Your rights relating to profiling and automated decision making

Profiling is any form of automated comparison of your data to the data of people or groups of people who have similar traits in order to:

  • generalise the preferences of a group of people that include you
  • predict your individual behaviour
  • make a decision about you

in relation to particular areas of:

  • your performance at work
  • your financial situation
  • your health
  • your personal preferences
  • your interests
  • your reliability
  • your behaviour
  • your location and movements

Profiling can form part of an automated decision making process, where a decision affecting you and based on your data is made without human involvement. Often automated decision making is used to determine whether to enter or to offer to enter into a legally binding contract with you.

Organisations can accumulate a lot of information about you from many different sources. Such “big data” sets allow for better decision making in many sectors, from financial services to education and healthcare.

For example, your bank might use software that uses data about where you live and your financial transaction history to decide whether or not to lend to you.

The law recognises that good decisions can only be made if the data is accurate and used responsibly. Automated decision making is so common and the risks for you as an individual are so high if the decisions are made poorly, that the GDPR aims specifically to protect you from poorly designed and implemented systems.

If the effect of the decision adversely affects your legal rights, or the effect of the decision could be significantly detrimental, then a decision cannot be made only by automated means. It must be made or reviewed by a human.

The exceptions are:

  • if the decision is necessary for entering into or carrying out a contract between you and the organisation, or has been authorised by law
  • you have given explicit consent for the decision to be made

With respect to special category data, such as those relating to your ethnic origin or heath, the organisation can only use automated decision making if

  • you have given explicit consent for the decision to be made
  • use is necessary for reasons of substantial public interest

Additionally, the organisation must:

  • tell you about how decisions are made and the possible significance and consequences for you
  • allow you to request a review of a decision, communicate your opinion about it and challenge it
  • use appropriate mathematical or statistical procedures
  • provide means for you to correct inaccuracies and minimise the risk of errors

secure your personal data proportionately to the risk to your interests and rights and in a way that prevents discriminatory effects

© 1999 - 2025 Net Lawman Limited.
All rights reserved