Article 22

Automated individual decision-making, including profiling

1.   The data subject shall have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her or similarly significantly affects him or her.

2.   Paragraph 1 shall not apply if the decision:

(a) is necessary for entering into, or performance of, a contract between the data subject and a data controller;

(b) is authorised by Union or Member State law to which the controller is subject and which also lays down suitable measures to safeguard the data subject’s rights and freedoms and legitimate interests; or

(c) is based on the data subject’s explicit consent.

3.   In the cases referred to in points (a) and (c) of paragraph 2, the data controller shall implement suitable measures to safeguard the data subject’s rights and freedoms and legitimate interests, at least the right to obtain human intervention on the part of the controller, to express his or her point of view and to contest the decision.

4.   Decisions referred to in paragraph 2 shall not be based on special categories of personal data referred to in Article 9(1), unless point (a) or (g) of Article 9(2) applies and suitable measures to safeguard the data subject’s rights and freedoms and legitimate interests are in place.

What does it mean?

Automated decision-making is when decisions are made about an individual purely by automated processes, including profiling, without human involvement. This could happen through AI-driven decision-making.

Profiling involves analyzing personal data to evaluate or predict characteristics such as behavior, preferences, or economic situation, essentially creating a profile of an individual.

Individuals have the right not to be subject to decisions made solely by automated processing if those decisions produce legal effects or significantly affect them.

Automated decision-making is permitted when:

  • It is necessary for entering into or performing a contract.
  • It is authorized by law.
  • It is based on explicit consent from the individual.

Legal effects include decisions impacting an individual’s legal rights, such as being denied a loan. Significant effects could include decisions influencing employment opportunities or access to essential services, such as health care.

Organizations must:

  • Allow human intervention in the decision-making process.
  • Allow data subjects to express their point of view regarding the decision-making.
  • Provide the option to contest the decision.

However, these requirements do not apply when automated decision-making is authorized by law.

Generally, automated decisions may not be based on special categories of personal data. However, this is allowed if:

  • The individual gives explicit consent.
  • It is necessary for reasons of substantial public interest, with safeguards in place.

Human intervention ensures a person reviews and potentially overrides an automated decision, giving individuals a chance to explain their situation.

Under Articles 13(2)(f) and 14(2)(g), data subjects have the right to be informed when automated decision-making is used.

They can contact the data controller to request a review, explain their point of view, or challenge the decision.
