TOURISM, DATA PROTECTION AND COVID-19 357 iii. The objective of profiling must be to evaluate personal aspects about a natural person. Moreover, Article 22(1) of the GDPR defines three ways in which profiling may be used: i. General profiling; ii. Decision-making based on profiling; and iii. Solely automated decision-making, including profiling, which produces legal effects or similarly significantly affects the data subject. Generally, the GDPR forbids decision-making process based on profiling18. Recital 71 of the GDPR provides for some typical hypothesis that can be considered for sure within the scenario of STD. It provides: “The data subject should have the right not to be subject to a decision, which may include a measure, evaluating personal aspects relating to him or her which is based solely on automated processing and which produces legal effects concerning him or her or similarly significantly affects him or her, such as automatic refusal of an online credit application or e-recruiting practices without any human intervention”. In these cases of profiling decisions, we can recognise defined exceptions that allow such kind of process to take place when there is a clear consent, contract or national provision. At the same time, Recital 71 states some basis on which the profiling process is possible: “Decision-making based on such processing, including profiling, should be allowed where expressly authorised by Union or Member State law to which the controller is subject, including for fraud and tax-evasion monitoring and prevention purposes conducted in accordance with the regulations, standards and recommendations of Union institutions or national oversight bodies and to ensure the security and reliability of a service provided by the controller, or necessary for the entering or performance of a contract between the data subject and a controller, or when the data subject has given his or her explicit consent”. Recital 71 complements this last form of profiling providing that: “In any case, such processing should be subject to suitable safeguards, which should include specific information to the data subject and the right to obtain human 18 For further information on the activity of profiling, see A. Ricci, I diritti dell’interessato, in G. Finocchiaro (edited by), La protezione dei dati personali in Italia, Regolamento UE n. 2016/679 e d.lgs. n. 101, Zanichelli, 2019.
RkJQdWJsaXNoZXIy MTE4NzM5Nw==