GDPR series: profiling and automated decision-making

Everyone knows by now that parties such as Facebook and Amazon compose profiles of their users. These profiles are compiled on the basis of, among other things, social communities, ‘likes’ and purchased products. Based on these profiles, it is then possible to advertise in a more targeted way and to make suggestions to users.

But is this allowed? What if your profile is incorrect? And what if a party decides on the basis of this profile whether or not you are creditworthy?

These questions are addressed in this part of our GDPR series, which zooms in on the provisions concerning profiling and automated decision-making in the General Data Protection Regulation (‘GDPR’).

Profiling

Profiling consists of any form of automated processing of personal data evaluating certain personal aspects relating to a natural person. Profiling is particularly used to analyse or predict aspects concerning a person’s performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location and movements. In other words, profiling implies that someone is being evaluated on the basis of a risk-profile.

Profiling in itself is permitted in accordance with the GDPR. However, this may change if decisions are made on the basis of these profiles.

Automated decision-making

As stated in the GDPR, automated decision-making based on profiling is restricted if it produces legal effects concerning the data subject or similarly significantly affects him or her. One example of this is the situation concerning the creditworthiness of a person. Another example is the processing of applications via the internet without human intervention.

However, a general rule typically comes with an exception. This is no different for the rules concerning automated decision-making, which is allowed if the decision:

  • is necessary for entering into, or performance of, an agreement with the data subject;
  • is permitted under Dutch law (e.g. detection of tax fraud); or
  • is based on the data subject’s explicit consent.

When automated decision-making takes place based on one of these grounds, the data controller is nonetheless required to implement suitable safeguards. This means that the data subject must be specifically informed about this, has a right to obtain human intervention on the part of the controller and has a right to express his or her point of view and to contest the decision. The data subject also has the right to an explanation of the decision reached after such assessment.

Organisations should nonetheless bear in mind that automated decision-making should never concern children and be aware of the specific conditions that apply when decision-making is based on special categories of personal data.

What will change?

The term ‘profiling’ was not included as such in the Dutch Data Protection Act (Wet bescherming persoonsgegevens, ‘wbp’). The prohibition on fully automated decision-making and the exceptions to it were, however, included in the Data Protection Act. Former Dutch legislation therefore also allowed decision-making based on profiling, but only if sufficient safeguards were implemented. As far as the prohibition and its exceptions are concerned, not much has changed in the Netherlands due to the implementation of the GDPR.

What is new is the explicit statement in the GDPR that the data subject has the right to object to profiling. The organisation in question may only reject this objection if it invokes compelling, justified grounds for the profiling that outweigh the interests of the person concerned.

However, this does not apply in the case of profiling in relation to direct marketing. If the data subject objects to this, his or her personal data may in any case no longer be used for such purposes. That right should also be explicitly brought to the attention of the data subject and presented clearly and separately from any other information.

What does this mean for your organisation?

If your business model is (largely) based on profiling or automated decision-making, the GDPR is a good reason to re-examine your business operations. For example, you should assess whether the mathematical/statistical procedures on the basis of which profiles are composed are still up to date. It is also important that your organisation has taken sufficient technical and organisational measures to ensure that inaccuracies are corrected on time and that the risk of errors is kept to a minimum. Finally, you will have to assess whether your organisation is complying with its obligation to provide all necessary information to the data subjects.
