Everyone knows by now that parties such as Facebook and Amazon compose profiles of their users. These profiles are compiled on the basis of, among other things, social communities, ‘likes’ and purchased products. Based on these profiles, it is then possible to advertise in a more targeted way and to make suggestions to users.
But is this allowed? What if your profile is incorrect? And what if a party decides on the basis of this profile whether or not you are creditworthy?
These questions will be addressed in this part of our GDPR series. It will specifically zoom in on the provisions concerning profiling and automated decision-making in the General Data Protection Ordinance (‘GDPR’).
Profiling consists of any form of automated processing of personal data evaluating certain personal aspects relating to a natural person. Profiling is particularly used to analyse or predict aspects concerning a person’s performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location and movements. In other words, profiling implies that someone is being evaluated on the basis of a risk-profile.
Profiling in itself is permitted in accordance with the GDPR. However, this may change if decisions are made on the basis of these profiles.
As stated in the GDPR, automated decision-making based on profiling is restricted if it produces legal effects or similarly significantly affects concerning the data subject. One example of this is the situation concerning the creditworthiness of a person. Another example is the processing of applications via the internet without human intervention.
However, a general rule typically comes with an exception. This is no different with the rules concerning automated decision-making which is allowed if the decision:
- is necessary for entering into, or performance of, aan agreement with a the data subject;
- is permitted under Dutch law (e.g. detection of tax fraud); or
- is based on the data subject’s explicit consent.
When automated decision-making takes place based on one of these grounds, the data controller is nonetheless required to implement suitable safeguards. This means that the data subject must be specifically informed about this, has a right to obtain human intervention on the part of the controller and has a right to express his or her point of view and to contest the decision. The data subject also has the right to an explanation of the decision reached after such assessment.
Organisations should nonetheless bear in mind that automated decision-making should never concern children and be aware of the specific conditions that apply when decision-making is based on special categories of personal data.
What will change?
The term ‘profiling’ was not included as such in the Dutch Data Protection Act (Wet bescherming persoonsgegevens, ‘wbp’). The prohibition on fully automated decision-making and the exceptions to it were however included in the Data Protection Act. Former Dutch Legislation therefore also allowed decision-making based on profiling, only if sufficient safeguards were implemented. As far as the prohibition and its exceptions are concerned, not much has been changed in the Netherlands due to the implementation of the GDPR.
What is new is the explicit statement in the GDPR that the data subject has the right to object to profiling. The organisation in question may only reject this objection if it invokes compelling, justified grounds for the profiling that outweigh the interests of the person concerned.
However, this does not apply in the case of profiling in relation to direct marketing. If the data subject objects to this, his or her personal data may in any case no longer be used for such purposes. That right should also be explicitly brought to the attention of the data subject and presented clearly and separately from any other information.
What does this mean for your organisation?
If your business model is (largely) based on profiling or automated decision-making, the GDPR is a good reason to re-examine your business operations. For example, you should assess whether the mathematical/statistical procedures on the basis of which profiles are composed, are still up-to-date. It is also important that your organisation has taken sufficient technical and organisational measures to ensure that inaccuracies are corrected on time and that the risk of errors is kept to a minimum. Finally, you will have to assess if your organisation is complying with its obligation to provide all necessary information to the data subjects.