What is profiling under GDPR? (Art. 4(4))
Profiling is automated analysis to evaluate or predict someone — behaviour, creditworthiness, buying patterns, health. With or without consent?
Profiling (GDPR Art. 4(4)) is any form of automated processing of personal data consisting of using that data to evaluate or predict certain personal aspects of a natural person. Examples: work performance, economic situation, health, preferences, reliability, behaviour, location, movements. Three elements: (1) automated (algorithm/AI), (2) on personal data, (3) aimed at deriving something about the person.

Allowed? Yes, on one of the Art. 6 bases — usually legitimate interest or consent. But profiling that leads to an automated decision with legal effect or similarly significant effect falls under Art. 22 (stricter regime). Profiling with special category data (Art. 9) is much more restricted.

Practical examples where Art. 22 bites: credit scoring (Experian, BKR), insurance premium calculation, payment fraud detection, automated CV screening, dynamic pricing. Examples where Art. 22 does NOT bite: Facebook targeting ("women 25-40 who installed a fitness app") — no legal-effect decision, so only Art. 6 + Art. 21 (objection).

Your rights regarding profiling: (a) access to the profile itself (Art. 15), (b) objection for direct marketing is absolute (Art. 21(2)), (c) for Art. 22 — human intervention, explanation, contesting the decision.

Tracking, cookies & Custom Audiences: profiling for marketing falls under ePrivacy + GDPR. Consent required for analytics + retargeting cookies. Cookieless profiling (server-side fingerprinting, IP tracking) is equally regulated.

AI Act: high-risk AI systems consisting of profiling get additional transparency + risk-management requirements (AI Act Annex III).