---
title: Profiling
type: concept
tags: [profiling, gdpr, automated-decision-making, legal, regulatory-risk]
sources: ["[[sources/gdpr-article-22-text]]", "[[sources/2023-lazcoz-dehert-humans-in-gdpr-and-aia-governance]]", "[[sources/2025-okan-btlj-blog-ccpa-vs-gdpr-automated-decision-making]]"]
created: 2026-04-27
updated: 2026-04-27
---

# Profiling

GDPR Art. 4(4) defines profiling as *any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person's performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements*.

## Profiling vs ADM

- Profiling is a *form* of automated processing — it may or may not feed into [[concepts/automated-decision-making|automated decision-making]].
- Profiling that does **not** produce legal/significant effects is out of scope of [[concepts/gdpr-article-22|Art. 22]] but still subject to other GDPR rules (Art. 5 principles, Art. 6 lawful basis, Art. 13/14 transparency, Art. 21 right to object).
- Profiling that **does** produce legal/significant effects falls inside Art. 22 — same regime as solely automated decisions.

## WP29 / EDPB Guidelines (2018)

Profiling involves three elements:

1. Automated processing.
2. Personal data.
3. Evaluation of personal aspects (assessment, prediction, classification involving judgement).

Mere classification (e.g. by age or gender) without evaluation may not count as profiling — *"there can be profiling without automated decision-making (and vice versa)"*.

## Risk patterns in process automation

| Profiling pattern | Typical regulatory exposure |
|---|---|
| Customer segmentation for marketing | Art. 6 lawful basis + Art. 21 right to object; usually not Art. 22 unless decisions auto-applied |
| Credit scoring | Art. 22 (post-CJEU *SCHUFA* C-634/21); Art. 35 DPIA; AI Act high-risk |
| Fraud-detection scoring | Art. 22 (likely); Art. 35 DPIA; AI Act high-risk |
| Health-risk profiling | Art. 9(1) special-category + Art. 22 + Art. 35 DPIA + AI Act high-risk |
| Employee performance prediction | Art. 22 + AI Act high-risk (Annex III); Member-State labour-law constraints |
| Customer attrition / churn scoring leading to retention offers | Borderline; significant effect question |

## Special-category profiling

Art. 22(4) GDPR explicitly prohibits ADM-based-on-profiling using Art. 9(1) special-category data unless 9(2)(a) explicit consent or 9(2)(g) substantial public interest applies *and* suitable safeguards exist.

The Italian *Foodinho* and *Deliveroo* cases highlight the risk of profiling-driven decisioning straying into special-category inferences (e.g. about health, union membership) without an Art. 9(2) basis.

## Cross-jurisdiction note

US **CCPA** proposed ADMT rules require risk assessments particularly when profiling is involved (§ 7150(b), § 7153). Definition narrower than GDPR's. See [[sources/2025-okan-btlj-blog-ccpa-vs-gdpr-automated-decision-making]].

## Related

[[concepts/gdpr-article-22]] · [[concepts/automated-decision-making]] · [[concepts/dpia]] · [[concepts/eu-ai-act]]