GDPR Learning Hub

Article 22 of the GDPR

Automated decisions with or without profiling

Automated decisions with or without profiling are decisions based solely on some form of automated decision-making, for example through algorithms, without the involvement of a natural person’s judgement.

Rights related to automated decisions with or without profiling

Automated decisions can significantly affect data subjects or have legal consequences for them. Therefore, data subjects have the right not to be subject to automated decisions under the GDPR.

Article 22 of the GDPR governs the data subject’s rights regarding automated decisions and profiling. This is one of the eight fundamental rights that data subjects have under the GDPR. In this article, we explain the meaning of “automated decision” and “profiling” according to the GDPR. 

The meaning of automated decisions with or without profiling

An automated decision is a decision that a company takes about something, for example by an algorithm, without personal contact.

Examples of automated decisions with or without profiling

Rejection of a credit loan application

A private individual applies for a credit loan from a bank on the internet and receives a rejection of the application. The bank has thus decided to reject the loan application automatically, through its algorithms. This means that there has been an automatic analysis of the information provided by the person in his/her application. The bank did the analysis through an algorithm, without the involvement of a physical bank employee.

Rejection of a job application

A data subject applies for a job online via an e-recruitment tool and receives an automatic negative decision. The recruitment company did the assessment of the candidate's submitted CV through an algorithm, without the involvement of a physical recruiter.

Actors who frequently make use of automated decisions

Some private and public actors can make decisions using algorithms in relation to the processing of personal data. This is common in, for example, hospitals, marketing, banks and tax offices. It is an effective way for these actors to make decisions, but such decisions may affect the data subject legally or otherwise.

Therefore, it is important that companies that make automated decisions, with or without profiling, are transparent about this. The data subject has the right to receive information about automated decisions, whether they include profiling or not. 

A company does not necessarily base its automated decision-making only on information provided by the data subject. It can also use information obtained through the company’s own observations, for example when a company operating a mobile application collects users' location data and makes decisions based on it.

Data subjects may demand not to be subject to decision-making that is purely automatic. However, the data subject does not always have this right.

Examples of when automated decisions may be allowed 

A company can conduct automated decisions in the following cases: 

Contract

If it is necessary to conduct the automated decision for the conclusion or performance of a contract which the data subject is a party to.

Consent

When the controller has obtained explicit, voluntary and active consent to automated decision-making from the data subject.

Legally allowed

If specific legislation expressly allows automated decisions. It can be a national law or in accordance with European Union law.

Actions after an automated decision has been taken 

When a company makes a decision by automated means, such as by using algorithms, the company must inform that the automated decision.

The meaning of profiling under the GDPR

In some cases, a company can take a decision by automated means using profiling. Profiling is the automatic processing of personal data for the purpose of assessing the personal characteristics of the data subject. 

Article 4(4) of the GDPR governs the definition of profiling. In short, this means that the controller will use the personal data to assess certain personal characteristics of the data subject. For example, a company can use profiling in connection with automated decisions to analyse or predict work performance, or to analyse or predict other parameters such as interests, health, personal preferences, behavior or reliability.

When a company conducts profiling, the data subject’s personal data is being processed. Therefore, the data subject has the right to receive information about the processing. 

If a company takes an automated decision using profiling, the same rights apply as for automated decisions taken without profiling.

Guidelines on automated individual decision-making and profiling

If you want to go into more depth on the rules for automated decision-making and profiling under the GDPR, you can visit the European Commission’s website. From there, you can download their document with guidelines on automated individual decision-making and profiling.

Other data subjects' rights under the GDPR

The right to be informed

The right to information means that the company shall inform the data subjects about the processing of their personal data. For example, the purpose of the processing and the legal basis on which the processing is based. Also, information about how long the personal data will be processed and their other rights under the GDPR. In addition, in some cases, data subjects must be informed in the event of a personal data breach. They also have the right to know what personal data the company processes during the processing.
