Guidelines on profiling and automated decision-making pursuant to the GDPR, from the Liechtenstein DPA

The Liechtenstein Data Protection Authority (“the DPA”) published on September 1, 2021, comprehensive guidelines on profiling and automated individual decision-making pursuant to Article 22 GDPR.

The DPA notes that current technological developments allow for the automated collection, processing, combination and analysis of enormous amounts of data in order to determine, for example, trends, correlations or other characteristics, which in turn can be assigned to specific groups. With the help of such comparison groups, characteristics or the behaviour of individual natural persons can subsequently be determined or predicted, which corresponds to a so-called “profiling” of the person. Such profiling measures are used, for example, in the areas of banking and financing, taxes, insurance, health, medicine, transport or advertising, for credit assessment, risk and fraud analysis, market research or for direct advertising.

This not only makes it possible to increase efficiency, but also to reduce costs. However, since an individual with his or her personal characteristics simultaneously becomes an object or a mere data set for the calculations of complex, non-transparent and increasingly self-learning algorithms, which are then sometimes followed by automated decisions with considerable consequences for the individual, the risk of discrimination of various kinds increases.

In this context, the DPA lays out the conditions that data controllers must comply with when carrying out profiling measures or automated individual decisions in order for these to be permissible and to reduce the risks to the rights and freedoms of data subjects as per the requirements of the GDPR.

1. Definition of profiling under the GDPR

The definition of profiling provided by Article 4 (4) GDPR highlights the following characteristics that a data processing operation must fulfil in order to be considered profiling under the GDPR and be subject to its rules:

  • an automated processing,
  • of personal data,
  • for the purpose of evaluating personal aspects relating to a natural person, in particular to analyse or predict their behaviour or other characteristics (e.g. work performance, economic situation, health, personal preferences, interests, reliability, location or movements).

If these points apply, a data processing operation must comply with both the general principles of the GDPR and its specific rules on profiling.

Examples: An example of profiling is the automated assessment of the creditworthiness (in particular the economic situation and reliability) of a natural person by means of a mathematically-statistically calculated scoring value. The compilation and evaluation of personal information from customers to predict their interests and to send them direct advertising that is as targeted as possible also constitutes profiling.

Note: A certain, rather limited degree of profiling for the purpose of direct marketing to existing customers is covered by the legitimate interest of a company and is therefore permitted. For this purpose, the data subject has a right of objection pursuant to Article 21 GDPR. However, if the profiling exceeds this level, e.g. by combining a large amount of different data, possibly from a wide variety of sources, or by carrying out very extensive profiling, it is no longer covered by the legitimate interest of the controller, but requires the consent of the data subject as a legal basis.

Nevertheless, according to the GDPR, profiling does not include the mere sorting of personal data on the basis of certain characteristics without evaluating them or analysing or predicting the behaviour of individuals, such as the selection of customer addresses by place of residence for the delivery of mail or for statistical purposes. Although such processing is not considered profiling under the GDPR, it is nevertheless subject to its general rules with regard to the processing of personal data.

2. General requirements for profiling under the GDPR

Profiling is initially subject to the general requirements of the GDPR for automated processing of personal data. However, there are also some specific rules that must be observed and complied with for profiling. In general, the GDPR requires for permissible profiling in Recital 71 that the data subject is guaranteed fair and transparent processing of his or her personal data. This requirement finds expression in the various rules of the GDPR for profiling, as shown below.

A) Principles according to Article 5 GDPR

Processing of personal data for profiling purposes must also comply with the general principles of the GDPR regarding lawfulness, fair processing, transparency, purpose limitation, data minimisation and proportionality, accuracy, storage limitation, integrity and confidentiality. The controller is accountable for this.

B) Legal basis

Any permissible profiling must be able to rely on a legal basis pursuant to Article 6 (and Article 9 in the case of special categories of personal data) of the GDPR. The requirements stipulated therein, such as consent or legitimate interest, must be strictly adhered to.

C) Data subject rights

As with any processing of personal data, the controller must also comply with the data subject rights pursuant to Article 12 et seq. GDPR.

The information obligations under Articles 13 and 14 of the GDPR and the right of access under Article 15 of the GDPR are of particular importance here. In addition to the general information and disclosure obligations, these articles also contain specific information and disclosure obligations regarding profiling (Art. 13 (2) (f), Art. 14 (2) (g), Art. 15 (1) (h) GDPR). In each case, the controller must provide information on "the existence of automated decision-making, including profiling, referred to in Article 22 (1) and (4) and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject". Recital 60 likewise states that the controller should inform the data subject "of the existence of profiling and the consequences of such profiling". The data subject must therefore in any case be informed of the existence of profiling and of its consequences or purposes. In addition, at least in cases of fully automated decision-making, meaningful information must be provided about the logic involved and the scope and intended effects of any profiling carried out. In principle, this duty to provide information must be interpreted very broadly, but it does not have to lead to the disclosure of actual business secrets.

The right to rectification, erasure or restriction of processing under Articles 16, 17 and 18 GDPR may also be relevant for a data subject in connection with profiling.

Profiling is also explicitly mentioned in Article 21 (1) and (2) GDPR (and Recital 70), where the right of a data subject to object to the processing of his or her personal data on the basis of a public or legitimate interest of the controller pursuant to Article 6 (1) (e) or (f) GDPR, or to profiling based on these provisions, is set out. In particular, this right to object also includes processing or profiling for direct marketing purposes. The controller must expressly inform a data subject of his or her right to object.

D) Data Protection Impact Assessment (DPIA)

Apart from the general criteria for the requirement of a DPIA, according to Article 35 (3) (a) GDPR, a DPIA is required in particular if "a systematic and extensive evaluation of personal aspects relating to natural persons which is based on automated processing, including profiling, and on which decisions are based that produce legal effects concerning the natural person or similarly significantly affect the natural person" is carried out. Thus, unless profiling is merely unsystematic, or is limited to very few assessments of personal aspects of individuals, or does not serve as a basis for decisions having legal effects or similarly significantly affecting individuals, a DPIA will have to be carried out in any case. Even otherwise, an obligation to conduct a DPIA would still have to be examined according to the general criteria for doing so. In any case, a DPIA is a useful tool to determine which measures should be taken to avoid or limit the risks of the planned data processing for the data subjects.

E) Appropriate procedures and measures

In order to ensure fairness and transparency of a data processing operation in the context of profiling, the controller should, in accordance with Recital 71:

  • use appropriate mathematical or statistical procedures for this purpose,
  • implement technical and organisational measures to ensure, in particular, that factors which result in inaccuracies in personal data are corrected and the risk of errors is minimised,
  • secure personal data in a manner that takes into account potential risks to the interests and rights of the data subject; and
  • prevent discrimination against natural persons on grounds of racial or ethnic origin, political opinions, religion or beliefs, trade union membership, genetic or health status and sexual orientation, including data processing that has such an effect.

F) Special categories of personal data and children

Profiling involving special categories of personal data (Article 9 GDPR) is only permitted in compliance with a legitimate legal basis under Article 6 and Article 9 (2) GDPR. This also applies to the production of special categories of personal data by linking various non-sensitive data via profiling (e.g. inferring the health status of a data subject from their food purchases and the quality or energy content of the food purchased).

Children are considered a particularly vulnerable social group in the GDPR. According to the European Data Protection Board, companies should therefore generally refrain from using profiling on them for advertising purposes.

3. Additional requirements for certain automated individual decisions (based on profiling) pursuant to Article 22 GDPR

In many cases, decisions are made using or supported by automated evaluations of personal data, such as profiling (profiling can but does not have to be the basis for an automated decision in an individual case pursuant to Article 22 GDPR). This is also permissible as long as the decision or measure of the controller relating to the individual case (which evaluates personal aspects of a data subject and has legal effect vis-à-vis them or similarly significantly affects them) is not based exclusively on such automated data processing without any human intervention.

Note 1: Such a legal effect or impairment may, for example, lie in the specific form of a contract offer (price, interest rate, other conditions etc.) or an automatic termination of a contract, concern the granting of state transfer benefits, have the effect of excluding or otherwise discriminating against a data subject or otherwise have a significant influence on the data subject's living conditions, behaviour or decisions.

Note 2: Human intervention must, however, reach a certain level of substantive co-responsibility and must not be limited to a mere review of decisions or to a purely routine application of profiles. This also means that a decision must not only be based on the automatically generated data, but must include an overall assessment of all relevant factors. The possibility of adjustment or correction of the decision by the competent natural person is essential.

However, if all of these criteria apply to a decision, it is - apart from a few exceptions (see below) - prohibited. This is intended to prevent people and their individual personality traits from becoming the mere object of computerised decision-making mechanisms which, on one hand, are prone to discrimination and, on the other hand, are extremely difficult to verify due to increasingly complex algorithms.

Examples: The decision on granting credit may not be based exclusively on the automatically calculated scoring value of the person applying for credit without any human intervention, but must also include other factors. Otherwise, it would be inadmissible pursuant to Article 22 (1) GDPR. Although a personnel decision on a position to be filled via an online tool may, in the case of a very large number of applications, be limited to candidates automatically pre-selected according to job-relevant criteria, it must ultimately be based on a holistic assessment of the individual applications. Only then does it fall outside the prohibition of Article 22 (1) GDPR.

Note: Individual case decisions that are not exclusively based on automated data processing but also involve other aspects and are made with the substantive involvement or review by a natural person, or that do not have legal or other significant effects on a data subject, or that do not assess any personal aspects at all, do not fall under the prohibition or the specific provisions of Article 22 GDPR. Similarly, automated data processing that does not result in a decision, but e.g. only creates an (internal) assessment, is not covered. For example, the calculation of a scoring value for credit assessment by credit agencies does not fall under Article 22 GDPR, because here it is the customer of the credit agency as the responsible party who makes the decision on the conclusion of a contract with the data subject. However, the general rules of the GDPR always apply to the processing of personal data (in the context of profiling).

In addition to the prohibition, Article 22 GDPR also provides for a number of exceptions when such an automated decision is permitted:

(a) if it is necessary for entering into, or performance of, a contract between the data subject and a data controller; one example that can be mentioned here is the automated checking of the account cover or the credit line granted for cash withdrawals at ATMs,

(b) if it is authorised by Union or Member State law to which the controller is subject and which also lays down suitable measures to safeguard the data subject's rights and freedoms and legitimate interests; or

(c) if it is based on the data subject's explicit consent.

However, in addition to the general and, where applicable, the profiling-related provisions of the GDPR, additional, stricter requirements for the protection of data subjects apply when these exceptions are used. For the exception at point (b), this requirement is already contained in the regulatory text itself; for the exceptions at points (a) and (c), Article 22 (3) GDPR explicitly stipulates that the controller must take appropriate measures to protect the rights and freedoms as well as the legitimate interests of the data subjects. To this end, it must at least ensure - as minimum rights of the data subjects:

  • that data subjects may request the intervention of a natural person on the part of the controller in the decision-making process,
  • that they are allowed to express their own point of view, and
  • that they can have the decision reviewed or challenged outside the legal process.

In addition, for all exceptions, specific information must be provided to data subjects about the existence of such automated decision-making and their rights as listed above, as well as an explanation of the decision taken. This specific information and disclosure obligation is further complemented by Articles 13, 14 and 15 of the GDPR, which additionally require meaningful information about the logic involved and the scope and intended effects of such processing or decision for the data subject.

In the event of the data subject's explicit consent to an automated individual decision affecting him or her, the requirements for valid consent pursuant to Article 7 GDPR must also be observed. Furthermore, the requirements of Recital 71 on the appropriate procedures and technical and organisational measures to ensure fairness and transparency as described above also apply to automated individual case decisions.

Finally, Article 22 (4) GDPR provides that such exceptionally permitted individual decisions based exclusively on automated processing may also contain special categories of personal data only if there is either the explicit consent of the data subject pursuant to Article 9 (2) (a) GDPR or a substantial public interest laid down in a legal provision pursuant to Article 9 (2) (g) GDPR. Then again, appropriate measures must be taken to protect the rights and freedoms and legitimate interests of the data subject. According to Recital 71, children should not be affected by decisions or measures based exclusively on automated data processing.

The full guidelines are available in German on the DPA's website: https://www.datenschutzstelle.li/index.php?cID=683

Nadia G.

Executive Assistant passionate about data protection

3 years ago

Thanks for sharing!

Dr Philippe VYNCKIER

Digital Security Expert, Retired, Cyber Threat Expert (Reservist), Office Anti Cybercriminalité - OFAC

3 years ago

Thanks for sharing