Profiling And Automated Decisions Flashcards
What is the definition of ‘profiling’ according to GDPR, and what are the three elements that are required for a process to be considered profiling?
According to GDPR, ‘profiling’ is any form of automated processing of personal data that evaluates certain personal aspects relating to a natural person, and it includes three elements:
- automated processing,
- personal data,
- intended to evaluate certain personal aspects of the natural person.
What are automated decisions?
Automated decisions:
- are made by automated processing of personal data,
- may partially overlap with profiling or be based upon it,
- can involve any type of personal data,
- may involve human intervention or not.
What does Article 22 GDPR relate to?
Article 22 GDPR regulates automated individual decision-making, including profiling, with legal effects or similarly significant effects.
What is the general content of Article 22 of GDPR?
Article 22 GDPR provides the right for individuals not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning them or similarly significantly affects them, unless an exception is available to the controller.
What is the limited scope of application of Article 22 GDPR?
Article 22 only applies to decisions based solely on automated processing that produce legal effects or similarly significant effects concerning the data subject, with the majority of profiling activities and automated decisions falling outside its scope.
What are the elements of a decision with legal or similarly significant effects?
It must have the potential to significantly affect circumstances, behaviour, or choices of the data subject.
What are some examples of decisions with significant effects?
They include eligibility to credit, access to health services, employment opportunities, and education.
Can online advertising targeted to a group significantly affect an individual?
Online advertising targeted to a group may not significantly affect an individual, but its effect on the group is uncertain.
What are the exceptions to the general prohibition of automated decisions?
Exceptions include necessity for entering into or performing a contract, authorization by law, or explicit consent of the data subject.
What are the data subject’s rights regarding automated decisions?
Data subjects have the right to meaningful information, and controllers must implement suitable measures to safeguard their rights and freedoms.
What are the consequences of controllers not complying with GDPR?
Controllers must respect data protection principles and must ground their processing activities on a lawful base.
Are inferences, assessments, predictions, or correlations considered personal data?
Their legal status is uncertain, and there is no clear answer.
What are the data subject’s rights to adequate safeguards?
Data subjects have the right to human intervention, to express their point of view, and to contest the decision.
What is the general GDPR legal regime for automated decision-making, including profiling?
Automated decision-making, including profiling, is allowed but it is subject to certain requirements, including:
- the right for the data subject to obtain human intervention,
- the right to be informed about the existence of automated decision-making, and
- the right to object to the decision-making.
The decision-making must also be fair, transparent, and based on appropriate safeguards, such as appropriate data protection impact assessments.
What are some general problems associated with automated decision-making?
Some problems include the uncertain legal status of inferences, assessments, predictions, or correlations, and conflicts of interest.