What is automated decision-making in GDPR?

Automated decision-making refers to a decision made without any human involvement, i.e. one made by technological means such as an algorithm. Examples of automated decision-making in business include showing product recommendations to consumers, or banks using algorithms to identify fraudulent transactions.

Under Article 22 of the GDPR, a data subject has the right not to be subject to a decision based solely on automated processing, including profiling, if the decision produces legal effects concerning the data subject or significantly affects them.

In GDPR, automated decision-making is allowed when:

  • it is required for the performance of a contract between the data subject and a business
  • it is required by the law of the EU or of a member state, for purposes such as monitoring tax evasion
  • the consumer has given explicit consent.