Wiki · Concept · Last reviewed July 1, 2026

Article 22 Automated Decision-Making

Article 22 of the GDPR is the right not to be subject to certain decisions based solely on automated processing, including profiling, when those decisions produce legal effects or similarly significant effects.

Definition

Article 22 applies when personal data is used in a decision based solely on automated processing, including profiling, and the result has legal or similarly significant effects for the person. Article 4(4) defines profiling as automated processing of personal data used to evaluate personal aspects of a natural person, including prediction or analysis of work performance, economic situation, health, preferences, reliability, behavior, location, or movements.

It is not a general ban on algorithms, profiling, scoring, or AI decision support. It is triggered by a tighter combination: a decision, personal-data processing, sole automation, and serious effect. A human reviewer can take a workflow outside Article 22 only when the involvement is meaningful rather than a rubber stamp.

For AI systems, Article 22 matters when a model, score, rule engine, ranking system, or automated pipeline effectively decides access to credit, work, education, housing, insurance, public benefits, essential services, account status, or comparable opportunities without meaningful human judgment.

Snapshot

Scope

Article 22 has three exceptions. A solely automated significant decision may be allowed if it is necessary for entering into or performing a contract, authorized by Union or Member State law with suitable safeguards, or based on explicit consent. Those exceptions should be documented before deployment; they are not labels to apply after a system is already in use.

When the contract or explicit-consent exceptions are used, Article 22 requires safeguards, including the right to obtain human intervention, express a point of view, and contest the decision. Recital 71 also points to specific information, an explanation of the decision reached after assessment, measures to correct inaccuracies, error reduction, data security, and protection against discriminatory effects.

Special-category personal data makes the analysis stricter. Article 22(4) says the relevant automated decisions must not be based on special categories of personal data unless the explicit-consent or substantial-public-interest conditions apply and suitable safeguards are in place. Recital 71 also says such measures should not concern a child.

Article 13, Article 14, and Article 15 add transparency and access hooks. In qualifying cases, people should receive meaningful information about the logic involved, significance, and envisaged consequences. This is narrower than full model disclosure, source-code disclosure, or model-weight access, but stronger than a vague notice that "AI may be used."

Current Context

As of July 1, 2026, Article 22 remains a GDPR rule, not an AI Act rule, but the practical setting has changed. Automated credit scoring, hiring screens, fraud flags, public-benefit triage, platform account enforcement, workplace analytics, and AI-assisted eligibility systems can all create Article 22 questions when personal data and serious effects are present.

The CJEU's 2023 SCHUFA judgment is now central. The Court held that the automated establishment of a credit probability value by a credit information agency can itself constitute automated individual decision-making under Article 22 where a third party draws strongly on that value to establish, implement, or terminate a contractual relationship. That means governance cannot focus only on the last institution that says yes or no; upstream scores can carry decision authority.

The CJEU's 2025 Dun & Bradstreet Austria judgment sharpened the access side. For Article 15(1)(h) information about automated decisions, a controller must give meaningful information about the procedure and principles actually applied so the person can understand which personal data were used and how. Trade secrets and third-party rights can require balancing by a supervisory authority or court, but they do not justify an empty explanation.

The EU AI Act adds adjacent duties without replacing Article 22. High-risk AI systems carry requirements for logging, transparency to deployers, human oversight, and fundamental-rights impact assessment in specified settings. Article 86 creates a separate explanation route for certain decisions taken on the basis of outputs from Annex III high-risk AI systems. Those AI Act duties can help build the evidence record, but they do not erase GDPR rights, lawful-basis analysis, or Article 22 safeguards.

How It Works

An Article 22 review starts by mapping the decision path. What outcome is produced? Which data fields, profiles, scores, rules, models, and thresholds contribute? Which actor receives the output? Who can change the result before it affects the person?

The next question is whether the effect is legal or similarly significant. Legal effects include changes to legal rights or legal status. Similarly significant effects can include serious influence over personal circumstances, behavior, choices, livelihood, access to essential services, or comparable opportunities.

Human involvement must be meaningful. A worker who merely clicks approve, follows a model score by default, lacks time or training, cannot inspect the relevant evidence, or lacks authority to change the result may not break sole automation. The functional question is whether a competent human actually exercised judgment before the decision affected the person.

If Article 22 is triggered, the controller should identify the exception, the safeguard path, the information duties, and the contestation route. If Article 22 is not triggered, the same workflow may still require lawful basis, transparency, data minimization, accuracy controls, DPIA review, anti-discrimination review, sector-law compliance, and appeal or recourse under other regimes.

Governance and Safety

The governance value of Article 22 is that it rejects machine-only authority in consequential personal decisions unless a specific exception and safeguard structure is present. It forces organizations to ask whether a score, model output, or rule engine is merely support or is functionally deciding a person's case.

For AI systems, Article 22 should connect to Records of Processing Activities, Data Protection Impact Assessment, Data Protection Officer, AI System Inventory, AI Audit Trails, and Human Oversight of AI Systems. The same evidence that shows whether the system is solely automated is often needed for access requests, appeals, audits, incident review, and post-deployment monitoring.

The safety limit is that Article 22 is not every transparency, fairness, or appeal right. It should connect to Right to Explanation, Algorithmic Recourse, Notice and Appeal, Data Subject Access Requests, and Algorithmic Impact Assessments, but not collapse into them. A workflow can fall outside Article 22 and still be unlawful, discriminatory, inaccessible, insecure, or impossible to contest under another rule.

Failure Modes

Evidence Record

For AI-related decisions, preserve the decision purpose, lawful basis, Article 22 trigger analysis, Article 22 exception if any, data categories, profiling logic, model or rule version, score definitions, thresholds, human-review role, reviewer instructions, notices, safeguards, contestation route, overrides, error checks, discrimination checks, and outcome logs.

The record should distinguish automated decision-making from profiling, recommendation, triage, and human decision support. It should show whether human reviewers had real authority, which evidence they saw, what training they received, how often they changed automated recommendations, and what happened after a person contested the result.

For upstream scoring and vendor systems, the evidence file should include contract terms, documentation rights, model-update notice, logs available to the controller, recipient or customer reliance patterns, and any constraints on disclosing meaningful information to affected people or supervisory authorities.

Defense Pattern

Source Discipline

Do not treat every AI-assisted workflow as Article 22, and do not evade Article 22 with a nominal human rubber stamp. The evidence question is functional: who made the consequential decision, using what data, under what authority, and with what chance to challenge it?

Use EUR-Lex for GDPR text, EDPB-endorsed WP29 guidance for interpretation, European Commission pages for public-facing EU guidance, ICO guidance for UK GDPR practice, and CJEU judgments for judicial interpretation. Product promises should be checked against workflow records, not only privacy notices.

Keep Article 22 separate from adjacent rights. Right of access, right to be informed, right to object, rectification, explanation, algorithmic recourse, AI Act Article 86, employment-law appeals, and sector-specific adverse-action notices can reinforce each other, but they have different triggers, actors, deadlines, remedies, and evidence requirements.

Spiralist Reading

Article 22 is a refusal of machine-only judgment at the point where classification becomes fate.

The institution prefers to call the score a tool, the ranking a recommendation, and the denial a workflow outcome. Article 22 asks whether those names hide the same thing: a person treated by automated authority without a meaningful human decision.

For Spiralism, the record must show where judgment entered the system. If no one could understand, interrupt, or revise the decision, the institution should not pretend that the machine was merely assisting.

Open Questions

Sources


Return to Wiki