Abstract

The article points out differences as regards the approach to personal data profiling in the General Data Protection Regulation as compared with the existing legal situation defined by the provisions of Directive 95/46/EC and the Polish Personal Data Protection Act. In particular, it discusses elements of the legal definition of profiling in the Regulation, and also differences in data administrators’ duties as regards “ordinary” and profiling for the needs of automated decision-making. In case of the latter, the duties concerning transparency as well as the basis for admissibility of this type data operation have been analysed. Of special significance in this context is to properly safeguard the interests of data subjects. It may be done in the form of ensuring the right to obtain human intervention, in particular the right to express one’s opinion, the right to obtain explanation as to the decision arising from such assessment, or the right to challenge such decision as well as employment of specific data security techniques (e.g. pseudonymisation).