Rights related to automated decision-making and profiling under the GDPR and D-DPA
With this newsletter, we aim to provide a practical overview of the most relevant changes resulting from the General Data Protection Regulation (GDPR) and the new Swiss Data Protection Act (D-DPA), a draft revision of which is still subject to debate.
In our previous article, we discussed the rights under the GDPR and D-DPA to withdraw consent and to object and lodge a complaint with a supervisory authority. This article focusses on data subjects’ rights related to automated decision-making and profiling.
Definitions of automated decision-making and profiling
‘Automated individual decision-making’ is the process of making a decision about an individual by automated means. If the automated decision-making is ‘solely’ automated (please see below for further explanation), the decision is made only by technological means without any human involvement.
‘Profiling’ refers to any form of automated personal data processing that uses personal data to evaluate certain personal aspects relating to an individual. Specifically, it involves analysis or prediction of aspects concerning that natural person's performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements. Although profiling always involves some form of automated processing, human intervention does not necessarily exclude the activity from being considered profiling. The use of the words ‘evaluate certain personal aspects’ suggests that profiling involves some form of assessment or judgement about a person.
As you can see from the above, automated decision-making and profiling have different scopes: unlike automated decision-making, profiling does not consist of a decision but rather an evaluation of personal aspects about an individual. Hence, automated decisions can be made with or without profiling, and profiling can take place without making automated decisions. Nonetheless, they are not necessarily different activities. Automated decision-making may overlap with or result from profiling. For instance, imposing speeding fines based on evidence from speed cameras is a form of automated decision-making which does not involve profiling. However, it would become a decision based on profiling if the amount of the fine were to be based on an automated assessment of certain personal aspects of the individual concerned, such as his or her driving habits (repeated speeding offences, other recent traffic violations, etc.).
Rights related to automated decision-making and profiling under the GDPR
Since automated decision-making and profiling constitute processing of personal data, the general rights of data subjects, such as the right to be informed and the right of access, apply to these activities.
Additionally, the GDPR provides some specific provisions with respect to decisions about an individual based solely on automated processing (including profiling) without any human involvement. Such solely automated decision-making is generally prohibited if the decision produces legal effects concerning the individual or similarly significantly affects them. A legal effect requires that the decision affects someone’s legal rights, for instance his or her rights under a contract. Typical examples of decision-making that similarly significantly affects an individual include the automatic refusal of an online credit application or e-recruiting practices without any human intervention.
As explained above, profiling as such does not constitute such decision-making, so it falls outside the scope of the general prohibition. That being said, decisions based on profiling might fall under the general prohibition.
There are three exceptions to the general prohibition:
- when the decision is necessary for the conclusion or performance of a contract between the individual and the data controller;
- if the decision is authorised by law; or
- if the individual concerned gave explicit consent.
In case the first or third exception applies, suitable measures must be implemented to safeguard the data subject’s rights, freedoms and legitimate interests: the individuals must at least have the right to obtain human intervention (which means verification by a human being), to express their point of view and to contest the decision. Furthermore, specific rules apply if the decision is (also) based on special categories of data.
In addition to the above, the data subjects concerned must be informed about the existence of solely automated decision-making (including profiling) which produce legal effects concerning them or similarly significantly affect them, or which concern special categories of personal data. Furthermore, they must be provided with meaningful information about the logic involved and about the significance and envisaged consequences of such processing.
Rights related to automated decision-making and profiling under the D-DPA
The rights related to automated decision-making and profiling under the future DPA differ from those under the GDPR. The D-DPA contains no general prohibition of automated decision-making. The only specific rights it grants data subjects are information rights and the possibility of expressing their point of view and requesting verification by a human being.
Comply with the highest standards
The safest approach for controllers is to comply with the highest standards of both the GDPR and the D-DPA.
Therefore, organisations should:
- Ensure that every processing activity that involves profiling and/or automated decision-making complies with both the GDPR and the D-DPA;
- Set up internal procedures and protocols for handling requests from data subjects regarding the intervention of a human being in the automated decision-making process, expressing their point of view and their right to contest a decision. Such protocols should also include procedures for verifying a data subject’s identity;
- Carry out regular checks to make sure that your systems are working as intented.
Joanne ZaaijerAssociate Attorney at law
Joanne Zaaijer, attorney at law, is an associate in our Rotterdam office. She focusses on data protection and privacy law, telecommunications, life sciences, advertising and e-commerce.T: +31 20 578 52 55 M: +31 6 53 57 74 21 E: Joanne.Zaaijer@loyensloeff.com