Profiling and automated decisions executed by financial entities under the GDPR


Financier Worldwide Magazine

March 2018 Issue

Customer profiling has become the key data processing activity carried out by financial entities. It is essential for institutions to get to know their prospective customers and existing ones better. Profiling activities may be related to activities such as scoring, creditworthiness, pre-approved credit offers and, in general terms, the provision of customised offers to clients, including personal loans, mortgage loans, credit cards and investment funds, for which all sorts of information on the customer are used, either purely financial or otherwise.

Thus, technology is helping financial institutions to offer more competitive and tailor-made products targeting a specific audience based on, for instance, the analysis of customer behaviour and payment card statements. Big Data techniques can be convenient in terms of resource saving and increased efficiencies in the business activities of all kinds of companies. In particular, profiling has turned out to be of great assistance to financial entities as it allows companies to reduce their risks, as well as providing a more objective assessment on financial standing, while offering customers more attractive products cut out to the level of risk they encompass and can put up with.

However, the analysis of all the information regarding targeting a specific customer with a particular financial product involves an important amount of data (including personal data) related to the daily activities of the customer, such as monthly payroll, direct debit payments, where he or she eats, where he or she does grocery shopping, the type of shops he or she visits and analysis of geo-location by means of the mobile phone. Some of this information may or may not be relevant for the purposes of the financial entity, but it may certainly give rise to concerns about the potential impact on the privacy of the individual. In this sense, the Article 29 Working Group has pointed out the inherent risks of profiling activities to data subjects’ fundamental rights in the field of financial activities.

As a general rule, European Union (EU) regulation 2016/679 of the European Parliament and Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (GDPR) requires parties to obtain the express consent of individuals for executing profiling activities. Profiling under the GDPR requires the automated processing of personal data for the purpose of evaluating personal aspects, and the empowerment of data subjects ‘against’ said profiling pursues that individuals are not unknowingly discriminated based on the data they give unconsciously. The concept of automated decision-making partially overlaps with profiling under the GDPR as it acts on three types of data – data provided by the individual, data observed about the individual and data inferred from the personal information obtained about the individual. Therefore, the issue at stake is how to make the regime of express consent that governs these practices compatible with the execution of profiling activities that are essential for the business activities of a financial entity.

In addition, the regime applicable for those cases where the processing is only intended to assess a request of a new product or service from the customer (or where it is necessary for the development of the contractual relationship) from those automatically executed by the financial entities with a mere marketing purpose, should be analysed separately.

It could be construed that the profiling of customers is essential for the execution of the agreement that binds the financial entity with the customers or that, at least, the financial entities have a legitimate business purpose or interest to process such data. One of the referred alternatives, the execution of a contract or legitimate interest, may provide a lawful ground to execute the profiling, in those cases where the consent of the individual has not been obtained.

In order to assess whether consent is required, it is necessary to evaluate different elements that may impact upon the profiling activities. At least three different sources may be used to execute profiling activities, such as public sources, including websites, social networks and blogs, third-party private sources, including listbrokers and partners of the financial entities, as well as the financial entity itself.

In the event that third-party private sources are used to execute profiling activities for marketing purposes, that is, to offer new products or services to the existing customers, the prior express consent of the individual should be obtained. In our view, the consent regime should also apply to the processing of personal data that is available via the internet, considering that such data was not published by the individuals or third parties with the objective of being processed in the framework of profiling activities.

On the contrary, if the personal data used by the financial entity is the one lawfully gathered in the framework of the contractual relationship with the customer, it could be construed that the entity may rely upon the existence of a legitimate interest in order to be able to execute such profiling and for the subsequent offering of new products and services. It should be borne in mind that any marketing campaign should observe, in addition to the GDPR, any other piece of legislation applicable to the case at hand, for example Directive 2002/58 may be repealed by the future ePrivacy Regulation. Such specific pieces of legislation may require additional formalities or specific consents to execute the relevant processing activities, for example the sending of marketing communications by email or SMS.

In any event, even if financial entities rely upon the legitimate interest ground to execute profiling activities for marketing purposes, it would be necessary to clearly inform the customer about such processing and give him or her the option to object to such processing. In this sense, the Spanish DPA issued a non-binding legal opinion in response to a consultation by the Spanish Banking Association in which, among other aspects, the Spanish DPA analyses the conditions under which the business legitimate interests of a financial entity may be used as legal grounds for the processing of personal data. The Spanish DPA calls upon some examples provided by the GDPR recitals, such as direct marketing activities with customers. In any event, this should not be understood as leeway for carrying out any profiling activities without limitations on the personal data of customers. For instance, the Spanish DPA considers that the business interests of companies as legal ground for processing within direct marketing campaigns may be seen as stronger in relation to current customers than to former ones. Therefore, any personal data processing based legitimate business interests should be performed after the necessary balance analysis between the fundamental rights and freedoms of the data subjects and business interests of the financial entity.

Among the entities directly concerned by the regulations on profiling and automated decision-making under the GDPR will also be the newly regulated figures created by Directive (EU) 2015/2366 of the European Parliament and of the Council of 25 November 2015 on payment services in the internal market, amending Directives 2002/65/EC, 2009/110/EC and 2013/36/EU and Regulation (EU) No 1093/2010, and repealing Directive 2007/64/EC (PSD II). PSD II provides for the inclusion within the regulated entities of payment initiation service providers and account information service providers. At the very core of these figures is the fact that the technologies that they will be using would be closely related to the creation and enhancement of profiles that, in both cases, are called to substitute the current identification means and authentication techniques.

One of the main challenges for financial entities and FinTech companies in the coming months would be to analyse how to implement in practice the relevant clauses and consents (where necessary) to be able to execute the profiling activities with marketing purposes. It does not seem very likely that the future European Data Protection Board and the national data protection authorities may change its interpretation to reduce the number of requirements to be fulfilled to lawfully execute such profiling.


Rafael García del Poyo is a partner, Roger Segarra is a senior associate and Samuel Martínez is an associate director at Osborne Clarke. Mr García del Poyo can be contacted on +34 60 884 8406 or by email: Mr Segarra can be contacted on +34 68 637 0932 or by email: Mr Martínez can be contacted on +34 62 014 4377 or by email:

© Financier Worldwide


Rafael García del Poyo, Roger Segarra and Samuel Martínez

Osborne Clarke

©2001-2019 Financier Worldwide Ltd. All rights reserved.