Profiling and automated decisions: a practical guide for SaaS teams
Short answer
Profiling and automated decision-making should be treated as an operational workflow with owners, triggers, safeguards, and evidence.
Who this concerns: SaaS founders, compliance leads, security teams, operations managers, and engineering leads
What to do now
- List the workflows where scoring, ranking, prediction, approval, rejection, or routing affects individuals.
- Classify the workflow and document the owner, impact, lawful basis, safeguards, and evidence.
- Refresh the review when data sources, model logic, thresholds, vendors, or user groups change.
Profiling and automated decision-making matter when a SaaS system uses personal data to evaluate, score, rank, predict, approve, reject, flag, suspend, route, or otherwise influence an outcome for an individual. The team should first separate ordinary automation from profiling, and then identify whether any workflow makes a solely automated decision with legal or similarly significant effects.
Under the GDPR, profiling is automated processing used to evaluate personal aspects of a person. Article 22 is the higher-risk case: it concerns decisions based solely on automated processing, including profiling, that have legal effects or similarly significant effects. If this applies, the team needs a permitted route, suitable safeguards, and a real path for human intervention, challenge, and review.
Practical workflow
Start with an inventory of systems that score, rank, predict, flag, recommend, approve, reject, suspend, prioritise, or route individuals. Include product features, AI tools, fraud systems, moderation, CRM scoring, customer success dashboards, support triage, security tooling, analytics, vendor tools, and internal dashboards.
For each workflow, document purpose, data inputs, output, lawful basis, whether special category data or children are involved, human involvement, impact on the person, vendor role, retention, monitoring, and evidence location. Then classify the workflow as ordinary automation, profiling, automated decision support, or solely automated decision-making with significant effects.
Controls
Transparency should explain the purpose, data used, broad logic, significance, and likely consequences where required. Human review must be meaningful: the reviewer needs enough information, authority, time, and independence to change the outcome.
Controls should also cover data quality, fairness, accuracy, drift, override rates, complaints, vendor changes, deletion, access, objection, and contest routes. If a model, threshold, data source, user group, or vendor changes, the review should be refreshed.
Common mistakes
Teams often treat profiling as only advertising, assume a nominal human-in-the-loop removes risk, rely on vendor labels without understanding impact, document the model but not the decision, or forget that governance must continue after launch.
FAQ
When does Article 22 matter?
It usually matters when a decision is solely automated, concerns an individual, and has legal or similarly significant effects. Profiling alone does not always trigger Article 22, but it still requires GDPR controls.
What should teams document first?
Document the workflow inventory, purpose, data inputs, output, human involvement, impact, lawful basis, Article 22 assessment, safeguards, vendor role, monitoring, and evidence owner.
Sources
This guide relies on the GDPR, EDPB guidance on automated individual decision-making and profiling, and ICO guidance on automated decision-making, profiling, and individual rights.
Primary sources
- General Data Protection Regulation, European Union · Retrieved 19 May 2026
- Automated decision-making and profiling, European Data Protection Board · Retrieved 19 May 2026
- Automated decision-making and profiling, Information Commissioner's Office · Retrieved 19 May 2026
- Rights related to automated decision making including profiling, Information Commissioner's Office · Retrieved 19 May 2026