1. Law
  2. All Volumes and Issues
  3. Volume 13, Number 1 (49), 2026
  4. Behavioural characteristics as an object of personal data protection in european Union Law

Behavioural characteristics as an object of personal data protection in european Union Law

Law.
2026;
Volume 13, Number 1
: pp. 38-48
https://doi.org/10.23939/law2026.49.038
Received: January 12, 2026
Accepted: March 10, 2026
Published: March 31, 2026

Цитування за ДСТУ: Булгакова Д. Поведінкові характеристики як об’єкт захисту персональних даних у праві Європейського Союзу. Вісник Національного університету “Львівська політехніка”. Серія: “Юридичні науки”. 2026. Том. 13, № 1 (49), С. 38–48. DOI:  https://doi.org/10.23939/law2026.49.038

Citation APA:  Bulgakova D. (2026) Behavioural characteristics as an object of personal data protection in european Union Law. Bulletin of Lviv Polytechnic National University. Series: Legal Sciences. Vol. 13, No 1 (49), pp. 38–48. DOI:  https://doi.org/10.23939/law2026.49.038

Authors:
  1. Daria Bulgakova
1
Lviv Polytechnic National University, Ukraine

This article examines behavioural data and its legal regulation under EU law, applying the GDPR and the regulatory framework for artificial intelligence. It analyses the conceptual and legal distinction between behavioural characteristics and biometric data, arguing that behavioural data digitally generated do not, as a rule, enable stable and unequivocal identification of a natural person. Thus, such data do not fall under the strict prohibition regime of Article 9(1) (2) GDPR, although its remain personal data and shall be lawfully processed on one of the legal bases provided in Article 6 GDPR.

The article also demonstrates that behavioural characteristics are primarily used for prediction, and pattern analysis, and are therefore regulated by the GDPR’s profiling concept rather than the special categories of personal data. Behavioral data may not identify a person at one moment, but becomes identifying through persistence, linkage, or learning effects in AI systems.

The paper argues for the relevance of the AI Act as a lex specialis that complements the GDPR by restricting the use of AI systems designed to substantially influence human behaviour or to exploit subliminal techniques, particularly where such practices may cause physical or psychological harm.

Moreover, in immersive or neuro-adaptive environments, individuals cannot realistically understand or meaningfully control the extraction and use of their behavioral data, which fundamentally undermines the concept of informed consent. Continuous behavioral monitoring may, over time, influence cognition, self-expression, and personal autonomy, producing chilling effects and self-censorship even outside traditionally “sensitive” domains. These risks support the emerging view that individuals should hold rights not only over their personal data, but also over how their behavior is shaped, nudged, or optimized by AI systems. Taken together, this provides a strong argument for recognizing “intimate behavioral data” or “neuro-behavioral data” as a distinct legal category that extends beyond classical biometric data. In all cases, proportionality, data minimization, and effective human supervision should be ensured.

GDPR
behavioural data
biometric data processing
profiling
AI Act
artificial intelligence
identification
  1. Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation (GDPR)), OJ L 119, 4.5.2016, p. 1–88, http://data.europa.eu/eli/reg/2016/679/oj (accessed: 11.01.2026) [In English].
  2. Regulation (EU) 2024/1689 of the European Parliament and of the Council of 13 June 2024 laying down harmonised rules on artificial intelligence and amending Regulations (EC) No 300/2008, (EU) No 167/2013, (EU) No 168/2013, (EU) 2018/858, (EU) 2018/1139 and (EU) 2019/2144 and Directives 2014/90/EU, (EU) 2016/797 and (EU) 2020/1828 (Artificial Intelligence Act (AI Act)) PE/24/2024/REV/1, OJ L, 2024/1689, 12.7.2024, http://data.europa.eu/eli/reg/2024/1689/oj(accessed: 11.01.2026) [In English].
  3. Binns, R., & Veale, M. (2021). Is that your final decision? Multi-stage profiling, selective effects, and Article 22 of the GDPR. International Data Privacy Law, 11(4), 319–332. https://doi.org/10.1093/ idpl/ipab020 (accessed: 11.01.2026) [In English].
  4. Sposini, L. (2024). Neuromarketing and Eye-Tracking Technologies Under the European Framework: Towards the GDPR and Beyond. Journal of Consumer Policy, 47(3), 321–344. https://doi.org/10.1007/s10603-023-09559-2 (accessed: 11.01.2026) [In English].
  5. Ienca, M., & Malgieri, G. (2022). Mental data protection and the GDPR. Journal of Law and the Biosciences, 9(1), lsac006. https://doi.org/10.1093/jlb/lsac006 (accessed: 11.01.2026) [In English].
  6. Wachter, S. (2020). Affinity profiling and discrimination by association in online behavioraladvertising. Berkeley Technology Law Journal, 35(2), 367. https://doi.org/10.15779/Z38JS9H82M (accessed: 11.01.2026) [In English].
  7. Scholler, R., Alaoui-Ismaïli, O., Renaud, D., Couchot, J.-F., & Ballot, E. (2024). In-stream mobility and speed estimation of mobile devices from mobile network data. Transportation (Dordrecht). https://doi.org/10.1007/s11116-024-10494-5 (accessed: 11.01.2026) [In English].