Automated decision making and profiling in the light of GDPR and protection of personal data (personal data vs. non-personal data) in the Czech Republic
Profiling and automated decision making are intertwined and related to one another, but they are two separate institutes with their own rules. These rules were established mainly in May 2018 by the General Regulation of the European Parliament on the Protection and Processing of Personal Data No. 2016/679 ("GDPR"). For the lawful use of these methods, it is essential to respect the rules laid down in the GDPR, as these methods undoubtedly represent a higher risk to the protection of the rights and interests of individuals. We can speak about automation in all cases of personal data processing where computers and the programs they run are used. Czech lawyers specialised in GDPR and personal data protection analyse in detail various legal issues related to this topic.
The definition of profiling can be found alongside the definitions of other terms, specifically in Article 4, paragraph 4 of the GDPR, which states that “profiling means any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person's performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements”. It can be inferred from this definition that profiling within the meaning of the GDPR can be, and will be, relevant to a number of activities carried out by commercial companies, whether monitoring the behaviour of website visitors for marketing purposes, or in the financial sector, inter alia in order to provide financial services, and possibly in employment matters, for example in connection with the recruitment of new staff. The same definition of profiling is also included in the text of Recital 71 of the GDPR, which mentions profiling in relation to automated decision making.
During the process of profiling, a variety of (not only) personal data is collected by an administrator to create a profile and to assign that profile to a category or group (often using so-called big data technology, see another article in the tab Digitization 4.0). Individuals in such a group generally share similar patterns of behaviour. That allows the companies using profiling to predict the future behaviour of that group of people. An example of such a finding is which type of ad the group responds to best. Obviously, in all cases, the nature, purpose and extent of profiling must be taken into account; it is not excluded that the consent of the subject might eventually be necessary (especially if any personal data that are not anonymized or so-called sensitive data are to be included in the profiling).
Automated decision making, on the other hand, means making decisions solely by computer systems, completely without human intervention. The absence of a human factor is the riskiest aspect, at least from the viewpoint of the GDPR in terms of protecting the rights and interests of data subjects, because a pre-configured computer running an algorithm decides about these subjects. This procedure excludes any consideration of other aspects of decision making which the program does not know about, but which could ultimately influence a particular decision if it were made by a person. An administrator falls within the automated decision-making regime under Article 22 of the GDPR when (1) certain decisions are based solely on automated processing of personal data, and (2) those decisions also have legal effects on, or significantly affect, the subject.
Automated decision making is only possible in cases where (1) it is necessary to conclude or perform a contract between the data subject and the data controller, (2) it is permitted by Union law or member state law, which also provides appropriate protective measures, or (3) it is based on explicit and explicitly expressed consent of the data subject.
The data controller must also take appropriate protective measures to protect the rights and legitimate interests of the data subjects, and must provide information about these measures to the subjects about whom it makes automated decisions. These measures must include at least the data subject's right to ask for human intervention by the data controller, the right of the data subject to express his or her opinion, and the right to challenge the decision. The above-mentioned rights of data subjects are generally defined as the subject's right not to be subject to automated decision making. In practice, this means that the data controller should have a mechanism by which the data subject can contact the data controller and require the automated decision to be reviewed by a person and subsequently reassessed.
About ECOVIS ježek advokátní kancelář s.r.o.
The Czech law office in Prague ECOVIS ježek practices mainly in the area of Czech commercial law, Czech real estate law, representation at Czech courts, administrative bodies and arbitration courts, as well as Czech finance and banking law, and provides full-fledged advice in all areas, making it a suitable alternative for clients of international law offices. The international dimension of the Czech legal services provided is ensured through past experience and through co-operation with leading legal offices in most European countries, the US, and other jurisdictions. The Czech lawyers of the ECOVIS ježek team have many years of experience from leading international law offices and tax companies, in providing legal advice to multinational corporations, large Czech companies, but also to medium-sized companies and individual clients. For more information, go to www.ecovislegal.cz/en.