GDPR Article 22 is the rule that governs AI automated decisions affecting individuals. It is narrower than most teams think — it applies only to fully automated decisions with legal or significant effects, not to every AI tool that touches personal data. Here is when it applies and what compliance looks like.
What Article 22 Actually Covers
Article 22(1) gives individuals the right not to be subject to a decision that meets two conditions at once:
- Based solely on automated processing: no meaningful human involvement before the decision takes effect
- Legal or similarly significant effects: the decision affects the individual's legal rights, or has a comparable impact on their finances, employment, education, health, or access to services
Profiling (automated evaluation of personal aspects that produces a score, category, or prediction about the individual) is named in Article 22 as a typical form of such processing, not as a third condition. A decision can fall under Article 22 without profiling, and profiling that only feeds a human's decision does not by itself trigger it.
Both conditions must be true. If a human meaningfully reviews the AI output before it takes effect, Article 22 does not apply. If the decision does not produce legal or similarly significant effects, Article 22 does not apply.
Common scenarios where Article 22 applies:
- AI auto-rejects job applicants below a scoring threshold
- AI auto-denies a credit application based on risk score
- AI auto-removes social media content based on policy violation detection
- AI auto-blocks a transaction based on fraud probability score
- AI auto-determines insurance premiums with no human underwriter review
Common scenarios where Article 22 does NOT apply:
- AI scores candidates, human recruiter makes the final call
- AI flags a transaction as suspicious, human fraud analyst approves or denies
- AI drafts a credit recommendation, loan officer decides
- AI summarizes a customer complaint, support rep responds
The line is meaningful human review. If a human can see the AI's output and exercise genuine judgment to accept, modify, or reject it — Article 22's automated decision rule does not apply.
SCHUFA ruling (CJEU C-634/21, 7 December 2023): The Court of Justice of the EU held that a credit information agency's automated generation of a probability value (the score) is itself a decision under Article 22(1) where a third party, such as a bank, draws strongly on that value to decide whether to enter into, perform, or terminate a contract. The bank formally making the final decision does not take the scoring out of Article 22 when the score effectively determines the outcome. Read together with the Article 29 Working Party guidelines on automated decision-making (WP251, endorsed by the EDPB), which say that human involvement only counts if the reviewer has the authority and competence to change the decision and does not just mechanically apply the automated result, this means a human in the loop is not sufficient on its own. Review your workflows for this rubber-stamp pattern, especially where the reviewer has limited ability to depart from the AI recommendation.
Step 1: Determine Whether Article 22 Applies to Your AI Use Case
Work through this test for each AI tool that touches EU individual data:
| Question | If yes | If no |
|---|---|---|
| Does the AI produce an output that is applied to the individual as a decision (accept, reject, score, rank)? | Continue to the next question | Stop: Article 22 does not apply |
| Does a human with the authority and competence to change the outcome meaningfully review that output before it takes effect? | Stop: Article 22 does not apply (document how the review is meaningful, not a rubber stamp) | Continue to the next question |
| Does the decision produce legal effects or similarly significant effects for the individual? | Article 22 applies | Stop: Article 22 does not apply |
If Article 22 applies, you have two options: bring the decision within one of the Article 22(2) exceptions (the "lawful bases" in Step 2), or redesign the process so that a human meaningfully reviews each decision before it takes effect.
Step 2: Establish a Lawful Basis (If You Need Automated Decisions)
Article 22(1) is, as the CJEU confirmed in SCHUFA, a prohibition in principle on solely automated decisions with legal or similarly significant effects. Article 22(2) lists three exceptions, and you must fit within one of them to proceed:
1. Contract necessity: The automated decision is necessary for entering into or performing a contract with the individual. Example: a lender that receives very large volumes of loan applications uses automated credit scoring to decide them. This basis is narrow: the decision must be genuinely necessary, not merely convenient.
2. EU or member state law: A law explicitly authorizes the automated decision and itself lays down suitable safeguards. Example: automated fraud or money-laundering monitoring that the applicable regulation requires.
3. Explicit consent: The individual has affirmatively opted in to automated decision-making for this specific purpose. Consent must be granular and specific; acceptance of general terms of service does not satisfy this requirement. Consent can be withdrawn at any time.
For most small teams, contract necessity is the most relevant basis. If your AI decision is necessary to perform a service the individual requested (automated claims processing, automated account verification), document why the decision is necessary for the contract rather than simply more efficient. Whichever exception you rely on, Article 22(4) adds a further limit: the automated decision may not be based on special-category data (Article 9(1): health, biometric, ethnic origin, and so on) unless the individual has given explicit consent under Article 9(2)(a) or the processing is necessary for reasons of substantial public interest under Article 9(2)(g), and suitable safeguards are in place.
Step 3: Implement the Three Required Safeguards
When an automated decision is permitted under the contract-necessity or explicit-consent exception (Steps 1-2 confirmed it's allowed), Article 22(3) requires suitable safeguards, which must include at least the three below. Under the legal-authorization exception the authorizing law must itself lay down the safeguards, but these three remain the practical baseline.
Safeguard 1: Right to Obtain Human Intervention
The individual must be able to request that a human reviews the automated decision. This means:
- Telling individuals, in plain language, that they have this right and how to exercise it
- Having an actual human who can review the case and make an independent decision
- Processing the human review request without undue delay; treat the one-month deadline that Article 12(3) sets for data-subject requests as the outer limit
This is an operational requirement. "Contact us if you have questions" does not satisfy it. There must be a defined process, an owner, and capacity to handle requests.
Safeguard 2: Right to Express Their Point of View
The individual must be able to provide information or context that the automated system did not have access to. For example:
- An applicant rejected by AI screening can submit a written statement explaining circumstances
- A customer denied credit can provide additional financial documentation for human review
Build a channel for this input — a form, an email address, a phone number — and make it genuinely accessible.
Safeguard 3: Right to Contest the Decision
The individual can challenge the automated decision and receive a substantive human review of their case. This goes beyond the right to express their view — it means the human reviewer can change the outcome.
Document the outcome of each contest: was the automated decision upheld or overturned? This data is useful for auditing whether your AI is producing fair outcomes and whether the human review is meaningful.
Privacy Notice Requirements
If Article 22 applies to any of your AI processes, Articles 13(2)(f) and 14(2)(g) require your privacy notice to disclose:
- The existence of automated decision-making, including profiling
- Meaningful information about the logic involved (a general explanation of the factors the system weighs and how they affect the outcome; source code or model weights are not required)
- The significance and the envisaged consequences of the automated decision for the individual
- The individual's rights under Article 22 (human intervention, expressing their point of view, contesting the decision) and how to exercise them
The same information must be provided on request under the right of access (Article 15(1)(h)). The disclosure must be in plain language (Article 12(1)). "We use AI to make decisions about you" is not enough: explain the type of decision, the general factors used, and what the individual can do about it.
Connecting Article 22 to Your Broader GDPR Compliance
Article 22 sits alongside (not instead of) GDPR's other requirements. For an AI tool that makes automated decisions:
- You still need a DPA with the vendor — see AI vendor DPA tracker
- You still need to document the processing activity in your Article 30 records — see the GDPR Article 30 template
- You will almost certainly need a DPIA (Data Protection Impact Assessment): Article 35(3)(a) makes one mandatory for a systematic and extensive evaluation of personal aspects based on automated processing, including profiling, on which decisions with legal or similarly significant effects are based, which describes most Article 22 use cases
- The lawful basis for the AI processing under Article 6 must also be established separately from the Article 22 lawful basis
For the full GDPR and CCPA picture for AI tools, including which vendors have DPAs and which train on your data, see AI data privacy for small teams.
