Automated decision
Are you submitting an application to an organisation? For example, for a loan from an online bank? In any such case, the bank will need to decide whether or not to grant you the loan. Usually, it is a bank employee who makes that decision. However, more and more organisations are switching to automated decisions. This means that a computer makes the decision.
Companies are not the only ones using automated decision-making; the government does so too. Letting a computer make the decisions obviously takes less time and work.
Making such automated decisions is also referred to as 'automated decision-making'.
Use of personal data
Computers make automated decisions based on someone's personal data, among other things, such as information about a person's income. In a fully automated decision, this happens without an employee assessing the data. That also means no one is checking whether the computer's conclusion is correct.
Profiling and automated decisions
An automated decision can be based on a single piece of personal data, but also on profiling. This involves checking whether a person meets a certain profile.
Profiling involves using personal data to make an assumption or prediction about a person's interests and (payment) behaviour, among other things. However, the resulting assumption or prediction is not always correct. This can lead to someone being wrongly put into a particular box.
Algorithms and automated decisions
Companies and organisations often use algorithms to make automated decisions. An algorithm is a kind of step-by-step plan for computers. It tells a computer how to evaluate a person's data, or how to compare that person to a specific profile if profiling is used.
Automated decision without serious consequences
Much of our daily lives has become automated. That means there are a lot of automated decisions being made these days. For example:
- You buy something in an online shop. The fact that you've paid is recorded automatically. The product is sent to you thereafter.
- Your ID is about to expire. You automatically receive a notice that you need to renew your ID.
These automated decisions have no serious consequences for us and usually make our lives easier. The GDPR privacy law does not contain any special rules for this type of automated decision-making.
However, there are also automated decisions that can have legal consequences for people. For example, they can result in a contract being terminated, or other serious consequences. The GDPR contains special provisions for such cases.
Automated decision with legal or serious consequences
Possible legal consequences or other serious consequences of automated decision-making include someone:
- not being invited for a job interview;
- not receiving social benefits, such as child benefit or rental housing allowance;
- not being granted a loan, insurance or a home.
Automated decisions with such consequences do carry risks, such as the chance of an unfair or biased decision. They can even result in discrimination. That is why the GDPR contains provisions for automated decisions with legal or other serious consequences.
Rules regarding automated decisions for companies
A company is not permitted to just make automated decisions with legal or other serious consequences. The GDPR lists only three situations in which this is permitted. A company can make such an automated decision about someone if:
- This decision is necessary to enter into or perform a contract with this person.
- This person has given explicit consent to the decision.
- A law is in place that says it is permitted. For example, a law that banks are required to comply with to prevent money laundering.
Even so, the company is still required to take 'appropriate measures'. This is stipulated in the GDPR.
Appropriate measures for companies
Companies are required to take appropriate measures to protect the people concerned. In any case, this means they must enable people to:
- Ask the company to have an employee review the decision.
- Let the company know their view on the decision. The company can then provide an explanation and take measures, if necessary.
- Dispute the decision.
In addition, it is important that companies:
- Are able to give a transparent explanation about how automated decisions are made, and can show that they are in full compliance with the GDPR.
- Regularly monitor and test the systems that are used for automated decisions. This is to ensure that these systems work as intended and do not produce incorrect results.
Providing information
The company must provide you with information about the automated decision. You are entitled to this information. This enables you to stand up for yourself if you disagree with the decision.
Rules regarding automated decision-making for the government
In principle, a government organisation can make fully automated decisions with legal or other serious consequences only if a law states that this is permitted. The law must also stipulate which safeguards apply to protect the people concerned.
The General Administrative Law Act (Dutch abbreviation: Awb) provides such a safeguard. This act explains what people can do if they disagree with a decision made by a governmental organisation. In some instances, the Awb serves as a sufficient safeguard, whereas in others, further safeguards are required in addition to the Awb.
In addition, it is important that governmental organisations:
- Know exactly how automated decisions are made. After all, it must be possible to check the basis of an automated decision to ensure that people are not treated unfairly.
- Regularly monitor and test the systems that are used for automated decisions. This is to ensure that these systems work as intended and do not produce incorrect results.
Providing information
The governmental organisation must provide you with information about the automated decision. Often, you have the right to object to a decision with legal consequences.
Providing information about automated decisions
Has a company or governmental organisation made an automated decision regarding you that has legal or other serious consequences? In that case, the company or organisation must tell you:
- The fact that the company or organisation makes automated decisions.
- Whether profiling is used in that process.
- Why an automated decision is permitted in your situation. This might be because you have given the company your explicit consent, or because a law states that the governmental organisation is permitted to make automated decisions for a specific purpose.
- On the basis of which of your data the automated decision was made.
- The underlying logic of the decision, such as the rationale behind the decision and the criteria on the basis of which the decision was made. This should be relevant information that explains the procedure and principles used in a concise, transparent, comprehensible and easily accessible form.
- The importance of the automated decision and how that decision is likely to affect you.
Note: Companies sometimes buy people's profiles from another company, such as a business information agency. Using these profiles, computers can predict how much a given person would be able to spend. Companies are not permitted to simply use such profiles for automated decisions.
Privacy story
Jason (30) was excluded by an algorithm. "I just had this feeling something was wrong."
