Profiling according to GDPR and online sales


Profiling is the automated processing of personal data. Entrepreneurs use it for marketing purposes: it allows an offer to be tailored to a customer based on an analysis of their online activity, which is recorded by so-called cookies. Profiling is therefore about building a consumer profile. The collected data and its analysis can lead to conclusions about the person, often hasty ones. This is not a new phenomenon: on entering a website, we see a message that it uses cookies, i.e. small files that collect information about the person visiting the site.

Among its many provisions on the protection of personal data, the GDPR also includes ones aimed at stopping people from being "spied on" online. The EU regulation does not prohibit this type of practice, but it requires data processors to ensure the highest quality of such processing. In addition, it gives the person the possibility to intervene in the data collected in this way and to contest the conclusions drawn from it. Until now, no legal definition of profiling existed in Polish law; the GDPR, which applies directly, introduces such a definition.

The impact of profiling on online sales and the GDPR

Profiling, as already indicated, is a common phenomenon. Online entrepreneurs try to make the most of every sales opportunity, and data about a potential customer is meant to guide them in preparing an offer that fits that customer perfectly. Creating a customer profile by observing their behavior online is a practice that the law does not prohibit, and it is of great importance for direct marketing. Adapting the offer to the customer genuinely increases sales efficiency, which helps acquire an ever larger number of customers. Profiling is also used to predict future consumer choices.

Differences between the applicable legal status and the GDPR

Art. 26a of the Act on the Protection of Personal Data indicated that it is unacceptable to draw conclusions about the data subject in this way. Such inferences were inadmissible unless they related to the conclusion of a contract, which counted as a so-called justified action. Under the applicable law, as a rule, no additional consent is required from one's own customers for direct marketing of one's own products.

So if a customer has entered into a contract with the trader (made a purchase), the law allows the data controller to market his own services directly to that customer. This is known as the legitimate purpose of the data controller.

Under the GDPR, the proper course for a seller who wants to keep acquiring customers in this way is to conduct regular audits. Reaching customers through profiling is not prohibited by the regulation, but the lawfulness of this processing will have to be ensured. At the very outset, the purposes and criteria of profiling must be established and the appropriate customer consents obtained. It is also essential to inform customers properly about their rights in connection with profiling, in accordance with the provisions of the regulation. The GDPR, on the other hand, prohibits basing decisions on particular categories of personal data, referred to in the applicable law as sensitive data (e.g. biometric data). Entrepreneurs who profile will have to specify the scope of the data to be analyzed and the criteria used. The information obligation is one of the main postulates for improving the quality of the profiling commonly used by entrepreneurs.


Collection of data about a natural person based on the GDPR

The GDPR introduces a definition of profiling that is missing from the current legal status. The elements of the definition are: a lawful, automated action of collecting data that is not made publicly available. Publicly available data on the web is often sufficient to draw conclusions about a given individual, which makes this a highly controversial topic. Profiling appears to build an image of a person based on an analysis of their preferences, economic situation, health and even location.

The definition of profiling according to the GDPR regulation is as follows:

'profiling' means any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person's performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements.

Profiling and the will of a person

A person subject to profiling may contest a decision based on profiling, i.e. on automated processing.

Example 1.

If a person searches the Internet for information about the symptoms of a disease, it does not mean that they themselves suffer from it; they may be looking for information at the request of a loved one.

The GDPR therefore protects natural persons from bold theses and hasty conclusions drawn from tracking their online behavior. If, on the other hand, the data processing does not significantly affect the situation of the natural person, there is nothing to prevent this type of action, as under the current legal status. However, it must be assessed whether such an impact occurs at all and whether it is significant.

Note that if decisions are made on the basis of profiling, the person concerned may refuse to be bound by a decision reached through such inference. The profiled person will be able to declare that they do not agree with the decision and its conclusions.

A person about whom a decision was made on the basis of profiling will not be able to avoid it if:

  • profiling is necessary for the conclusion or performance of a contract between the data subject and the controller,

  • EU law allows it or there is a legitimate interest,

  • the person has consented to it.

A decision based on sensitive data, where the person has not consented to its processing, will likewise be ineffective. A similar reservation applies to the processing of data relating to children. On the other hand, processing that concerns a wider group of people whose specific identities cannot be established will not be considered profiling.

The quality of the decision issued on the basis of profiling

The data controller may rely on profiling if:

  • it is necessary for the conclusion or performance of a contract between the data subject and the controller,

  • the person has given their explicit consent.

If he wants to process data in this way, he is obliged to implement appropriate safeguards. These include:

  • enabling the person to intervene,

  • enabling the person to express their point of view,

  • enabling the person to challenge the decision.

The role of the data controller in profiling

The role of the data controller is equally important under both the current rules and the new GDPR. When profiling, the data controller must observe certain rules. Data processing should take place:

  • in defined circumstances and context,

  • while implementing technical measures that protect the data against loss or unauthorized modification,

  • including the correction of irregularities,

  • while minimizing the risk of errors,

  • while preventing negative effects of processing (e.g. discrimination).