Data & Privacy
- Data Act
- Data Governance Act
- ePrivacy Directive
- GDPR
AI & Trust
- Artificial Intelligence Act
Cybersecurity
- Cybersecurity Act
- DORA
- NIS2
Digital Services & Media
- Digital Markets Act
- Digital Services Act
- European Media Freedom Act
General Data Protection Regulation
- Recitals
CHAPTER I
General provisionsArticles 1 — 4
CHAPTER II
PrinciplesArticles 5 — 11
CHAPTER III
Rights of the data subjectArticles 12 — 23
CHAPTER IV
Controller and processorArticles 24 — 43
CHAPTER V
Transfers of personal data to third countries or international organisationsArticles 44 — 50
CHAPTER VI
Independent supervisory authoritiesArticles 51 — 59
CHAPTER VII
Cooperation and consistencyArticles 60 — 76
CHAPTER VIII
Remedies, liability and penaltiesArticles 77 — 84
CHAPTER IX
Provisions relating to specific processing situationsArticles 85 — 91
CHAPTER X
Delegated acts and implementing actsArticles 92 — 93
CHAPTER XI
Final provisionsArticles 94 — 99
GDPR Article 22. Automated individual decision-making, including profiling
- 1.The data subject shall have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her or similarly significantly affects him or her.
- 2.Paragraph 1 shall not apply if the decision:
- (a)is necessary for entering into, or performance of, a contract between the data subject and a data controller;
- (b)is authorised by Union or Member State law to which the controller is subject and which also lays down suitable measures to safeguard the data subject's rights and freedoms and legitimate interests; or
- (c)is based on the data subject's explicit consent.
- 3.In the cases referred to in points (a) and (c) of paragraph 2, the data controller shall implement suitable measures to safeguard the data subject's rights and freedoms and legitimate interests, at least the right to obtain human intervention on the part of the controller, to express his or her point of view and to contest the decision.
- 4.Decisions referred to in paragraph 2 shall not be based on special categories of personal data referred to in Article 9(1), unless point (a) or (g) of Article 9(2) applies and suitable measures to safeguard the data subject's rights and freedoms and legitimate interests are in place.
Relevant Recitals for this Article
The data subject should have the right not to be subject to a decision, which may include a measure, evaluating personal aspects relating to him or her which is based solely on automated processing and which produces legal effects concerning him or her or similarly significantly affects him or her, such as automatic refusal of an online credit application or e-recruiting practices without any human intervention. Such processing includes ‘profiling’ that consists of any form of automated processing of personal data evaluating the personal aspects relating to a natural person, in particular to analyse or predict aspects concerning the data subject's performance at work, economic situation, health, personal preferences or interests, reliability or behaviour, location or movements, where it produces legal effects concerning him or her or similarly significantly affects him or her. However, decision-making based on such processing, including profiling, should be allowed where expressly authorised by Union or Member State law to which the controller is subject, including for fraud and tax-evasion monitoring and prevention purposes conducted in accordance with the regulations, standards and recommendations of Union institutions or national oversight bodies and to ensure the security and reliability of a service provided by the controller, or necessary for the entering or performance of a contract between the data subject and a controller, or when the data subject has given his or her explicit consent. In any case, such processing should be subject to suitable safeguards, which should include specific information to the data subject and the right to obtain human intervention, to express his or her point of view, to obtain an explanation of the decision reached after such assessment and to challenge the decision. Such measure should not concern a child.
Profiling is subject to the rules of this Regulation governing the processing of personal data, such as the legal grounds for processing or data protection principles. The European Data Protection Board established by this Regulation (the ‘Board’) should be able to issue guidance in that context.