What is profiling?
Profiling is any automated processing of personal data used to evaluate personal aspects of an individual — work performance, economic situation, health, preferences, reliability, behaviour, location or movements (GDPR Art. 4(4)). Scoring a loan applicant, ranking job candidates and predicting churn per user are all profiling.
The legal constraints
Profiling is lawful processing like any other — it needs a legal basis, transparency and proportionality. The sharper rule is GDPR Article 22: a decision based solely on automated processing, including profiling, that produces legal or similarly significant effects requires a specific gateway (contract necessity, law, or explicit consent) plus safeguards — human intervention, the right to contest, meaningful information about the logic. Türkiye’s KVKK Art. 11 gives data subjects the right to object to results produced exclusively by automated analysis; the KVKK Board reads it in step with the ADM line of decisions.
Where AI products trip
The recurring mistakes: treating model output as “anonymous analytics” when it scores identifiable users; burying profiling in a generic privacy notice; and building fully automated reject flows (hiring, credit) with no human-review branch. Under the AI Act, several profiling contexts — recruitment, creditworthiness, essential services — sit in Annex III, adding the high-risk layer on top of data protection law.
Is segmentation for marketing profiling?
Yes, usually — audience segments built per user from behaviour are profiling; they rarely trigger Art. 22 (no significant effect), but they still need a basis and disclosure, and consent for the cookies feeding them.
Profiling vs. automated decision-making?
Profiling evaluates; ADM decides. Art. 22 bites when a decision with significant effect rests solely on the automated step — profiling without such a decision is regulated but not gated.
Related: automated decision-making, DPIA.