GDPR and Profiling

What is data profiling?

Profiling is defined by more than just the collection of personal data; it is the use of that data to evaluate certain aspects related to the individual. The purpose is to predict the individual’s behaviour and take decisions regarding it. In the context of email marketing, it can be the choice to send a particular targeted email campaign instead of another one.

Profiling can be defined by three specific elements:

• It implies an automated form of processing;

• It is carried out on personal data; and

• The purpose of it is to evaluate certain personal aspects of a natural person to predict their behaviour and take decisions regarding it.

Is data profiling allowed by GDPR?

Yes, but there are some requirements you need to respect to ensure the profiling data subjects’ rights.

What are the rights on profiling data subjects?

The rights on profiling data subjects are:

• Be forgotten; be informed; have data deleted; a copy of their personal data (within a month, free of charge)

• The right to data portability – data electronically in a commonly used format;

• The right to object;

• The right to halt; and

• Rights in relation to automated decision making and profiling.

What happens when a profiling data subject requests the halt of the profiling?

Under Article 19, upon the data subject’s request to halt the profiling, the processing must cease unless the controller demonstrates that the objection overrides the interests, rights and freedoms of the data subject.

Is profiling allowed on children?

No, profiling and automated decision making are not allowed on children, irrespective of their age.