
Understanding GDPR Article 22: Your Rights Against Automated Decision-Making

GDPR Article 22 deals with a concept called ‘data profiling’ – essentially a method of profiling an individual’s personality solely through automated data analysis, where the result may affect that person legally or financially (e.g. credit scoring and mortgage applications).

Under Article 22, individuals have the right not to be profiled in such a manner, unless expressly agreed by way of a contract between the data subject and the organisation that is carrying out the profiling.

GDPR Article 22 Legal Text

EU GDPR Version

Automated individual decision-making, including profiling

  1. The data subject shall have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her or similarly significantly affects him or her.
  2. Paragraph 1 shall not apply if the decision:
    • (a) is necessary for entering into, or performance of, a contract between the data subject and a data controller;
    • (b) is authorised by Union or Member State law to which the controller is subject and which also lays down suitable measures to safeguard the data subject’s rights and freedoms and legitimate interests; or
    • (c) is based on the data subject’s explicit consent.
  3. In the cases referred to in points (a) and (c) of paragraph 2, the data controller shall implement suitable measures to safeguard the data subject’s rights and freedoms and legitimate interests, at least the right to obtain human intervention on the part of the controller, to express his or her point of view and to contest the decision.
  4. Decisions referred to in paragraph 2 shall not be based on special categories of personal data referred to in Article 9(1), unless point (a) or (g) of Article 9(2) applies and suitable measures to safeguard the data subject’s rights and freedoms and legitimate interests are in place.

UK GDPR Version

Automated individual decision-making, including profiling

  1. The data subject shall have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her or similarly significantly affects him or her.
  2. Paragraph 1 shall not apply if the decision:
    • (a) is necessary for entering into, or performance of, a contract between the data subject and a data controller;
    • (b) is required or authorised by domestic law which also lays down suitable measures to safeguard the data subject’s rights and freedoms and legitimate interests; or
    • (c) is based on the data subject’s explicit consent.
  3. In the cases referred to in points (a) and (c) of paragraph 2, the data controller shall implement suitable measures to safeguard the data subject’s rights and freedoms and legitimate interests, at least the right to obtain human intervention on the part of the controller, to express his or her point of view and to contest the decision.
  3A. Section 14 of the 2018 Act, and regulations under that section, make provision to safeguard data subjects’ rights, freedoms and legitimate interests in cases that fall within point (b) of paragraph 2 (but not within point (a) or (c) of that paragraph).
  4. Decisions referred to in paragraph 2 shall not be based on special categories of personal data referred to in Article 9(1), unless point (a) or (g) of Article 9(2) applies and suitable measures to safeguard the data subject’s rights and freedoms and legitimate interests are in place.


Technical Commentary

Scope

Generally speaking, Article 22 isn’t relevant if decisions affect multiple data subjects, or groups of individuals connected by certain variables – e.g. age, gender, location.

Instead, the law focuses on the rights of the individual – i.e. one person – to not be subject to profiling without their consent.

What Is a ‘Decision’

Despite being the primary subject matter, decisions are something of a grey area. The law is unclear as to what constitutes a decision. These range from a decision by a governmental authority to something more easily recognisable, such as a credit score or action taken on a mortgage application.

To make things even more vague, a decision can also be an attitude or opinion towards a data subject formed from their data, but only where there is a likelihood of it being acted upon.

Legal Effects

A ‘legal effect’ is a binding action taken towards a person. Examples are decisions on a benefit claim, a tax return or a healthcare assessment.

Whilst some or all of these may not specifically change the basic legal status of a person, they still may have a profound effect upon that person’s life, including:

  • changing a person’s circumstances or the choices available to them;
  • having a prolonged effect on a person over the course of their life;
  • (in certain circumstances) leading to discrimination or unjust actions towards someone.

ISO 27701 Clause 7.2.2 and EU GDPR Article 22

In this section we talk about GDPR Articles 22 (2)(a), 22 (2)(b), 22 (2)(c), 22 (4)

Identifying a Lawful Basis

To form a legal basis for processing PII, organisations should document their actions and:

  1. seek consent;
  2. draft a contract, or contracts;
  3. comply with any other legal obligations;
  4. protect the ‘vital interests’ of the individuals and groups they hold data on;
  5. ensure that the processing is carried out in the public interest or in pursuit of a legitimate interest.

Organisations also need to consider any ‘special categories’ of PII that apply to their organisation in their data classification scheme (see ISO 27701 Clause 7.2.8); classifications may vary from region to region.

If organisations experience any changes to their underlying reasons for processing PII, this should be immediately reflected in their documented legal basis.

Supporting ISO 27701 Clauses

  • ISO 27701 7.2.8

ISO 27701 Clause 7.3.10 and EU GDPR Article 22

In this section we talk about GDPR Articles 22 (1) and 22 (3)

Automated Decision Making

Organisations should take into account jurisdictional variances in automated decision making regarding PII.

Organisations should honour an individual’s right to object and to request human intervention in place of automated procedures.

Index of Linked EU GDPR Articles and ISO 27701 Clauses

GDPR Article | ISO 27701 Clause | ISO 27701 Supporting Clauses
EU GDPR Articles 22(2)(a), 22(2)(b), 22(2)(c), 22(4) | ISO 27701 7.2.2 | ISO 27701 7.2.8
EU GDPR Articles 22(1) and 22(3) | ISO 27701 7.3.10 | None

How ISMS.online Helps

By adding a PIMS to your ISMS on the ISMS.online platform, your security posture remains all-in-one-place and you’ll avoid duplication where the standards overlap.

With your PIMS instantly accessible to interested parties, it’s never been easier to monitor, report and audit against both ISO 27701 and ISO 27001 at the click of a button.

Find out how much time and money you’ll save on your journey to a combined ISO 27701 and ISO 27001 certification using ISMS.online by booking a demo.


David Holloway

Chief Marketing Officer

David Holloway is the Chief Marketing Officer at ISMS.online, with over four years of experience in compliance and information security. As part of the leadership team, David focuses on empowering organisations to navigate complex regulatory landscapes with confidence, driving strategies that align business goals with impactful solutions. He is also the co-host of the Phishing For Trouble podcast, where he delves into high-profile cybersecurity incidents and shares valuable lessons to help businesses strengthen their security and compliance practices.
