Data subjects have the right not to be subject to a decision based solely on automated processing (e.g. by an algorithm), including profiling, which produces legal effects concerning them or similarly significantly affects them (Article 22(1), GDPR). A decision may be considered as producing legal effects when the individual’s legal rights or legal status are impacted (e.g. their right to vote). In addition, processing can significantly affect an individual if it influences their personal circumstances, their behaviour or their choices (e.g. automatic processing thatleads to the refusal of an online credit application).
The use of automated processing for decision-making is authorised only in the following cases:
- the decision based on the algorithm is necessary (i.e. there is no other way to achieve the same goal) to enter into, or to perform, a contract with the individual whose data thecompany/organisation processed via the algorithm (e.g. an online loan application);
- a particular EU or national law allows the use of algorithms and provides for suitable safeguards to protect the individual’s rights, freedoms and legitimate interests (e.g. tax evasion regulations);
- the individual has explicitly given theirconsent to a decision based on the algorithm.