|
|
The art. 4 of the GDPR defines profiling as : " any form of automated processing of personal data consisting in the use of such personal data to evaluate certain personal aspects relating to a natural person, in particular to analyze or predict aspects concerning professional performance, economic situation , health, personal preferences, interests, reliability, behaviour, location or movements of that natural person ”. This activity is included in the broader category of " automated decision-making processes " which is currently subject to the general prohibition imposed by Article 22 pursuant to which: " the interested party has the right not to be subjected to a decision based solely on automated processing , including profiling, which produces legal effects concerning him or which similarly significantly affects him ."The art. 22 of the GDPR at par.
2 includes among the exceptions to the general prohibition Special Data the possibility that fully automated processing is based on the explicit and specific consent of the interested party , i.e. on a consent expressed through an express declaration and not inferred from conclusive behavior. In line with the requirement of specificity, the Guidelines dictated by the Guarantor in this regard also clarify that the data must be processed for the specific purpose indicated in the request for consent presented to the interested party, as their use for a purpose other than the which it will be necessary to ask for another specific consent.With reference to the fully automated processing referred to in art. 22, the GDPR introduces the owner's obligation to :provide the information necessary to guarantee the interested party knowledge not only of the automated decision-making process , but also the logic used and the expected consequences of such processing;implement appropriate and reinforced protection measures ;guarantee the interested party the right to obtain human intervention from the owner, to express their opinion and to contest the decision .Rights of interested partiesThe European legislator
has substantially reworked the provisions with which the Privacy Code (which, we remember, will remain in force even after 25 May to the extent that its provisions are not incompatible with the new formula) already regulated the rights of interested parties to feedback, access, oblivion, limitation of processing, opposition to processing.In addition to what is already in force, the GDPR introduced the right to data portability , understood as the right of interested parties to receive the personal data provided by them to the data controller, in a structured, commonly used and mechanically readable format and to transmit it to a different owner.Before May 25th, the owners will therefore have to adopt the technical and organizational measures necessary to guarantee and facilitate the exercise of the rights and the response to the requests presented by the interested parties , which - unlike what is currently envisaged - will have by default the written form (also electronic)
|
|
發表於 2024-3-10 12:16:51