What is profiling under GDPR?

GDPR Article 4(4) defines profiling as any automated processing of personal data to evaluate, analyse, or predict aspects of a person — such as their behaviour, interests, reliability, or health. If your AI does that with personal data, it is profiling, regardless of what you call the feature.

Is all profiling illegal?

No. Profiling is lawful with a valid basis and the right safeguards. What is restricted is solely automated decision-making that produces legal or similarly significant effects, which Article 22 limits and surrounds with extra rights.

What triggers Article 22?

Article 22 applies when a decision is based solely on automated processing, with no meaningful human involvement, and produces legal or similarly significant effects like credit, employment, or pricing. That combination requires consent, a contract, or law, plus a route to human review and to contest the decision.

What if my AI could infer health or ethnicity?

Inferring special-category data needs an Article 9 condition, usually explicit consent, which is a high bar. Even an inference your model was not designed to make can pull you into that regime, so it is worth testing for deliberately.

Is this a substitute for legal advice?

No. It applies the GDPR profiling definition to help you triage and structure a conversation with your data-protection lead or counsel. A qualified adviser should confirm any conclusion for a live feature.

AI User Profiling Risk Detector

AI user profiling risk detector

Personalisation, scoring, recommendation, churn prediction, dynamic pricing — many AI features quietly meet the legal definition of profiling without their builders realising it. Under GDPR that definition is broad and the consequences are real: transparency duties, a lawful-basis requirement, and in some cases the strict limits of Article 22 on solely automated decisions. This tool walks you through the test so you know where your feature stands.

How it works

You describe the feature, its data inputs, and its outputs, then answer a short test that mirrors GDPR Article 4(4): does it process personal data, is it automated, does it evaluate or predict something about the person, do the outputs affect them, and could that effect be significant or reveal special-category data? The tool scores those answers, returns a plain-language verdict — not profiling, possibly profiling, or likely regulated profiling — and lists the obligations that follow, including the heightened duties when Article 22 or special-category inference is in play.

Tips and notes

Aggregate-only is your escape hatch. If outputs are purely statistical and never linked back to an individual, you are usually outside profiling — keep the data that way where you can.
Watch unintended inferences. A model trained on purchase history can infer pregnancy or health; the regulator cares about what the system can infer, not what you intended.
A DPIA is almost always expected. Profiling with significant effects sits squarely in the territory where a data protection impact assessment is required — do it early and keep it current.