The profiling of users is a form of automated decision-making that is governed by the European data protection regulation (GDPR). Because it has many critical aspects and can affect people's rights, rules have been introduced to ensure maximum transparency about the criteria used, the purposes of collection, and the use made of personal data.
Meaning of profiling
The meaning of profiling is given by article 4 of the GDPR, which defines it as "any form of automated processing of personal data consisting of the use of such data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning the professional performance, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements of that natural person".
Profiling is therefore an automated decision-making process aimed at collecting personal information about individuals in order to divide them into groups or categories according to their behaviour or characteristics. The profile of the individual obtained in this way can then be used to analyse or predict the person and their preferences in an automated way.
For example, a site that provides a restaurant location service carries out profiling: based on the restaurants booked and the personal data collected, it builds a profile of the user and identifies their preferences and lifestyle. It is also profiling when personal data is collected to assign accommodation, to grant a mortgage, or to calculate an insurance premium that will be high or low depending on the profile of the person concerned.
For processing to count as profiling, it must have the following characteristics:
- it is an automated form of data processing, with or without human intervention
- it processes personal data
- its purpose is to analyse and predict the attitudes and preferences of the individual.
Not all automated processing of personal data involves profiling. Profiling is the analysis of data that makes it possible to take decisions affecting a person, or to predict their preferences or behaviour. Mere "tracking" of a person is not, by itself, profiling.
For example, profiling is carried out if user data is collected and the users' behaviour is analysed with the aim of offering them certain products according to their profile. If, on the other hand, a company wants to classify its customers by age or gender for statistical purposes, in order to get an aggregate overview of its customer base, it is not profiling, because the purpose is not the evaluation of the characteristics of individual customers.
It is mistakenly believed that profiling takes place only online, with the consequence that data collection and processing carried out outside a website would not be subject to the GDPR. This is not the case. Profiling takes place whenever an automated process delivers services, dedicated products or personalised advertising based on a person's behaviour (behavioural marketing) by analysing personal data, collected both online and offline, that makes it possible to build a profile.
Just think, for example, of the use of a loyalty card in a shop. Customer profiling takes place through the collection of the personal data provided when the card is issued and the monitoring of purchase preferences; that data is treated in the same way as data collected from a website.
When consent is required
The Privacy Guarantor requires that the consent of the data subject be requested for all activities that use personal data with the aim of profiling them.
When profiling is based solely on automated processing (that is, without human intervention) and produces legal effects or similarly significantly affects the data subject, the GDPR establishes that it is lawful only if at least one of the following conditions is met:
- it is carried out with the explicit consent of the data subject
- it is authorised by legislation that provides for it
- it is necessary to enter into or perform a contract with the data subject.
The same GDPR rules apply to any other automated decision-making process. All information concerning the processing (how the profiling works, its purposes, the data used, etc.) must therefore also be provided to the data subject.
Furthermore, consent must always be requested, and strict limits respected, when profiling sensitive data (data relating to health, political opinions, religious beliefs, etc.) or the data of minors under the age of 18. In the latter case, explicit consent must be given by the parents or by whoever exercises parental responsibility.
Profiling cookies are the small text files that the websites a user visits send to the user's device, and that are used to track the user's behaviour and build a profile of their tastes, habits, choices, etc. Profiling cookies may be installed on the user's device only if the user has given consent.
To understand what profiling cookies are, consider an example. Many times you will have visited a site, used your e-mail or logged in to your page on a social network, and found advertising banners related to your latest web searches or to your last online purchase. This happens because those web spaces are designed to recognise your computer and direct "profiled" promotional messages at you based on your searches and your use of the network.
As established by the Guarantor, the data controller must inform the user when the user accesses a website that uses profiling cookies. A banner must therefore appear immediately, containing a "short" notice that requests consent to install cookies and includes a link to the "extended" notice, where the user will find all the information relating to the processing of data on the site.
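As an added illustration (not code from the original article or from any regulator), the following JavaScript shows how a site can gate cookie installation on the banner choice described above: strictly necessary cookies pass, profiling cookies are refused until an explicit "accept" has been recorded. The two cookie categories, the consent record shape `{profiling, givenAt}`, the `/privacy/extended` URL and the array standing in for the browser cookie store are assumptions made for this example.

```javascript
// Added example: a consent gate that installs profiling cookies only after an
// explicit "accept" from the banner, while strictly necessary cookies pass.
// The categories, the consent record shape {profiling, givenAt} and the array
// used as a stand-in for the browser cookie store are assumptions made here.

const CATEGORY = {
  NECESSARY: "necessary", // required to deliver the service; no consent needed
  PROFILING: "profiling", // tracks behaviour to build a profile; explicit consent needed
};

// Builds what the controller must show on first visit: a "short" notice asking
// for consent, plus a link to the "extended" notice with the full information.
function consentBanner(extendedInfoUrl) {
  return {
    shortNotice: "This site uses profiling cookies to personalise content and advertising.",
    extendedInfoUrl,               // e.g. "/privacy/extended" (placeholder URL)
    choices: ["accept", "reject"], // both offered; closing the banner is not a choice
  };
}

// Turns the user's banner choice into the consent record the site persists.
function recordChoice(choice, now = Date.now()) {
  return { profiling: choice === "accept", givenAt: now };
}

// True only for an explicit, already-given opt-in. No record, a rejection,
// or a malformed record all mean "not consented".
function isProfilingConsented(consent) {
  if (consent === null || typeof consent !== "object") return false;
  if (consent.profiling !== true) return false;
  return typeof consent.givenAt === "number" && consent.givenAt <= Date.now();
}

// Attempts to install a cookie; profiling cookies are blocked without consent.
// Returns {set, header|reason} so callers can log blocked attempts.
function setCookie(store, consent, { name, value, category, maxAgeSeconds }) {
  if (category === CATEGORY.PROFILING && !isProfilingConsented(consent)) {
    return { set: false, reason: `blocked profiling cookie "${name}": no explicit consent` };
  }
  if (category !== CATEGORY.NECESSARY && category !== CATEGORY.PROFILING) {
    return { set: false, reason: `blocked cookie "${name}": unknown category "${category}"` };
  }
  const header =
    `${name}=${encodeURIComponent(value)}; Max-Age=${maxAgeSeconds}; Path=/; Secure; SameSite=Lax`;
  store.push(header); // in a browser this would be document.cookie = header
  return { set: true, header };
}
```

Unknown categories are refused as well, so a cookie that nobody has classified cannot slip past the gate by default.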