GDPR: Four questions about data profiling

We are a little over a year away from the General Data Protection Regulation (GDPR) becoming enforceable on May 25, 2018. The countdown has begun.

As we have covered in previous GDPR articles on consent and data subject rights, businesses (whether acting as a 'data controller', a 'data processor', or both) must adhere to new rules for the collection and use of personal customer data. However, we have yet to cover an important area that many organizations will want to know more about: 'profiling', and its new legal definition.

Because the existing legislation (the 1995 Data Protection Directive) was written long before 'Big Data' was even a thing, there is currently no legal definition of 'profiling' under European data protection law. The closest it comes is Article 15 of the Directive, on 'automated individual decisions', which grants:

“The right to every person not to be subject to a decision which produces legal effects concerning him or significantly affects him and which is based solely on automated processing of data intended to evaluate certain personal aspects relating to him, such as his performance at work, creditworthiness, reliability, conduct, etc.”

Under GDPR this changes: Article 4(4) gives 'profiling' a fully formed definition:

"Profiling means any form of automated processing of personal data consisting of using those data to evaluate certain personal aspects relating to a natural person, in particular to analyze or predict aspects concerning that natural person's performance at work, economic situation, health, personal preferences, interests, reliability, behavior, location or movements."

Before any profiling takes place, companies will need to assess the lawfulness of the activity and, in particular, determine whether it will lead to decisions that produce legal effects for, or similarly significantly affect, the individuals concerned. That determination decides which of the rules below apply.

1. Will I need to inform people they are being profiled?

Yes. Data subjects must be informed of the existence of profiling, and of its significance and likely consequences for them, at the time their data is collected or, where the data is obtained from another source, at the latest at the time of the first communication with them. The right to object must be presented explicitly, in clear wording and separately from other information. Organizations may use their Privacy Policy to notify consumers, provided it meets these requirements.

2. Can individuals object to profiling?

Data subjects have the right to object to profiling, and where the profiling is for direct marketing purposes that right is absolute. The right to object does not extend to processing that is necessary for the performance of a contract with the individual. Individuals must be informed of the consequences of objecting. Where a decision is based solely on automated processing, the data subject also has the right to "obtain human intervention, to express his or her point of view, to obtain an explanation of the decision reached after such assessment and to challenge the decision" (Recital 71).


3. When might profiling be restricted?

Decisions based solely on automated processing of personal data, including profiling, are restricted when the decision produces legal effects for the individual, or "similarly significantly affects" him or her. Examples of such decisions include automatic refusal of an online credit application or automated screening of job applicants.

4. Are there any exceptions?

There are exceptions to these restrictions on solely automated decisions, under the following circumstances:

  • Union or Member State law to which the controller is subject authorizes the decision and lays down suitable safeguards for the individual's rights and interests
  • The decision is necessary for entering into, or performing, a contract between the individual concerned and the controller
  • The individual concerned has given his/her explicit consent to the use of his/her personal data for profiling purposes

Even where an exception applies, the controller must still implement suitable safeguards, including at least the right to obtain human intervention, to express a point of view and to contest the decision.

Are you prepared for GDPR? BlueVenn GDPR Assessments

What stage are you at with your preparations for GDPR? Our compliance specialists can help assess the condition of your database and offer assistance with issues relating to contracts, policies and other marketing practices.

GDPR Assessment
