GDPR Response on Auto Decision Making-Restriction on Processing Template - Accepted

by Nash V


The GDPR requires that all organizations which collect and use the personal data of their end-users give them the option to request that the organization not apply any automated decision-making or profiling to their personal data. This can include decisions made by AI, algorithms and any automated processes that do not require human intervention.

GDPR Response on Auto Decision Making-Restriction on Processing - Accepted Template

If a data subject requests to restrict or completely stop this practice, that request must be reviewed by a human being. If the request is accepted, the data controller must inform the end-user of that decision and comply with the request promptly.
The DPO (or their delegate) of an organization should respond to a request submitted by a data subject of the organization, asking to restrict the use of any automated decision-making or profiling processes regarding their personal data. The GDPR requires that any automated decision-making is carried out transparently, lawfully and fairly. The response needs to be kept in the organization's archive for audit purposes (internal and external).

Scope and Purpose

The organization may reject the request to restrict automated decision-making or profiling if one of the following applies -

1. Either party is required to abide by a contract.

2. The data controller is within their rights to do so under the local law.

3. The end-user freely contested these processes, and restricting them now may negatively affect the organization.

If none of the above applies to the request, then the data controller must comply promptly.

Once an automated decision-making restriction request has been submitted, the data controllers are required to -

1. Review the request (by a human being)

2. Check that the personal data mentioned exists on the organization's systems and that some form of automated decision-making or profiling is applied to it.

3. If it does: Validate that the requester is indeed the owner of the data or a proxy of the legitimate end-user.

4. If they are: Check whether the organization has any reason not to comply with the request.

5. If no such reason exists (step 4): Inform the requester that their request is approved and will be processed promptly.

6. Record the request, its response, and any further communication with the requester. This is required for external and internal audits.

The acceptance response should include the following fields -

1. The details of the DPO (or representative of the data controller)

2. The basic details of the requester (name, email or phone, summary of the request)

3. Which automated decision-making on the personal data is requested to be restricted.

4. The response to the request.

The Obligations of the Data Controller

1. Establish that the requester's data is automatically processed or profiled in any way.

2. Ascertain that the request is feasible, and if not, explain why.

3. Notify the data subject of the decision to approve their request.

Term Definitions

What is a Data Controller?

An organization or person who determines the use of the collected personal data from the data subjects. The data controller owns the collected personal data, decides how it will be processed and bears the sole responsibility for safekeeping it.

What is personal data?

Any unique data which relates to an individual data subject. This can include such information as Name, phone number, Email address, ID number, health records, political opinions, IP address, etc.

What is the processing of personal data?

Any act performed on the collected personal data of the organization's data subjects. This may include such actions as storing the data, analyzing it to extract insights, or deleting it once it is no longer required.

What is a data subject (also known as an end-user)?

Any person who created a unique username on the organization's website, thus giving them the possibility of using that username to perform specific tasks and use features offered on the website.

Who is the DPO?

The Data Protection Officer is the main stakeholder of the organization for all aspects of GDPR compliance. They are responsible for making sure that the GDPR guidelines are adhered to.

What is a data breach?

Any intentional or unintentional security incident that involves sharing personal data with any unauthorized party. Sharing personal data may include viewing, copying, stealing, or altering personal data.

Key Takeaways / Conclusions

1. The DPO (or their delegate) is responsible for checking the request and responding to it.

2. In case of a rejection, the response must explain in clear, everyday language why the rejection decision was made.