
Understand everything about profiling

Our articles follow on from our "1 minute to understand everything" episodes: short videos in which our lawyers, who specialise in personal data protection, give simple definitions of the key concepts of the General Data Protection Regulation (GDPR) and illustrate them with concrete examples. Follow us on LinkedIn so you don't miss any news!  

Today we are addressing the notion of profiling. Make yourself comfortable, we'll explain everything to you in 5 minutes!  

 What is profiling?  

Article 4(4) of the GDPR defines profiling as follows:  

 "Any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person's performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements."  

In other words, profiling is processing that uses personal data to evaluate certain personal aspects of a natural person, with the aim of analysing or predicting behaviours or habits such as a person's preferences. Profiling is used in many sectors, not only marketing and communication but also medicine, education, banking, etc. According to the Article 29 Working Party (WP29) Guidelines on automated individual decision-making and profiling (revised in 2018), three criteria together determine whether processing amounts to profiling:  

  • the processing is automated;  
  • it concerns personal data;  
  • its purpose is to evaluate personal aspects of a natural person.  

This processing can be a real advantage for the data controller, who can make predictions, sort people into groups or categories and infer information about them. However, it can also create significant risks for the rights and freedoms of the people concerned. If the data on which the profiling is based is inaccurate, for example, the processing may produce an inaccurate prediction and potentially lead to a refusal of access to a service or good, or to unjustified discrimination.  

 What rights do people affected by profiling have?  

Right to be informed  

Under the principle of lawfulness, fairness and transparency established by the GDPR (Article 5(1)(a)), the data controller must inform the person of the existence and operation of the profiling it implements. This information must be provided in a concise, transparent, intelligible and easily accessible form. If the data was obtained directly from the individual, the information must be provided at the time the personal data is collected. If the data was obtained indirectly, the data controller must inform the person within a reasonable period and at the latest within one month; this deadline is set by Article 14(3).  

Right of access  

The person can exercise their right of access to the data used for profiling. This right allows them, on the one hand, to obtain the data the data controller uses to carry out the profiling and, on the other hand, to access information about the profile created and the categories in which they have been placed.  

However, the exercise of the right of access must not adversely affect the rights and freedoms of others, including trade secrets or intellectual property. In other words, the right of access does not override the copyright protecting the software used for profiling (Recital 63). That said, Recital 63 also makes clear that these considerations must not result in a refusal to provide the data subject with any information at all.  

Right to rectification, erasure and restriction of processing  

As explained above, profiling based on incorrect data can pose a high risk to the rights and freedoms of data subjects. To limit this risk, it is essential that data subjects can correct, complete or delete the personal data used for profiling. The person can therefore exercise their right to rectification and their right to erasure of the data concerning them. Individuals can challenge the accuracy both of the data they provided and of the data produced by the profiling (e.g. the person's final score or the inferred profile).  

Finally, individuals can request restriction of processing, at any stage of the profiling process.  

Right to object  

Under Article 21(1) of the GDPR, the data subject can object, on grounds relating to their particular situation, to processing, including profiling, that is based on the performance of a task in the public interest or on the controller's legitimate interests (Article 6(1)(e) or (f)).  

Article 21(2) of the GDPR establishes an unconditional right to object where personal data is processed for direct marketing purposes, including profiling to the extent that it is related to such direct marketing. Outside this case, the right to object may be limited if the data controller demonstrates compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject. According to the WP29 guidelines, this may be the case if the profiling is "beneficial for society as a whole, not just for the business interests of the controller, such as profiling to predict the spread of contagious diseases" (Guidelines on automated individual decision-making and profiling, page 20).  

 What is fully automated decision making?  

A fully automated decision is made without human intervention: the decision rests solely on technological means. This is the case, for example, when a fine is issued to a driver after a fixed speed camera has detected speeding. The process is fully automated: the camera records the offence and the fine is sent to the driver automatically, without any official intervening.  

Article 22 of the GDPR governs automated individual decision-making. In principle, a decision based solely on automated processing is prohibited if it produces legal effects concerning the person or similarly significantly affects them (Article 22(1)). A decision with legal or similar effects could, for example, lead to the termination of a contract or the refusal of a social benefit.  

This prohibition has exceptions (Article 22(2)), which apply where the decision is:  

  •  "necessary for entering into, or performance of, a contract between the data subject and a data controller;  
  •  authorised by Union or Member State law to which the controller is subject and which also lays down suitable measures to safeguard the data subject's rights and freedoms and legitimate interests; or  
  •  based on the data subject's explicit consent."    

Finally, Article 22(3) of the GDPR provides that where the contract or explicit consent exceptions apply, the data controller must implement suitable safeguards to protect the rights, freedoms and legitimate interests of data subjects despite the fully automated decision-making (in the case of the legal-authorisation exception, the law itself must lay down those safeguards). At a minimum, the data controller must allow the person to obtain human intervention, to express their point of view and to contest the decision.  

 What rights do the person concerned by fully automated decision-making have?  

As explained above, the person has the right to request human intervention in automated decision-making. In addition, the person has the right to be informed and to access the data concerning them. The data controller must:  

  • Inform the person of the existence of fully automated decision-making,  
  • Explain in a simple and understandable way how the process works (its reason for existence and the criteria on which it is based),  
  • Inform the person about the importance and consequences of the processing, in particular how automated decision-making could affect the data subject.  

 What are the commonalities/differences between "profiling" and "fully automated decision-making"?  

These are two related but distinct notions. A fully automated decision is made by an algorithm, without human intervention. It may or may not be based on profiling. In the fixed speed camera example above, the automated decision is not based on profiling at all.  

In practice, however, fully automated decisions are often based on profiling, and profiling frequently leads to a decision being made about the person.    

 Is an impact analysis necessary for profiling processing and automated decision-making?  

Article 35(3)(a) of the GDPR specifically provides that a data protection impact assessment (DPIA) is required where the processing involves a systematic and extensive evaluation of personal aspects relating to natural persons, which is based on automated processing, including profiling, and on which decisions are based that produce legal effects concerning the natural person or similarly significantly affect them.  

 How to carry out an impact analysis with Data Comply One (formerly Mission RGPD)?  

The Data Comply One platform (formerly Mission RGPD) includes a PIA module (Privacy Impact Assessment, known in French as an "analyse d'impact"). You are guided through each step of your impact assessment in an automated way. Data Comply One (formerly Mission RGPD) proposes an analysis of the risk posed by the data processing. You can then draw up your action plan to improve your processes, assign actions to the operational staff concerned and track their progress.  

With Data Comply One (formerly Mission RGPD), carrying out an impact analysis and complying with the GDPR is simpler!