Profiling
Profiling is any automated processing of personal data used to evaluate, analyse or predict personal aspects of an individual, such as work performance, economic situation, health, behaviour or location.
Under Art. 4(4) GDPR, profiling means any form of automated processing of personal data that uses those data to evaluate certain personal aspects of a natural person. This covers, in particular, the analysis or prediction of aspects concerning work performance, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements. The decisive element is the evaluative or predictive character: existing data are used to infer characteristics or future behaviour, going beyond the mere storage or listing of information.
Profiling is not a legal basis in itself but a form of processing that, like any other, requires a legal basis under Art. 6 GDPR and must comply with the general principles of Art. 5 GDPR, in particular purpose limitation, data minimisation, transparency and accuracy. Controllers must inform data subjects under Art. 13 and 14 GDPR about the existence of profiling and make its significance and the envisaged consequences intelligible to them. Where special categories of personal data under Art. 9 GDPR are involved, such as health or trade union data, additional, stricter requirements apply.
A specific legal limit is set by Art. 22 GDPR: where profiling leads to a solely automated decision that produces legal effects or similarly significantly affects the person, this is in principle prohibited and permitted only in narrow exceptions, for example with explicit consent, contractual necessity, or a legal authorisation accompanied by suitable safeguards. Under Art. 21 GDPR data subjects have the right to object to profiling based on legitimate interests or a public-interest task, and an unconditional right to object where profiling serves direct marketing. Extensive or particularly intrusive profiling regularly triggers the obligation to carry out a data protection impact assessment under Art. 35 GDPR.
Legal Basis
Art. 4(4), Art. 5, Art. 6, Art. 13 and 14, Art. 21, Art. 22 GDPR
Practical Example
An online retailer automatically analyses purchase history, click behaviour and payment data to assign each customer a creditworthiness and fraud-risk score that determines which payment methods are offered. As the data protection coordinator, you first verify the legal basis, document the profiling in the record of processing activities, and extend the privacy notice with a clear explanation of the logic and significance involved. Because the score co-determines whether the contract is concluded, you assess whether Art. 22 GDPR applies, carry out a data protection impact assessment, and set up a process allowing data subjects to request human review, to express their point of view, and to contest the decision.