Is Profiling Still Allowed Under GDPR?

Written by Edwin Jacobs, in category Rules & regulations

Ecommerce merchants, PSPs, fintech companies and financial institutions use big data technologies to improve customer intelligence, reduce risk, and meet regulatory objectives. For all companies doing business in Europe, including those based in the US or elsewhere outside the EU, it is crucial to align business operations with the General Data Protection Regulation (GDPR) that will come into force on 25 May 2018.

Published in the Paypers guide

This article was published in the Online Payments and Ecommerce Market Guide 2017, an online report by The Paypers.

The publication date of this report was 01 Nov 2017. In the meantime the Working Party 29 released a new guideline on profiling:

What is profiling?

Profiling is defined in the GDPR as “any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person’s performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements”.

Non-automated data processing cannot constitute profiling.

Website visitor tracking

Merely tracking a website visitor on an ecommerce platform is not considered profiling, but using such data to evaluate his/her behaviour, personal preferences and interests while shopping online would be. Profiling requires some sort of outcome or action resulting from processing the collected data. It also implies automated data processing for the purpose of making decisions concerning the data subjects.

Restrictions on profiling-based decisions producing legal effects

The GDPR does not necessarily give data subjects the right to avoid profiling itself (e.g. automated processing of personal data for the purpose of making a decision), but rather the right to avoid being “subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her or similarly significantly affects him or her.” For example, a person could no longer be subjected to an automated refusal of an online credit application or e-recruiting practices without any human intervention.

However, the GDPR clarifies that the decision itself may, nonetheless, be made provided it is:

  • (1) necessary for entering into, or performance of, a contract between the data subject and a data controller;
  • (2) authorized by Union or member state law to which the controller is subject and which also lays down suitable measures to safeguard the data subject’s rights and freedoms and legitimate interests; such safeguards may include anonymization or pseudonymization; or
  • (3) based on the data subject’s explicit consent.

If a decision is made pursuant to a contract with the data subject or his explicit consent, the controller (e.g. merchant or ecommerce platform) must still allow the data subject to contest the decision.

The GDPR clearly states that profiling-based decisions shall not be based on special categories of personal data (e.g. racial, ethnic, or religious information), with the exception of two situations:

  • (1) the data subject has given explicit consent for the processing of such personal data for specified purposes, except those prohibited by law, or
  • (2) if processing is necessary for reasons of substantial public interest.

It is expected that the European Data Protection Board will provide additional guidance on this topic.

What to do in case of permissible profiling

When profiling is lawful, a data controller must still use appropriate mathematical or statistical procedures, implement technical and organisational measures to correct personal data inaccuracies and avoid errors, secure all personal data, and minimize the risk of “discriminatory effects against natural persons on the basis of racial or ethnic origin, political opinion, religion or beliefs, trade union membership, genetic or health status, or sexual orientation.”

For some profiling activities, the appointment of a Data Protection Officer may be mandatory. 

A data protection impact assessment (DPIA) will be required when a data controller engages in “a systematic and extensive evaluation of personal aspects relating to natural persons, which is based on automated processing, including profiling, and on which decisions are based that produce legal effects concerning the natural person or similarly significantly affect the natural person.”

This implies that profiling as such doesn’t trigger a DPIA requirement, but if legal effects are based on the profiling, a DPIA will be needed.

Notice and access

When data is collected, the data controller must inform the subject that profiling will occur and explain “the logic involved” and “the envisaged consequences of such processing.” The data subject has the right to ask for information about any such processing, including profiling and its consequences, at any time.

Even when profiling is permissible, the data subject has the right to object at any time. In that case, the processing of data must cease unless the controller demonstrates “compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject.”

We believe that typically an antifraud policy or AML-KYC measures could tip the balance in favour of the ecommerce platform/merchant acting as the data controller.

Profiling for direct marketing purposes

When processing is for direct marketing purposes, including profiling, the data subject also has the right to object but, in this case, processing must cease and the controller is not authorized to continue under any circumstances.

How can you prepare?

Ensure that you have a valid legal basis for your profiling use; ensure that no sensitive personal data are used for profiling, unless prior consent was obtained and suitable privacy safeguards are used. Do you have a compliant privacy and cookie statement? Inform data subjects that profiling is used and present its purposes and potential consequences, the underlying logic, relevant retention periods, as well as the procedures by which they can have an automated decision re-evaluated by a human being. If you need a DPIA and/or DPO, make sure you have it all in place before 25 May 2018.