The rights in relation to automated decision making
Unlock This Video Now for FREE
This video is normally available to paying customers.
You may unlock this video for FREE. Enter your email address for instant access AND to receive ongoing updates and special discounts related to this topic.
GDPR has provisions on automated decision-making where a decision is solely made by automated means, without any human intervention and profiling, which is where their personal data is processed to evaluate certain things about them. Profiling can be part of an automated decision-making process.
Examples of automated decision making would be an online decision to provide an individual with a loan or a recruitment aptitude test, which uses pre-programmed algorithms.
Most businesses do not carry out this type of processing and those that do would usually have a well-qualified Data Protection Officer.
Automated decision making is only permitted where it is necessary for the entry into a performance or contract, where it is based on the individual’s explicit consent or when authorised by Union or Member state law, applicable to the controller.
If you are carrying out this type of processing you must give individuals information about the processing, introduce easy ways for them to request human intervention or a simple way for them to challenge any decision made. You must make sure that regular checks are made to ensure the system is working as intended.
Due to the high risk accorded to this type of processing under GDPR, you have to carry out a Data Protection Impact Assessment or DPIA to show that you have identified and assessed those risks and how you will address them.
If you are carrying out this type of processing, all information should be included in your privacy statement or privacy policy. Decide your lawful basis for processing and ensure that you meet all of the privacy principles.