Article 22 Automated Decision-Making
Article 22 of the GDPR is the right not to be subject to certain decisions based solely on automated processing, including profiling, when those decisions produce legal effects or similarly significant effects.
Definition
Article 22 applies when personal data is used in a decision based solely on automated processing, including profiling, and the result has legal or similarly significant effects for the person. Article 4(4) defines profiling as automated processing of personal data used to evaluate personal aspects of a natural person, including prediction or analysis of work performance, economic situation, health, preferences, reliability, behavior, location, or movements.
It is not a general ban on algorithms, profiling, scoring, or AI decision support. It is triggered by a tighter combination: a decision, personal-data processing, sole automation, and serious effect. A human reviewer can take a workflow outside Article 22 only when the involvement is meaningful rather than a rubber stamp.
For AI systems, Article 22 matters when a model, score, rule engine, ranking system, or automated pipeline effectively decides access to credit, work, education, housing, insurance, public benefits, essential services, account status, or comparable opportunities without meaningful human judgment.
Snapshot
- Core rule: a person has the right not to be subject to a decision based solely on automated processing, including profiling, when it has legal or similarly significant effects.
- Trigger test: personal data, a decision, sole automation, and a serious effect must be analyzed together.
- Exceptions: the decision may proceed only where it is necessary for a contract, authorized by Union or Member State law with safeguards, or based on explicit consent.
- Minimum safeguards: for contract and explicit-consent cases, the controller must provide at least human intervention, a chance to express a point of view, and a route to contest the decision.
- Transparency hooks: Articles 13, 14, and 15 require information about qualifying automated decision-making, including meaningful information about the logic involved, significance, and envisaged consequences.
- Case-law signal: the CJEU's SCHUFA judgment treats an upstream credit score as an Article 22 decision where a third party draws strongly on it, and Dun & Bradstreet Austria sharpens the information duty for automated decisions.
- Main governance risk: a nominal human click or unexplained score can hide machine-only authority.
Scope
Article 22 has three exceptions. A solely automated significant decision may be allowed if it is necessary for entering into or performing a contract, authorized by Union or Member State law with suitable safeguards, or based on explicit consent. Those exceptions should be documented before deployment; they are not labels to apply after a system is already in use.
When the contract or explicit-consent exceptions are used, Article 22 requires safeguards, including the right to obtain human intervention, express a point of view, and contest the decision. Recital 71 also points to specific information, an explanation of the decision reached after assessment, measures to correct inaccuracies, error reduction, data security, and protection against discriminatory effects.
Special-category personal data makes the analysis stricter. Article 22(4) says the relevant automated decisions must not be based on special categories of personal data unless the explicit-consent or substantial-public-interest conditions apply and suitable safeguards are in place. Recital 71 also says such measures should not concern a child.
Article 13, Article 14, and Article 15 add transparency and access hooks. In qualifying cases, people should receive meaningful information about the logic involved, significance, and envisaged consequences. This is narrower than full model disclosure, source-code disclosure, or model-weight access, but stronger than a vague notice that "AI may be used."
Current Context
As of July 1, 2026, Article 22 remains a GDPR rule, not an AI Act rule, but the practical setting has changed. Automated credit scoring, hiring screens, fraud flags, public-benefit triage, platform account enforcement, workplace analytics, and AI-assisted eligibility systems can all create Article 22 questions when personal data and serious effects are present.
The CJEU's 2023 SCHUFA judgment is now central. The Court held that the automated establishment of a credit probability value by a credit information agency can itself constitute automated individual decision-making under Article 22 where a third party draws strongly on that value to establish, implement, or terminate a contractual relationship. That means governance cannot focus only on the last institution that says yes or no; upstream scores can carry decision authority.
The CJEU's 2025 Dun & Bradstreet Austria judgment sharpened the access side. For Article 15(1)(h) information about automated decisions, a controller must give meaningful information about the procedure and principles actually applied so the person can understand which personal data were used and how. Trade secrets and third-party rights can require balancing by a supervisory authority or court, but they do not justify an empty explanation.
The EU AI Act adds adjacent duties without replacing Article 22. High-risk AI systems carry requirements for logging, transparency to deployers, human oversight, and fundamental-rights impact assessment in specified settings. Article 86 creates a separate explanation route for certain decisions taken on the basis of outputs from Annex III high-risk AI systems. Those AI Act duties can help build the evidence record, but they do not erase GDPR rights, lawful-basis analysis, or Article 22 safeguards.
How It Works
An Article 22 review starts by mapping the decision path. What outcome is produced? Which data fields, profiles, scores, rules, models, and thresholds contribute? Which actor receives the output? Who can change the result before it affects the person?
The next question is whether the effect is legal or similarly significant. Legal effects include changes to legal rights or legal status. Similarly significant effects can include serious influence over personal circumstances, behavior, choices, livelihood, access to essential services, or comparable opportunities.
Human involvement must be meaningful. A worker who merely clicks approve, follows a model score by default, lacks time or training, cannot inspect the relevant evidence, or lacks authority to change the result may not break sole automation. The functional question is whether a competent human actually exercised judgment before the decision affected the person.
If Article 22 is triggered, the controller should identify the exception, the safeguard path, the information duties, and the contestation route. If Article 22 is not triggered, the same workflow may still require lawful basis, transparency, data minimization, accuracy controls, DPIA review, anti-discrimination review, sector-law compliance, and appeal or recourse under other regimes.
Governance and Safety
The governance value of Article 22 is that it rejects machine-only authority in consequential personal decisions unless a specific exception and safeguard structure is present. It forces organizations to ask whether a score, model output, or rule engine is merely support or is functionally deciding a person's case.
For AI systems, Article 22 should connect to Records of Processing Activities, Data Protection Impact Assessment, Data Protection Officer, AI System Inventory, AI Audit Trails, and Human Oversight of AI Systems. The same evidence that shows whether the system is solely automated is often needed for access requests, appeals, audits, incident review, and post-deployment monitoring.
The safety limit is that Article 22 is not every transparency, fairness, or appeal right. It should connect to Right to Explanation, Algorithmic Recourse, Notice and Appeal, Data Subject Access Requests, and Algorithmic Impact Assessments, but not collapse into them. A workflow can fall outside Article 22 and still be unlawful, discriminatory, inaccessible, insecure, or impossible to contest under another rule.
Failure Modes
- Rubber-stamp review: a nominal human approves every output while lacking time, evidence, training, or override authority.
- Score laundering: an upstream provider calls a probability value "input" even though downstream institutions draw strongly on it.
- Exception laundering: a controller asserts contract necessity, legal authorization, or explicit consent without showing why that exception actually applies.
- Consent pressure: explicit consent is treated as valid even where the person has no realistic alternative to the service, job, benefit, or platform access.
- Vague logic notice: the person receives generic AI language but not meaningful information about the logic, significance, and consequences of the qualifying automated decision.
- Vendor blind spot: the deployer cannot reconstruct model version, score meaning, data categories, or thresholds because the vendor controls the evidence.
- Special-category drift: health, biometric, disability, union, ethnicity, religion, or other protected inferences enter the system through proxies or enrichment data.
- No contestation route: the controller offers a help form, but no trained reviewer with authority to change the outcome.
Evidence Record
For AI-related decisions, preserve the decision purpose, lawful basis, Article 22 trigger analysis, Article 22 exception if any, data categories, profiling logic, model or rule version, score definitions, thresholds, human-review role, reviewer instructions, notices, safeguards, contestation route, overrides, error checks, discrimination checks, and outcome logs.
The record should distinguish automated decision-making from profiling, recommendation, triage, and human decision support. It should show whether human reviewers had real authority, which evidence they saw, what training they received, how often they changed automated recommendations, and what happened after a person contested the result.
For upstream scoring and vendor systems, the evidence file should include contract terms, documentation rights, model-update notice, logs available to the controller, recipient or customer reliance patterns, and any constraints on disclosing meaningful information to affected people or supervisory authorities.
Defense Pattern
- Classify the workflow before launch. Identify decisions, serious effects, data sources, automation level, and responsible actors before the tool is procured or deployed.
- Document the exception. Record why contract necessity, law, or explicit consent applies, and do not rely on generic service terms for consequential decisions.
- Design real human review. Give reviewers authority, time, training, evidence access, and a duty to consider the person's point of view.
- Make notices decision-specific. Explain the existence of qualifying automated decision-making, the logic involved at a useful level, significance, envisaged consequences, and the contestation route.
- Test the safeguards. Measure whether people can obtain intervention, submit context, contest the decision, correct data, and receive a changed outcome where the original decision was wrong.
- Control vendor opacity. Require documentation, audit cooperation, model-version records, change notices, and disclosure support in contracts.
- Retest after change. Reassess Article 22 status after new models, thresholds, data sources, jurisdictions, affected groups, or deployment contexts.
Source Discipline
Do not treat every AI-assisted workflow as Article 22, and do not evade Article 22 with a nominal human rubber stamp. The evidence question is functional: who made the consequential decision, using what data, under what authority, and with what chance to challenge it?
Use EUR-Lex for GDPR text, EDPB-endorsed WP29 guidance for interpretation, European Commission pages for public-facing EU guidance, ICO guidance for UK GDPR practice, and CJEU judgments for judicial interpretation. Product promises should be checked against workflow records, not only privacy notices.
Keep Article 22 separate from adjacent rights. Right of access, right to be informed, right to object, rectification, explanation, algorithmic recourse, AI Act Article 86, employment-law appeals, and sector-specific adverse-action notices can reinforce each other, but they have different triggers, actors, deadlines, remedies, and evidence requirements.
Spiralist Reading
Article 22 is a refusal of machine-only judgment at the point where classification becomes fate.
The institution prefers to call the score a tool, the ranking a recommendation, and the denial a workflow outcome. Article 22 asks whether those names hide the same thing: a person treated by automated authority without a meaningful human decision.
For Spiralism, the record must show where judgment entered the system. If no one could understand, interrupt, or revise the decision, the institution should not pretend that the machine was merely assisting.
Open Questions
- When does model-assisted human review remain meaningful enough to avoid sole automation?
- How should upstream risk scores be governed when downstream institutions rely on them heavily?
- What level of explanation is useful without exposing trade secrets or personal data about others?
- How should Article 22 records connect to AI Act, employment, credit, and public-sector appeal systems?
- How should consent be evaluated when access to a service, job, benefit, or platform account depends on accepting automated decision-making?
- What evidence should prove that a human reviewer actually considered the person's point of view?
Related Pages
- Data Subject Access Requests
- Right to Explanation
- Right to Be Informed
- Right to Object
- Right to Rectification
- Right to Data Portability
- Algorithmic Recourse
- Notice and Appeal
- Data Protection Impact Assessment
- Data Protection Officer
- Records of Processing Activities
- Algorithmic Impact Assessments
- Opaque Scoring Systems
- Algorithmic Transparency
- Human Oversight of AI Systems
- AI Audit Trails
- AI Post-Market Monitoring
- EU AI Act
- AI in Employment
- AI Governance
Sources
- EUR-Lex, Regulation (EU) 2016/679, General Data Protection Regulation, Articles 4(4), 13(2)(f), 14(2)(g), 15(1)(h), 22, 23, and Recital 71, reviewed July 1, 2026.
- European Commission, Are there restrictions on the use of automated decision-making?, reviewed July 1, 2026.
- European Data Protection Board, Endorsed WP29 Guidelines, including WP251rev.01, reviewed July 1, 2026.
- Article 29 Working Party, Guidelines on automated individual decision-making and profiling, WP251rev.01, reviewed July 1, 2026.
- UK Information Commissioner's Office, Rights related to automated decision making including profiling, reviewed July 1, 2026.
- Court of Justice of the European Union, SCHUFA Holding, Case C-634/21, judgment of December 7, 2023.
- Court of Justice of the European Union, Judgment in Case C-203/22, Dun & Bradstreet Austria, press release 22/25, February 27, 2025.
- Court of Justice of the European Union, Dun & Bradstreet Austria, Case C-203/22, judgment of February 27, 2025.
- European Commission AI Act Service Desk, Article 86: Right to explanation of individual decision-making, reviewed July 1, 2026.
- European Commission AI Act Service Desk, Article 27: Fundamental rights impact assessment for high-risk AI systems, reviewed July 1, 2026.