What is Automated Processing?
Automated processing is processing without human intervention. Processing is any operation on personal data. So automated processing is any operation on personal data without human intervention.
Operations include “collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction”. GDPR, Article 4 (2).
Under the GDPR, automated processing is part of what makes up profiling. Profiling occurs when automated processing is used to evaluate certain personal aspects relating to a natural person.
A data subject has the right, among others, to object to the automated processing of personal data. A data subject shall have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal (or similar) effects.
Automated processing can trigger a impact assessment. Under Article 35 of the GDPR, controllers are required to perform data protection impact assessments (DPIAs) where they are engaged in systematic and extensive evaluation of personal aspects relating to natural persons … based on automated processing, including profiling, and on which decisions are based that produce legal effects concerning the natural person or similarly significantly affect the natural person.
WP29 Guidelines on Automated decision-making and Profiling for the purposes of Regulation 2016/679, 3 October 2017 (WP 251)