by Alberto Passiu


Profiling and automated decision-making are increasingly common tools on the web. Sectors such as banking and finance, health care, taxation, insurance and, above all, marketing and advertising rely more and more on automated web systems.

Articles 4 and 22 of the GDPR refer to a fully automated processing activity defined as profiling. They identify three ways in which the profile attributable to a natural person can be used in practice: a) general profiling; b) decision-making based on the profile; c) a fully automated decision-making process.

EU Regulation 2016/679 generally prohibits fully automated processing that leads to decisions affecting the individual in a sufficiently significant manner.

What is generally prohibited is a completely automated individual decision-making process, including profiling, which produces legal effects concerning the individual or similarly significantly affects him. The key elements, however, are the notions of “legal” effects and “similarly significant” effects, which the GDPR does not define. The Article 29 Working Party, whose specific task is to understand and explain the rationale of the GDPR, has defined a legal effect as the effect of a processing activity that has an impact on someone’s legal rights, such as the freedom to associate with others, to vote in an election or to take legal action. A legal effect can also be something that concerns the legal status of a person or his rights under a contract. With the entry into force of the GDPR on May 25, in order to understand whether a given profiling activity is forbidden or not, an “evaluation” by the Data Controller of the automated operations he intends to carry out will always be necessary.

However, Article 22 introduces some exceptions that justify automated processing, namely:

  1. the decision is necessary for the conclusion or performance of a contract between the Data Subject and a Data Controller; this provision must be interpreted restrictively, and the Data Controller must demonstrate that there are no less privacy-intrusive methods than profiling;
  2. the decision is based on the explicit consent of the Data Subject, so there must be an express declaration by the Data Subject, which excludes consent inferred from conduct (“concluding facts”);
  3. the decision is authorized by the law of the Union or of a Member State to which the Data Controller is subject, and that law also lays down suitable measures to safeguard the rights, freedoms and legitimate interests of the Data Subject.