Also in Europe, exemptions have been made in GDPR for reasons of national security and to prevent and investigate crimes. However, in Europe, we do operate differently with regard to the rights of individual citizens, equal treatment and a strong assumption of innocence. We should therefore not base our observations on imported software without a clear view on the adaptations made (or not made) to our cultures.
Individuals must be informed
In cases of profiling, the GDPR requires that “meaningful information about the logic involved, as well as the significance and the envisaged consequences” of the data processing should be provided to the individual. This should be provided both when the data is collected (notification), and if the individual requests further information (right of access).
Data should be safely collected, processed and stored
Authorities collecting and processing personal data for profiling purposes must not only process data lawfully, but are mandated also to ensure that data are not:
- Accessed by unauthorized persons,
- Used for other purposes than the original purpose, or
- Stored for longer than necessary.
To this end, authorities and law enforcement officers must ensure that appropriate measures are implemented to protect the integrity and security of the data. They must keep track of any access to, and use of, the data by creating and maintaining records of all processing activities or categories of processing activities.