Profiling and (Automated) Decision-Making under the GDPR: A Two-Step Approach Computer Law & Security Review 2022, 11.03.2022.
This paper examines profiling and decision-making under the GDPR and analyses how these two processes are interconnected. The GDPR's definition of profiling is analysed and put in relation to both automated and human decision-making. This contribution works with a two-step approach. It can be derived from the structure and wording of the GDPR and provides for an enhanced level of legal certainty. Within this approach, profiling is considered to be step 1 and decision-making to be step 2. The two steps are treated as distinct, yet logically interconnected. This helps understand how profiling and decision-making are conducted. It makes it possible to identify the legal implications of these two steps and to allocate who is legally responsible, no matter how many parties are involved. The approach might be particularly helpful in the context of joint controllership, as it makes it possible to delineate whether joint controllership is given in the first place and to allocate the respective responsibilities of the parties concerned. Profiling (step 1) leads to implications of primary relevance for the data subjects’ right to the protection of personal data. Decision-making (step 2) regularly does not lead to such data protection implications but is primarily relevant from a personal autonomy and (economic) freedom perspective. A notable exception is the rare scenario of solely automated decision-making falling under Art. 22(1) GDPR. The two-step approach is eventually applied to a use case that concerns profiling and automated decision-making in the context of credit scoring conducted by a social network.
