Profiling and (automated) decision-making under the GDPR: A two-step approach
This paper examines profiling and decision-making under the GDPR and analyses how these two processes are interconnected. The GDPR's definition of profiling is analysed and put in relation to both automated and human decision-making. This contribution works with a two-step approach. It can be d...
Saved in:
| Published in | Computer law & security review Vol. 45; p. 105662 |
|---|---|
| Main Author | |
| Format | Journal Article |
| Language | English |
| Published |
Elsevier Ltd
01.07.2022
|
| Subjects | |
| Online Access | Get full text |
| ISSN | 2212-473X 2212-4748 |
| DOI | 10.1016/j.clsr.2022.105662 |
Cover
Loading…
| Abstract | This paper examines profiling and decision-making under the GDPR and analyses how these two processes are interconnected. The GDPR's definition of profiling is analysed and put in relation to both automated and human decision-making. This contribution works with a two-step approach. It can be derived from the structure and wording of the GDPR and provides for an enhanced level of legal certainty. Within this approach, profiling is considered to be step 1 and decision-making to be step 2. The two steps are treated as distinct, yet logically interconnected. This helps understand how profiling and decision-making are conducted. It makes it possible to identify the legal implications of these two steps and to allocate who is legally responsible, no matter how many parties are involved. The approach might be particularly helpful in the context of joint controllership, as it makes it possible to delineate whether joint controllership is given in the first place and to allocate the respective responsibilities of the parties concerned. Profiling (step 1) leads to implications of primary relevance for the data subjects’ right to the protection of personal data. Decision-making (step 2) regularly does not lead to such data protection implications but is primarily relevant from a personal autonomy and (economic) freedom perspective. A notable exception is the rare scenario of solely automated decision-making falling under Art. 22(1) GDPR. The two-step approach is eventually applied to a use case that concerns profiling and automated decision-making in the context of credit scoring conducted by a social network. |
|---|---|
| AbstractList | This paper examines profiling and decision-making under the GDPR and analyses how these two processes are interconnected. The GDPR's definition of profiling is analysed and put in relation to both automated and human decision-making. This contribution works with a two-step approach. It can be derived from the structure and wording of the GDPR and provides for an enhanced level of legal certainty. Within this approach, profiling is considered to be step 1 and decision-making to be step 2. The two steps are treated as distinct, yet logically interconnected. This helps understand how profiling and decision-making are conducted. It makes it possible to identify the legal implications of these two steps and to allocate who is legally responsible, no matter how many parties are involved. The approach might be particularly helpful in the context of joint controllership, as it makes it possible to delineate whether joint controllership is given in the first place and to allocate the respective responsibilities of the parties concerned. Profiling (step 1) leads to implications of primary relevance for the data subjects’ right to the protection of personal data. Decision-making (step 2) regularly does not lead to such data protection implications but is primarily relevant from a personal autonomy and (economic) freedom perspective. A notable exception is the rare scenario of solely automated decision-making falling under Art. 22(1) GDPR. The two-step approach is eventually applied to a use case that concerns profiling and automated decision-making in the context of credit scoring conducted by a social network. |
| ArticleNumber | 105662 |
| Author | Wiedemann, Klaus |
| Author_xml | – sequence: 1 givenname: Klaus surname: Wiedemann fullname: Wiedemann, Klaus email: klaus.wiedemann@ip.mpg.de organization: Max Planck Institute for Innovation and Competition, Munich, Germany |
| BookMark | eNp9kEtLAzEQgINUsNb-AU856mFrHpttKl5K1SooFlHwFvK0qdtNSVLFf-8uFQ8eOpcZZviGme8Y9JrQWABOMRphhKuL1UjXKY4IIqRtsKoiB6BPCCZFOS5576-mb0dgmNIKtUEpRrzsg8dFDM7XvnmHsjHwTG5zWMtszTk0VvvkQ1Os5Uc33zbGRpiXFs6vF8-XcArzVyhSthsoN5sYpF6egEMn62SHv3kAXm9vXmZ3xcPT_H42fSg0RSgXminGJKow00pP1KTCjipZScwNQpxSpblkzJUTiZgbG8U5LQ2zhjmtiFOEDgDf7dUxpBStE9pnmdtjc5S-FhiJzoxYic6M6MyInZkWJf_QTfRrGb_3Q1c7yLZPfXobRdLeNtoaH63OwgS_D_8BjvJ-wA |
| CitedBy_id | crossref_primary_10_17803_2713_0533_2024_3_29_491_513 crossref_primary_10_1080_10496491_2023_2251465 crossref_primary_10_1016_j_omega_2024_103077 |
| ContentType | Journal Article |
| Copyright | 2022 The Authors |
| Copyright_xml | – notice: 2022 The Authors |
| DBID | AAYXX CITATION |
| DOI | 10.1016/j.clsr.2022.105662 |
| DatabaseName | CrossRef |
| DatabaseTitle | CrossRef |
| DatabaseTitleList | |
| DeliveryMethod | fulltext_linktorsrc |
| Discipline | Law |
| EISSN | 2212-4748 |
| ExternalDocumentID | 10_1016_j_clsr_2022_105662 S0267364922000103 |
| GroupedDBID | --K --M .DC .~1 0R~ 1B1 1RT 1~. 1~5 29F 4.4 457 4G. 5GY 5VS 6J9 7-5 71M 8P~ 9JN 9JO AACTN AAEDT AAEDW AAFJI AAIKJ AAKOC AALRI AAOAW AAQFI AAQXK AAXKI AAXUO AAYFN ABBOA ABFNM ABMAC ABMMH ABXDB ACDAQ ACGFS ACHQT ACNNM ACRLP ACZNC ADEZE ADJOM ADMUD AEBSH AEKER AFJKZ AFKWA AFTJW AGHFR AGUBO AGYEJ AHHHB AHZHX AIEXJ AIKHN AITUG AJOXV AKRWK ALMA_UNASSIGNED_HOLDINGS AMFUW AMRAJ AXJTR BKOJK BLXMC CS3 DU5 EFJIC EO8 EO9 EP2 EP3 FDB FEDTE FGOYB FIRID FNPLU FYGXN G-2 G-Q GBOLZ HLX HLZ HVGLF HZ~ IHE J1W KOM LG8 LG9 M41 MO0 MS~ N9A O-L O9- OAUVE OZT P-8 P-9 PC. PRBVW Q38 R2- RIG RPZ SBC SBM SDF SDG SDP SES SEW SPC SSB SSO SSV SSZ T5K UHS WUQ YK3 ~G- AATTM AAYWO AAYXX ABWVN ACRPL ACVFH ADBBV ADCNI ADNMO AEUPX AFPUW AFXIZ AIALX AIGII AIIUN AKBMS AKYEP AOMHK AOUOD ASPBG AVARZ AVWKF AZFZN BNPGV CITATION EBS EJD GBLVA ROL SSH |
| ID | FETCH-LOGICAL-c300t-c5b55a0615cbc9b961f3ba6a18d00833bc8a55f49a05f7db8834d5ed5fcb2fb23 |
| IEDL.DBID | .~1 |
| ISSN | 2212-473X |
| IngestDate | Tue Jul 01 05:14:40 EDT 2025 Thu Apr 24 22:51:22 EDT 2025 Tue Dec 03 05:07:57 EST 2024 |
| IsPeerReviewed | true |
| IsScholarly | true |
| Keywords | Automated decision-making Data protection law Profiling Anti-discrimination law Credit scoring GDPR |
| Language | English |
| LinkModel | DirectLink |
| MergedId | FETCHMERGED-LOGICAL-c300t-c5b55a0615cbc9b961f3ba6a18d00833bc8a55f49a05f7db8834d5ed5fcb2fb23 |
| ParticipantIDs | crossref_citationtrail_10_1016_j_clsr_2022_105662 crossref_primary_10_1016_j_clsr_2022_105662 elsevier_sciencedirect_doi_10_1016_j_clsr_2022_105662 |
| ProviderPackageCode | CITATION AAYXX |
| PublicationCentury | 2000 |
| PublicationDate | July 2022 2022-07-00 |
| PublicationDateYYYYMMDD | 2022-07-01 |
| PublicationDate_xml | – month: 07 year: 2022 text: July 2022 |
| PublicationDecade | 2020 |
| PublicationTitle | Computer law & security review |
| PublicationYear | 2022 |
| Publisher | Elsevier Ltd |
| Publisher_xml | – name: Elsevier Ltd |
| SSID | ssj0000331084 ssj0016986 |
| Score | 2.2862418 |
| Snippet | This paper examines profiling and decision-making under the GDPR and analyses how these two processes are interconnected. The GDPR's definition of profiling is... |
| SourceID | crossref elsevier |
| SourceType | Enrichment Source Index Database Publisher |
| StartPage | 105662 |
| SubjectTerms | Anti-discrimination law Automated decision-making Credit scoring Data protection law GDPR Profiling |
| Title | Profiling and (automated) decision-making under the GDPR: A two-step approach |
| URI | https://dx.doi.org/10.1016/j.clsr.2022.105662 |
| Volume | 45 |
| hasFullText | 1 |
| inHoldings | 1 |
| isFullTextHit | |
| isPrint | |
| link | http://utb.summon.serialssolutions.com/2.0.0/link/0/eLvHCXMwnV3LSgMxFA21btyIT6yPkoULRcZOMsk83JVqrY-Woha6G_KESm1LndKd324ykykK0oXLCXMhnAn3HjL3ngPAeRQhHgpJvVgx5ZEIay_GEtmJZaJNiSeU2fuObi_sDMjjkA4roFXOwti2Spf7i5yeZ2u30nBoNmajUePVeicFIUmwnTZBueInIZHVz7_-Qqt7Fj8wBMbOYro_C2GSuz9ik7LN1oKhG6Qper7E-NNqhGKcG9KH-O9i9aMAtXfAtmOOsFlsbhdU1GQPbDyz5T7o9nPnbVOFIJtIeMEW2dQwUSUvoXQeOt5HbjsF7czYHBrWB-9v-y83sAmz5dQzn3oGS3nxAzBo3721Op7zSfBE4PuZJyinlFluIrhIeBIiHXAWMhRLy7ACLmJGqSYJ86mOJI_jgEiqJNWCY81xcAiqk-lEHQGItY6F4Xy-0iFBOmbK8CMsMJJc-CTiNYBKQFLhRMStl8U4LbvF3lMLYmpBTAsQa-BqFTMrJDTWvk1LnNNfByE1OX5N3PE_407Aln0qOnBPQTWbL9SZ4RkZr-cHqQ42mw9Pnd4356_OIQ |
| linkProvider | Elsevier |
| linkToHtml | http://utb.summon.serialssolutions.com/2.0.0/link/0/eLvHCXMwnV1JS8NAFB5qPehFXLGuc_CgSGxmy-JN3Kq2pWgLvYVZoaJt0ZTe_O3OJBNREA9eMxkYvjze-5i8730AHMUxEpFULEg01wGNsQkSrJBTLFNjSzxl3N13dLpRa0Dvh2xYA5eVFsa1VfrcX-b0Ilv7J02PZnM6GjWfnHcSiWiKndoEuYmfi5SR2IX22Qf6umgJiWUwTozpfy1EaWH_iG3OtmcjQ6-kKZu-5Mu7GxKKceFIH-Hfq9W3CnSzClY8dYQX5enWQE2P18FCm883QKdXWG_bMgT5WMFjPssnlopqdQKVN9EJXgvfKehEY2_Q0j54e9V7PIcXMJ9PAvutp7CaL74JBjfX_ctW4I0SAknCMA8kE4xxR06kkKlII2SI4BFHiXIUiwiZcMYMTXnITKxEkhCqmFbMSIGNwGQL1MeTsd4GEBuTSEv6Qm0iikzCtSVIWGKkhAxpLBoAVYBk0k8Rd2YWL1nVLvacORAzB2JWgtgAp197puUMjT_fZhXO2Y9IyGyS_2Pfzj_3HYKlVr_Tztp33YddsOxWynbcPVDP32Z635KOXBwUQfUJ4lzPtw |
| openUrl | ctx_ver=Z39.88-2004&ctx_enc=info%3Aofi%2Fenc%3AUTF-8&rfr_id=info%3Asid%2Fsummon.serialssolutions.com&rft_val_fmt=info%3Aofi%2Ffmt%3Akev%3Amtx%3Ajournal&rft.genre=article&rft.atitle=Profiling+and+%28automated%29+decision-making+under+the+GDPR%3A+A+two-step+approach&rft.jtitle=Computer+law+%26+security+review&rft.au=Wiedemann%2C+Klaus&rft.date=2022-07-01&rft.issn=2212-473X&rft.volume=45&rft.spage=105662&rft_id=info:doi/10.1016%2Fj.clsr.2022.105662&rft.externalDBID=n%2Fa&rft.externalDocID=10_1016_j_clsr_2022_105662 |
| thumbnail_l | http://covers-cdn.summon.serialssolutions.com/index.aspx?isbn=/lc.gif&issn=2212-473X&client=summon |
| thumbnail_m | http://covers-cdn.summon.serialssolutions.com/index.aspx?isbn=/mc.gif&issn=2212-473X&client=summon |
| thumbnail_s | http://covers-cdn.summon.serialssolutions.com/index.aspx?isbn=/sc.gif&issn=2212-473X&client=summon |