The Article 29 Working Party, the group of EU data protection authorities charged with agreeing European-wide guidance on GDPR, has published Guidelines on Automated Individual Decision-Making and Profiling (“WP251”). While the concept of “profiling” is relatively new in the GDPR, that is not the case for automated individual decision-making, which is already prohibited. These guidelines provide details about key requirements with respect to profiling and automated individual decision-making.
Guideline 29 notably addresses the following issues:
· The concept of “profiling” and the different situations in which it is used.
· The concept of “legal effect” or “similar significant” effects. Even if a decision-making process does not have an effect on people’s legal rights, it could still fall within the scope of Article 22 if it produces an effect that is equivalent or similarly significant in its impact. The guidelines envisage that this concept may apply, for example, to certain forms of behavioural advertising, in particular when it targets vulnerable persons.
· Providing meaningful information to data subjects about the “logic involved” in the case of automated individual decisions. The information should be simple, without going into the details of how the algorithm works.
· Informing people about the “significance” and “envisaged consequences” of automated individual decisions.
· The need for Data Protection Impact Assessments (DPIA) in the case of profiling on the basis of which decisions are based, including when a decision is not based exclusively on automated processing (Article 35.3(a)).
Chapter II of these guidelines explains the specific provisions that apply to solely automated individual decision-making, including profiling. A general prohibition of this type of processing exists to reflect the potentially adverse effect on individuals. There are, however, exceptions and safeguards, including the right to be informed (specifically meaningful information about the logic involved, as well as the significance and envisaged consequences for the data subject), the right to obtain human intervention and the right to challenge the decision.