automated-decision-rights
Managing Automated Decision-Making and Profiling Rights
Overview
GDPR Article 22 provides data subjects with the right not to be subject to decisions based solely on automated processing, including profiling, which produce legal effects concerning them or similarly significantly affect them. This skill covers the identification of automated decision-making, implementation of meaningful human intervention, explanation of logic, and contestation procedures.
Legal Foundation
GDPR Article 22 — Automated Individual Decision-Making, Including Profiling
- Art. 22(1) — The data subject has the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning them or similarly significantly affects them.
- Art. 22(2) — Exceptions: Art. 22(1) does not apply if the decision:
- (a) is necessary for entering into, or performance of, a contract between the data subject and the controller
- (b) is authorised by Union or Member State law which also lays down suitable measures to safeguard the data subject's rights and freedoms and legitimate interests
- (c) is based on the data subject's explicit consent
- Art. 22(3) — Where exceptions (a) or (c) apply, the controller must implement suitable measures to safeguard the data subject's rights and freedoms and legitimate interests, at least the right to:
- Obtain human intervention on the part of the controller