22—Automated individual decision making.


(1) In this regulation—

“an automated individual decision-making” means a decision made by automated means without any human involvement.

(2) Pursuant to section 35 of the Act, a data controller or data processor shall—

(a)  inform a data subject when engaging in processing based on automated individual decision making;

(b)  provide meaningful information about the logic involved;

(c)  ensure—

(i) specific transparency and fairness requirements are in place;

(ii) rights for a data subject to oppose profiling and specifically profiling for marketing are present; and

(iii) where conditions specified under section 31 of the Act arise, a data protection impact assessment is carried out;

(d)  explain the significance and envisaged consequences of the processing;

(e)  ensure the prevention of errors;

(f)  use appropriate mathematical or statistical procedures;

(g)  put appropriate technical and organisational measures in place to correct inaccuracies and minimise the risk of errors;

(h)  process personal data in a way that eliminates discriminatory effects and bias; and

(i) ensure that a data subject can obtain human intervention and express their point of view.

PART IV—OBLIGATIONS OF DATA CONTROLLERS AND DATA PROCESSORS