Profiling is now expressly covered by the GDPR and is subject to the rules governing processing of personal data, such as legal grounds of processing or data protection principles.

Profiling is any form of automated processing of personal data consisting of using those data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person's:

Controllers must be aware of when profiling is occurring as the enhanced fair processing requirements oblige controllers to:

In some cases data protection impact assessments will be required where profiling is undertaken, specifically in cases where data are processed "for taking decisions regarding specific natural persons following any systematic and extensive evaluation of personal aspects relating to natural persons based on profiling those data".


Profiling is mentioned and further explained in:

Article 3 - Territorial Scope (Recital 24)

Articles 14 & 14a - fair processing information (Recital 60)

Article 15 - right of access & logic of automated processing (Recital 63)

Article 21 - right to object to processing/direct marketing (Recital 70)

Article 22 - right to object to automated decisions (Recital 71)

Article 35 - Impact assessments (Recital 91)

Article 47 - binding corporate rules (Recital 110)

Article 70 - guidance issued by the EDPB