Your Rights Around Automated Decisions and Profiling

What counts as profiling and a solely automated decision

Profiling is when an organisation uses your personal data to evaluate or predict something about you — for example, your reliability, interests, behaviour, or likely choices. A lot of profiling is ordinary and low-stakes, like a shop suggesting products. The UK GDPR does not ban profiling; it gives you rights to understand and, in some cases, push back on it.

A 'solely automated decision' is something different: a decision made by software alone, with no meaningful human involvement. If a person merely rubber-stamps a computer's output without genuinely reviewing it, the decision can still count as solely automated. The key question is whether a human is actually weighing the facts, not just clicking 'approve'.

Article 22 of the UK GDPR gives you a specific right where a solely automated decision produces a 'legal' or 'similarly significant' effect — such as an automated refusal of credit, a job application screened out by an algorithm, or an automated eligibility decision. This is general information, not legal advice.

• Profiling: using your data to evaluate or predict something about you.
• Solely automated: decided by software, with no meaningful human input.
• The Article 22 protection focuses on decisions with legal or similarly significant effects.

The rights you have when a decision is automated

Where Article 22 applies, an organisation generally should not make a solely automated decision about you with significant effects unless a specific condition is met — for example, it is necessary for a contract, you have given explicit consent, or it is authorised by law. Even then, you keep important safeguards.

Those safeguards usually include the right to obtain human intervention, to express your point of view, and to contest the decision. You can also use your right of access to ask what data was used, and organisations should give you meaningful information about the logic involved and the likely consequences — explained in plain terms, not as raw source code.

Special-category data (such as health or ethnicity) carries extra protection, and there are tighter rules where automated decisions affect children. If you think a decision was made by software alone and it had a real impact on you, you are entitled to ask the organisation how it was made and to request that a person look at it again.

• Ask for a human to review the decision.
• Explain your own side and provide context the system may have missed.
• Contest the outcome and ask for it to be reconsidered.
• Request meaningful information about the logic and the likely effects.

How to raise it calmly, and where OSINTA fits

Start by writing to the organisation and being specific: name the decision, say you believe it was made solely by automated means, and ask for human review under your UK GDPR rights. You can pair this with an access request to see the personal data and the broad logic behind the outcome. Keep a record of what you sent and when.

If the organisation does not respond, or you are not satisfied, you can raise a concern with the Information Commissioner's Office (the ICO), the UK's data protection regulator. The ICO can look at how the organisation handled your request, though it does not act as an appeal court for the underlying decision itself.

OSINTA is a self-only tool: it helps you understand your own digital footprint and frame and route your own requests. It does not make decisions for you, monitor anyone, or guarantee an outcome — the system suggests, and you decide every step. This article is general information, not legal advice; for advice on your specific situation, consider a qualified professional.

Frequently asked questions

Related terms

• GDPR (General Data Protection Regulation)
• Personal data
• Online identifier
• Data protection regulator