Automated decision-making and profiling
What does profiling mean?
Profiling means the automated processing of personal data for evaluating the personal aspects of an individual.
In particular, profiling refers to the analysis or prediction of aspects concerning the data subject's performance at work, economic situation, health, personal preferences or interests, reliability or behaviour, location or movements.
- is automated or partly automated
- is performed on personal data and
- evaluates personal aspects.
What does automated decision-making?
Decision-making is automated when
- decisions are based solely on the automated processing of personal data and
- the decisions produce legal effects concerning the data subject or significantly affect him or her.
The processing in question includes profiling as defined in the GDPR insofar as it produces legal effects concerning the data subject or affects him or her in a correspondingly significant way.
Automated decision-making is possible without profiling and vice versa. However, a single processing activity can involve both, depending on factors such as the data being used.
Decisions that are not based on automated processing alone can also involve profiling. This could be the case, for example, if a bank processes the loan applicant's credit rating data when making a loan decision and a natural person plays a significant part in the decision-making process preceding the final loan decision.
Automated decision-making can be based on any type of data. The decision can be based on, for example,
- data obtained directly from the data subject (such as collecting data with a survey form)
- data collected through observation (such as collecting location data with a phone application) or
- deduced data or data derived from certain other data, e.g. a profile created of the data subject (such as credit rating data).
When is automated decision-making permitted?
Data subjects have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her or similarly significantly affects him or her. There are exceptions to this prohibition, however. Automated decision-making is permitted if the decision
- is necessary for entering into, or performance of, a contract between the data subject and a data controller
- is authorised by Union or Member State law to which the controller is subject or
- is based on the data subject's explicit consent.
In connection with such processing, the controller must ensure that at least the following safeguards are in place:
- the data subjects are notified of the processing
- simple methods for demanding human intervention in the processing, expressing his or her point of view and challenging the decision are offered to the data subject and
- the algorithms and data being processed are checked regularly in order to ensure that the decision-making process is functioning as intended and not leading to, for example, discriminatory processing.
The person in charge of the matter must be able to influence the result of the decision-making. All relevant information must be taken into account in the evaluation, and the data subject must be given the opportunity to submit additional information. In addition, the data subject has the right to obtain an explanation of the decision made after the evaluation.
Informing data subjects of automated decision-making and profiling
The controller must keep the obligation to provide information in mind in all of its processing activities. In the case of automated decision-making and profiling, the controller must pay particular attention to the transparency of processing activities.
The individuals subjected to automated decision-making must be informed of
- the existence of automated decision-making, including profiling
- meaningful information about the logic involved in the processing and
- the significance and envisaged consequences for the data subject.
The controller should, in clear and plain language, inform the data subject of the principles of automated-decision making and the weighting of factors in the decisions. The information provided should be meaningful to the data subject. An exhaustive and complicated description of the decision-making algorithm is not necessarily an appropriate way of informing data subjects on the logic employed.
For example, if credit rating data is processed in connection with making loan decisions, the data subject could be told
- why automated decision-making is employed (e.g. the responsibility of loan decisions)
- which factors are weighted in the decisions and what their weighting is
- the origin of the data (e.g. data provided by the data subject, the data subject's payment history or public data files)
- that the rating methods are verified on a regular basis in order to ensure their fairness, efficiency and equality and
- contact details for requesting the reprocessing of a decision.
The data subject should also be given the following information on the significance of the processing and its envisaged consequences:
- information on intended or future processing
- the possible effects of the automated decision-making and profiling on the data subject and
- examples of possible effects in order to ensure the meaningfulness and intelligibility of the information.
What must be taken into account in marketing based solely on automated processing?
Marketing is increasingly based on automated tools and frequently only involves automated processing of personal data. If marketing is based solely on automated processing, the controller must evaluate whether the regulations on automated decision-making are applicable to its operations.
In most cases, marketing based on profiling does not have effects corresponding to legal effects on individuals. In such cases, marketing is not considered automated decision-making. As an example, marketing by an online shop based on a simple demographic profile: women aged 25‒35, living in North Ostrobothnia and probably interested in fashion and certain types of clothing.
Targeted marketing based on profiling can have correspondingly significant effects on individuals, however. This depends on factors such as:
- the intrusiveness of the profiling procedure, such as the way in which individuals are monitored through different websites, devices and services
- the expectations and hopes of the targets of marketing
- the marketing channel and
- the vulnerability of the targets of marketing.
Marketing that normally only has a minor effect on the targets can have significant effects on certain categories of data subjects, such as minorities or individuals in a vulnerable position. For example, the regular targeted marketing of high-interest loans to individuals known or presumed to be in financial difficulties could lead to further indebtedness.
Marketing targeted at children also requires special care. According to the GDPR, the personal data of children merit special protection, particularly in case of
- the use of personal data of children for marketing purposes
- the creation of personality or user profiles and
- the collection of the personal data of children when they are using services intended for children.
What must a party performing automated decision-making and profiling take into account?
General Data Protection Regular: Articles 4 (section 4), 9, 12, 13, 14, 15, 21, 22, 35 (sections 1 and 3)
Guidelines on Automated Individual Decision-making and Profiling for the Purposes of Regulation 2016/679 (pdf)