Profiling: Definition

GDPR Art. 4.4: "Any automated processing of data to evaluate personal aspects, such as performance at work, economic situation, health, preferences, interests, reliability, behavior, location."

Profiling examples:

• Credit scoring (credit reliability)

• Behavioral insurance scoring

• Automated recruiting (AI CV screening)

• Banking fraud detection

• Predictive policing

• Marketing segmentation

Lawfulness of profiling:

Profiling IN ITSELF is lawful if:

• ✅ Is there consent or other legal basis?

• ✅ Clear information (existence, logic, consequences)

• ✅ DOES NOT produce automated decisions under Article 22 (or falls within exceptions)

Unlawful if:

• ❌ On sensitive data without conditions Art. 9.2

• ❌ Produces automated decisions without human intervention

• ❌ Lack of information/consent

The 3 Exceptions: Lawful Automated Decisions (Art. 22.2)

Art. 22.1 prohibits purely automated decisions, BUT Art. 22.2 provides exceptions:

a) Necessary by contract (Art. 22.2.a)

Automated decision necessary to conclude/execute a contract.

Legal example:

• Automatic approval for small-amount financing (<€5,000) according to standard policy

• Automatic online insurance premium calculation based on objective parameters

NOT required:

• Automatic mortgage rejection: Banks can always require human review.

Interpretation: Restrictive exception, rarely to be used.

b) Authorized by law (Art. 22.2.b)

EU/national law explicitly provides for + protective measures.

Example:

• Anti-fraud banking algorithms (anti-money laundering regulations + appeal guarantees)

• Automatic tax calculation systems

c) Explicit consent (Art. 22.2.c)

The interested party has given explicit consent to the automated decision.

Requirements:

• Specific (for that specific decision)

• Informed (explains logic, consequences)

• Free (revocable)

• Unambiguous (clear positive action)