In brief…

The GDPR provides safeguards for individuals against the risk that a potentially damaging decision is taken without human intervention. These rights work in a similar way to existing rights under the DPA.

Identify whether any of your processing operations constitute automated decision making and consider whether you need to update your procedures to deal with the requirements of the GDPR.

In more detail…

When does the right apply?

Individuals have the right not to be subject to a decision when:

  • it is based on automated processing; and
  • it produces a legal effect or a similarly significant effect on the individual.

You must ensure that individuals are able to:

  • obtain human intervention;
  • express their point of view; and
  • obtain an explanation of the decision and challenge it.


Does the right apply to all automated decisions?

No. The right does not apply if the decision:

  • is necessary for entering into or performance of a contract between you and the individual;
  • is authorised by law (eg for the purposes of fraud or tax evasion prevention); or
  • based on explicit consent. (Article 9(2)).

Furthermore, the right does not apply when a decision does not have a legal or similarly significant effect on someone.


What else does the GDPR say about profiling?

The GDPR defines profiling as any form of automated processing intended to evaluate certain personal aspects of an individual, in particular to analyse or predict their:

  • performance at work;
  • economic situation;
  • health;
  • personal preferences;
  • reliability;
  • behaviour;
  • location; or
  • movements.

When processing personal data for profiling purposes, you must ensure that appropriate safeguards are in place.

You must:

  • Ensure processing is fair and transparent by providing meaningful information about the logic involved, as well as the significance and the envisaged consequences.
  • Use appropriate mathematical or statistical procedures for the profiling.
  • Implement appropriate technical and organisational measures to enable inaccuracies to be corrected and minimise the risk of errors.
  • Secure personal data in a way that is proportionate to the risk to the interests and rights of the individual and prevents discriminatory effects.

Automated decisions taken for the purposes listed in Article 9(2) must not:

  • concern a child; or
  • be based on the processing of special categories of data unless:
    • you have the explicit consent of the individual; or
    • the processing is necessary for reasons of substantial public interest on the basis of EU / Member State law. This must be proportionate to the aim pursued, respect the essence of the right to data protection and provide suitable and specific measures to safeguard fundamental rights and the interests of the individual.

Next steps for the Article 29 Working Party

According to its workplan, the Article 29 Working Party will publish guidelines on profiling in 2017.

Next steps for the ICO

We have published our profiling discussion paper for feedback. The deadline for responses has now passed. We will analyse the feedback received and will publish a summary of responses in due course. This feedback will inform our input into the drafting of the EU guidance on profiling and automated decision-making.