Automated decision-making and profiling
What does profiling mean?
Profiling means the automated processing of personal data for evaluating the personal aspects of an individual.
In particular, profiling refers to the analysis or prediction of aspects concerning the data subject's performance at work, economic situation, health, personal preferences or interests, reliability or behaviour, location or movements.
Profiling
- is automated or partly automated
- is performed on personal data and
- evaluates personal aspects.
Generally, profiling refers to the collection of data on an individual or category of persons and the evaluation of their personal aspects or behaviour with the intention of placing them in a specific category or group. Its purpose is to analyse or predict the person's
- ability to perform a task
- interests and
- probable behaviour.
The simple categorisation of individuals by age, gender or height does not necessarily constitute profiling. The definition depends on the purpose of the categorisation. For example, a company could categorise its customers by age and gender for statistical purposes, with the objective of obtaining a comprehensive picture of its customers, without predicting or drawing conclusions on the personal aspects of individual customers. In this case, the processing is not profiling, since its purpose is not the evaluation of the personal aspects of individuals. If this were the purpose, the processing could be defined as profiling.
What does automated decision-making mean?
Decision-making is automated when
- decisions are based solely on the automated processing of personal data and
- the decisions produce legal effects concerning the data subject or significantly affect him or her.
The processing in question includes profiling as defined in the GDPR insofar as it produces legal effects concerning the data subject or affects him or her in a correspondingly significant way.
Automated decision-making is possible without profiling and vice versa. However, a single processing activity can involve both, depending on factors such as the data being used.
Decisions that are not based on automated processing alone can also involve profiling. This could be the case, for example, if a bank processes the loan applicant's credit rating data when making a loan decision and a natural person plays a significant part in the decision-making process preceding the final loan decision.
Automated decision-making can be based on any type of data. The decision can be based on, for example,
- data obtained directly from the data subject (such as collecting data with a survey form)
- data collected through observation (such as collecting location data with a phone application) or
- deduced data or data derived from certain other data, e.g. a profile created of the data subject (such as credit rating data).
Decision-making is solely automated when no natural person is involved in making the decision.
For example, the generation of a recommendation concerning the data subject as a result of an automated process would constitute automated decision-making. If a human evaluated and considered other factors affecting the final decision, the decision-making would not be solely automated.
This regulation cannot be circumvented through token human participation. For example, if automatically created profiles are routinely applied to individuals without an actual opportunity to influence the result, the decisions are solely based on automated processing.
For a natural person to be involved in the decision-making, his or her participation must be significant, i.e. the person must be able to influence the result of the decision-making.
Automated decision-making that influences the legal rights of individuals, such as the freedom of association, exercise of the right to vote or the right to take legal action, has legal effects. Decisions that influence the individual's legal standing or contractual rights can also have legal effects. For example, such legal effects concerning the data subject are involved in decisions resulting in
- the termination of an agreement
- the granting or rejection of statutory social benefits (e.g. housing allowance or child benefit) or
- refusal of entry or citizenship.
Even if the processing activity is not deemed to have legal effects, it can have a correspondingly significant effect on the data subject. Such effects have to be sufficiently significant or important with regard to the data subject. The decision should potentially cause
- significant effects on the subject's circumstances, behaviour or choices
- long-term or permanent effects on the data subject or
- in extreme cases, discrimination or exclusion of individuals.
For example, the automatic refusal of an online credit application or e-recruiting practices without any human intervention have a correspondingly significant effect on the data subject.
When is automated decision-making permitted?
The data subject has the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her or similarly significantly affects him or her. There are exceptions to this prohibition, however. Automated decision-making is permitted if the decision
- is necessary for entering into, or performance of, a contract between the data subject and a data controller
- is authorised by Union or Member State law to which the controller is subject or
- is based on the data subject's explicit consent.
In connection with such processing, the controller must ensure that at least the following safeguards are in place:
- the data subjects are notified of the processing
- simple methods for demanding human intervention in the processing, expressing his or her point of view and challenging the decision are offered to the data subject and
- the algorithms and data being processed are checked regularly in order to ensure that the decision-making process is functioning as intended and not leading to, for example, discriminatory processing.
The person in charge of the matter must be able to influence the result of the decision-making. All relevant information must be taken into account in the evaluation, and the data subject must be given the opportunity to submit additional information. In addition, the data subject has the right to obtain an explanation of the decision made after the evaluation.
Informing data subjects of automated decision-making and profiling
The controller must keep the obligation to provide information in mind in all of its processing activities. In the case of automated decision-making and profiling, the controller must pay particular attention to the transparency of processing activities.
The individuals subjected to automated decision-making must be informed of
- the existence of automated decision-making, including profiling
- meaningful information about the logic involved in the processing and
- the significance and envisaged consequences for the data subject.
The controller should, in clear and plain language, inform the data subject of the principles of automated decision-making and the weighting of factors in the decisions. The information provided should be meaningful to the data subject. An exhaustive and complicated description of the decision-making algorithm is not necessarily an appropriate way of informing data subjects on the logic employed.
For example, if credit rating data is processed in connection with making loan decisions, the data subject could be told
- why automated decision-making is employed (e.g. the responsibility of loan decisions)
- which factors are weighted in the decisions and what their weighting is
- the origin of the data (e.g. data provided by the data subject, the data subject's payment history or public data files)
- that the rating methods are verified on a regular basis in order to ensure their fairness, efficiency and equality and
- contact details for requesting the reprocessing of a decision.
The data subject should also be given the following information on the significance of the processing and its envisaged consequences:
- information on intended or future processing
- the possible effects of the automated decision-making and profiling on the data subject and
- examples of possible effects in order to ensure the meaningfulness and intelligibility of the information.
What must be taken into account in marketing based solely on automated processing?
Marketing is increasingly based on automated tools and frequently only involves automated processing of personal data. If marketing is based solely on automated processing, the controller must evaluate whether the regulations on automated decision-making are applicable to its operations.
In most cases, marketing based on profiling does not have effects corresponding to legal effects on individuals. In such cases, marketing is not considered automated decision-making. An example is marketing by an online shop based on a simple demographic profile: women aged 25‒35, living in North Ostrobothnia and probably interested in fashion and certain types of clothing.
Targeted marketing based on profiling can have correspondingly significant effects on individuals, however. This depends on factors such as:
- the intrusiveness of the profiling procedure, such as the way in which individuals are monitored through different websites, devices and services
- the expectations and hopes of the targets of marketing
- the marketing channel and
- the vulnerability of the targets of marketing.
Marketing that normally only has a minor effect on the targets can have significant effects on certain categories of data subjects, such as minorities or individuals in a vulnerable position. For example, the regular targeted marketing of high-interest loans to individuals known or presumed to be in financial difficulties could lead to further indebtedness.
Marketing targeted at children also requires special care. According to the GDPR, the personal data of children merit special protection, particularly in case of
- the use of personal data of children for marketing purposes
- the creation of personality or user profiles and
- the collection of the personal data of children when they are using services intended for children.
What must a party performing automated decision-making and profiling take into account?
Take the principles concerning the processing of personal data into account in all processing.
Automated decision-making and profiling can be based on the data subject's explicit consent. Ensure that the consent requested from the data subject fulfils the requirements set for explicit consent.
Evaluate whether automated decision-making will be necessary, or whether the same result could be achieved with a less invasive method. Automated decision-making is only permitted when it is necessary. If another efficient and less intrusive method is possible, automated decision-making cannot be considered necessary.
Ensure that the processing of special categories of personal data, such as health information, is permitted. As a rule, the processing of special categories of personal data is also prohibited when the data is generated in connection with profiling.
For example, a review of an individual's purchase history could potentially make it possible to draw conclusions on his or her state of health. In that case, the profiling could generate data belonging to special categories of personal data, even though the original purchase history data does not. In such cases, the controller must make sure that it has an appropriate basis for the processing of special categories of personal data.
The processing of special categories of personal data in automated decision-making is even more restricted. The processing of special categories of personal data in connection with automated decision-making is only permitted when
- automated decision-making is permitted and
- the processing of personal data is based on the data subject's explicit consent or is necessary on important grounds of public interest provided for in Union or Member State law.
Remember that, as a rule, data subjects have the right of access to data concerning them. The data subject also has the right to obtain information on personal data used for profiling and the data categories used to generate profiles. In addition, the data subject is entitled to receive information on the data used for the creation of the profile, as well as information on the profile and the segment in which the data subject was placed.
Data subjects who are subjected to automated decision-making also have the right to obtain the following information, which the controller is also required to deliver by the notification obligation:
- the existence of automated decision-making, including profiling
- meaningful information about the logic involved in the processing and
- information on the significance of the processing and its envisaged consequences for the data subject.
Please take into account that the right to rectification and erasure applies to the base data from which the profile was generated, the profile itself and the rating applied to the data subject.
Please note that, in certain situations, the data subject has the right to object, on grounds relating to his or her particular situation, at any time to processing of personal data concerning him or her. The data subject must be informed of the possibility to exercise the right to object.
Take the special status of children into account. The GDPR does not explicitly provide for automated decision-making and profiling with regard to children. However, it is stated in the recitals that children should not be subjected to decisions that are based solely on automated processing and have legal effects or correspondingly significant effects. Subjecting children to automated decision-making and profiling can be justified, however, for example in order to safeguard the well-being of the child. In such cases, ensure that the appropriate protection measures are taken.
Carry out a data protection impact assessment particularly when
- performing a systematic and extensive evaluation of the personal aspects of individuals
- the evaluation is based on automated processing such as profiling and
- the evaluation will lead to decisions with legal effects concerning natural persons or that affect them in a correspondingly significant manner.