Profiling
Profiling is now expressly covered by the applied GDPR and is subject to the rules governing processing of personal data, such as the principles and legal grounds of processing.
Profiling is any form of automated processing of personal data consisting of using those data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person's:
- performance at work
- economic situation
- health
- personal preferences
- interests
- reliability
- behaviour
- location or movements
Controllers must be aware of when profiling is occurring, as the enhanced fair processing (transparency) requirements oblige controllers to:
- inform data subjects about the existence of profiling, and the consequences of such profiling
- provide details of the logic involved in any automatic data processing and what might be the consequences of such processing
- advise data subjects of their right to object to processing for direct marketing, including profiling to the extent that it is related to such direct marketing
In some cases data protection impact assessments will be required where profiling is undertaken, specifically in cases where data are processed "for taking decisions regarding specific natural persons following any systematic and extensive evaluation of personal aspects relating to natural persons based on profiling those data".
Profiling is mentioned and further explained in:
- Article 3 - Territorial Scope (Recital 24)
- Articles 13 & 14 - transparency/fair processing information (Recital 60)
- Article 15 - right of access & logic of automated processing (Recital 63)
- Article 21 - right to object to processing/direct marketing (Recital 70)
- Article 22 - right to object to automated decisions, including profiling (Recital 71)
- Article 35 - data protection impact assessments (Recital 91)