1. The data subject shall have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her or similarly significantly affects him or her.
2. Paragraph 1 shall not apply if the decision:
(a) | is necessary for entering into, or performance of, a contract between the data subject and a data controller; |
(b) | is authorised by Union or Member State law to which the controller is subject and which also lays down suitable measures to safeguard the data subject’s rights and freedoms and legitimate interests; or |
(c) | is based on the data subject’s explicit consent. |
3. In the cases referred to in points (a) and (c) of paragraph 2, the data controller shall implement suitable measures to safeguard the data subject’s rights and freedoms and legitimate interests, at least the right to obtain human intervention on the part of the controller, to express his or her point of view and to contest the decision.
4. Decisions referred to in paragraph 2 shall not be based on special categories of personal data referred to in Article 9(1), unless point (a) or (g) of Article 9(2) applies and suitable measures to safeguard the data subject’s rights and freedoms and legitimate interests are in place.
Automated decision-making is when decisions are made about an individual purely by automated processes, including profiling, without human involvement. This could happen through AI-driven decision-making.
Profiling involves analyzing personal data to evaluate or predict characteristics such as behavior, preferences, or economic situation, essentially creating a profile of an individual.
Individuals have the right not to be subject to decisions made solely by automated processing if those decisions produce legal effects or significantly affect them.
Yes, automated decision-making is permitted when:
Legal effects include decisions impacting an individual’s legal rights, such as being denied a loan. Significant effects could include decisions influencing employment opportunities, access to essential services, such as health care.
Organizations must:
Though, these exceptions do not apply when automated decision-making is authorized by law.
Generally, the answer is no. However, it is allowed if:
Human intervention ensures a person reviews and potentially overrides an automated decision, giving individuals a chance to explain their situation.
Under Articles 13(2)(f) and 14(2)(g), data subjects have the right to be informed when automated decision-making is used.
They can contact the data controller to request a review, explain their point of view, or challenge the decision.
Ensure that your entire company is equipped with the necessary awareness training on the basics of GDPR and IT security.
Once you have submitted your details, you’ll be our top priority!