The Article 29 Working Party took the position that for an action to constitute profiling three elements must be met:

  1. An activity must involve “an automated form of processing;”
  2. An activity must be “carried out on personal data;”
  3. The objective of the activity must be “to evaluate personal aspects about a natural person.”1

The above elements can be met, and an activity could be considered profiling, even if an organization does not take any action on the profiled data. Put differently, while profiling is often used by an organization to make decisions about individuals (e.g., automatic decisions made solely based upon the profiling, or human decisions where profiling is one of many factors), it does not need to be. While the act of making a decision based on profiling requires a separate analysis under the GDPR, simply profiling an individual in the first place implicates the general rights given to individuals under the regulation. These include, for example:

  • Transparency. Organizations are obligated to notify the individual about the profiling pursuant to Article 13 of the GDPR (if the profiling is based upon information that the organization collected directly from the individual) or Article 14 of the GDPR (if the profiling is based upon information that the organization collected from a third party.2
  • Lawful purpose. Organizations are obligated to identify one of six lawful purposes of processing permitted by the GDPR. For example, the profiling might be based upon consent obtained from the individual being profiled, or the profiling could be based upon compliance with a Member-State law or the legitimate interest of the organization (so long as that interest is balanced against the rights and freedoms of the individual).3
  • Data minimization. Organizations should be able to explain their reasonable need to collect and hold personal data used in constructing a profile, or their reasonable need to maintain the data produced or inferred from profiling.4 This includes, among other things, setting retention periods or schedules regarding how long both input and output data is kept.5
  • Accuracy. Organizations are obligated to promote the accuracy of the profile, and to take steps to address inaccuracies if brought to their attention. According to the Article 29 Working Party, controllers should “introduce robust measures to verify and ensure on an ongoing basis that data re-used or obtained indirectly [as part of profiling] is accurate and up to date.”6
  • Access to data. Organizations should permit individuals to request copies of information used for profiling (input data) as well as information generated from profiling (output data).7
  • Deletion of data. Organizations should permit individuals to request that both input and output data be deleted.8
  • Correction of data. Organizations should permit individuals to request that input data and output data be corrected if inaccurate.9
  • Objection. If processing is based upon the legitimate interest of the organization, the organization must give individuals an opportunity to object to the processing and ask that the organization reconsider whether its interest in processing overrides contrary interests of the individual.10 Similarly if the processing is based upon consent, the organization must give individuals the ability to withdraw their consent (which effectively would cause the processing to cease unless further processing were based on another lawful purpose).