Profiling by apps under the GDPR provisions with the aim to promote similar products and services
The GDPR profiling provisions
According to recital 24 of the GDPR (General Data Protection Regulation – Regulation (EU) 2016/679) introduction, “In order to determine whether a processing activity can be considered to monitor the behaviour of data subjects, it should be ascertained whether natural persons are tracked on the internet including potential subsequent use of personal data processing techniques which consist of profiling a natural person, particularly in order to take decisions concerning her or him or for analysing or predicting her or his personal preferences, behaviours and attitudes.”
According to recital 47 of the GDPR introduction, “The legitimate interests of a controller, including those of a controller to which the personal data may be disclosed, or of a third party, may provide a legal basis for processing, provided that the interests or the fundamental rights and freedoms of the data subject are not overriding, taking into consideration the reasonable expectations of data subjects based on their relationship with the controller. Such legitimate interest could exist for example where there is a relevant and appropriate relationship between the data subject and the controller in situations such as where the data subject is a client or in the service of the controller. At any rate the existence of a legitimate interest would need careful assessment including whether a data subject can reasonably expect at the time and in the context of the collection of the personal data that processing for that purpose may take place. The interests and fundamental rights of the data subject could in particular override the interest of the data controller where personal data are processed in circumstances where data subjects do not reasonably expect further processing. Given that it is for the legislator to provide by law for the legal basis for public authorities to process personal data, that legal basis should not apply to the processing by public authorities in the performance of their tasks. The processing of personal data strictly necessary for the purposes of preventing fraud also constitutes a legitimate interest of the data controller concerned. The processing of personal data for direct marketing purposes may be regarded as carried out for a legitimate interest”.
According to recital 60 of the GDPR introduction, “The principles of fair and transparent processing require that the data subject be informed of the existence of the processing operation and its purposes. The controller should provide the data subject with any further information necessary to ensure fair and transparent processing taking into account the specific circumstances and context in which the personal data are processed. Furthermore, the data subject should be informed of the existence of profiling and the consequences of such profiling.”
According to recital 63 of the GDPR introduction, “Every data subject should therefore have the right to know and obtain communication in particular with regard to the purposes for which the personal data are processed, where possible the period for which the personal data are processed, the recipients of the personal data, the logic involved in any automatic personal data processing and, at least when based on profiling, the consequences of such processing.”
According to recital 70 of the GDPR introduction, “Where personal data are processed for the purposes of direct marketing, the data subject should have the right to object to such processing, including profiling to the extent that it is related to such direct marketing, whether with regard to initial or further processing, at any time and free of charge. That right should be explicitly brought to the attention of the data subject and presented clearly and separately from any other information.”
According to recital 72 of the GDPR introduction, “Profiling is subject to the rules of this Regulation governing the processing of personal data, such as the legal grounds for processing or data protection principles.”
According to Article 6 of the GDPR, “1. Processing shall be lawful only if and to the extent that at least one of the following applies: (a) the data subject has given consent to the processing of his or her personal data for one or more specific purposes; (b) processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract; (c) processing is necessary for compliance with a legal obligation to which the controller is subject; (d) processing is necessary in order to protect the vital interests of the data subject or of another natural person; (e) processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller; (f) processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.”
According to Article 13 para 2 of the GDPR, “In addition to the information referred to in paragraph 1, the controller shall, at the time when personal data are obtained, provide the data subject with the following further information necessary to ensure fair and transparent processing: … (f) the existence of automated decision-making, including profiling, referred to in Article 22(1) and (4) and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject.” See also Article 14 para 2 (g) of the GDPR.
According to Article 21 of the GDPR, “2. Where personal data are processed for direct marketing purposes, the data subject shall have the right to object at any time to processing of personal data concerning him or her for such marketing, which includes profiling to the extent that it is related to such direct marketing.”
According to Article 22 of the GDPR, “1. The data subject shall have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her or similarly significantly affects him or her. 2. Paragraph 1 shall not apply if the decision: (a) is necessary for entering into, or performance of, a contract between the data subject and a data controller; … or (c) is based on the data subject’s explicit consent.”
The Article 29 Working Party approach
The Article 29 Working Party Guidelines on Automated individual decision-making and Profiling for the purposes of Regulation 2016/679 (https://ec.europa.eu/newsroom/article29/document.cfm?doc_id=49826) have identified three main types of profiling:
(i) general profiling;
(ii) decision-making based on profiling; and
(iii) solely automated decision-making, including profiling, which produces legal effects or similarly significantly affects the data subject (Article 22[1] of GDPR).
The difference between (ii) and (iii) is best demonstrated by the following two examples where an individual applies for a loan online:
- a human decides whether to agree the loan based on a profile produced by purely automated means (ii);
- an algorithm decides whether the loan is agreed and the decision is automatically delivered to the individual, without any prior and meaningful assessment by a human (iii).
Controllers can carry out profiling and automated decision-making as long as they meet all the principles and have a lawful basis for the processing, as determined in Article 6 of the GDPR. Additional safeguards and restrictions apply in the case of solely automated decision-making, including profiling, as defined in Article 22(1) of the GDPR.
Therefore, general profiling is subject to the rules of the GDPR governing the processing of personal data, such as the legal grounds for processing (Article 6 of the GDPR) or data protection principles (Article 5 of the GDPR).
Our conclusion
An app may proceed only with general profiling, based on its data policy. Therefore, if the app intends solely to provide its customers / subscribers with alternatives or similar services to the ones already acquired, it does not initially need to comply with the additional safeguards and restrictions that apply in the case of solely automated decision-making, including profiling, as defined in Article 22(1) of the GDPR. The app needs, of course, to provide its customers / subscribers with a detailed – to the extent possible – description of the profiling (as this is an additional processing), noting that the sole purpose of this general profiling is to provide them with alternatives or similar services to the ones already acquired, and also that the collection of this information does not have any kind of legal effects. The app also needs to provide its customers with the option to object to this processing, but this falls under the general rights of the data subject. In light of these points, the legitimate interest of the controller may be a basis for the abovementioned processing, since “The processing of personal data for direct marketing purposes may be regarded as carried out for a legitimate interest” (GDPR Recital 47). Therefore, an additional consent of the customer / subscriber regarding profiling may not be required, provided that all other aspects of the GDPR rules are fulfilled.