News top

Data profiling - GDPR

What is data profiling and automated decision making in the context of GDPR?

Data profiling is one of the novel concepts in GDPR. It is defined in Article 4 (4) as “any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person’s performance at work, economic situation, health, personal preferences, interests, reliability, behavior, location or movements”. This means that profiling is an automated form of processing; carried out on personal data and its purpose is to evaluate personal aspects about a natural person. Examples of data profiling includes:

  • Keeping a record of traffic violations to monitor driving habits of individuals over time to identify repeat offenders (which may have an impact on the sanction)
  • Data broker collecting data from different public and private sources, compiling the data to develop profiles on the individuals, placing the individuals into segments and selling the output information to companies who wish to improve the targeting of their goods and services
  • Considering an individual's credit score before granting a mortgage


Three ways of using profiling are identified under the GDPR:

  • General profiling
  • Decision-making based on profiling
  • Solely automated decision-making, including profiling


What GDPR consider as “solely automated decision-making”?

Solely is a decision-making process that is totally automated and excludes any human influence on the outcome. A process might still be considered solely automated if a human inputs the data to be processed, and then the decision-making is carried out by an automated system, but it won’t be considered solely automated if someone interprets the result of an automated decision.

A typical example of solely automated is the decision about the call center employee’s bonus payment based on the data collected, regarding their productivity.

It is important to mention that in Article 22 (1) GDPR defines the rights of data subject in accordance with the solely automated decisions

The data subject shall have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her or similarly affects him or her”

What types of decision have a legal or similarly significant effect?

Decisions that have a legal effect are those that impact on an individual's legal rights. For example when a person, is entitled to a particular social benefit granted by law, such as child or housing benefit.

A decision that has a similarly significant effect “must have the potential to significantly influence the circumstances, behavior or choices of the individuals concerned. At its most extreme, the decision may lead to the exclusion or discrimination of individuals.” The examples given by GDPR refer to automatic refusal of online credit application or e-recruiting practices without any human intervention. In contrast, the following example is unlikely to have a significant effect on an individual – recommendation for new TV channels based on an individual’s previous viewing habits.

If you are not sure whether a decision has a similarly significant effect on someone, you should consider to what extend it affects their finance, health, reputation, employment opportunities.

Used correctly, automated decision-making is useful for many businesses. It can help you to interpret policies correctly and make decisions fairly and consistently. In simple words GDPR allows you to carry out profiling or automated decision processes if it complies with the definition in Article 22 (1). In case of legal or significant effect, you must ensure that you are compliant with the exceptions in Article 22 (2):

  • The decision is necessary for entering into, or performance of, a contract between the data subject and a data controller;
  • The decision is authorized by Union or Member State law
  • The decision is based on the data subject’s explicit consent.


If you are still struggling with GDPR and you are not sure if you managed to cover all its requirements, we recommend GDPRQ – a self-assessment tool to generate your compliance evidence report with an easy-to-update progress tracker and action plan. Try it now on


A honlap utolsó módosításának időpontja: 2019.10.01