Even if Article 22 does not apply to your processing, for example because there is human involvement in the decision-making process, you must still comply with the GDPR principles and identify and record your lawful basis for the processing. This is also the case for any new profiles you create.
Even if you don’t think the processing falls within Article 22, it’s good practice to do this and helps you be more transparent – particularly because this type of processing won’t necessarily be obvious to individuals.
As part of assessing whether your processing is fair, you also need to think about whether any profiling is fundamentally linked with the reason for using the service and what people would reasonably expect you to do with their data. Although a retailer analysing loyalty card data to decide what new products to suggest to a customer might be an expected activity; analysing someone’s social media posts to reject them for a job, refuse a loan, or increase their insurance might not be.
Individuals have access rights to the personal information you process about them, including information used in any profiling you carry out.
Remember as well that if the data you’re using isn’t correct then any profile or decision based on the data will also be flawed.
Don’t collect too much information or keep it for too long. Just because your systems allow you to retain vast quantities of data doesn’t mean you should. It also makes it more difficult to keep the data up to date, accurate and relevant for any profiling you’re carrying out.
Read our guide to the GDPR for information on compliance with the data protection principles and the different lawful bases for processing. Our guidance on lawful bases includes an interactive guidance tool which helps you to assess which lawful basis is likely to be appropriate for your processing.
Article 21 of the GDPR gives individuals the right to object to any profiling that you carry out:
- on the basis of legitimate interests or on the basis of public task or official authority. In these cases an individual can object on grounds relating to his or her particular situation. You’ll have to stop the processing unless you can show that you have a compelling reason to continue the profiling that overrides the individual’s interests;
- for direct marketing purposes. You must stop the profiling as soon as you receive an objection. There are no exemptions or grounds to refuse.
You must bring this right to the attention of individuals and present it separately from other information.
If you receive an objection under Article 21 you need to respond within one month and confirm the action you’ve taken.