The UK’s independent authority set up to uphold information rights in the public interest, promoting openness by public bodies and data privacy for individuals.

In detail

You can only carry out this type of processing if you can rely on one of the three exceptions set out in Article 22(2). These exceptions are not the same as the lawful bases for processing required under Article 6.

What are the exceptions?

  • When the decision is necessary for a contract

You need to consider whether the decision is actually necessary for the performance of a contract with the individual. This means that it does not have to be essential, but it should be a targeted and reasonable way of meeting your contractual obligations. It should also be the least privacy intrusive way to reasonably achieve your objective.

The wording of this exception implies that the decision-making defined in Article 22(1) could potentially be carried out by a different controller than the one who is party to the contract with the individual.

“if the decision is necessary for entering into, or performance of, a contract between the data subject and a (not the) data controller.”

Article 22(2) (a)

Example

A loan application might represent a contract between a financial organisation and a potential borrower. The financial organisation relies on an automatically generated credit score carried out by a credit reference agency to decide whether or not to agree the loan.

Even though the contract is not between the data subject and the credit reference agency the decision is covered by Article 22(2)(a) as long as it can be shown that it is necessary for the contract to be fulfilled.

  • When the decision is authorised by law.

The decision has to be authorised by law, but this doesn’t mean that there has to be a law which explicitly states that solely automated decision-making is authorised for a particular purpose. The Data Protection Act 2018 (DPA 2018) refers only to a decision which is ‘required or authorised by law’ (Chapter 2, Part 2, Section 14 (3)(b)).

If you have a statutory or common law power to do something, and automated decision-making/profiling is the most appropriate way to achieve your purpose, then you may be able to justify this type of processing as authorised by law and rely on Article 22(2)(b). However you must be able to show that it’s reasonable to do so in all the circumstances.

Example

In the financial services sector, an organisation might use automated decision-making, including profiling, to identify fraud, in order to comply with a high level regulatory requirement to detect and prevent crime. It identifies cases of potential fraud by comparing data from credit reference agencies, bank accounts, the Land Registry, the DVLA, credit card sales, online marketplaces and social media.

  • When the decision is based on the individual’s explicit consent.

Firstly you need to understand what explicit consent looks like. Consent generally under the GDPR must be a freely given, specific, informed and unambiguous affirmative indication of the individual’s wishes.

Explicit consent means that the individual should expressly confirm their consent, for example by a written statement, filling in an electronic form or sending an email. Our guidance on consent provides more information on this area.

In the context of Article 22, in order to be specific and informed your consent request needs to explain that the decision will be entirely automated.

What about special categories of personal data?

Article 22(4) provides an additional layer of protection for special category personal data. You can only carry out the processing described in Article 22(1) if one of the above exceptions applies and:

  • you have the individual’s explicit consent; or
  • the processing is necessary for reasons of substantial public interest. Substantial public interest conditions are set out in Schedule 1 Part 2 of the DPA 2018.

Further reading – ICO guidance

ICO consent guidance

 

Further reading – European Data Protection Board

The European Data Protection Board (EDPB), which has replaced the Article 29 Working Party (WP29), includes representatives from the data protection authorities of each EU member state. It adopts guidelines for complying with the requirements of the GDPR.

WP29 published the following guidelines which have been endorsed by the EDPB: