Module 5 · Automated decision-making and profiling (Article 22)
Article 22 gives the data subject the right not to be subject to a decision based solely on automated processing (including profiling) that produces legal or similarly significant effects. 'Solely' means no meaningful human intervention - a rubber-stamp human does not count. Exceptions exist where it is authorised by law, necessary for a contract, or based on explicit consent, but safeguards (human intervention, the right to express a view and to contest) must apply.
Article 22 gives the right not to be subject to a decision based solely on automated processing (including profiling) that produces legal effects or similarly significant effects. 'Solely' means no meaningful human intervention; the protection is strictest for children.
Profiling is automated processing to evaluate, analyse or predict personal aspects - adware, web cookies, web beacons, digital fingerprinting. Examples with legal/significant effect: a mortgage tool auto-rejecting an applicant; auto-calculated insurance premiums. Routine behavioural ads usually have NO significant effect, but targeting gambling ads at people in financial distress, or at vulnerable people/children, can.
| Exception | Safeguard |
|---|---|
| Authorised by EU/Member State law | As specified by that law |
| Necessary for a contract | Right to human intervention, to express a view, to contest + info on the logic |
| Explicit consent | Right to human intervention, to express a view, to contest + info on the logic |
| Certain decisions involving special-category data | Additional conditions apply |