GDPR compliance—rights relating to automated decision making, including profiling
GDPR compliance—rights relating to automated decision making, including profiling

The following Risk & Compliance guidance note provides comprehensive and up to date legal information covering:

  • GDPR compliance—rights relating to automated decision making, including profiling
  • Right to object or prohibition on automated decision making?
  • When does the right apply?
  • Exemptions
  • Information requirements
  • Complying with the right not to be subject to a decision based solely on automated processing, including profiling
  • Compliance challenges
  • Consequences of non-compliance with the GDPR
  • Right not to be subject to a decision based solely on automated processing, including profiling readiness checklist

The General Data Protection Regulation (GDPR), in force from 25 May 2018, provides for enhanced rights for data subjects in the EU including providing rights of access, rectification, erasure and restriction of processing, data portability and a right to object to processing, with strict time limits for complying.

Automated decision making and profiling are used increasingly in both the public and private sectors, including in financial services and insurance, healthcare, taxation and marketing and advertising. While they can bring benefits and efficiencies, they can also pose significant risks to the rights of individual data subjects, such as unjustified discrimination and denial of service, if safeguards are not in place.

Article 22 of the GDPR provides that a data subject has the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning them or similarly significantly affects them. It protects data subjects against the risk that a potentially damaging decision is taken without human intervention.

This Practice Note explains the right not to be subject to a decision based solely on automated processing, including profiling, contained in the GDPR, and considers compliance strategies for businesses when addressing this right. A detailed explanation of when you can employ automated decision making processes is outside the scope of this Practice Note.

Right to object or

Related documents: