Your right to object to automated decision making

The changes introduced by the EU-wide General Data Protection Regulation (GDPR), brought into UK law as the Data Protection Act 2018, mean you can object to solely automated decision making, and some of these decisions (such as online credit or e-recruiting) will be subject to additional controls.

The new rules give you the right not to be subject to a decision based solely on automated processing if it affects you legally or substantively.

How automated decision making works

Automated individual decision making is a decision made by automated means without any human involvement. Examples of this include:

  • an online decision to award a loan; and
  • a recruitment aptitude test which uses pre-programmed algorithms and criteria.

Automated individual decision making does not have to involve profiling, although it often will do.

Automated decisions can be based on any type of data, including data provided directly by the individuals, data observed about the individuals, or data inferred from elsewhere (such as a profile of the individual that has already been created).

Data Protection: jargon buster

  • Processing is the act of obtaining, recording, holding or using data.
  • Data subject is an individual who is the subject of personal data.
  • Data controller is a person or organisation that decides how personal data is processed. In many cases they will need the consent of the data subject to do this.
  • Data processor is any person or organisation that processes data on behalf of the data controller.

How organisations can use your data

Organisations can only carry out automated decision making that has a legal or similarly significant effect where the decision is:

  • necessary for the entry into or performance of a contract; or
  • authorised by UK law applicable to the controller; or
  • based on your explicit consent.

The details of the automated decision making should be documented in the organisation’s privacy notice.

For automated decision making they should explain what information is used, why it's used and what the effects might be.

In addition to this, they should also provide you with a simple way to request intervention or the chance to challenge a decision.

The organisation must also carry out regular checks to make sure its systems are working properly as intended.

Your right to object to profiling

You also have the right to object to profiling, including profiling used for direct marketing purposes.

Companies must inform you of your right to object at the latest at their point of first communication with you, and in their privacy notice.  

If they receive an objection to processing personal data for marketing purposes, they must ensure that your personal data is no longer processed for such purposes.

How profiling works

Companies often use algorithms to gather information about you. This analysis reveals links between your different behaviours and characteristics to create a personalised profile of your preferences.

This profile information can then be used by those companies to make decisions that affect you.

Under GDPR, profiling means gathering information about an individual (or group of individuals) and analysing their characteristics or behaviour patterns in order to place them into a certain category or group, and/or to make predictions or assessments about, for example, their:

  • performance at work
  • economic situation
  • health
  • personal preferences
  • interests
  • reliability
  • behaviour
  • location or movements.

What companies must do

They should explain to you how you’re able to access the details of the information used to create your profile.

The organisation should also have procedures for you to access the personal data input into the profiles, so you can review it and edit it for any accuracy issues.

How to object to automated decision making or profiling

If you’d like to object to profiling or automated decision making, ask the organisation for a copy of, or a link to, its procedures for appealing profiling and automated decision making.

If it is carrying out this type of decision making, it must have a procedure in place which explains how you can challenge, edit or withdraw consent.

If it doesn’t provide you with useful information and next steps to take, contact the Information Commissioner's Office (ICO).
