
Automated individual decision-making and profiling under the GDPR

Presentation for BAM Legal Day

Published in: Law

  1. Automated individual decision-making and profiling under the GDPR
     Johan Vandendriessche, Partner | Erkelens Law; Visiting Professor ICT & Data Protection Law | UGent | HoWest

  2. PROFILING AND AUTOMATION IN MARKETING
     • Marketing companies seek to enhance the effectiveness of marketing through:
       • Segmentation of an audience
       • (Individual) profiling
       • Predictive modelling
       • Marketing automation
     • General rule of thumb: the more individualised the marketing content, the higher the effectiveness

  3. PROFILING
     • What is profiling under the GDPR (article 4(4) GDPR)?
       • Any form of automated processing of personal data
       • Use of personal data to evaluate certain personal aspects of a natural person
       • In particular to analyse or predict aspects concerning that natural person's performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements
     • A broad definition, but falling within it is not in itself harmful for processing purposes: profiling as such is not prohibited

  4. AUTOMATED INDIVIDUAL DECISION-MAKING
     • What is automated individual decision-making?
       • A decision based solely on automated processing
       • No meaningful human intervention (computer-assisted decision-making vs. automated decision-making)
       • The decision must produce specific effects:
         • Legal effects concerning the data subject
         • Effects similarly significantly affecting the data subject
         • Must the effect be negative?

  5. GDPR APPROACH TO PROFILING AND AUTOMATED INDIVIDUAL DECISION-MAKING
     • Different rules apply depending on the situation:
       • General profiling
       • Decision-making based on profiling
       • Automated individual decision-making without legal effect and without similarly significantly affecting the data subject
       • Automated individual decision-making which produces legal effects or similarly significantly affects the data subject
     • The general prohibition (article 22 GDPR) applies only to automated individual decision-making which produces legal effects or similarly significantly affects the data subject

  6. DATA SUBJECT RIGHTS
     • Right to information (articles 13 and 14 GDPR)
       • The existence of automated decision-making, including profiling
       • Meaningful information about the logic involved
         • What? An understanding of the process
         • What is excluded? The right has no absolute effect: it may not adversely affect the rights and freedoms of others (protection of IP and know-how)
         • The German Bundesgerichtshof has ruled in the past that algorithms should not be disclosed
       • The significance and the envisaged consequences for the data subject
         • The information required to understand the reason for and the consequences of the process

  7. DATA SUBJECT RIGHTS
     • Right of access (article 15 GDPR)
       • The existence of automated decision-making, including profiling
       • Meaningful information about the logic involved
       • The significance and the envisaged consequences for the data subject
       • Confirmation of the transparency rules under articles 13 and 14 GDPR

  8. DATA SUBJECT RIGHTS
     • Right to object
       • General right to object: applies to all purposes, but only when specific legal grounds are invoked
       • Specific right to object to processing of personal data for direct marketing purposes ("opt-out"): applies only to direct marketing purposes, irrespective of the legal ground
     • Transparency obligation
       • Articles 13 and 14 GDPR: the existence of these rights
       • Article 21 GDPR: "confirmation" of the existence of these rights
         • At the latest at the time of the first communication
         • Explicit
         • Clear and separate from any other information

  9. DATA SUBJECT RIGHTS
     • General right to object
       • On grounds relating to his or her particular situation
       • Restricted to certain legal grounds for processing:
         • Public interest or official authority (article 6(1)(e) GDPR)
         • Legitimate interest (article 6(1)(f) GDPR)
       • No automatic application: the data subject has to adduce evidence of grounds relating to his or her particular situation
       • The controller may override the objection on the basis of:
         • Compelling legitimate grounds
         • The establishment, exercise or defence of legal claims

  10. DATA SUBJECT RIGHTS
     • Specific right to object to processing of personal data for marketing purposes
       • Limited to direct marketing purposes
       • No restrictions in terms of legal grounds for processing
       • No further conditions: at any time, free of charge, no reasons required

  11. DATA SUBJECT RIGHTS
     • Right not to be subject to automated individual decision-making (article 22 GDPR)
       • Decisions producing legal effects concerning the data subject
       • Decisions similarly significantly affecting the data subject
     • Framed as a general prohibition
     • Proactive application: the controller must comply regardless of whether the data subject invokes the right
     • Limited exceptions

  12. DATA SUBJECT RIGHTS
     • Exceptions to the right not to be subject to automated individual decision-making
       • The decision is necessary for entering into, or performance of, a contract between the data subject and a data controller
       • The decision is authorised by Union or Member State law to which the controller is subject
       • The decision is based on the data subject's explicit consent
     • Conditions
       • Obligation to implement suitable safeguards (applies to the contract and explicit-consent exceptions; where the decision is authorised by law, that law must itself lay down suitable measures), including at least:
         • The right to obtain human intervention
         • The right to express his or her point of view
         • The right to contest the decision
       • No special categories of personal data may be processed, except on the basis of explicit consent or substantial public interest (article 9(2)(a) and (g) GDPR) and provided suitable safeguards are in place

  13. ADDITIONAL OBLIGATIONS
     • Profiling followed by decisions that affect the data subject requires a DPIA (article 35(3)(a) GDPR): "a systematic and extensive evaluation of personal aspects relating to natural persons which is based on automated processing, including profiling, and on which decisions are based that produce legal effects concerning the natural person or similarly significantly affect the natural person"
     • Automated individual decision-making does not necessarily require a DPIA
       • A risk assessment is still required, based on the Article 29 Working Party criteria, including:
         • Automated decision-making with legal or similarly significant effect
         • Evaluation or scoring
         • …

  14. ADDITIONAL OBLIGATIONS
     • Profiling (even without decision-making) may require the appointment of a DPO (article 37(1)(b) GDPR)
       • The core activities consist of processing operations which require regular and systematic monitoring of data subjects on a large scale
       • Systematic monitoring is not the same as profiling: monitoring is a data collection activity which often precedes profiling
       • Is no DPO required if a large-scale data file is obtained in a single operation?

  15. WHAT DOES MY PROFILE LOOK LIKE? I MIGHT JUST ASK AFTER TOMORROW …
     Johan Vandendriessche | Johan.vandendriessche@erkelenslaw.com | www.erkelenslaw.com
