As we have mentioned in other articles on GDPR compliance, GDPR specifically prohibits the automated profiling of individuals, including of their online identifiers or locations, which means that it is a violation of GDPR to note, in an automated fashion, from what region in the world they are surfing over to your website.
Many of you have asked for the actual language of GDPR which prohibits automated profiling and, by extension, prohibits a site from excluding traffic from the EU. So here it is. (You can read the full text of GDPR here.)
From the prefatory language:
(71) The data subject should have the right not to be subject to a decision, which may include a measure, evaluating personal aspects relating to him or her which is based solely on automated processing and which produces legal effects concerning him or her or similarly significantly affects him or her, such as automatic refusal of an online credit application or e-recruiting practices without any human intervention. Such processing includes â€˜profilingâ€™ that consists of any form of automated processing of personal data evaluating the personal aspects relating to a natural person, in particular to analyse or predict aspects concerning the data subject’s performance at work, economic situation, health, personal preferences or interests, reliability or behaviour, location or movements, where it produces legal effects concerning him or her or similarly significantly affects him or her. However, decision-making based on such processing, including profiling, should be allowed where expressly authorised by Union or Member State law to which the controller is subject, including for fraud and tax-evasion monitoring and prevention purposes conducted in accordance with the regulations, standards and recommendations of Union institutions or national oversight bodies and to ensure the security and reliability of a service provided by the controller, or necessary for the entering or performance of a contract between the data subject and a controller, or when the data subject has given his or her explicit consent. In any case, such processing should be subject to suitable safeguards, which should include specific information to the data subject and the right to obtain human intervention, to express his or her point of view, to obtain an explanation of the decision reached after such assessment and to challenge the decision. Such measure should not concern a child.
From the actual law – in particular pay attention to the first two paragraphs:
Article 4 (1): â€˜personal dataâ€™ means any information relating to an identified or identifiable natural person (â€˜data subjectâ€™); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;
Article 4 (4): â€˜profilingâ€™ means any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person’s performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements;
Article 35 provides for a “Data protection impact assessment” which must be carried out *before* implementing profiling by automated means, and this includes that “A data protection impact assessment referred to in paragraph 1 shall in particular be required in the case of…a systematic and extensive evaluation of personal aspects relating to natural persons which is based on automated processing, including profiling, and on which decisions are based that produce legal effects concerning the natural person or similarly significantly affect the natural person;”
And before such implementation a supervisory authority has to sign off on it, and even the data subjects themselves may need to agree to it.
So, basically, automated profiling of personal data is prohibited unless you jump through all of these hoops.
And that’s how GDPR prohibits the automated detection of IP addresses in order to geolocate and exclude EU visitors and traffic.