ERA Forum

, Volume 19, Issue 4, pp 597–621 | Cite as

Understanding the legal provisions that allow processing and profiling of personal data—an analysis of GDPR provisions and principles

  • Elena Gil GonzálezEmail author
  • Paul de Hert


This contribution looks at the legal grounds for data processing (‘when is one allowed to collect and use data on others?’) according to the General Data Protection Regulation (GDPR). It then addresses the specific regime for profiling both by solely automated and non-automated means. What is the most suitable lawful basis for this specific, sometimes controversial kind of processing?

The vagueness and subjectivity of various relevant GDPR provisions in this matter can undermine legal certainty. Data protection principles such as transparency and overall fairness as enshrined in Article 5 GDPR may in this case serve as a resort to identify appropriate checks and balances. Additional understanding can be found outside data protection legislation—for instance, in competition law.


Consent Fairness GDPR Legitimate interest Profiling 



  1. 1.
    Article 29 Working Party: Guidelines on automated individual decision-making and profiling for the purposes of Regulation 2016/679 (WP 251 rev. 01) (2018). Available at:
  2. 2.
    Article 29 Working Party: Guidelines on consent under Regulation 2016/679 (WP 259 rev. 01) (2018). Available at:
  3. 3.
    Article 29 Working Party: Opinion on the notion of legitimate interests of the data controller under Article 7 of Directive 95/46 (WP 217) (2014). Available at:
  4. 4.
    Baroccas, S., Nissebaum, H.: Big data’s end run around anonymity and consent. In: Lane, J., Stodden, V., Bender, S., Nissenbaum, H. (eds.) Privacy, Big Data and the Public Good. Cambridge University Press, Cambridge (2014) Google Scholar
  5. 5.
    Butterworth, M.: The ICO and artificial intelligence. The role of fairness in the GDPR framework. Comput. Law Secur. Rev. (2018). Available at:
  6. 6.
    C-457/10, AstraZeneca, ECLI:EU:C:2012:770 Google Scholar
  7. 7.
    Case C-13/16 Rigas, ECLI:EU:C:2017:336 Google Scholar
  8. 8.
    Case C-212/13 Ryneš, ECLI:EU:C:2014:2428 Google Scholar
  9. 9.
    Case C-398/15 Manni, ECLI:EU:C:2017:197 Google Scholar
  10. 10.
    Cases C-468/10 and 469/10 ASNEF and FECEMD, ECLI:EU:C:2011:777 Google Scholar
  11. 11.
    Centre for Information Policy Leadership: Delivering Sustainable AI Accountability in Practice. First Report: Artificial Intelligence and Data Protection in Tension (2018) Google Scholar
  12. 12.
    Centre for Information Policy Leadership: The ePrivacy Regulation and the EU. Charter of Fundamental Rights (2018) Google Scholar
  13. 13.
    Charter of Fundamental Rights of the European Union [2000] OJ L C 364/01 Google Scholar
  14. 14.
    Convention for the Protection of Human Rights and Fundamental Freedoms as amended by Protocols No. 11 and No. 14, Rome, 4 November 1950 Google Scholar
  15. 15.
    Council of Europe: The protection of individuals with regard to automatic processing of personal data in the context of profiling. Recommendation CM/Rec (2010) 13 and explanatory memorandum (2010). Available at:
  16. 16.
    Culnan, M.J., Bruening, P.: Privacy notices limitations, challenges, and opportunities. In: Selinger, E., Polonetsky, J., Tene, O. (eds.) The Cambridge Handbook of Consumer Privacy (2018) Google Scholar
  17. 17.
    Data protection Network: Guidance on the use of Legitimate Interests under the EU General Data Protection Regulation (version 2.0) (2018). Available at:
  18. 18.
    Diakopoulos, N.: Algorithmic-accountability: the investigation of Black Boxes. Tow Center for Digital Journalism (2014) Google Scholar
  19. 19.
    Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data [1995] OJ L 281/31 Google Scholar
  20. 20.
    European Data Protection Supervisor (EDPS): Developing a toolkit for assessing the necessity of measures that interfere with fundamental rights (2016). Available at:
  21. 21.
    Ferretti, F.: Data protection and the legitimate interest of data controllers: much ado about nothing or the winter of rights? Common Mark. Law Rev. 51(3), 843 (2014) Google Scholar
  22. 22.
    Gil González, E.: Big data y datos personales: ¿es el consentimiento la mejor manera de proteger nuestros datos? Diario La Ley, ISSN 1989-6913, No. 9050 (2017) Google Scholar
  23. 23.
    Gil González, E.: Aproximación al estudio de las decisiones automatizadas en el seno del Reglamento General Europeo de Protección de Datos a la luz de las tecnologías big data y de aprendizaje computacional. Revista Internacional de Transparencia 5 (2017) Google Scholar
  24. 24.
    Goodman, B., Flaxman, S.: European Union regulations on algorithmic decision-making and a “right to explanation”. AI Mag. 38(3) (2017) Google Scholar
  25. 25.
    Graef, I., Clifford, D., Valcke, P.: Fairness and enforcement: bridging competition, data protection and consumer law. Forthcoming in International Data Privacy Lawa (2018). Available at:
  26. 26.
    Hildebrandt, M.: Privacy as protection of the incomputable self: from agnostic to agonistic machine learning. DRAFT PAPER for the International Conference ‘The Problem of Theorizing Privacy’, submitted for publication in the special issue of Theoretical Inquiries in Law (TIL), and defended at PLSC-Europe (2018). Available at:
  27. 27.
    Hoffman, D.A., Rimo, P.A.: It takes data to protect data. In: Selinger, E., Polonetsky, J., Tene, O. (eds.) The Cambridge Handbook of Consumer Privacy (2018). Available at: Google Scholar
  28. 28.
    Information Commissioner’s Office: Big data, artificial intelligence, machine learning and data protection (version 2.2) (2017). Available at:
  29. 29.
    Information Commissioner’s Office: Guide to the General Data Protection Regulation (2018). Available at:
  30. 30.
    Information Commissioner’s Office: Lawful basis for processing, consent (2018). Available at:
  31. 31.
    Kalimo, H., Majcher, K.: The concept of fairness: linking EU competition and data protection law in the digital marketplace. Eur. Law Rev. 42(2), 210 (2017). Available at: Google Scholar
  32. 32.
    Kamara, I., de Hert, P.: Understanding the balancing act behind the legitimate interest of the controller ground. A pragmatic approach. In: Selinger, E., Polonetsky, J., Tene, O. (eds.) The Cambridge Handbook of Consumer Privacy (2018) Google Scholar
  33. 33.
    Kosta, E.: Consent in European Data Protection Law. Martinus Nijhoff Publishers, Leiden (2013) CrossRefGoogle Scholar
  34. 34.
    Kuner, C., Svantesson, D., Kate, F.H., Lynskey, O., Millard, C.: Machine learning with personal data: is data protection law smart enough to meet the challenge? Int. Data Priv. Law 7(1), 1 (2017) CrossRefGoogle Scholar
  35. 35.
    Lammerant, H., de Hert, P.: Predictive profiling and its legal limits: effectiveness gone forever? In: van der Sloot, B., Broeders, D., Schrijvers, E. (eds.) Exploring the Boundaries of Big Data. Amsterdam University Press, The Hague/Amsterdam (2016) Google Scholar
  36. 36.
    Malgieri, G., Comandé, G.: Why a right to legibility of automated decision-making exists in the general data protection regulation. Int. Data Priv. Law 7(4), 243 (2017) CrossRefGoogle Scholar
  37. 37.
    Martin, K.: Privacy notices as tabula rasa: an empirical investigation into how complying with a privacy notice is related to meeting privacy expectations online. J. Public Policy Mark. 34(2), 210 (2015) CrossRefGoogle Scholar
  38. 38.
    Moerel, L., Prins, C.: Privacy for the homo digitalis: proposal for a new regulatory framework for data protection in the light of Big Data and the internet of things. SSRN Electronic Journal (2016) Google Scholar
  39. 39.
    National Non-Discrimination and Equality Tribunal of Finland. C-216/2017 Google Scholar
  40. 40.
  41. 41.
    Pasquale, F.: The Black Box Society: The Secret Algorithms That Control Money and Information. Harvard University Press, Cambridge, London (2015) CrossRefGoogle Scholar
  42. 42.
    Privacy & Information Security Law Blog: UK ICO Issues Warning to Washington Post Over Cookie Consent Practices, November 21 (2018) Google Scholar
  43. 43.
    Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free Government of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), [2016] OJ L 119/1 Google Scholar
  44. 44.
    Reidenberg, J., Russell, N., Callen, A., Qasir, S., Norton, T.: Privacy harms and the effectiveness of the notice and choice framework. 2014 TPRC Conference Paper, Fordham Law Legal Studies Research Paper No. 2418247 (2014).
  45. 45.
    The Netherlands, Autoriteit Persoonsgegevens, z2013-00194, Google. English (non-official) translation available at:
  46. 46.
    Van der Sloot, B., Borgesius, F.: The EU General Data Protection Regulation: a new global standard for information privacy (Working draft) Google Scholar
  47. 47.
    Veale, M., Edwards, L.: Clarity, surprises, and further questions in the Article 29 working party draft guidance on automated decision-making and profiling. Comput. Law Secur. Rev. 34(2), 398 (2018) CrossRefGoogle Scholar
  48. 48.
    Vedder, A.: KDD: the challenge to individualism. Ethics Inf. Technol. 1(4), 275 (1999) CrossRefGoogle Scholar
  49. 49.
    Wachter, S., Mittelstadt, B., Floridi, L.: Why a right to explanation of automated decision-making does not exist in the General Data Protection Regulation. Int. Priv. Data Law 7(2), 76 (2016) CrossRefGoogle Scholar
  50. 50.
    World Economic Forum and The Boston Consulting Group: Rethinking Personal Data: Strengthening Trust (2012) Google Scholar

Copyright information

© Europäische Rechtsakademie (ERA) 2019

Authors and Affiliations

  1. 1.CEU San Pablo University (Madrid)MadridSpain
  2. 2.Vrije Universiteit Brussels (LSTS)BrusselsBelgium
  3. 3.University of Tilburg (TILT)TilburgThe Netherlands

Personalised recommendations