Poland’s Personal Data Protection Act (PDPA) [1] as now in force does not recognise profiling as a separate operation performed on data, nor does it define profiling. The EU’s General Data Protection Regulation (GDPR) [2], entering into force on 25 May 2018, doesn’t prohibit profiling, but it does underline certain rights of data subjects, while imposing additional obligations on data controllers.
Under the current Polish law, profiling does not constitute a special form of data processing, so today it’s irrelevant whether personal data held by a data controller is simple, basic information or a complex profile. The data controller only needs to inform the data subject of the method of processing of his or her data, according to PDPA Art. 32.
However, the current regulations do prohibit making automatic, final decisions affecting data subjects solely on the basis of operations performed upon personal data. Such operations do include profiling, and such determinations could include, for example, a loan decision by a bank or a decision whether or not to issue an insurance policy.
There is an exception to this prohibition on automated decision-making; it applies to situations where taking a decision based on profiling is necessary to perform a contract with the person in question and grant the person’s application.
Issuing an insurance policy or granting credit would be good examples.
New EU solutions
The first fundamental change introduced by the GDPR is to define ‘profiling’. Under GDPR Art. 4(4), profiling is “any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person's performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements”.
Thus, in line with this definition, profiling occurs when the data controller makes an evaluation of any personal aspects of the individual. The evaluation could concern the person’s current situation as well as a projection of whether a particular event, behaviour or characteristic will occur in the future (prediction).
Additionally, the preamble to the GDPR states that data controllers should use “appropriate mathematical or statistical procedures” for profiling and implement “technical and organisational measures” to reduce the risk of errors in profiles, and the like.
As is now the case under the PDPA, the data subject will also have the right under Art. 15(1) of the GDPR to access the data making up that person’s profile. Under this provision, the data controller will additionally be required to explain the consequences of profiling and the logic involved in making automated decisions based on profiling.
In addition to these rights, the data subject will have the right under GDPR Art. 21(6) to object to profiling on grounds related to their own personal situation, even when the profiling is conducted for reasons of public interest.
As a rule, the data controller will not be permitted to process personal data subject to an objection, “unless the controller demonstrates compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject or for the establishment, exercise or defence of legal claims.”
The data subject would not have a right to object, among other situations, where the profiling was done while carrying out a legal obligation. For this reason, the ongoing work on revising numerous acts governing regulated industries includes proposals to expressly permit profiling, for example as one of the methods for evaluating insurance risk or credit risk.
Under GDPR Art. 22(1), “The data subject shall have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her or similarly significantly affects him or her.”
Nonetheless, this right does not apply if the automated decision is necessary for concluding a contract with the data subject, is based on their consent, or is authorised by the law of the member state.
It is also permissible to restrict this right due to an important economic or financial interest of the state, but such restriction must be expressly provided for by law.
The data subject’s right to object to profiling is broader than the right not to be subject to an automated decision. This is a further argument for preparing appropriate sectoral regulations on profiling.
Monitoring of data processing
Profiling is becoming increasingly important in the economy, mainly because of the ever greater quantities of data and ever-improving computational capabilities. Even though today the use of personal data for profiling of individuals may be subject to oversight by the Inspector General for Personal Data Protection, technological development and the provisions of the GDPR raise anew the issue of the scope of that oversight.
Profiling may be based on various models and algorithms, and the same purpose, such as assessing whether a person can reliably make payments, can be achieved by various entities using various categories of personal data. This in turn can be questioned by the individuals being profiled. Thus the question of how far-reaching the oversight of profiling procedures used by businesses should be is an issue deserving more consideration.
[1] Dz.U. 2016 item 922