GDPR compliance—rights relating to automated decision making, including profiling
GDPR compliance—rights relating to automated decision making, including profiling

The following Risk & Compliance guidance note provides comprehensive and up to date legal information covering:

  • GDPR compliance—rights relating to automated decision making, including profiling
  • Right to object or prohibition on automated decision making?
  • When does the right apply?
  • Exemptions
  • Information requirements
  • Complying with the right not to be subject to a decision based solely on automated processing, including profiling
  • Compliance challenges
  • Consequences of non-compliance with the GDPR

Brexit: As of exit day (31 January 2020), the UK is no longer an EU Member State, but it has entered an implementation period during which it continues to be treated by the EU as a Member State for many purposes. The UK must continue to adhere to its obligations under EU law, including in relation to data protection, and the ICO has confirmed the GDPR will continue to apply during the implementation period. For more information, see: Practice Note: Brexit—implications for data protection.

The General Data Protection Regulation (GDPR), in force from 25 May 2018, provides for enhanced rights for data subjects in the EU including providing rights of access, rectification, erasure and restriction of processing, data portability and a right to object to processing, with strict time limits for complying.

Automated decision making and profiling are used increasingly in both the public and private sectors, including in financial services and insurance, healthcare, taxation and marketing and advertising. While they can bring benefits and efficiencies, they can also pose significant risks to the rights of individual data subjects, such as unjustified discrimination and denial of service, if safeguards are not in place.

Article 22 of the GDPR provides that a data subject has the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects