Profiling and automated decision-making under GDPR

This is probably the hottest potato within the digital marketing industry right now and especially the programmatic advertising these days. If you are a marketer, this concerns you too.

As site owners’ challenge these days is to ensure compliance on digital assets, you should know that most of the apps you use for marketing purposes do profiling, including the very popular Facebook Pixel, Google Ads, and various codes/tags you get from your agency or retargeting services.

Simply put, GDPR requires you to be transparent with your users and let them know what’s happening. Plus, they must agree for this type of processing before you those apps start running on your site.


So, what is profiling?

Profiling is as an automated form of processing personal data for evaluating various aspects, especially to analyze or make predictions about individuals.

Profiling practices construct knowledge from huge sets of data, that is commonly used by marketers to make or inform decisions (especially nowadays considering the ubiquitous consumer profiling, the programmatic media buying based on data segments and all the real-time personalization features).

It usually implies three distinct stages:

  • data collection;
  • automated analysis to identify correlations;
  • applying the correlation to identify individuals’ characteristics of present or future behavior.

Through profiling, personal information can be deducted, derived or predicted with certain degrees of accuracy. As a result, data about a person’s behavior can be used to generate inferred information (about his or her likely identity, attributes, behavior, interests, or personality traits) and activated in marketing campaigns.


Automated decision-making means using technology to decide various things without substantive input from a human decision-maker.

Automated decision-making is not expressly defined in the GDPR, but the European Data Protection Board shed some light on the matter.

Most marketing technology providers fall under this category, especially marketing automation tools, data management platforms (DMP), media buying platforms (DSP), content personalization and product recommendation engines, retargeting pixels and so on.

Put it simply, it’s about applications that track people online in order to create profiles based on their behavior and use those profiles to better target advertising content.


To sum it up, most of the marketing tools you may be using do profiling.

They are tracking, collecting, analyzing massive amounts of data in order to create individual profiles that are later being used for various purposes

This includes Facebook Pixel, Google Ads, DoubleClick, Segmentify, Data Management Platforms such as Lotame, Bluekai, Cxense, Krux, Avandor, and most DSPs and personalization tools out there.

As this may sometimes lead to significant effects for some users (e.g. discrimination or denial of opportunities), often beyond your control and beyond your knowledge, you as site owner and data controller, should thoroughly inform and ask for explicit consent from your users for this type of processing, before starting the applications. Be nice and avoid running such apps before asking for consent, ok?

To achieve this, you normally need to integrate a consent manager with a tag manager (or directly with your site’s code). Avandor Consent fortunately manages both consent and tags from a single platform, so why not check it out?

Georgiana Bedivan

Head of Compliance

We've struggled to understand GDPR so you won't have to. Learn from our experience →

We've asked a Data Protection Authority for answers on digital processing...

Since everyone is scared by penalties, we wrote and asked the Romanian Data Protection Authority (ANSPDCP) some questions about how GDPR will apply to the online processing. Here's what they had to say...

read more

What's wrong with cookie consent?

The common misbelief is that compliance on digital properties equals cookie consent. But the truth is that GDPR is not about cookies, but about who set those cookies and what for.

read more

10 steps to make your site compliant

Some have tried with cookie consent, others with implicit consent like "by continuing to use this website...", and others simply closed their sites to European citizens.

read more

What makes valid consent under GDPR?

Consent is just one of six lawful bases to process personal data, as listed in the GDPR. It may not always be necessary, but when it is, you have to make sure it is properly obtained and stored.

read more

Data controller vs. processor? Who's who

Although GDPR’s definition of the two may seem simple and concise, marketers are still having a hard time trying to figure out who’s what, especially when it comes to automated processing technologies.

read more

Profiling and automated decisions under GDPR

As site owners’ challenge these days is to ensure compliance on digital assets, you should know that most of the apps and technologies you use for marketing purposes do profiling.

read more

GDPR myths and misconceptions

Starting with May 25th, a lot of misinformation regarding GDPR has been spread so understanding the basic principles of this new regulation and how to get compliant proved to be overwhelming.

read more

Using Facebook pixel on your site?

As per today’s practices you can’t really help but using Facebook as part of your marketing strategy. However, the question that arises since the 25th of May is who is responsible for obtaining consent.

read more

Looking for the right consent solution?

Discover Avandor Consent

see features & benefits →

Need help navigating GDPR compliance?

We're happy to assist you with free advice

get in touch →

Your details:

Your interest:

Your Message:

by submitting this form you consent to our use of your data

For more information or a demo call +4072 893-9780 or get in touch.