Confidential Computing and P, April 7, 2026, 11 min read

GDPR Article 22 and automated AI decision making


GDPR Article 22 — the right not to be subject to solely automated decisions with significant effects — is the most consequential AI governance provision in European data protection law, and the most frequently misunderstood by organisations deploying AI systems. As AI-driven decision-making becomes standard in credit scoring, recruitment, insurance pricing, and customer management, compliance with Article 22 is both a legal obligation and an increasingly enforced one. This guide explains what Article 22 requires, when it applies, and how to build compliant AI decision systems.

What GDPR Article 22 Actually Requires

Article 22(1) establishes the right: "The data subject shall have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her or similarly significantly affects him or her."

Three conditions must all be present for Article 22 to apply: (1) the decision is based solely on automated processing — no meaningful human involvement in the decision; (2) the processing includes profiling — automated processing of personal data to evaluate aspects relating to a person; and (3) the decision produces legal effects or similarly significant effects — affecting the person's legal rights, financial circumstances, access to services, or other significant personal interests.

When all three conditions are met, the default position is that the processing is prohibited — unless one of the Article 22(2) exceptions applies: the decision is necessary for a contract, authorised by EU or member state law, or based on explicit consent.

The "Solely Automated" Threshold — What It Means in Practice

A decision is "solely automated" when no human meaningfully reviews the substance of the decision before it takes effect. A human who rubber-stamps AI decisions without genuine assessment does not satisfy the human review requirement — the EDPB has stated that human involvement must be genuine, not token. Equally, a human who reviews all rejections but never overrides them suggests the review is not meaningful. To rely on the human review exception, there must be: a genuine ability to override the AI decision; evidence that overrides occur with meaningful frequency; and staff trained and empowered to conduct substantive review, not just process confirmation.

What Constitutes "Significant Effects"?

The EDPB (European Data Protection Board) guidelines on automated decision-making identify examples of significant effects: denial of credit, insurance, or employment; targeted advertising based on vulnerability; location tracking; and decisions that affect a person's health, safety, or reputation. The test is whether the decision could significantly impact the person's life, opportunities, or circumstances — not whether it is formally a legal right.

In enterprise practice, the following AI use cases are very likely to trigger Article 22: credit scoring and loan approval; insurance premium calculation and risk assessment; automated recruitment screening and rejection; employee performance scoring that affects pay or employment status; automated fraud detection that results in account suspension or transaction blocking; and customer churn prediction models used to determine service terms.

AI use cases less likely to trigger Article 22: product recommendations (typically not significant effects); content personalisation; internal analytics and reporting; marketing segmentation without individual-level significant decisions; and anomaly detection used to flag for human review rather than trigger automated action.

| AI Use Case | Article 22 Applies? | Reason |
| --- | --- | --- |
| Automated loan rejection | Yes | Legal/financial effect, solely automated |
| Recruitment CV screening (auto-reject) | Yes | Significant employment effect |
| Insurance premium AI pricing | Yes | Financial effect, profiling |
| Fraud flag → human review | Likely No | Not solely automated if genuine human review |
| Product recommendation engine | No | Not significant effects |
| Automated employee disciplinary scoring | Yes | Significant employment effect |

Building Article 22-Compliant AI Systems

Lawful Basis Assessment

Identify which Article 22(2) exception applies before deploying any automated decision system with significant effects. Contractual necessity is the most common basis for financial services (loan decisions as necessary for the contract). Explicit consent is available but must be freely given, specific, and withdrawable — rarely the right basis for commercial decisions. Regulatory authorisation applies where specific laws permit automated decisions.

Meaningful Human Review

Design human review into the decision workflow as a genuine safeguard: reviewers must have access to the AI's reasoning and input data; must have authority to override without escalation; must be trained to assess AI decisions substantively; and overrides must be tracked and monitored. Implement override rates as a KPI — very low override rates (under 1%) warrant investigation into whether review is genuinely meaningful.

Transparency and Explainability

Data subjects must be informed about automated decision-making in the privacy notice (Article 13/14) and have the right to obtain human review, express their view, and contest the decision (Article 22(3)). Explainability of AI decisions — the ability to provide meaningful, specific reasons for a decision to the affected person — is a practical requirement, not just a design aspiration.

DPIA Requirement

Automated decision-making with significant effects on individuals is listed in the EDPB's DPIA guidance as requiring a Data Protection Impact Assessment before deployment. The DPIA must assess the necessity and proportionality of the automated processing, the risks to data subjects, and the mitigating measures. DPIAs should be updated when the AI model is substantially changed.

Enforcement Reality in 2026

Article 22 enforcement has accelerated significantly since 2023. Notable cases: the Dutch DPA fined a major bank for automated fraud detection that suspended customer accounts without meaningful human review; the Swedish DPA investigated automated insurance pricing for lack of explanation to affected customers; and the CNIL issued guidance requiring financial institutions to document how Article 22 compliance is achieved for credit scoring algorithms. The AI Act, applying from 2025 onwards, introduces additional obligations for high-risk AI systems that overlap significantly with Article 22 — creating a dual compliance framework for AI decision systems in regulated sectors.

Frequently Asked Questions

Article 22 applies to decisions about natural persons — individual human beings. It does not apply to decisions about legal entities (companies, organisations). However, the distinction matters less than it might appear in B2B contexts: sole traders and partnerships are natural persons for GDPR purposes; business credit decisions involving personal guarantees affect natural persons; and decisions about individual employees within B2B relationships (automated performance assessment, access control) affect natural persons. Many B2B AI systems affect natural persons in their individual capacity even when the primary commercial relationship is B2B. The safe approach is to analyse each AI decision use case for whether a natural person is significantly affected, regardless of whether the commercial context is B2B — the question is about the individual, not the business context.

Consent is a valid basis under Article 22(2)(c) but is rarely the appropriate choice for commercial automated decision-making. The problem: GDPR consent must be freely given, meaning there must be a genuine choice without detriment from refusing. If a lender's only credit assessment method is automated, a customer who refuses consent cannot get a loan — consent is not freely given in that context. Consent also creates operational complexity: it must be as easy to withdraw as to give, and withdrawal must be honoured without penalty. For most financial services, insurance, and employment automated decisions, contractual necessity (Article 22(2)(a)) or explicit legal authorisation (Article 22(2)(b)) are more appropriate and more practically manageable bases. Consent is most appropriate where automated processing genuinely is optional and the service is available without it.

The EU AI Act and GDPR Article 22 overlap significantly for high-risk AI systems — both apply in parallel, with different but complementary requirements. The AI Act designates AI systems used for creditworthiness assessment, employment screening, access to essential services, law enforcement biometrics, and similar categories as high-risk, triggering requirements for conformity assessment, technical documentation, human oversight, and transparency. GDPR Article 22 requires lawful basis, meaningful human review, explainability, and DPIA. Where both apply, compliance with one does not automatically satisfy the other — organisations need a compliance programme that addresses both frameworks. Practically: the AI Act's human oversight requirements directly support Article 22 meaningful human review compliance; the AI Act's transparency and logging requirements support Article 22 explanation rights. Organisations deploying high-risk AI in sectors subject to both frameworks should map requirements against each other to avoid duplicating compliance work while ensuring all requirements are met.

Article 22(3) requires that data subjects be provided with "at least the right to obtain human intervention on the part of the controller, to express his or her point of view and to contest the decision." The associated right to explanation comes from Recital 71 and EDPB guidelines, which require "meaningful information about the logic involved" in automated decisions — not a mathematical formula dump, but a comprehensible explanation of the principal factors and their weight. In practice for credit or insurance decisions: the explanation should identify the specific factors that most influenced the decision (e.g., "income-to-debt ratio and recent missed payments were the primary factors"); should allow the person to understand what they could change to get a different outcome; and should be in plain language understandable to a non-technical person. Technically, this means AI models used for Article 22 decisions must be explainable — black-box neural networks with no post-hoc explanation capability are not compliant. SHAP values, LIME, or inherently interpretable models (decision trees, logistic regression) are commonly used to generate compliant explanations.
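The explanation described above (principal factors, their weight, and what the person could change) can be generated directly from an inherently interpretable model. The following is an added example, not code from the guide or from any real lender: a hypothetical logistic-regression credit model with constructed coefficients, reference values and feature bounds. Each factor's contribution is measured against a reference applicant, the factors are ranked by absolute contribution, and for a rejected applicant the code computes how far each feature alone would have to move to flip the decision, marking changes that fall outside plausible bounds as not achievable.

```python
# Hypothetical logistic-regression credit model with constructed coefficients
# (assumed values, not a real institution's model). Units: income_to_debt_ratio
# is a ratio, missed_payments_12m a count, credit_utilisation a fraction of the
# credit limit, years_at_address in years.
COEFFICIENTS = {
    "income_to_debt_ratio": 1.2,
    "missed_payments_12m": -0.8,
    "credit_utilisation": -2.0,
    "years_at_address": 0.1,
}
INTERCEPT = -0.5

# Constructed "typical applicant" that contributions are measured against.
REFERENCE = {
    "income_to_debt_ratio": 2.0,
    "missed_payments_12m": 0,
    "credit_utilisation": 0.4,
    "years_at_address": 5,
}

# Assumed plausible range for each feature; a counterfactual that lands outside
# it is reported as not achievable by changing that feature alone.
BOUNDS = {
    "income_to_debt_ratio": (0.0, 10.0),
    "missed_payments_12m": (0, 12),
    "credit_utilisation": (0.0, 1.0),
    "years_at_address": (0, 50),
}

# Plain-language labels for the affected person, instead of feature names.
LABELS = {
    "income_to_debt_ratio": "income relative to existing debt",
    "missed_payments_12m": "missed payments in the last 12 months",
    "credit_utilisation": "share of available credit currently used",
    "years_at_address": "time at current address",
}


def logit(applicant):
    """Linear score; the model approves when this is >= 0 (probability >= 0.5)."""
    return INTERCEPT + sum(COEFFICIENTS[f] * applicant[f] for f in COEFFICIENTS)


def explain(applicant):
    """Return the decision, the ranked factor contributions, the principal
    factors in plain language, and single-feature counterfactual changes."""
    score = logit(applicant)
    approved = score >= 0.0

    # Contribution of each feature relative to the reference applicant. These
    # sum exactly to score - logit(REFERENCE), so together they account for the
    # whole difference between this applicant and the reference.
    contributions = {f: COEFFICIENTS[f] * (applicant[f] - REFERENCE[f]) for f in COEFFICIENTS}
    ranked = sorted(contributions.items(), key=lambda kv: abs(kv[1]), reverse=True)

    # Principal factors: the two largest contributions pushing in the direction
    # of the outcome actually reached.
    same_direction = [f for f, c in ranked if (c < 0) == (not approved) and c != 0]
    principal = same_direction[:2]

    # Counterfactual: the value at which this feature alone would bring the
    # score to 0 (logit(new) = score + coef * (new - current) = 0).
    actions = []
    if not approved:
        for f, coef in COEFFICIENTS.items():
            target = applicant[f] - score / coef
            lo, hi = BOUNDS[f]
            actions.append({"feature": f, "target_value": target, "achievable": lo <= target <= hi})

    summary = ("approved" if approved else "declined") + "; the main factors were: " + \
        "; ".join(LABELS[f] for f in principal) if principal else \
        ("approved" if approved else "declined") + "; no factor differed from the reference"
    return {
        "approved": approved,
        "score": score,
        "contributions": ranked,
        "principal_factors": principal,
        "actions": actions,
        "summary": summary,
    }


if __name__ == "__main__":
    # Constructed applicant: lower income-to-debt ratio, two missed payments,
    # high utilisation, recently moved.
    applicant = {"income_to_debt_ratio": 1.5, "missed_payments_12m": 2,
                 "credit_utilisation": 0.9, "years_at_address": 1}
    result = explain(applicant)
    print(result["summary"])
    for action in result["actions"]:
        print(action)
```

In this construction the rejected applicant's two principal factors are missed payments and credit utilisation; neither can be changed far enough on its own to reverse the decision within bounds, whereas raising the income-to-debt ratio could, which is the kind of information the explanation should convey.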

If a human meaningfully reviews and decides based on their own judgment (with AI providing input but not determining the outcome), Article 22 does not apply — the decision is not "solely automated." The challenge is the spectrum between genuine human judgment and rubber-stamping: a human who clicks "approve" on 99% of AI recommendations without substantive review is effectively making solely automated decisions. The EDPB has specifically addressed this: "in order to qualify as human involvement, the controller should ensure that any oversight of the decision is meaningful rather than just a token gesture." Audit trails documenting override frequency, review times (extremely short review times suggest superficial review), and reviewer training records help demonstrate genuine human involvement. For compliance, design AI-assisted decision systems with: clear reviewer guidance on what to assess; AI output that presents factors and uncertainty rather than just a binary recommendation; and monitoring of review quality that can detect rubber-stamping patterns.
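The override-rate KPI from the "Meaningful Human Review" step above and the audit-trail indicators described here (override frequency, reviewers who never reverse a rejection, extremely short review times) can be computed from the review log itself. The following is an added example, not code from the guide or from any product: it assumes a constructed audit-trail schema (reviewer, AI recommendation, final decision, seconds spent) and computes per-reviewer metrics, flagging patterns that suggest rubber-stamping. The 1% override-rate floor is the figure the guide gives; the 30-second review-time floor is an assumed value to tune to the real workflow.

```python
from collections import defaultdict
from dataclasses import dataclass
from statistics import median

# Thresholds: the 1% override-rate floor is the figure the guide gives; the
# review-time floor is an assumed value to be tuned to the actual workflow.
OVERRIDE_RATE_FLOOR = 0.01
MIN_MEDIAN_REVIEW_SECONDS = 30.0


@dataclass(frozen=True)
class ReviewRecord:
    """One line of a hypothetical human-review audit trail (constructed schema)."""
    reviewer: str
    ai_decision: str       # what the model recommended: "approve" or "reject"
    final_decision: str    # what the reviewer recorded after assessment
    review_seconds: float  # time from opening the case to recording the decision


def reviewer_metrics(records):
    """Per reviewer: override rate, override rate on AI rejections, median
    review time, and a list of rubber-stamping indicators."""
    by_reviewer = defaultdict(list)
    for rec in records:
        by_reviewer[rec.reviewer].append(rec)

    metrics = {}
    for reviewer, recs in by_reviewer.items():
        overrides = sum(1 for r in recs if r.final_decision != r.ai_decision)
        ai_rejects = [r for r in recs if r.ai_decision == "reject"]
        reject_overrides = sum(1 for r in ai_rejects if r.final_decision != "reject")
        override_rate = overrides / len(recs)
        reject_override_rate = (reject_overrides / len(ai_rejects)) if ai_rejects else None
        med_seconds = median(r.review_seconds for r in recs)

        flags = []
        if override_rate < OVERRIDE_RATE_FLOOR:
            flags.append("low_override_rate")
        if reject_override_rate == 0.0:
            # Reviews rejections but never reverses one: review may not be meaningful.
            flags.append("never_overrides_rejections")
        if med_seconds < MIN_MEDIAN_REVIEW_SECONDS:
            flags.append("short_review_time")

        metrics[reviewer] = {
            "cases": len(recs),
            "override_rate": override_rate,
            "reject_override_rate": reject_override_rate,
            "median_review_seconds": med_seconds,
            "flags": flags,
        }
    return metrics


def build_sample_log():
    """Constructed audit trail: reviewer 'r1' confirms 200 AI outputs in a few
    seconds each and never overrides; 'r2' takes minutes and reverses some."""
    log = []
    for i in range(200):
        ai = "reject" if i % 4 == 0 else "approve"
        log.append(ReviewRecord("r1", ai, ai, 4.0))
    for i in range(50):
        ai = "reject" if i % 2 == 0 else "approve"
        final = "approve" if (ai == "reject" and i % 10 == 0) else ai
        log.append(ReviewRecord("r2", ai, final, 180.0 + i))
    return log


if __name__ == "__main__":
    for reviewer, m in reviewer_metrics(build_sample_log()).items():
        print(reviewer, m)
```

Run periodically over the real log, the flagged reviewers are the ones whose involvement a regulator would question; the metrics also double as the override-rate monitoring data listed under compliance documentation.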

Automated decision-making that produces significant effects is explicitly listed as requiring a DPIA under Article 35(3)(a) GDPR. The DPIA must: describe the processing and its purposes; assess necessity and proportionality (is automated decision-making necessary and proportionate to the legitimate aim?); identify and assess risks to data subjects (errors in automated decisions, discrimination risks, lack of recourse); and document mitigating measures (human review, explanation rights, accuracy monitoring, bias testing). For AI systems, the DPIA should address model-specific risks: training data bias and its effect on decision equity; model accuracy and false positive/negative rates and their effect on data subjects; model drift over time and how it is monitored; and the explainability method used to satisfy explanation rights. DPIAs are not one-time documents — they must be revisited when the AI model is substantially retrained or when the risk profile changes. Consulting the DPO during DPIA development is a GDPR requirement (Article 35(2)) for controllers with an appointed DPO.

Article 22(4) prohibits automated decisions based on special category data (health, racial or ethnic origin, political opinions, religious beliefs, trade union membership, biometric data, genetic data, data concerning sex life or sexual orientation) unless explicit consent or substantial public interest grounds apply, and then only with suitable safeguards in place. This is a stricter standard than the one Article 22 applies to ordinary personal data. In practice: insurance AI models must not use health data, genetic data, or disability status as direct inputs (noting that some jurisdictions permit limited insurance underwriting use under specific national law exemptions); employment AI must not use racial, ethnic, or other special category proxies in screening or scoring; and credit AI must not use protected characteristics or their proxies. Proxy discrimination — where a feature like postcode or name serves as a proxy for a protected characteristic — is specifically addressed in EDPB guidance and is prohibited. Bias testing for proxy discrimination effects (not just direct use of protected characteristics) is required as part of the DPIA risk assessment for automated decision systems.
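A proxy-discrimination test of the kind the paragraph above calls for needs two measurements: whether outcomes differ materially between protected groups, and whether an innocuous-looking input (here postcode) is statistically tied to the protected characteristic. The following is an added example, not code from the guide: it assumes a constructed evaluation set in which the protected attribute is held only for testing and is never a model input, computes selection rates and their ratio across groups, and measures postcode-to-group association with Cramér's V from a chi-square statistic. The 0.8 selection-rate ratio (the four-fifths heuristic) and the 0.3 association threshold are assumed trigger values, not figures from the page.

```python
from collections import Counter
from dataclasses import dataclass
from math import sqrt

# Assumed trigger values: the four-fifths selection-rate heuristic and a
# Cramér's V level above which an input is treated as a likely proxy.
ADVERSE_IMPACT_THRESHOLD = 0.8
PROXY_STRENGTH_THRESHOLD = 0.3


@dataclass(frozen=True)
class Outcome:
    """One decision from a constructed evaluation set. The protected group is
    recorded for testing only; the model never receives it as an input."""
    postcode: str
    protected_group: str
    approved: bool


def selection_rates(outcomes):
    """Approval rate per protected group."""
    totals, approved = Counter(), Counter()
    for o in outcomes:
        totals[o.protected_group] += 1
        if o.approved:
            approved[o.protected_group] += 1
    return {g: approved[g] / totals[g] for g in totals}


def adverse_impact_ratio(outcomes):
    """Lowest group selection rate divided by the highest; 1.0 means parity."""
    rates = selection_rates(outcomes)
    return min(rates.values()) / max(rates.values())


def cramers_v(pairs):
    """Association strength in [0, 1] between two categorical variables,
    computed from the chi-square statistic of their contingency table."""
    table = Counter(pairs)
    rows, cols = Counter(), Counter()
    for (a, b), n in table.items():
        rows[a] += n
        cols[b] += n
    n = sum(table.values())
    chi2 = 0.0
    for a in rows:
        for b in cols:
            expected = rows[a] * cols[b] / n
            chi2 += (table[(a, b)] - expected) ** 2 / expected
    return sqrt(chi2 / (n * (min(len(rows), len(cols)) - 1)))


def proxy_report(outcomes):
    """Combine the outcome disparity with the feature/group association so a
    reviewer can see both whether harm occurs and which input carries it."""
    ratio = adverse_impact_ratio(outcomes)
    strength = cramers_v([(o.postcode, o.protected_group) for o in outcomes])
    findings = []
    if ratio < ADVERSE_IMPACT_THRESHOLD:
        findings.append("adverse_impact")
    if strength > PROXY_STRENGTH_THRESHOLD:
        findings.append("postcode_is_proxy")
    return {
        "selection_rates": selection_rates(outcomes),
        "adverse_impact_ratio": ratio,
        "postcode_proxy_strength": strength,
        "findings": findings,
    }


def build_sample_outcomes():
    """Constructed evaluation set: two postcodes whose populations skew towards
    different groups, scored by a model that approves postcode A far more often."""
    spec = [  # (postcode, group, count, number approved)
        ("A", "g1", 40, 32), ("A", "g2", 10, 8),
        ("B", "g1", 10, 3), ("B", "g2", 40, 12),
    ]
    return [Outcome(pc, g, i < approved)
            for pc, g, count, approved in spec for i in range(count)]


if __name__ == "__main__":
    print(proxy_report(build_sample_outcomes()))
```

In the constructed set the model never sees the protected group, yet approval rates are 70% for one group and 40% for the other because postcode stands in for it; the report surfaces both the disparity and the input responsible, which is what the DPIA risk assessment needs to record.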

Article 22 compliance documentation serves two purposes: demonstrating accountability under Article 5(2) GDPR and providing evidence in regulatory investigations or litigation. Minimum documentation: DPIA for each automated decision system; privacy notice text addressing Article 13/14 disclosure requirements; internal policy defining which systems are subject to Article 22 and their lawful basis; human review procedure (who reviews, what they assess, how overrides are recorded); training records for decision reviewers; override rate monitoring data (showing review is genuine); model documentation (training data, features used, explainability method); testing records including bias and accuracy testing results; and a procedure for handling Article 22 rights requests (requesting human review, expressing views, contesting decisions). For regulated sectors (financial services, insurance), regulatory submissions or approvals for AI systems provide additional compliance evidence. Maintain documentation for at least the duration of the processing plus the relevant limitation period for regulatory action (typically 5–7 years in EU member states).
