Jump to

Profiling

What is profiling?

Profiling is any automated processing of personal data used to evaluate personal aspects of an individual — work performance, economic situation, health, preferences, reliability, behaviour, location or movements (GDPR Art. 4(4)). Scoring a loan applicant, ranking job candidates and predicting churn per user are all profiling.

The legal constraints

Profiling is lawful processing like any other — it needs a legal basis, transparency and proportionality. The sharper rule is GDPR Article 22: a decision based solely on automated processing, including profiling, that produces legal or similarly significant effects requires a specific gateway (contract necessity, law, or explicit consent) plus safeguards — human intervention, the right to contest, meaningful information about the logic. Türkiye’s KVKK Art. 11 gives data subjects the right to object to results produced exclusively by automated analysis; the KVKK Board reads it in step with the ADM line of decisions.

Where AI products trip

The recurring mistakes: treating model output as “anonymous analytics” when it scores identifiable users; burying profiling in a generic privacy notice; and building fully automated reject flows (hiring, credit) with no human-review branch. Under the AI Act, several profiling contexts — recruitment, creditworthiness, essential services — sit in Annex III, adding the high-risk layer on top of data protection law.

Is segmentation for marketing profiling?

Yes, usually — audience segments built per user from behaviour are profiling; they rarely trigger Art. 22 (no significant effect), but they still need a basis and disclosure, and consent for the cookies feeding them.

Profiling vs. automated decision-making?

Profiling evaluates; ADM decides. Art. 22 bites when a decision with significant effect rests solely on the automated step — profiling without such a decision is regulated but not gated.

Related: automated decision-making, DPIA.