AI user profiling risk detector
Personalisation, scoring, recommendation, churn prediction, dynamic pricing — many AI features quietly meet the legal definition of profiling without their builders realising it. Under GDPR that definition is broad and the consequences are real: transparency duties, a lawful-basis requirement, and in some cases the strict limits of Article 22 on solely automated decisions. This tool walks you through the test so you know where your feature stands.
The GDPR profiling definition is intentionally broad
GDPR Article 4(4) defines profiling as any automated processing of personal data used to evaluate, analyse, or predict aspects of a natural person. That covers:
- Behaviour (what they buy, click, browse, where they go)
- Interests (what they seem to care about, what content they engage with)
- Performance (how productive they are, how they perform at work)
- Reliability (creditworthiness, risk of default or churn)
- Health (inferred from purchases, lifestyle data, sensor readings)
- Location (movement patterns, home/work inference)
- Personal preferences (political, religious, cultural inferences)
An AI recommender, a churn propensity score, a dynamic pricing engine, a personalised content feed — all of these are profiling if they process personal data and produce an evaluation or prediction about an individual. The definition does not require intent; it is about what the processing does, not what you called it.
How it works
You describe the feature, its data inputs, and its outputs, then answer a short test that mirrors GDPR Article 4(4): does it process personal data, is it automated, does it evaluate or predict something about the person, do the outputs affect them, and could that effect be significant or reveal special-category data? The tool scores those answers, returns a plain-language verdict — not profiling, possibly profiling, or likely regulated profiling — and lists the obligations that follow, including the heightened duties when Article 22 or special-category inference is in play.
Article 22 and where it applies
Article 22 goes further than basic profiling rules. It restricts decisions based solely on automated processing when those decisions produce legal or similarly significant effects on individuals. “Similarly significant” covers: automatic refusal of an online credit application, e-recruiting decisions that exclude candidates, differential pricing that materially affects access to a service, and similar.
The conditions for Article 22 are strict:
- The processing must be solely automated — meaningful human review that can change the outcome takes you outside it.
- The effects must be legal (rights, obligations, conditions) or similarly significant (material impact on person’s circumstances, behaviour, or choices).
- If both conditions apply, you need explicit consent, a contract necessity, or a legal basis, plus the right to explanation and human review.
Most production AI systems involve at least some human oversight at a system level, which is why many fall outside Article 22 in practice — but the test is whether that oversight is meaningful and capable of changing the outcome, not merely nominal.
Tips and notes
- Aggregate-only is your escape hatch. If outputs are purely statistical and never linked back to an individual, you are usually outside profiling — keep the data that way where you can.
- Watch unintended inferences. A model trained on purchase history can infer pregnancy or health; the regulator cares about what the system can infer, not what you intended.
- A DPIA is almost always expected. Profiling with significant effects sits squarely in the territory where a data protection impact assessment is required — do it early and keep it current.
- Transparency is the minimum. Even if your profiling is lawful, data subjects must be told you are doing it, for what purpose, and what their rights are — including the right to object.