Profiling is defined under article 4 of the GDPR as “any form of automated processing of personal data consisting of using those data to evaluate certain personal aspects relating to a natural person, in particular to analyze or predict aspects concerning that natural person’s performance at work, economic situation, health, personal preferences, interests, reliability, behavior, location or movements.”
Generally, profiling consists of three elements: it is an automated form of processing, it concerns personal data and its purpose is to evaluate personal aspects about a natural person. The individual has the right to refuse profiling. There are a few special cases where automated decisioning is permitted, such as when the process is authorized by law or regulation within a Member State or when it is necessary for entering into a contract between the data subject and the data controller or if it is based on explicit consent. In the case of contractual agreement, the controller has to implement measures that protect the rights of the individuals. For example, individuals should be allowed to express their point of view, to obtain information about the decision that has been reached based on the profiling and of course, the right to contest this decision.
So, why is it such a concern? The general view is that profiling can have a considerable effect to the fundamental rights of an individual and it can lead, in its most extreme forms, to the violation of the principle of non-discrimination. If done correctly however, profiling can have benefits for both the organization and the individual. Correct forms of profiling include for instance consensual interviews, both online or face-to-face, meant as marketing research. As long as the rights of the individual are respected, the results can be used in a positive manner, to improve the quality of the services provided.