Home Privacy Law GDPR Article 22 GDPR (Automated Individual Decision-Making, Including Profiling)

Article 22 GDPR (Automated Individual Decision-Making, Including Profiling)

Article 22 of GDPR: Automated decision-making

Article 22 of GDPR establishes the right to individuals and prohibition to companies not to process personal data strictly on the basis of automated processes that may include profiling.

The objective of this article is to provide some guarantees to individuals and data subjects that companies will consider their personal aspects before making decisions that may affect their legal rights.

Right not to be subject to automated decision-making (Article 22(1) GDPR)

The first paragraph of Article 22 makes it clear: individuals have the right not to be subject to automated decision-making processes in such a way that their legal rights can be significantly affected or produce legal effects against the person.

This decision making specifically includes any commercial or business activity that consists of creating a profile on a person, or profiling.

Exception to the right (Article 22(2) GDPR)

There are three cases where GDPR makes an exception to the right not to be subjected to automated decision-making:

  1. When the automated process is necessary to enter into a contract or perform the obligations of a contract with a person (Article 22(2)(a) GDPR)
  2. When it is specifically authorized by an EU member country and where suitable protections are in place (Article 22(2)(b) GDPR)
  3. When a person has explicitly agreed and consented to such processing (Article 22(2)(c) GDPR

Right to obtain human intervention (Article 22(3) GDPR)

When personal data is processed based on automated decision-making processes in accordance with Article 22(2), companies must:

  1. Implement proper measures to protect the person’s information 
  2. Give the right to individuals to obtain human intervention to share their point of view or contest an automatic decision that was made

Processing of a special category of personal data (Article 22(4) GDPR)

Companies are not authorized to automatically process personal data that falls under the special category of personal data under Article 9(1) of GDPR, such as:

  1. Racial data
  2. Ethnic origin
  3. Political opinions
  4. Religious beliefs
  5. Philosophical beliefs
  6. Trade union membership
  7. Genetic data
  8. Biometric data for identifying a person
  9. Health data
  10. Data on a person’s sex life
  11. Data on a person’s sexual orientation 

The only exception is when any of the following conditions apply and the company has implemented security measures to protect the personal data:

  1. The data subject has given explicit consent
  2. When it’s necessary for the public interest

Recitals applicable to Article 22 of GDPR

Relevant Recitals: 71, 72, 92

GDPR Regulation article-by-article overview

Read our comprehensive overview of the GDPR Regulation, article by article, where we summarize each of the 99 articles contained in GDPR to give you a complete understanding of its content.

Cited Legislation in Article 22 or relevant recitals

None

GDPR Text: Article 22 of GDPR and Relevant Recitals

GDPR Text Source: EUR-Lex

Official GDPR Text: General Data Protection Regulation 

Official GDPR Title: REGULATION (EU) 2016/679 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), corrected by Corrigendum, OJL 127, 23.5.2018, p. 2 ((EU) 2016/679)

Editorial Staff
Hello Nation! I'm a lawyer by trade and an entrepreneur by spirit. I specialize in law, business, marketing, and technology (and love it!). I'm an expert SEO and content marketer where I deeply enjoy writing content in highly competitive fields. On this blog, I share my experiences, knowledge, and provide you with golden nuggets of useful information. Enjoy!

Most Popular

Squeeze Out In Business (Explained: All You Need To Know)

Squeeze Out In Business (Explained: All You Need To Know)

Financial Restructuring (Explained: All You Need To Know)

Financial Restructuring (Explained: All You Need To Know)

Troubled Debt Restructuring (Explained: All You Need To Know)

Troubled Debt Restructuring (Explained: All You Need To Know)

Organizational Restructuring (All You Need To Know)

Organizational Restructuring (All You Need To Know)

What Is The Hospitality Industry (Explained: All You Need To Know)

What Is The Hospitality Industry (Explained: All You Need To Know)

Editor's Picks

Virtual Data Room (What It Is And Why It’s Important: Overview)

Virtual Data Room (What It Is And Why It’s Important: Overview)

Duly Noted Meaning (Explained: All You Need To Know)

Duly Noted Meaning (Explained: All You Need To Know)

Form 8822 (Best Guide: What It Is And How To Fill It Out)

Form 8822 (Best Guide: What It Is And How To Fill It Out)

Agency By Estoppel (What It Means And Why It’s Important)

Agency By Estoppel (What It Means And Why It’s Important)

Flat Organizational Structure (All You Need To Know)

Flat Organizational Structure (All You Need To Know)