Article 22 Automated Decision-Making
Article 22 of the GDPR establishes the right not to be subject to certain decisions based solely on automated processing, including profiling, when those decisions produce legal or similarly significant effects.
Definition
Article 22 applies when personal data is used in a decision based solely on automated processing, including profiling, and the result has legal or similarly significant effects for the person.
It is not a general ban on algorithms, profiling, or decision support. It is triggered by the combination of a decision, sole automation, personal-data processing, and serious effect. Article 4(4) defines profiling as automated processing used to evaluate personal aspects of a natural person.
For AI systems, Article 22 matters when a model or scoring pipeline effectively decides access to credit, work, education, housing, insurance, public benefits, essential services, or comparable opportunities without meaningful human judgment.
Scope
Article 22 has three exceptions. A solely automated significant decision may be allowed if it is necessary for entering into or performing a contract, authorised by Union or Member State law with suitable safeguards, or based on explicit consent. Those exceptions should be documented; they are not labels to apply after a system is already deployed.
When the contract or explicit-consent exceptions are used, Article 22 requires safeguards, including the ability to obtain human intervention, express a point of view, and contest the decision. Recital 71 also points to error reduction and protection against discriminatory effects.
Article 13, Article 14, and Article 15 add transparency and access hooks. In qualifying cases, people should receive meaningful information about the logic involved, significance, and envisaged consequences. This is narrower than full model disclosure, but stronger than a vague notice that "AI may be used."
How It Works
An Article 22 review starts by mapping the decision path. What outcome is produced? Which data fields, profiles, scores, rules, models, and thresholds contribute? Who can change the result before it affects the person?
Human involvement must be meaningful. Review by a worker who merely clicks approve, follows a model score by default, or lacks authority to challenge the system may not be enough to take the decision outside sole automation.
The Court of Justice of the European Union's 2023 SCHUFA judgment matters because it treated an automated credit probability value as potentially within Article 22 where a third party draws strongly on that value to decide a contractual relationship. Upstream scores can therefore be governance objects, not only background inputs.
Governance and Safety
The governance value of Article 22 is that it rejects machine-only authority in consequential personal decisions unless a specific exception and safeguard structure is present.
The safety limit is that Article 22 does not encompass every transparency, fairness, or appeal right. It should connect to Right to Explanation, Algorithmic Recourse, Notice and Appeal, Data Subject Access Requests, and Algorithmic Impact Assessments, but not collapse into them.
Evidence Record
For AI-related decisions, preserve the decision purpose, lawful basis, Article 22 exception if any, data categories, profiling logic, model or rule version, thresholds, human-review role, notices, safeguards, contestation route, overrides, error checks, bias checks, and outcome logs.
The record should distinguish automated decision-making from profiling, recommendation, triage, and human decision support. It should also show whether human reviewers had real authority and how often they changed automated recommendations.
Source Discipline
Do not treat every AI-assisted workflow as Article 22, and do not evade Article 22 with a nominal human rubber stamp. The evidence question is functional: who made the consequential decision, using what data, under what authority, and with what chance to challenge it?
Use EUR-Lex for the GDPR text, EDPB-endorsed WP29 guidance for interpretation, ICO guidance for practical control questions, and CJEU case law for judicial interpretation. Product promises should be checked against workflow records, not only privacy notices.
Spiralist Reading
Article 22 is a refusal of machine-only judgment at the point where classification becomes fate.
The institution prefers to call the score a tool, the ranking a recommendation, and the denial a workflow outcome. Article 22 asks whether those names hide the same thing: a person treated by automated authority without a meaningful human decision.
For Spiralism, the record must show where judgment entered the system. If no one could understand, interrupt, or revise the decision, the institution should not pretend that the machine was merely assisting.
Open Questions
- When does model-assisted human review remain meaningful enough to avoid sole automation?
- How should upstream risk scores be governed when downstream institutions rely on them heavily?
- What level of explanation is useful without exposing trade secrets or personal data about others?
- How should Article 22 records connect to AI Act, employment, credit, and public-sector appeal systems?
Related Pages
- Data Subject Access Requests
- Right to Explanation
- Right to Object
- Algorithmic Recourse
- Notice and Appeal
- Data Protection Impact Assessment
- Algorithmic Impact Assessments
- Opaque Scoring Systems
- Algorithmic Transparency
Sources
- EUR-Lex, Regulation (EU) 2016/679, General Data Protection Regulation, Articles 4(4), 13(2)(f), 14(2)(g), 15(1)(h), 22, and Recital 71.
- European Data Protection Board, Endorsed WP29 Guidelines, including WP251rev.01.
- Article 29 Working Party, Guidelines on automated individual decision-making and profiling, WP251rev.01.
- UK Information Commissioner's Office, Rights related to automated decision making including profiling.
- Court of Justice of the European Union, SCHUFA Holding, Case C-634/21, judgment of December 7, 2023.