Article 22
Automated individual decision-making, including profiling
(41) Whereas any person must be able to exercise the right of access to data relating to him which are being processed, in order to verify in particular the accuracy of the data and the lawfulness of the processing; whereas, for the same reasons, every data subject must also have the right to know the logic involved in the automatic processing of data concerning him, at least in the case of the automated decisions referred to in Article 15 (1); whereas this right must not adversely affect trade secrets or intellectual property and in particular the copyright protecting the software; whereas these considerations must not, however, result in the data subject being refused all information;
Regulation
Art. 22 1. The data subject shall have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her or similarly significantly affects him or her. 2. Paragraph 1 shall not apply if the decision: (a) is necessary for entering into, or performance of, a contract between the data subject and a data controller; (b) is authorised by Union or Member State law to which the controller is subject and which also lays down suitable measures to safeguard the data subject's rights and freedoms and legitimate interests; or (c) is based on the data subject's explicit consent. 3. In the cases referred to in points (a) and (c) of paragraph 2, the data controller shall implement suitable measures to safeguard the data subject's rights and freedoms and legitimate interests, at least the right to obtain human intervention on the part of the controller, to express his or her point of view and to contest the decision. 4. Decisions referred to in paragraph 2 shall not be based on special categories of personal data referred to in Article 9(1), unless point (a) or (g) of Article 9(2) applies and suitable measures to safeguard the data subject's rights and freedoms and legitimate interests are in place. |
Directive
Art. 15 1. Member States shall grant the right to every person not to be subject to a decision which produces legal effects concerning him or significantly affects him and which is based solely on automated processing of data intended to evaluate certain personal aspects relating to him, such as his performance at work, creditworthiness, reliability, conduct, etc. 2. Subject to the other Articles of this Directive, Member States shall provide that a person may be subjected to a decision of the kind referred to in paragraph 1 if that decision: (a) is taken in the course of the entering into or performance of a contract, provided the request for the entering into or the performance of the contract, lodged by the data subject, has been satisfied or that there are suitable measures to safeguard his legitimate interests, such as arrangements allowing him to put his point of view; or (b) is authorized by a law which also lays down measures to safeguard the data subject's legitimate interests. |
Romania
Law No. 677/2001 on the protection of individuals with regard to the processing of personal data and the free movement of such data, as amended and completed Article 17: (1) Any person has the right to demand and receive the following: a) the withdrawal or the cancellation of a decision that produces juridical effects concerning him/her, adopted exclusively on a personal data processing basis, carried out through automatic means, destined to evaluate some aspects of his/her personality, such as professional competence, credibility, behavior or any other similar aspects; b) re-evaluation of any decisions regarding him/her, that affect him/her in a significant manner, if the decision was adopted exclusively on a basis of data processing that meets the requirements stated under letter a). (2) Respecting the other guarantees stated by the present law, a person may be subject to a decision of the nature mentioned in paragraph (1), only in the following situations: a) the decision is taken in the context of entering into or carrying out a contract, on the condition that the request to close or to bring the contract to conclusion, filled in by the data subject, has been satisfied or that some adequate measures to safeguard his/her legitimate interest have been taken, such as arrangements allowing him/her the possibility of sustaining his point of view in order to guarantee the protection of its own legitimate interest; b) the decision taken is authorized by a law which states the measures that guarantee the protection of the data subject's legitimate interests. |