
GDPR series: profiling and automated decision-making

Everyone knows by now that parties such as Facebook and Amazon compose profiles of their users. These profiles are compiled on the basis of, among other things, social communities, 'likes' and purchased products. Based on these profiles, it is then possible to advertise in a more targeted way and to make suggestions to users.

But is this allowed? What if your profile is incorrect? And what if a party decides on the basis of this profile whether or not you are creditworthy?

These questions will be addressed in this part of our GDPR series. It will specifically zoom in on the provisions concerning profiling and automated decision-making in the General Data Protection Regulation ('GDPR').

Profiling

Profiling consists of any form of automated processing of personal data evaluating certain personal aspects relating to a natural person. Profiling is particularly used to analyze or predict aspects concerning a person's performance at work, economic situation, health, personal preferences, interests, reliability, behavior, location and movements. In other words, profiling implies that someone is being evaluated on the basis of a risk-profile.

Profiling in itself is permitted in accordance with the GDPR. However, this may change if decisions are made on the basis of these profiles.

Automated decision-making

As stated in the GDPR, automated decision-making based on profiling is restricted if it produces legal effects concerning the data subject or similarly significantly affects him or her. One example of this is the situation concerning the creditworthiness of a person. Another example is the processing of applications via the internet without human intervention.

However, a general rule typically comes with an exception. The rules concerning automated decision-making are no different: it is allowed if the decision:

  • is necessary for entering into, or performance of, an agreement with the data subject;
  • is permitted under Dutch law (e.g. detection of tax fraud); or
  • is based on the data subject's explicit consent.

When automated decision-making takes place based on one of these grounds, the data controller is nonetheless required to implement suitable safeguards. This means that the data subject must be specifically informed about this, has a right to obtain human intervention on the part of the controller and has a right to express his or her point of view and to contest the decision. The data subject also has the right to an explanation of the decision reached after such assessment.

Organizations should nonetheless bear in mind that automated decision-making should never concern children and be aware of the specific conditions that apply when decision-making is based on special categories of personal data.

What will change?

The term 'profiling' was not included as such in the Dutch Data Protection Act (Wet bescherming persoonsgegevens, 'Wbp'). The prohibition on fully automated decision-making and the exceptions to it were, however, included in the Data Protection Act. Former Dutch legislation therefore also allowed decision-making based on profiling only if sufficient safeguards were implemented. As far as the prohibition and its exceptions are concerned, not much has changed in the Netherlands due to the implementation of the GDPR.

What is new is the explicit statement in the GDPR that the data subject has the right to object to profiling. The organization in question may only reject this objection if it invokes compelling, justified grounds for the profiling that outweigh the interests of the person concerned.

However, this does not apply in the case of profiling in relation to direct marketing. If the data subject objects to this, his or her personal data may in any case no longer be used for such purposes. That right should also be explicitly brought to the attention of the data subject and presented clearly and separately from any other information.

What does this mean for your organization?

If your business model is (largely) based on profiling or automated decision-making, the GDPR is a good reason to re-examine your business operations. For example, you should assess whether the mathematical/statistical procedures on the basis of which profiles are composed are still up to date. It is also important that your organization has taken sufficient technical and organizational measures to ensure that inaccuracies are corrected on time and that the risk of errors is kept to a minimum. Finally, you will have to assess whether your organization is complying with its obligation to provide all necessary information to the data subjects.
