What is Profiling Under GDPR?
Profiling under the GDPR is any form of automated processing of personal data that evaluates personal aspects of a natural person, such as analyzing or predicting behavior, preferences, interests, or movements.
Profiling, as defined in Article 4(4) of the GDPR, is any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyze or predict aspects concerning that natural person's performance at work, economic situation, health, personal preferences, interests, reliability, behavior, location, or movements.
Profiling can occur as part of an automated decision-making process or as a separate activity. When profiling is used for automated decision-making that produces legal or similarly significant effects, Article 22 restrictions apply. Organizations must conduct a DPIA before engaging in systematic and extensive profiling with significant effects. Data subjects have the right to object to profiling based on legitimate interests or public interest, and to not be subject to decisions based solely on profiling that produce legal effects.
ComplyIQ helps organizations identify and document profiling activities, conduct required DPIAs, and ensure that appropriate transparency measures are in place. Organizations using profiling must inform data subjects about the existence of profiling, the logic involved, and the potential consequences through their privacy notices.
Related Terms
Automated Decision-Making
Automated decision-making refers to decisions made by technological means without human involvement, which under the GDPR is restricted when it produces legal or similarly significant effects on individuals.
Data Protection Impact Assessment (DPIA)
A Data Protection Impact Assessment is a systematic process for evaluating the potential impact of a data processing activity on individuals' privacy, required under the GDPR for processing likely to result in high risk to data subjects.
Data Subject Rights (DSR)
Data Subject Rights are the legal rights granted to individuals under data protection laws, enabling them to control how their personal data is collected, used, stored, and shared by organizations.
Privacy Notice / Privacy Policy
A privacy notice is a public-facing document that informs individuals about how an organization collects, uses, stores, shares, and protects their personal data, as required by data protection regulations.