Profiling — AI-Based Individual Assessment and GDPR Obligations

Definition

Profiling is defined in GDPR Article 4(4) as any form of automated processing of personal data consisting of the use of that data to evaluate certain personal aspects relating to a natural person — in particular to analyse or predict aspects concerning that natural person’s performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location, or movements. AI systems are the primary technology through which profiling is conducted at scale.

AI-based profiling combines machine learning with personal data to build predictive models of individual behavior, preferences, risk, or likely actions. Credit scoring, insurance risk modelling, employee performance prediction, customer lifetime value estimation, fraud detection, and recidivism prediction are all profiling applications. The EU AI Act and GDPR both impose obligations on profiling systems that produce significant effects for individuals.

GDPR Article 22 grants individuals the right not to be subject to decisions based solely on automated processing, including profiling, where those decisions produce legal effects or similarly significant effects. Exceptions require explicit consent, contractual necessity, or Member State law authorization — and even in those cases, meaningful human review must be available.

Why it matters operationally

Profiling matters because it is the mechanism through which AI systems translate data about individuals into consequential predictions and decisions — and both the EU AI Act and GDPR impose regulatory obligations that profiling systems must satisfy. Organizations that deploy AI-based profiling without adequate governance face double regulatory exposure: EU AI Act obligations for high-risk systems (employment, credit, insurance, public services) and GDPR obligations for automated decision-making based on profiling.

The governance challenge is that profiling is frequently embedded in AI systems whose primary classification is something else. A fraud detection system is also a profiling system. A credit application system includes profiling. A HR analytics platform profiles employees. Each of these requires both EU AI Act compliance assessment and GDPR profiling governance — simultaneously.

Regulatory framework

Framework Profiling obligations
GDPR — Arts. 4(4), 22 Defines profiling and restricts automated decisions based on it with legal or similar effects. Requires meaningful human oversight or specific legal basis.
GDPR — Arts. 13, 14 Individuals must be informed about the profiling logic, its significance, and the envisaged consequences.
EU AI Act — Annex III AI systems used to assess individuals in employment, credit, insurance, and essential services — all profiling contexts — are high-risk systems.
ISO/IEC 27701 The privacy management system must include controls on data processing for profiling, including impact assessment and data subject rights.

How Zertia evaluates it

Zertia evaluates profiling systems through two services. The EU AI Act Assessment classifies profiling-based AI systems against the regulation’s risk taxonomy and identifies applicable high-risk obligations. ISO/IEC 27701 certification evaluates the Privacy Information Management System that governs profiling activities, including legal basis documentation, DPIA processes, and data subject rights management for profiling decisions.

[EU AI Act Assessment] · ISO 27701 Certification

Definitions that hold up under audit.

Does this term apply to your certification project? Let's talk 30 minutes, no commercial pressure.