GDPR Brief: automated decision-making and profiling

7 Jan 2019

Individual opportunity increasingly depends on automated decisions by companies and (prospective) employers. Any automated decision-making, including profiling, is subject to the usual requirements of the GDPR.

Individual opportunity increasingly depends on automated decisions by companies and (prospective) employers. Any automated decision-making, including profiling, is subject to the usual requirements of the GDPR. Special attention should be paid to (a) selection and use of software, (b) transparency, (c) the qualified prohibition on significant decisions based on solely automated processing.

(a) Selection and use of Software – Data Protection by Design and Default

Software developers should design products that support fulfilment of data protection obligations, including fulfilment of data subject rights. Controllers must implement appropriate and effective technical measures. Before introducing new technologies into automated decision-making operations, especially in case of profiling, a Data Protection Impact Assessment may be required.

(b) Transparency – Right to be informed and obtain information

A data subject must be told of the existence of automated decision-making, including profiling, and “meaningful information” about the algorithmic logic involved, as well as the significance and envisaged consequences, at least where processing relates to decisions based on solely automated processing.

The responsibility is (normally) to provide this information at the time personal data is collected. This suggests information provided will relate to system function rather than specific decisions. A data subject also has a right to obtain this information at any point. If requested after an algorithm has been applied, then it may be possible for a controller to provide information about a specific decision, although the requirement appears still to be future oriented.

(c) Qualified Prohibition on Significant Decision-Making on Solely Automated Processing

Decisions which have legal or similar significant effects (on a data subject) should ordinarily not be based solely on automated processing: human intervention should be present. Exceptions exist if (i) necessary to a contract, (ii) with explicit consent, or (iii) otherwise authorised by law with suitable safeguards. In case of (i) or (ii), the data subject still has the right, at least, to obtain human intervention, to express his or her viewpoint, and to contest the decision. Solely automated decision-making (usually) ought not to concern a child.

Furthermore, special categories of personal data ought not to be used without explicit consent unless for reasons of substantial public interest, on a legal basis that is proportionate to the aim pursued, respects the essence of data protection, and provides appropriate safeguards. Such safeguards may include a right to obtain an explanation of the specific decision reached.

Mark Taylor is Associate Professor in Health Law and Regulation at Melbourne Law School.

Further Reading

Relevant GDPR Provisions

See all previous briefs.

Please note that GDPR Briefs neither constitute nor should be relied upon as legal advice. Briefs represent a consensus position among Forum Members regarding the current understanding of the GDPR and its implications for genomic and health-related research. As such, they are no substitute for legal advice from a licensed practitioner in your jurisdiction.

Latest News

GA4GH logo and McGill's Victor Phillip Dahdaleh Institute of Genomic Medicine logo, with a sentence saying "Announcing GA4GH's Fifth Host Institution"
20 Jun 2024
The Victor Phillip Dahdaleh Institute of Genomic Medicine at McGill University is formally named as a fifth Host Institution of GA4GH
See more
13 Jun 2024
A letter from the Chair: introducing the members of the inaugural GA4GH Strategic Leadership Committee
See more
A DNA strand extending across a blue background, filled with molecular structures and more DNA
28 May 2024
GA4GH submits comments on the WHO’s draft principles for human genome access, use, and sharing
See more