22.
(1) In this regulation—
“an automated individual decision-making” means a decision made by automated means without any human involvement.
(2) Pursuant to section 35 of the Act, a data controller or data processor shall—
(a) inform a data subject when engaging in processing based on automated individual decision making;
(b) provide meaningful information about the logic involved;
(c) ensure—
(i) specific transparency and fairness requirements are in place;
(ii) rights for a data subject to oppose profiling and specifically profiling for marketing are present; and
(iii) where conditions specified under section 31 of the Act arise, a data protection impact assessment is carried out;
(d) explain the significance and envisaged consequences of the processing;
(e) ensure the prevention of errors;
(f) use appropriate mathematical or statistical procedures;
(g) put appropriate technical and organisational measures in place to correct inaccuracies and minimise the risk of errors;
(h) process personal data in a way that eliminates discriminatory effects and bias; and
(i) ensure that a data subject can obtain human intervention and express their point of view.