Data protection regarding profiling and scoring

A rough guesstimate minus your address = Sorry, you’re too poor for us

Profiling in practice: Insurance from a machine

Searching for new car insurance, you find a provider with a policy based on your driving behaviour. A probability value is calculated to try to determine how risky your driving style is. To that end, data is collected while you drive, for example on braking distances, speeds, time spent on the road and length of trips. The insurance company explains that these data points will be combined to make an automated decision on the amount you have to pay as an insurance premium.

Such explanations about the significance and consequences of automated individual decision-making are essential: Profiling may only take place within narrow limits and you also have the possibility to intervene.

What profiling means: The measurement of your person using all kinds of data

In general, profiling means that your personal data is analysed to assign you to a certain group or category and/or to make assertions about your future behaviour. Such a profile can then be used to show you personalized ads, for instance. A special case of profiling is called scoring or credit scoring, which is often used when you apply for a loan. Based on your personal data, a credit score aims to calculate how likely it is that you will repay a loan, and how. If such profiling decisions are made fully automatically and without human intervention, for example when a computer alone determines your loan, this is only allowed with your explicit consent and for specified contractual obligations under the General Data Protection Regulation.

Human involvement desired: Your rights in profiling

In cases of automated individual decision-making, you have the right to demand that a real person on the side of the data-processing company become involved in the decision-making. Additionally, you can always present your own point of view and challenge an automated decision by contacting the company’s data protection officer, preferably in writing. Data protection officers are obliged to explain how this automated decision came about (the General Data Protection Regulation calls this the “logic involved”). They also have to give you information on what impact the automated decision-making process can have on you. This makes it easier for you to become aware of which organisations you allow to profile and score you.

Special rules in Germany: Scoring based on your address has to be disclosed

As an example of how different EU member states can have rules in addition to the GDPR, you can take a look at Germany’s rules specifically on scoring. For example, a scientifically accepted mathematical-statistical procedure must be used to calculate your “score”. Furthermore, the score value may not be based solely on your address data. Even if your address data is only part of the score calculation, you have to be informed about this separately. Finally, there are also guidelines as to which of your unpaid invoices or loans may be used for scoring, for instance if you have expressly acknowledged these outstanding claims or they have been established by a court judgment.

The dictionary contains more details and has sources regarding automated decisions, profiling and scoring.