Data Mining or Profiling, is one of the provisions of the General Data Protection Regulation (GDPR) that will have the most significant impact on businesses.

Data controllers will be required to inform individuals specifically about ‘the existence of automated decision making including profiling and … meaningful information about the logic involved and information concerning the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject’ (Article 13(2)(f) of the GDPR).

“Profiling” is now clearly defined under article 4 as ‘any form of automated processing of personal data consisting of using those data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person’s performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements.’

Recital 24 of the GDPR also explains the “monitoring of an individual’s behaviour”:

‘In order to determine whether a processing activity can be considered to monitor the behaviour of data subjects, it should be ascertained whether natural persons are tracked on the internet including potential subsequent use of personal data processing techniques which consist of profiling a natural person, particularly in order to take decisions concerning her or him or for analysing or predicting her or his personal preferences, behaviours and attitudes.’

Article 21 of the GDPR sets out three (3) criteria which may trigger the provisions on automated processing of personal data, namely:

• A decision has to be made about an individual;
• Which has a legal effect for that individual or significantly affects him or her; and
• This decision must be based solely on automated processing.

If those three criteria are met, ‘the data subject shall have the right not to be subject to a decision … based solely on automated processing, including profiling, which produces legal effects concerning him or her or significantly affects him or her’.

Where a decision is made about one or several individuals which either produces a legal effect for those individuals, or significantly affects them, such automated processing is nonetheless permitted if such decision is:

• authorised by a law or regulation within a Member State to which the controller is subject and which also lays down suitable measures to safeguard the data subject’s rights; or
• necessary for entering into (or performing) a contract between the data subject and the controller (where it has to be based on a justified, fair and minimisation principle); or
• based on the data subject’s explicit consent.

Where the profiling is based on a contractual relationship with the data subject or the data subject’s explicit consent, the controller/processor must implement “suitable measures” to safeguard the rights of the individuals. In particular, the controller must allow for a human intervention and the right for individuals to express their point of view, to obtain further information about the decision that has been reached on the basis of this automated processing, and the right to contest this decision.

For more information or if you have any questions, please feel free to contact Dr Ian Gauci on igauci@gtgadvocates.com

Disclaimer: This article is not intended to impart advice and readers are asked to seek verification of statements made before acting on them.