GDPR: when do I engage in 'profiling'; what should I think about? And what is 'exclusively automated individual decision-making'?
Profiles of individuals and/or groups can be made as part of a study, for example to determine, analyse or predict a person's personality or behaviour. When profiling involves the processing of personal data, you need to be mindful of the GDPR. The GDPR also applies when exclusively automated decisions (with or without profiling) are taken in research based on personal data.
Profiling: what is it?
The widespread availability of personal data, on the internet among other places, and the ability to find correlations and create links, can allow aspects of an individual’s personality or behaviour, interests and habits to be determined, analysed and/or predicted in research.
Profiling is defined under the GDPR as «any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person’s performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements».
According to the Article 29 Working Party, profiling is composed of three elements:
- It has to be an automated form of processing. However, human intervention in the processing does not necessarily mean that the activity does not fall under the definition.
- It involves, and therefore uses, personal data.
- The objective of the profiling must be to evaluate personal aspects about a natural person, in particular to determine, analyse or predict a person's personality or behaviour or their interests and habits. A simple classification of individuals based on known characteristics such as their age, sex, and height does not necessarily lead to profiling. This will depend on the purpose of the classification.
Thus, not all monitoring and observation methods that can be used in research constitute profiling within the meaning of the GDPR. Consequently, whether or not a project constitutes profiling must be assessed on a case-by-case basis, depending on the research context.
Profiling can consist of three separate steps:
- Collection of (personal) data;
- Automated analysis to establish links;
- Applying the correlation to an individual to analyse and/or predict their personal aspects.
If you apply profiling in research, you must ensure that you comply with the requirements of the GDPR in all the above steps.
Profiling: when is it allowed?
There are three potential ways profiling can be used in research:
- General profiling;
- Decision-making based on profiling; and
- Exclusively automated decision-making, with profiling, that produces legal effects or otherwise significantly affects the data subject.
The GDPR does not prohibit profiling in principle. As a researcher, you can therefore use profiling as long as you comply with all the principles (such as transparency, purpose limitation, minimum data processing...) and have a legal basis for the processing.
Additional safeguards and restrictions do apply in the case of exclusively automated decision-making with profiling (situation 3; see below).
Participants in your research also have rights that they can exercise in the case of profiling.
Exclusively automated decision-making: what is it?
Exclusively automated decision-making is the making of decisions by technological means and without human intervention.
Exclusively automated decision-making has a different scope than profiling and may partially overlap with profiling or result from it. Exclusively automated decisions can therefore be made with or without profiling.
Exclusively automated decision-making: when is it allowed?
There are two potential ways in which exclusively automated decision-making can be used in research:
- Exclusively automated decision-making, with profiling, which produces legal effects or otherwise significantly affects the data subject;
- Exclusively automated decision-making, without profiling, which produces legal effects or otherwise significantly affects the data subject.
The GDPR provides for a general prohibition of decision-making based exclusively on automated processing (with or without profiling) if:
- That decision has legal consequences for the data subject, such as whether or not to enter into a purchase agreement or whether or not to grant a loan.
- That decision significantly affects the data subject in some other way, such as offering higher prices, or processing applications submitted over the internet entirely by computer in the first round.
However, there are exceptions to this rule; namely, if the decision:
- is necessary for the performance or conclusion of a contract;
- is permitted by a provision of Union or Member State law applicable to the controller, which also provides for appropriate measures to protect the rights and freedoms and legitimate interests of the data subject;
- is based on the explicit consent of the data subject.
Where one of these exceptions applies, measures must be taken to safeguard the rights and freedoms and legitimate interests of the data subject. These measures include at least a way for the data subject to obtain human intervention, express his/her point of view and challenge the decision.
There are further conditions that you should observe in automated decision-making involving special categories of personal data.
As a researcher, you can therefore only apply automated decision-making if an exception applies to your research (e.g. explicit consent) and you comply with all principles (such as transparency, purpose limitation, minimum data processing...).
If you use automated decision-making in your research, you must in particular inform the data subject about its existence, the underlying logic and the importance and expected consequences of that processing for the data subject (e.g. via a privacy statement or an informed consent form).
Participants in your research also have rights that they can exercise in the case of exclusively automated decision-making.
Last modified Sept. 19, 2023, 5:09 p.m.