The right not to be subject to automated decision making – the implications for your business

By virtue of Article 22 of the GDPR, individuals have “the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her or similarly significantly affects him or her.” We explore this provision and consider the potential implications for your business.

What is automated decision making?

Due to technological advancements in recent years, it has become easier for organisations to use automated decision making. Automated decision making has become prevalent in a diverse range of sectors including banking and finance, insurance and healthcare. However, automated decision making has significant implications for individuals. Therefore, the GDPR introduces safeguards and restricts the use of automated decision making subject to certain exceptions.

The fact that Article 22 is structured to restrict decisions based solely on automated processing supports the concept of individuals having control of their personal data.

Automated decision making is deemed to occur where a decision is made solely by automated means and there is no human involvement or influence over the outcome. An example of this is where pay is based on hours worked and this is monitored automatically on each individual worker’s computer. Their pay is then paid automatically using this data.

However, where processing involves elements of both human and automated decision making, this would not be covered by Article 22. An example of this would be where a pay performance system notes that a worker has been late for 5 days in a month and sends a notification to HR, who then decide to issue a warning to the employee based on their review of this data.

For the Article 22 right to apply, the decision must also produce legal effects concerning the individual. This means that it must affect the legal rights and/or legal status of an individual. An example of such a decision would be a decision relating to entitlement to benefits. Alternatively, the decision must similarly significantly affect the individual. An example of this is an automatic refusal based on an online credit application.

What are the exceptions?

The right not to be subjected to automated decision making is not absolute. The right does not apply where the processing is based on:

(i) contract, i.e. it is necessary for entering into or performance of a contract between a controller and an individual;
(ii) law, i.e. it is authorised by national law; or
(iii) consent, i.e. based on explicit consent of the individual.

Therefore, if your organisation satisfies one of the above exceptions, it may process personal data using automated means. However, even where an exception is met, where the processing is based on (i) or (iii) above (contract or consent), organisations must:

(i) implement suitable measures to safeguard the rights and freedoms and legitimate interests of individuals;
(ii) implement the right to obtain human intervention on the part of the controller;
(iii) allow the individual to express their point of view; and
(iv) allow the individual to contest the decision.

Consent

Additionally, if your organisation is intending to rely upon consent for processing, you should note that this consent will need to be “freely given, specific, informed and an unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.” The imposition of such a high standard underlines the importance the GDPR places on individuals having control over their personal data. Further, in order to ensure the consent given is “specific and informed” you must provide information about the processing being conducted by automated means. You should do this by means of a Privacy Notice.

What else does your organisation need to know?

If your organisation is involved in automated decision making, you must carry out a data protection impact assessment to demonstrate that you have considered the risks involved and you must detail how you will deal with those risks.

Further, if your organisation carries out automated decision making in relation to special category data, you may only process this data if:

(i) your organisation has obtained the explicit consent of the data subject; or
(ii) processing is necessary for substantial public interest reasons.

Conclusion

Although automated decision-making has benefits, such as enabling services and goods to be tailored to specific individual requirements, it also has implications for the rights and freedoms of individuals. Given the significant fines that may be imposed under the GDPR (up to 4% of global turnover or up to 20 million euros, whichever is higher), compliance with the GDPR is essential. Where Article 22 is applicable to your organisation’s activities, you should ensure your approach is consistent with the GDPR and, in particular, the rights of individuals.

This article was co-written by Charlotte Fleming.
