Article 4 of the GDPR defines profiling as:
any form of automated processing of personal data consisting of the use of personal data to evaluate certain aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person’s performance at work, economic situation, health, personal preferences, interests, reliability, behaviour location or movements
Profiling consists of using an individual's personal data with a view to analysing and predicting his or her behaviour, such as determining his or her performance at work, financial situation, health, preferences, lifestyle, etc.
According to the UK data protection authority (the ICO), '"because profiling can be used to serve a wide range of purposes it is particularly important to be clear about the purposes for which your service uses personal data to profile its users, and to differentiate between them. Catch-all purposes, such as ‘providing a personalised service’ are not specific enough."
Profiling is based on the establishment of an individualised profile of a person: it aims to assess certain personal aspects of that person, with a view to making a judgement or drawing conclusions about him or her.
Profiling is linked to the right not to be subject to an entirely automated decision. A decision based on profiling can be made under the following conditions:
- explicit consent
- the decision is necessary for a contract entered into with the organisation
- the automated decision is authorised by specific legal provisions.