Profiling
Profiling is automated processing of personal data used to evaluate personal aspects such as preferences, behaviour or reliability. The GDPR sets specific requirements for profiling and grants data subjects the right to object and to human intervention.
What is profiling?
Profiling is defined in GDPR Article 4(4) as any form of automated processing of personal data that consists of using personal data to evaluate certain personal aspects relating to a natural person. This includes analysis of or predictions about:
- Work performance and economic situation
- Health and personal preferences
- Interests and reliability
- Behaviour, location and movements
Profiling is more widespread than many realise. Newsletters tailored to click behaviour, credit assessments based on transaction data and targeted advertising are all forms of profiling.
Profiling and automated decision-making
GDPR Article 22 regulates automated decision-making, including decisions based on profiling. Article 22 prohibits, as a general rule, decisions made solely by automated means that produce legal effects concerning the data subject or similarly significantly affect them.
Examples of automated decisions with legal effects:
- Automatic rejection of a loan application based on credit scoring
- Automatic rejection of a job application based on algorithms
- Automatic pricing based on a personal profile
Such automated decisions are only permitted if one of the following applies:
- It is necessary for entering into or performing a contract
- It is authorised by EU or Member State law
- It is based on the data subject's explicit consent
In all cases, the data subject has the right to human intervention, to express their point of view and to contest the decision.
GDPR requirements for profiling
Profiling requires a valid legal basis. The most commonly used are consent and legitimate interest. In addition, you must:
- Inform the data subject about profiling via your privacy policy (transparency obligation)
- Respect the data subject's right to object (Article 21)
- For direct marketing: cease immediately upon objection (unconditional right)
- Carry out a DPIA if the profiling is systematic and extensive
- Not base profiling on sensitive personal data unless an Article 9 exemption applies
Profiling of children requires particular caution. Recital 71 of the GDPR states that automated decisions should not concern children.
Profiling in practice
To handle profiling correctly:
- Map where in your organisation profiling takes place
- Document each instance in your record of processing activities with purpose and legal basis
- Implement mechanisms to handle objections
- Ensure human oversight for automated decisions
- Apply data minimisation: use only the data necessary for the profiling
Be aware that cookie-based profiling typically requires consent under the ePrivacy rules (cookie legislation), in addition to the GDPR legal basis.
Frequently Asked Questions about Profiling
What is profiling under the GDPR?
Profiling is any form of automated processing of personal data that is used to evaluate personal aspects such as work performance, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements.
When is profiling permitted?
Profiling is permitted when you have a valid legal basis (e.g. consent or legitimate interest). Profiling that leads to automated decisions with legal effects additionally requires one of the following: the data subject's explicit consent, necessity for entering into or performing a contract, or authorisation by EU or Member State law.
Can the data subject object to profiling?
Yes. GDPR Article 21 gives the data subject the right to object to profiling based on legitimate interest. For direct marketing, the right is unconditional. For profiling with automated decisions, the data subject has the right to human intervention.
What is the difference between profiling and automated decision-making?
Profiling is the analysis of personal data to evaluate personal aspects. Automated decision-making means taking decisions without human involvement. The two can be combined but need not be: you can profile without making automated decisions, and automated decisions need not be based on profiling.
Related Terms
Data Subject
The data subject is the natural person whose personal data is processed by an organisation under the GDPR.
Consent
A freely given, specific, informed and unambiguous indication by which a data subject agrees to the processing of their personal data under GDPR.
Data Protection Impact Assessment (DPIA)
A systematic assessment of how a planned data processing activity affects the rights and freedoms of data subjects, required under GDPR Article 35 when processing is likely to result in a high risk.
.legal A/S
hello@dotlegal.com