Understanding the legal provisions that allow processing and profiling of personal data—an analysis of GDPR provisions and principles

Abstract

This contribution looks at the legal grounds for data processing (‘when is one allowed to collect and use data on others?’) according to the General Data Protection Regulation (GDPR). It then addresses the specific regime for profiling both by solely automated and non-automated means. What is the most suitable lawful basis for this specific, sometimes controversial kind of processing? The vagueness and subjectivity of various relevant GDPR provisions in this matter can undermine legal certainty. Data protection principles such as transparency and overall fairness as enshrined in Article 5 GDPR may in this case serve as a resort to identify appropriate checks and balances. Additional understanding can be found outside data protection legislation—for instance, in competition law.