Exercise your Rights – Article 22 – be protected from Automated Decision-Making!

Did you know the GDPR also protects your personal data from being unfairly subject to an automated decision? If you think this might be relevant to a decision that was made about you (eg a bank refusing a mortgage or your gym membership refused), or are interested to know more, read on to find out how to exercise your right to be protected from automated decision making…

Your Right to be Protected from Automated Decision-Making!

What is automated decision making?

Automated decision making (or ADM) is the making of decisions by technological means, such as an algorithm or computer. The GDPR prohibits individuals from being subjected to decisions “based solely on automated processing”. This means in certain circumstances companies, authorities and other entities cannot make decisions about individuals using only technology and no human intervention.

The data used in ADM may be collected in different ways: the data could be provided directly by the individuals, eg via questionnaire, by observing individuals, collecting location data from an app on your phone, or by deriving data from a profile you have already created or that was created about you.

Some example of cases where you might be subject to ADM: your bank refuses a loan based on an algorithm in a computer program, a telecommunication provider does not accept you as a customer because a creditworthiness agency returned a negative result on you, or the operator of a platform is sanctioned by an algorithm because he refused several requests.

ADM should not be confused with profiling. Profiling involves the processing of personal data in order to evaluate personal aspects, eg the characteristics or behavioural patterns of individuals. This is often done to place individuals into particular categories to further analyse or predict their behaviour. Profiling does not always lead to ADM, and ADM is not always taken on the basis of profiling. 

Step 1: Identify the right you want to exercise

Step 2: Controller contact details

Step 3: Draft your request

Step 4: Controller response

Step 5: what if the controller refuses my request?


In which cases is it forbidden to use ADM to make decisions about me?

The right to be protected from ADM is slightly different to the other data subject rights in the GDPR, because it involves a protection that will exist whether or not an individual makes a request to the controller or takes a legal action. This right prohibits the use of ADM.

The use of ADM is prohibited when:

  • The decision is solely based on an automated decision: These are usually situations when the decision is taken without human intervention. The human intervention must come from somebody with the authority and competence to change the decision if necessary. A controller cannot try and avoid the ban by fabricating some minimal or very loose human involvement.
  • The decision produces legal effects or similar significant effects
    • Legal effects mean outcomes that affect an individual’s legal rights or legal status. This could include having a contract cancelled, being denied benefits or certain rights, such as taking legal action or voting, or being refused a change in your citizenship or marital status.
    • Similar significant effects mean effects with a comparable severity to the legal effects above. This could include being refused an online credit application, being subject to an e-recruiting process with no human intervention, being unable to access health services or education, being denied employment opportunities, or being subject to discrimination in any of these processes.

Are there exceptions to this prohibition?

Yes. If certain legal bases are used for the processing, then there is no ban on decision-making using only ADM.

Controllers can only use ADM without human intervention when :

ADM should not involve  specific categories of data (“sensitive data”) except in certain circumstances and subject to safeguards.

If you are unsure of the legal basis being used for the processing of your personal data, or which data are processed for an ADM, you can make an access request to the controller. They have a legal obligation to provide you with this information.

Does the GDPR give me any rights I can exercise in relation to ADM?

Yes! As a result of the GDPR’s automatic protection against ADM, you have the right to receive certain information and are entitled to several safeguards.

Information. In cases where an ADM is in place, you a have a right to know the following information:

  • meaningful explanation about how the decision was made, such as the logic involved and the data used to reach the decision;
  • the significance of the processing: the controller has to explain why the decision was adopted and the reasoning behind the conclusion;
  • the consequences envisaged for you as a result of the processing, ie what the controller intends to do with the results of the ADM.

Safeguards. If a controller is processing your personal data for ADM under one of the exceptions above, then they are required to implement certain safeguards and give you some rights:

  • The right to obtain human intervention (eg a human with real power to change the decision should intervene);
  • The right to express your point of view (eg a person should listen to the arguments against the decision);
  • The right to obtain an explanation (eg a human should explain how the decision was reached);
  • The right to contest the decision (the human intervening must hear your point of view and confirm the decision or change it on the basis of your arguments).


How can I exercise these rights?

Step 1: Identify the right you want to exercise

  • If you are unsure which right to exercise, making an access request first may give you a better idea of what the controller is doing with your personal data and confirm whether your personal data has been used for ADM. This may help you decide what you want to do next. In such a case, inform the controller that you are seeking information that confirms the legal basis for the processing and the existence of ADM, and the logic, significance and consequences of that processing.
  • If you think that you were subject to an ADM despite the prohibition to do so, you can ask the controller to stop using an ADM (follow Step 2 below) or file a complaint with a data protection authority.
  • To exercise your right to the safeguards when ADM is being legally used, follow the steps below.


Step 2: Controller contact details

Your request to restrict the processing of your data should be addressed to the controller (the organisation/entity/administration/company processing your data).

This can be done by email, letter, fax or through a form, as long as you have a written record of the request.

The relevant email address can usually be found in the “privacy policy” or “contact us” section of the controller’s website. It will generally have a name like privacy@company.com or legal@publicauthority.eu. If this is difficult to find, or if there is no specific address to which you can send your request, that’s the fault of the controller, not yours - the GDPR requires controllers to make this information easily accessible. Where there is no specific email address, you can use the general contact details of the controller.


Step 3: Draft your request

  • Specify that you are seeking confirmation that your personal data is being used for ADM purposes and which safeguards you are seeking to exercise in relation to the ADM. An example of a sentence specifying safeguards could read as follows: “pursuant to my data subject rights under EU Regulation 2016/679 Article 22, I am seeking to obtain human intervention in relation to the decision/to express your point of view/ to contest the decision and on what grounds/to obtain an explanation regarding the decision.” You can include several or only one of these rights.
  • Specify your name or other identifier used by the controller (eg an account username). To help the controller address your request more efficiently, include some information that would help to identify your account, such as your phone number (if you gave it when you signed up), username or account name, or IP address. This will be particularly helpful if you have a common first name and surname. 
  • Include the date in the text if you put your request in an attachment to the email or in a letter. This clarifies the controller’s deadline for providing the information.


Step 4: Controller response

Once the controller receives your request, they have one month to respond.  This period can only be extended once by a maximum of two further months, in cases of complex or multiple requests.

The controller can ask you additional information to confirm your identity in case of doubt. However, such a request should be limited to the additional information necessary to confirm who you are. The additional information cannot be disproportionate, having considered the context of the processing of your data (eg a shop asking you for a copy of your passport to change the address of a loyalty card would be disproportionate).

Generally, this information must be provided to you in writing, but it can be communicated to you via electronic means such as email, or it can be provided orally if you request it.


Step 5: what if the controller refuses my request?

If the controller:

  • rejects your request without a satisfactory explanation,
  • tries to unjustifiably charge you for your request,
  • does not respond after a month or after the extended deadline (maximum 3 months in total),

you are entitled to file a complaint with a data protection authority (eg the DPA where you live or work), and the controller should inform you about that.

If you need assistance in assessing the legal elements of a controller’s reply, you can contact us at info@noyb.eu to discuss further steps. 


Back to Exercise Your Rights