Profiling and (automated) decision-making under the GDPR: A two-step approach

Bibliographic Details
Published in Computer law & security review Vol. 45; p. 105662
Main Author Wiedemann, Klaus
Format Journal Article
Language English
Published Elsevier Ltd 01.07.2022
ISSN 2212-473X, 2212-4748
DOI 10.1016/j.clsr.2022.105662

Summary: This paper examines profiling and decision-making under the GDPR and analyses how these two processes are interconnected. The GDPR's definition of profiling is analysed and put in relation to both automated and human decision-making. This contribution works with a two-step approach. It can be derived from the structure and wording of the GDPR and provides for an enhanced level of legal certainty. Within this approach, profiling is considered to be step 1 and decision-making to be step 2. The two steps are treated as distinct, yet logically interconnected. This helps understand how profiling and decision-making are conducted. It makes it possible to identify the legal implications of these two steps and to allocate who is legally responsible, no matter how many parties are involved. The approach might be particularly helpful in the context of joint controllership, as it makes it possible to delineate whether joint controllership is given in the first place and to allocate the respective responsibilities of the parties concerned. Profiling (step 1) leads to implications of primary relevance for the data subjects’ right to the protection of personal data. Decision-making (step 2) regularly does not lead to such data protection implications but is primarily relevant from a personal autonomy and (economic) freedom perspective. A notable exception is the rare scenario of solely automated decision-making falling under Art. 22(1) GDPR. The two-step approach is eventually applied to a use case that concerns profiling and automated decision-making in the context of credit scoring conducted by a social network.