What does the regulation say about the profiling of people in computer processing, the opinion of the IT lawyer in Paris


Personal data protection regulations, such as the European Union's General Data Protection Regulation (GDPR), strictly regulate the profiling of individuals in IT processing.

According to Article 4 of the GDPR, profiling is defined as "any form of automated processing of personal data which involves the use of such data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict factors concerning that natural person's work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements".

Profiling is only allowed in certain specific circumstances, and the data subject must be informed and must have given his or her explicit consent for his or her personal data to be used in this way. In addition, individuals have the right to object at any time to the profiling of their data.

The GDPR also requires organisations to take steps to ensure the transparency, security and accuracy of data used for profiling, as well as to protect the fundamental rights and freedoms of data subjects.

Some remarks by the lawyer specialised in computer law in Paris on the regulations concerning the profiling of persons in data processing, in particular with regard to the RGPD (General Data Protection Regulation), which applies to the member countries of the European Union.


Profiling is defined by the GDPR as "any form of automated processing of personal data which consists in using that personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict factors concerning preferences, interests, financial situation, behaviour, etc."


The GDPR provides a framework for profiling to protect the rights and freedoms of data subjects, particularly in relation to automated decisions with legal or similar effects. Here are some key points to consider:


  1. Consent: Profiling generally requires the consent of the data subject. Individuals must be informed of the existence of profiling and its potential consequences.
  2. Right to object: Individuals have the right to object to profiling when it is used for direct marketing.
  3. Automated decisions: Individuals have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning or significantly affecting them.
  4. Limitation of data: Data processing must be limited to the data strictly necessary to achieve the purposes of the processing.
  5. Transparency: Controllers must provide clear and accessible information on profiling procedures and the criteria used to make automated decisions.
  6. Impact assessment: For high-risk processing operations, such as large-scale profiling, a data protection impact assessment (DPIA) may be required.


It is important to note that regulations may vary depending on the jurisdiction and context. Consult Pierre de Roquefeuil for legal advice specific to your situation.


Datenschutzbehörde, GZ: D124.3816, Registrar: 2023-0.193.268


The Austrian Data Protection Authority (DPA) ruled that the vast majority of personal data collected by the CRIF credit bureau was illegal and should be deleted. 


The CRIF collected the addresses, dates of birth and names of almost all Austrians in order to calculate their "creditworthiness" without consent or other legal basis


. Most of the basic data used by the CRIF to calculate the "solvency values" come from the address publisher AZ Direkt (which belongs to the German Bertelsmann Group). 


AZ Direct is only allowed to pass on this data for marketing purposes and not for the calculation of the credit rating. 


These credit ratings also have real impacts, explained Max Schrems: "Millions of people in Austria are affected by this. Customers do not receive a mobile phone contract or an electricity contract if their score is too low. One might have to pay higher loan payments if the bank uses this score. We believe that data should only be collected from clear defaulters, not from the whole population. noyb expects the CRIF to appeal the decision as it is a blow to its business model.


CJEU, Opinion of the Advocate General in Case C-634/21 SCHUFA Holding and Others (Scoring) and in Joined Cases C-26/22 and C-64/22 SCHUFA Holding and Others (Release of outstanding debts) Advocate General Pikamäe: the automated establishment of a probability of a person's ability to repay a loan constitutes profiling under the GDPR 


Case C-634/21 concerns a dispute between a citizen and the Land Hessen, represented by the Commissioner for Data Protection and Freedom of Information of the Land Hessen (hereinafter 'HBDI'), concerning the protection of personal data. In the course of its business activity of providing its customers with information about the creditworthiness of third parties, SCHUFA Holding AG (hereinafter 'SCHUFA'), a company governed by private law, provided a credit institution with a score for the citizen in question, which was used as the basis for the refusal of the credit applied for by the latter. The citizen then asked SCHUFA to delete the relevant record and to give him access to the corresponding data. However, SCHUFA only informed him of the relevant score and, in general, of the principles underlying the method of calculating the score, without informing him of the specific data taken into account in this calculation and the relevance attributed to them in this context, arguing that the method of calculation falls within the scope of business confidentiality. Insofar as the citizen concerned argues that SCHUFA's refusal is contrary to the data protection regime, the Court of Justice is called upon by the Wiesbaden Administrative Court to rule on the restrictions which the General Data Protection Regulation 1 (hereinafter 'GDPR') imposes on the economic activity of intelligence agencies in the financial sector, in particular in the management of data, and on the impact to be attributed to business confidentiality. Similarly, the Court will have to clarify the scope of the regulatory powers that certain provisions of the RGPD confer on the national legislator by way of derogation from the general objective of harmonisation pursued by this legal act.


In his Opinion, Advocate General Priit Pikamäe states, first, that the GDPR establishes a "right" of the data subject not to be subject to a decision based solely on automated processing, including profiling. The Advocate General then finds that the conditions for that right are met since: - the procedure at issue constitutes "profiling", - the decision produces legal effects in relation to the data subject or significantly affects him in a similar way, and 1 Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC (OJ 2016 L 119, p. 1). Directorate of Communication Press and Information Unit curia.europa.eu - the decision can be considered to be based exclusively on automated processing. The provision of the GDPR providing for that right is therefore applicable in circumstances such as those in the main proceedings.