Data Protection Office
Automated individual decision making (Section 38)
At a glance:
The Act has provisions on:
* automated individual decision-making (making a decision solely by automated means without any human involvement); and
* profiling (automated processing of personal data to evaluate certain things about an individual). Profiling can be part of an automated decision-making process.
The Act applies to all automated individual decision-making and profiling.
Subject to section 23(2)(g), the controller shall, at the time of collecting the personal data, ensure that the data subject concerned is informed of the existence of automated decision making, including profiling, and information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject.
What is automated individual decision-making and profiling?
Automated individual decision-making is a decision made by automated means, such as online or by a computer, without any human involvement.
Examples of this include:
* an online decision to award a loan; and
* a recruitment aptitude test which uses pre-programmed algorithms and criteria.
“profiling” means any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to an individual, in particular to analyse or predict aspects concerning that individual’s performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements;
What does the Act say about automated individual decision-making and profiling?
Data subjects have the right not to be subject to a decision based solely on automated processing (including profiling) which significantly affects them. Such processing is permitted where:
* it is necessary for entering into or performing a contract with the data subject provided that appropriate safeguards are in place;
* it is authorised by law; or
* the data subject has explicitly consented and appropriate safeguards are in place.
Any automated processing of personal data intended to evaluate certain personal aspects relating to an individual should not be based on special categories of personal data.
Furthermore, the information to be provided by the controller under section 23 (collection of personal data) should include information as to the existence of processing for a decision of the kind referred to in subsection 38(1) and the envisaged effects of such processing on the data subject.
In addition, the controller should implement suitable measures to safeguard the data subject's rights, freedoms and legitimate interests.