they are “monitoring the behaviour of [EU] data subjects as far as their behaviour takes places within the European Union.” Processing activity involves data subject “monitoring” when “individuals are tracked on the Internet including potential subsequent use of data processing techniques which consist of profiling an individual, particularly in order to take decisions concerning her or him or for analysing or predicting her or his personal preferences, behaviours and attitudes.” This definition suggests that profiling is not equivalent to tracking, but instead is something more, involving the intention to take decisions regarding a data subject or predict the subject’s behaviors and preferences.

That “profiling” requires some sort of an outcome or action resulting from the data processing is underscored by the data subject’s rights to be informed of the “consequences” of profiling decisions as discussed in Recitals 60 and 63. Articles 13 and 15, which address information to be provided a data subject upon personal data collection and upon the data subject’s request, both require disclosure of “the existence of automated decision making including profiling” along with “the significance and the envisaged consequences of such processing for the data subject.”

Elsewhere in the Recitals, data subjects are given the right to object to processing for direct marketing as well as to “profiling to the extent it is related to direct marketing,” further underscoring that profiling is not direct marketing per se but instead is something more.

Finally, Recital 91 describes the obligation to conduct a data impact assessment and characterizes the “profiling of data” as follows: “A data protection impact assessment should also be made where personal data are processed for taking decisions regarding specific natural persons following any systematic and extensive evaluation of personal aspects relating to natural persons based on profiling those data.”

Accordingly, taking all of the definitions and discussions of “profiling” together, they seem to consistently require not simply the gathering of personal data involving personal aspects of natural persons, but the automated processing of such data for the purpose of making decisions about the data subjects.

Controllers must honor data subjects’ rights regarding profiling

Data subjects are entitled under the GDPR to a number of rights with regard to profiling, some of which – like notice and access – require procedures similar to non-profiling data processing, but others of which – like the right to object, halt the profiling, and avoid profiling-based decisions – will require special attention and processes for compliance.

Restrictions on profiling-based decisions producing legal effects

Pursuant to Article 22(1) of the GDPR, data subjects have a right not necessarily to avoid profiling itself (e.g. automated processing of personal data for the purpose of making a decision), but rather to avoid being “subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her or similarly significantly affects him or her.” Recital 58 provides as examples the “automatic refusal of an on-line credit application or e-recruiting practices without any human intervention.”

Article 22(2) clarifies that the decision may nonetheless be made provided it is (a) necessary for entering into, or performance of, a contract between the data subject and a data controller; (b) authorized by Union or member state law to which the controller is subject and which also lays down suitable measures to safeguard the data subject's rights and freedoms and legitimate interests; or (c) based on the data subject's explicit consent. Suitable safeguards may include anonymization or pseudonymization as components of profiling-based activities.

In the case of a decision made pursuant to a contract with the data subject or his explicit consent, the controller must still allow the data subject to contest the decision under Article 22(3).

When data is transferred pursuant to Binding Corporate Rules, such BCRs must specify “the rights of data subjects in regard to the processing of their personal data and the means to exercise these rights, including the right not to be subject to decisions based solely on automated processing, including profiling in accordance with Article 22.”

Article 22(4) provides that profiling-based decisions shall not be based on special categories of personal data (e.g. racial, ethnic, or religious information) unless (a) the data subject has given explicit consent to the processing of those personal data for one or more specified purposes, except where prohibited by Union law or member state law; or (b) processing is necessary for reasons of substantial public interest, on the basis of Union or member state law. Even in these circumstances, described more fully in Article 9(2)(a) and (g), the controller must still ensure “suitable measures to safeguard the data subject's rights and freedoms and legitimate interests are in place.” Presumably the European Data Protection Board will provide additional guidance on the circumstances under which profiling-based decisions are permissible for special categories of personal data.

For all permissible profiling, Recital 71 compels a controller to use appropriate mathematical or statistical procedures, implement technical and organisational measures to correct personal data inaccuracies and avoid errors, secure all personal data, and minimize the risk of “discriminatory effects against natural persons on the basis of racial or ethnic origin, political opinion, religion or beliefs, trade union membership, genetic or health status, or sexual orientation.”

Notice and access

In the case of profiling decisions subject to Article 22, Article 13 provides that the controller must inform a data subject at the time data is collected not only of the fact that profiling will occur, but as well “the logic involved” and “the envisaged consequences of such processing.” Under Article 14, a data subject may also inquire of a controller and receive confirmation of any such processing, including profiling and its consequences, at any time.

Processing must cease upon data subject’s objection

Even when profiling is otherwise lawful, a data subject has the right to object at any time. Pursuant to Article 19, upon the data subject’s objection to profiling that is otherwise authorized under Article 6, the processing must cease unless the controller demonstrates “compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject.”

When processing is for direct marketing purposes, including profiling, the data subject similarly has a right to object but in this case processing must cease and the controller is not authorized to continue under any circumstances.

Data impact assessments for controllers engaged in profiling

One of the triggers requiring a data impact assessment is when a controller engages in “a systematic and extensive evaluation of personal aspects relating to natural persons which is based on automated processing, including profiling, and on which decisions are based that produce legal effects concerning the individual or similarly significantly affect the individual.” Parsing this language once again demonstrates that “profiling” involves more than merely automated processing, and that profiling may or may not involve decisions that produce legal effects or significantly affect an individual, but, when it does, the data subject is entitled to many additional rights and remedies.

Conclusion

Controllers will undoubtedly be seeking additional guidance from the European Data Protection Board to determine what automated data processing activities fall within the definition of profiling, and what profiling activities may fall outside the purview of Article 22. Data subjects, on the other hand, will benefit from a broader interpretation of profiling activities in order to be able to avoid profiling-based decisions – even those to which they have given prior explicit consent.

Photo credit: Egyptian via photopin (license)

Where to find the rules

Looking to dive deeper into the General Data Protection Regulation to read the text regarding profiling for yourself? Find the full text of the Regulation here in our Resource Center.

You’ll want to focus on these portions:

Recitals

(24) The processing of personal data of data subjects who are in the Union by a controller or processor not established in the Union should also be subject to this Regulation when it is related to the monitoring of the behaviour of such data subjects in so far as their behaviour takes place within the European Union. In order to determine whether a processing activity can be considered to monitor the behaviour of data subjects, it should be ascertained whether natural persons are tracked on the Internet including potential subsequent use of data processing techniques which consist of profiling an individual, particularly in order to take decisions concerning her or him or for analysing or predicting her or his personal preferences, behaviours and attitudes.

(60) The principles of fair and transparent processing require that the data subject be informed of the existence of the processing operation and its purposes. … Furthermore the data subject should be informed of the existence of profiling, and the consequences of such profiling. Where the personal data are collected from the data subject, the data subject should also be informed whether he or she is obliged to provide the data and of the consequences, where he or she does not provide such data. …

(63) A data subject should have the right of access to personal data which have been collected concerning him or her, and to exercise that right easily and at reasonable intervals, in order to be aware of and verify the lawfulness of the processing. This includes the right for data subjects to have access to data concerning their health, for example the data in their medical records containing information such as diagnoses, examination results, assessments by treating physicians and any treatment or interventions provided. Every data subject should therefore have the right to know and obtain communication in particular with regard to the purposes for which the personal data are processed, where possible the period for which the personal data are processed, the recipients of the personal data, the logic involved in any automatic personal data processing and, at least when based on profiling, the consequences of such processing. …

(70) Where personal data are processed for the purposes of direct marketing, the data subject should have the right to object to such processing, including profiling to the extent that it is related to such direct marketing, whether with regard to the initial or further processing, at any time and free of charge. That right should be explicitly brought to the attention of the data subject and presented clearly and separately from any other information.

(71)  The data subject should have the right not to be subject to a decision, which may include a measure, evaluating personal aspects relating to him or her which is based solely on automated processing, and which produces legal effects concerning him or her or similarly significantly affects him or her, such as automatic refusal of an online credit application or e-recruiting practices without any human intervention. Such processing includes ‘profiling’ that consists of any form of automated processing of personal data evaluating the personal aspects relating to a natural person, in particular to analyse or predict aspects concerning the data subject’s performance at work, economic situation, health, personal preferences or interests, reliability or behaviour, location or movements where it produces legal effects concerning him or her or similarly significantly affects him or her. However, decision making based on such processing, including profiling, should be allowed where expressly authorised by Union or Member State law, to which the controller is subject, including for fraud and tax evasion monitoring and prevention purposes conducted in accordance with the regulations, standards and recommendations of Union institutions or national oversight bodies and to ensure the security and reliability of a service provided by the controller, or necessary for the entering or performance of a contract between the data subject and a controller, or when the data subject has given his or her explicit consent. In any case, such processing should be subject to suitable safeguards, which should include specific information to the data subject and the right to obtain human intervention to express his or her point of view, to obtain an explanation of the decision reached after such assessment and to challenge the decision. Such measure should not concern a child. In order to ensure fair and transparent processing in respect of the data subject, taking into account the specific circumstances and context in which the personal data are processed, the controller should use appropriate mathematical or statistical procedures for the profiling, implement technical and organisational measures appropriate to ensure in particular that factors which result in inaccuracies in personal data are corrected and the risk of errors is minimised, secure personal data in a manner that takes account of the potential risks involved for the interests and rights of the data subject and that prevents inter alia discriminatory effects on natural persons on the basis of racial or ethnic origin, political opinion, religion or beliefs, trade union membership, genetic or health status, or sexual orientation, or that result in measures having such effect. Automated decision-making and profiling based on special categories of personal data should be allowed only under specific conditions.

(73) Restrictions concerning specific principles and concerning the rights of information, access to and rectification and erasure of personal data and on the right to data portability, the right to object, decisions based on profiling, as well as on the communication of a personal data breach to a data subject and on certain related obligations of the controllers may be imposed by Union or member state law, as far as necessary and proportionate in a democratic society to safeguard public security, including the protection of human life especially in response to natural or man made disasters, the prevention, investigation and prosecution of criminal offences or the execution of criminal penalties, including the safeguarding against and the prevention of threats to public security, or of breaches of ethics for regulated professions, other important objectives of general public interest of the Union or of a member state, in particular an important economic or financial interest of the Union or of a member state, the keeping of public registers kept for reasons of general public interest, further processing of archived personal data to provide specific information related to the political behaviour under former totalitarian state regimes or the protection of the data subject or the rights and freedoms of others, including social protection, public health and humanitarian purposes.…

(91) This should in particular apply to large-scale processing operations, which aim to process a considerable amount of personal data at regional, national or supranational level and which could affect a large number of data subjects and which are likely to result in a high risk, for example, on account of their sensitivity, where in accordance with the achieved state of technological knowledge a new technology is used on a large scale as well as to other processing operations which result in a high risk for the rights and freedoms of data subjects, in particular where those operations render it more difficult for data subjects to exercise their rights. A data protection impact assessment should also be made where personal data are processed for taking decisions regarding specific natural persons following any systematic and extensive evaluation of personal aspects relating to natural persons based on profiling those data or following the processing of special categories of personal data, biometric data, or data on criminal convictions and offences or related security measures. ….

Articles

Article 4, Definitions (4) ‘profiling’

Article 6, Lawfulness of processing

Article 13, Information to be provided where personal data are collected from the data subject

Article 15, Right of access by the data subject

Article 21, Right to object

Article 22, Automated individual decision-making, including profiling

Article 35, Data protection impact assessment

Article 47, Binding corporate rules

Article 70, Tasks of the Board

Author
Headshot Rita Heimes, CIPP/E, CIPP/US, CIPM IAPP Staff Contributor
Tags
Marketing/Retail
Europe
Enforcement
Privacy Operations Management
5 Comments

If you want to comment on this post, you need to login.

  • comment Lewis Barr • Jan 22, 2016 
    Excellent article, Rita. Thank you.
  • comment Lifan Shiu • Apr 18, 2016 
    How will companies comply to the right to object to profiling? Do you need to give the visitor a clear and noticable option on your website to object to profiling? Or is it enough to describe it in the privacy statement that the visitor can object for profiling by filling out a contact form or send an email?

Even if you, as business, complies how would we make this technically possible? 
 - Is Google Analytics data categorized as profiling? I would assume not if you mask the IP address of all the visitors.
 - How would you delete certain data from FaceBook retargetting, Google retargetting, etc.? Since I'm almost certain that it is now not possible to delete/ block certain records from FaceBook, Google, etc.
 - How would the right to forget even work  with the above situation. That would be even harder to make it happen.
 - What if you have multiple website (corporate, business and several retail branch websites) and a visitor makes use of his/ her right to object to profiling/ erasure of one of the sites. Do you need to not profile them of / delete their records from all of your websites?

I'm sorry that I have a lot of questions even though the rules/ law/ regulation/ directive is quite clear, the "how" is very unclear.
  • comment Andor Demarteau • Mar 30, 2017 
    This article should
 be updated with the correct article and recital numbers (e.g. recital 58 as mentioned on clarifying profiling has become recital 71 it seems in the final version).
This probably holds true for other references in this and the other 9 parts in this series as well.
It would make the entire series more useful.
Though I understand where the discrepancies came from as the series was written before the final version of the law was published.
  • comment Sam • Apr 4, 2017 
    Hi Andor,

We updated all of the references and such when we compiled this series into an e-book, free to members. Find it here: https://iapp.org/news/a/e-book-the-top-10-operational-impacts-of-the-gdpr/
  • comment Inês de Castro Ruivo • May 4, 2017 
    Very good, thank you!
Related Stories
The GDPR Is Here: What's a Privacy Pro To Do Next?
Tuesday night, the European Parliament and Council announced that, after years of negotiating, they've reached an agreement on a consolidated text of a brand-new General Data Protection Regulation. The Luxembourg Presidency of the Council of the European Union called it a "historic agreement," while...
Read More queue Save This
Where to find the rules

Looking to dive deeper into the General Data Protection Regulation to read the text regarding profiling for yourself? Find the full text of the Regulation here in our Resource Center.

You’ll want to focus on these portions:

Recitals

(24) The processing of personal data of data subjects who are in the Union by a controller or processor not established in the Union should also be subject to this Regulation when it is related to the monitoring of the behaviour of such data subjects in so far as their behaviour takes place within the European Union. In order to determine whether a processing activity can be considered to monitor the behaviour of data subjects, it should be ascertained whether natural persons are tracked on the Internet including potential subsequent use of data processing techniques which consist of profiling an individual, particularly in order to take decisions concerning her or him or for analysing or predicting her or his personal preferences, behaviours and attitudes.

(60) The principles of fair and transparent processing require that the data subject be informed of the existence of the processing operation and its purposes. … Furthermore the data subject should be informed of the existence of profiling, and the consequences of such profiling. Where the personal data are collected from the data subject, the data subject should also be informed whether he or she is obliged to provide the data and of the consequences, where he or she does not provide such data. …

(63) A data subject should have the right of access to personal data which have been collected concerning him or her, and to exercise that right easily and at reasonable intervals, in order to be aware of and verify the lawfulness of the processing. This includes the right for data subjects to have access to data concerning their health, for example the data in their medical records containing information such as diagnoses, examination results, assessments by treating physicians and any treatment or interventions provided. Every data subject should therefore have the right to know and obtain communication in particular with regard to the purposes for which the personal data are processed, where possible the period for which the personal data are processed, the recipients of the personal data, the logic involved in any automatic personal data processing and, at least when based on profiling, the consequences of such processing. …

(70) Where personal data are processed for the purposes of direct marketing, the data subject should have the right to object to such processing, including profiling to the extent that it is related to such direct marketing, whether with regard to the initial or further processing, at any time and free of charge. That right should be explicitly brought to the attention of the data subject and presented clearly and separately from any other information.

(71)  The data subject should have the right not to be subject to a decision, which may include a measure, evaluating personal aspects relating to him or her which is based solely on automated processing, and which produces legal effects concerning him or her or similarly significantly affects him or her, such as automatic refusal of an online credit application or e-recruiting practices without any human intervention. Such processing includes ‘profiling’ that consists of any form of automated processing of personal data evaluating the personal aspects relating to a natural person, in particular to analyse or predict aspects concerning the data subject’s performance at work, economic situation, health, personal preferences or interests, reliability or behaviour, location or movements where it produces legal effects concerning him or her or similarly significantly affects him or her. However, decision making based on such processing, including profiling, should be allowed where expressly authorised by Union or Member State law, to which the controller is subject, including for fraud and tax evasion monitoring and prevention purposes conducted in accordance with the regulations, standards and recommendations of Union institutions or national oversight bodies and to ensure the security and reliability of a service provided by the controller, or necessary for the entering or performance of a contract between the data subject and a controller, or when the data subject has given his or her explicit consent. In any case, such processing should be subject to suitable safeguards, which should include specific information to the data subject and the right to obtain human intervention to express his or her point of view, to obtain an explanation of the decision reached after such assessment and to challenge the decision. Such measure should not concern a child. In order to ensure fair and transparent processing in respect of the data subject, taking into account the specific circumstances and context in which the personal data are processed, the controller should use appropriate mathematical or statistical procedures for the profiling, implement technical and organisational measures appropriate to ensure in particular that factors which result in inaccuracies in personal data are corrected and the risk of errors is minimised, secure personal data in a manner that takes account of the potential risks involved for the interests and rights of the data subject and that prevents inter alia discriminatory effects on natural persons on the basis of racial or ethnic origin, political opinion, religion or beliefs, trade union membership, genetic or health status, or sexual orientation, or that result in measures having such effect. Automated decision-making and profiling based on special categories of personal data should be allowed only under specific conditions.

(73) Restrictions concerning specific principles and concerning the rights of information, access to and rectification and erasure of personal data and on the right to data portability, the right to object, decisions based on profiling, as well as on the communication of a personal data breach to a data subject and on certain related obligations of the controllers may be imposed by Union or member state law, as far as necessary and proportionate in a democratic society to safeguard public security, including the protection of human life especially in response to natural or man made disasters, the prevention, investigation and prosecution of criminal offences or the execution of criminal penalties, including the safeguarding against and the prevention of threats to public security, or of breaches of ethics for regulated professions, other important objectives of general public interest of the Union or of a member state, in particular an important economic or financial interest of the Union or of a member state, the keeping of public registers kept for reasons of general public interest, further processing of archived personal data to provide specific information related to the political behaviour under former totalitarian state regimes or the protection of the data subject or the rights and freedoms of others, including social protection, public health and humanitarian purposes.…

(91) This should in particular apply to large-scale processing operations, which aim to process a considerable amount of personal data at regional, national or supranational level and which could affect a large number of data subjects and which are likely to result in a high risk, for example, on account of their sensitivity, where in accordance with the achieved state of technological knowledge a new technology is used on a large scale as well as to other processing operations which result in a high risk for the rights and freedoms of data subjects, in particular where those operations render it more difficult for data subjects to exercise their rights. A data protection impact assessment should also be made where personal data are processed for taking decisions regarding specific natural persons following any systematic and extensive evaluation of personal aspects relating to natural persons based on profiling those data or following the processing of special categories of personal data, biometric data, or data on criminal convictions and offences or related security measures. ….

Articles

Article 4, Definitions (4) ‘profiling’

Article 6, Lawfulness of processing

Article 13, Information to be provided where personal data are collected from the data subject

Article 15, Right of access by the data subject

Article 21, Right to object

Article 22, Automated individual decision-making, including profiling

Article 35, Data protection impact assessment

Article 47, Binding corporate rules

Article 70, Tasks of the Board

Related Stories
Tags
Marketing/Retail
Europe
Enforcement
Privacy Operations Management
Recent Comments