Certified Information Privacy Technologist (CIPT) — Question 125

An EU marketing company is planning to make use of personal data captured to make automated decisions based on profiling. In some cases, processing and automated decisions may have a legal effect on individuals, such as credit worthiness.
When evaluating the implementation of systems making automated decisions, in which situation would the company have to accommodate an individual's right
NOT to be subject to such processing to ensure compliance under the General Data Protection Regulation (GDPR)?

Answer options

• A. When an individual's legal status or rights are not affected by the decision.
• B. When there is no human intervention or influence in the decision-making process.
• C. When the individual has given explicit consent to such processing and suitable safeguards exist.
• D. When the decision is necessary for entering into a contract and the individual can contest the decision.

Correct answer: B

Explanation

The correct answer is B, as GDPR specifies that individuals have the right not to be subject to solely automated decisions without human intervention, particularly when those decisions have significant effects on them. Options A and D are incorrect because they relate to situations where rights are not affected or where contesting decisions is allowed, but do not address the absence of human involvement. Option C is wrong since explicit consent and safeguards do not negate the right to avoid automated processing.