A controller needs to distinguish between all these concepts, since they have different legal implications. They are clearly connected, but not at all equivalent, and the main legal outcome relates to whether certain processing falls within article 22 GDPR or not.
Indeed, the range of cases is very diverse: there can be automated data processing without profiling; profiling can support automated decision-making processes; profiling might also serve as the basis for fully automated decision processes; and automated decision processes can be carried out with or without prior profiling. For instance, not every automated processing of personal data implies that profiling is taking place. Moreover, creating a user profile does not always involve profiling. A user profile may include information like a username and observed characteristics without creating or inferring new data, or linking knowledge to a person derived from other data or analytics processes.
The next table shows the differences between these concepts:
| Concept | Definition | Example |
|---|---|---|
| Automated processing of personal data | The GDPR applies to “the processing of personal data wholly or partly by automatic means, as well as to the processing otherwise than by automatic means of personal data contained in or intended to be contained in a filing system” (article 2 GDPR). | Processing performed by photo cameras that impose fines for exceeding the speed limit. Storing data in an Excel form that allows it to be sorted automatically by date, name, etc. |
| Profiling | It is defined by the GDPR as “consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyze or predict aspects concerning that natural person’s performance at work, economic situation, health, personal preferences, interests, reliability, behavior, location or movements”. Profiling consists of three elements: automated data processing; personal data; and its purpose must be to evaluate personal aspects about a natural person. | The photographs taken by the photo cameras are included in a file corresponding to the driver who received the fine. These are used to toughen penalties for repeat offenses or bad driving habits. |
| Fully automated decision processes of Article 22 of the GDPR | These are decisions taken and executed without decisive human intervention, which have legal effects on data subjects or similarly significantly affect them. | The camera system is designed to trigger the automatic sending of a personalized sanction based on the history of sanctions, behavior of the offender prior to the sanctioned action, age of the vehicle, average speed of the other drivers at that time, etc. |
1. This table has been built on the basis of the distinctions made by Jorge García here: https://jorgegarciaherrero.com/decisiones-automatizadas-profiling-inteligencia-artificial-que-son/#De_que_hablamos_cuando_hablamos_de_profiling_en_que_se_diferencia_el_profiling_de_las_decisiones_automatizadas_del_art_22