Article 22 of the General Data Protection Regulation (GDPR) deals with the right of individuals not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning them or similarly significantly affects them.
In other words, the GDPR prohibits organisations from making decisions about individuals’ data that are based solely on automated processing, such as algorithms or software. This is because such decisions can have a significant impact on individuals, and they may not have the opportunity to challenge the decision or have their say.
There are three exceptions to this rule mentioned in SS.2 of the same Article:
a. If the automated decision is necessary for entering into, or performance of, a contract between the data subject and a data controller;
b. If the automated decision is authorised by Union or Member State law to which the controller is subject, and which also lays down suitable measures to safeguard the data subject’s rights and freedoms and legitimate interests; or
c. If the automated decision is based on the data subject’s explicit consent.
Therefore, automated decisions may be allowed if they are necessary for entering into or performing a contract with the individual or if they are authorised by law. However, even in these cases, the organisation should take steps to safeguard the individual’s rights and freedoms. This may include giving the individual the opportunity to review the decision or to challenge it.
The GDPR strictly prohibits automated decisions that are based on special categories of personal data, such as data about political opinions, religion or ethnicity, under Article 9. This could be because such data is considered to be more sensitive, and there is a greater risk of discrimination if it is used to make decisions about individuals.
The right not to be subject to automated decision-making is an important right designed to protect individuals from the potential negative consequences of such decisions. It is important for organisations to be aware of this right and to take steps to comply with it, as any violation of that right may be subject to fines of up to €20 million or 4% of their global annual turnover, whichever is greater under Article 83(5).