Is Profiling Allowed under the GDPR?

The writers of the General Data Protection Regulation (GDPR) have defined profiling to include ‘any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person’s performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements’.

When is it Profiling?

It is not considered profiling if visitors to your website are tracked. Establishing an economic platform is also not considered profiling. However, if the data obtained is used to rate such things as personal interests, individual preferences or behaviour, then that constitutes profiling.

If information gained from personal data and the collection and/or analysis of that data is used to make decisions or to act, then profiling has occurred.

GDPR Restrictions on Profiling

The GDPR, under Article 22, sets out rules that protect EU citizens from the ills of automated individual decisions.

Those from whom data is collected have the right under GDPR guidelines to avoid or refuse to answer any questions that EU regulations deem to be profiling.

Questions may be asked. As long as the rights and freedoms of the data subject are not exposed or compromised, businesses may proceed. However, the data subject must give specific consent to the collection, use and storage of information.

Decisions related to data collection and potential profiling must not be based on such things as religious affiliation, gender, race, ethnicity or sexual preference.

However, there are exceptions:

  1. If processing this data is needed for public safety or the state’s security then that data can be collected.
  2. If the individual consents to processing of personal data then it may be collected, used, and stored.

How Can Profiling Harm?

For example, an individual might be refused a credit card in an online application, or an individual’s online job application might be turned down.

How to Deal with Permitted Profiling

Profiling is legal only if the controller of collected data uses it for statistical procedures. Moreover, care must be taken to ensure that personal data is accurate and error-free.

All efforts must be made to avoid discrimination related to race, political persuasion, religion, ethnicity, union membership, health, and/or sexual orientation.

One of the best ways to avoid potential suits on profiling is for businesses to appoint a Data Protection Officer. This, in addition to making sure that GDPR guidelines regarding profiling are followed, is the surest way to avoid suits.