
IT Glossary


Profiling is defined in terms of the GDPR as a form of automated processing of personal data for the purpose of evaluating certain personal aspects relating to the data subject, including analyzing or predicting factors relating to that individual’s work performance, economic situation, health, personal preferences, interests, reliability, behavior, location or movements.

Profiling is thus necessarily composed of the following three elements:

  • A form of automated processing in whole or in part;
  • On personal data;
  • And whose objective is to evaluate the personal aspects of the person concerned.

It is generally used to make predictions about individuals based on a statistical analysis of others with certain similarities.

Profiling involves a form of assessment or judgment by the data controller of the data subject in order to place him or her in a certain category and thus analyze and/or make various predictions about him or her.

In particular, profiling may result in automated decision-making by technological means, without human intervention by the controller.

Profiling is expressly prohibited when it concerns a child.

Under the right to information, the controller must inform the data subject of the existence of automated decision-making, including profiling, and, at least in such cases, of relevant information concerning the underlying logic and the significance and intended consequences of such processing for the data subject.

Furthermore, the data subject has the right not to be subject to a decision based exclusively on automated processing, including profiling, which produces legal effects concerning him or her or significantly affects him or her in a similar way.

However, this right does not apply when the decision:

  • Is necessary for the conclusion or performance of a contract between the data subject and a controller;
  • Is authorized by Union law or the law of the Member State to which the controller is subject and which also provides for appropriate measures to safeguard the rights and legitimate interests of the data subject; or
  • Is based on the explicit consent of the person concerned.


“In order to ensure fair and transparent processing in respect of the data subject, taking into account the specific circumstances and context in which the personal data are processed, the controller should use adequate mathematical or statistical procedures for profiling, apply appropriate technical and organisational measures to ensure, in particular, that factors leading to errors in the personal data are corrected and the risk of error is minimised and secure personal data in a way that takes into account the risks to the interests and rights of the data subject and prevents, inter alia, discriminatory effects on natural persons based on racial or ethnic origin, political opinions, religion or belief, trade union membership, genetic or health status, or sexual orientation, or which result in measures having such an effect. Automated decision making and profiling based on particular categories of personal data should only be permitted under specific conditions.”

Recital 39, second paragraph, of the GDPR

Point of jurisprudence

The Spanish supervisory authority recalls that:

Profiling can be opaque. It often relies on data derived or inferred from other data, rather than on data provided directly by the data subject.

Data controllers who wish to base profiling on consent will need to show that data subjects understand exactly what they are consenting to, and remember that consent is not always an appropriate basis for processing. In all cases, data subjects must be provided with sufficient relevant information about the intended use and consequences of the processing to ensure that the consent they give represents an informed choice.

Agencia Española de Protección de Datos, October 21, 2021, N°PS/00500/2020

The Bouchara firm assists you in particular in:

  • Making your organization GDPR compliant;
  • The drafting of data protection policies (privacy policy, computer charter…);
  • Documentation of your processing (register of processing activities, register of violations, privacy impact analysis, prior consultation…);
  • Obtaining certifications and adhering to codes of conduct;
  • The study of the legal feasibility of the implementation of a new personal data processing;
  • The drafting and transmission of your codes of conduct to the CNIL for approval;
  • Legal analysis of the compliance of your data processing, including data transfers outside the European Economic Area;
  • Drafting and negotiating your data processing agreements (DPA);
  • Drafting your Binding Corporate Rules (BCR) and Codes of Conduct;
  • Training and awareness of your employees.

We are also the external Data Protection Officer of many data processors and subcontractors.