At a glance

  • The GDPR provides safeguards for individuals against the risk that a potentially damaging decision is taken without human intervention.
  • Identify whether any of your processing operations constitute automated decision making and consider whether you need to update your procedures to deal with the requirements of the GDPR.

In brief

When does the right apply?

Individuals have the right not to be subject to a decision when:

  • it is based on automated processing; and
  • it produces a legal effect or a similarly significant effect on the individual.

You must ensure that individuals are able to:

  • obtain human intervention;
  • express their point of view; and
  • obtain an explanation of the decision and challenge it.

Does the right apply to all automated decisions?

No. The right does not apply if the decision:

  • is necessary for entering into or performance of a contract between you and the individual;
  • is authorised by law (eg for the purposes of fraud or tax evasion prevention); or
  • is based on explicit consent (Article 9(2)).

Furthermore, the right does not apply when a decision does not have a legal or similarly significant effect on someone.

What else does the GDPR say about profiling?

The GDPR defines profiling as any form of automated processing intended to evaluate certain personal aspects of an individual, in particular to analyse or predict their:

  • performance at work;
  • economic situation;
  • health;
  • personal preferences;
  • reliability;
  • behaviour;
  • location; or
  • movements.

When processing personal data for profiling purposes, you must ensure that appropriate safeguards are in place.

You must:

  • ensure processing is fair and transparent by providing meaningful information about the logic involved, as well as the significance and the envisaged consequences;
  • use appropriate mathematical or statistical procedures for the profiling;
  • implement appropriate technical and organisational measures to enable inaccuracies to be corrected and minimise the risk of errors; and
  • secure personal data in a way that is proportionate to the risk to the interests and rights of the individual and prevents discriminatory effects.

Automated decisions taken for the purposes listed in Article 9(2) must not:

  • concern a child; or
  • be based on the processing of special categories of data unless:
    • you have the explicit consent of the individual; or
    • the processing is necessary for reasons of substantial public interest on the basis of EU / Member State law. This must be proportionate to the aim pursued, respect the essence of the right to data protection and provide suitable and specific measures to safeguard fundamental rights and the interests of the individual.

In more detail – Article 29

The Article 29 Working Party includes representatives from the data protection authorities of each EU member state. It adopts guidelines for complying with the requirements of the GDPR.

The Article 29 Working Party has published guidelines on Automated individual decision-making and Profiling. The consultation period for these guidelines will run for six weeks from 17 October 2017.

Comments should be sent to the following addresses by 28 November 2017 at the latest.

JUST-ARTICLE29WP-SEC@ec.europa.eu and presidenceg29@cnil.fr.

In more detail – ICO guidance

We have now analysed the responses to our request for feedback on profiling and automated decision-making. A summary of the responses is available on the Consultation pages of the website.

We are currently considering whether the ICO can provide any further detail over and above the Article 29 Working Party guidelines. We will add any additional advice we are able to provide here in due course.