Date: 2022-08-12

When companies create profiles, they need a legal basis and specific purposes. In the c’t data protection podcast we explain the background.

At the end of July, Lower Saxony’s data protection officer, Barbara Thiel, concluded a procedure of practical relevance concerning the evaluation, enrichment and transfer of customer data. Hannoversche Volksbank is to pay a fine of 900,000 euros because it analyzed the usage behavior of customers without their consent and is said to have used a service provider to do so. According to the supervisory authority, the bank compared the results of the analysis with data from a credit agency and enriched them with additional information. The aim was to identify customers who were receptive to certain forms of advertising.





This procedure is an opportunity for the c’t data protection podcast to take a look at how customer data and profiles are treated under data protection law. Editor Holger Bleich and publisher’s legal advisor Joerg Heidrich have therefore invited David Pfau to Episode 68. Pfau is “Head of Data & Privacy” at conreri digital development GmbH. The business psychologist is a proven data protection expert and advises companies in the media and digital industry.

“Legitimate interest”

First, the three discuss how and where profiling is defined in the GDPR and what legal bases there may be for it. Inevitably, one ends up with the rather vague “legitimate interest” of the controller, i.e. Art. 6(1)(f) GDPR, which companies regularly invoke to avoid obtaining individual consent from each customer. But even “legitimate interest” does not justify just any processing of customer data, as Pfau emphasizes.

Purpose limitation, which is laid down in Art. 5 GDPR, also stands in the way of unrestricted handling of customer data. Pfau recommends that companies carefully consider the intended purpose when collecting information and define it as broadly as possible. In particular, if customer data is to be enriched later or used for profiling, the limit of what is legally permissible is quickly reached, which Pfau explains in detail.

