The new rules give you the right not to be subject to a decision based solely on automated processing if it affects you legally or substantively.
Automated individual decision making is a decision made by automated means without any human involvement. Examples of this include:
Automated individual decision making does not have to involve profiling, although it often will do.
Automated decisions can be based on any type of data, including data provided directly by the individuals, data observed about the individuals, or data inferred from elsewhere (such as a profile of the individual that has already been created).
Organisations can only carry out automated decision making that has legal or similarly significant effect where the decision is:
The details of the automated decision making should be documented in the organisation’s privacy notice.
For automated decision making they should explain what information is used, why it's used and what the effects might be.
In addition to this, they should also provide you with a simple way to request intervention or the chance to challenge a decision.
The organisation must also carry out regular checks to make sure its systems are working as intended.
You also have the right to object to profiling, including profiling used for direct marketing purposes.
Companies must inform you of your right to object at the latest at their point of first communication with you, or - for example - in their privacy notice.
If they receive an objection to processing personal data for marketing purposes, they must ensure that your personal data is no longer processed for such purposes.
Companies often use algorithms to gather information about you. This analysis reveals links between your different behaviours and characteristics to create a personalised profile of your preferences.
This profile information can then be used by those companies to make decisions that affect you.
Under GDPR, profiling means gathering information about an individual (or group of individuals) and analysing their characteristics or behaviour patterns in order to place them into a certain category or group, and/or to make predictions or assessments about, for example, their:
They should explain to you how you’re able to access the details of the information used to create your profile.
The organisation should also have procedures that let you access the personal data input into the profiles, so you can review it and correct any inaccuracies.
If you’d like to object to profiling or automated decision making, ask the organisation for a copy of, or a link to, its procedures for appealing profiling and automated decision making.
If it is carrying out this type of decision making, it must have a procedure in place which explains how you can challenge, edit or withdraw consent.