ENTRY № 22 · STATUTORY READING · GDPR ART. 22
PUBLISHED 2026-05-09 · ~13-MIN READ · WARRANT COMPLIANCE

GDPR Article 22, line by line.

Four paragraphs of the General Data Protection Regulation. One Recital. Two Court of Justice rulings — SCHUFA in December 2023, Dun and Bradstreet Austria in February 2025 — that pulled the article squarely into the AI age. Article 22 is the data subject's right against decisions made about them by a machine. After 2025, it is also the operative European answer to the question of what an algorithm must explain.

Warrant is regulator-grade evidence infrastructure for AI agents in regulated industries: drop an agent's execution trace, get a record mapped to a specific EU AI Act obligation, independently verifiable without contacting Warrant.

ARTICLE
Art. 22 · §§ 1–4
Regulation (EU) 2016/679, automated individual decision-making, including profiling. Read with Recital 71.
CASE LAW
SCHUFA · D&B
C-634/21 decided 2023-12-07. C-203/22 decided 2025-02-27. Together they define the post-2025 reading.
PENALTY
€20M or 4% turnover
Article 83(5)(b) higher-tier ceiling. Infringements of data subject rights under Articles 12 to 22.
01 · § 1 · THE PROHIBITION

The load-bearing sentence.

The data subject shall have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her or similarly significantly affects him or her. Regulation (EU) 2016/679 · Article 22(1) · 27 April 2016

Read it as one obligation hanging on three load-bearing phrases. Solely automated. Legal effects. Similarly significantly affects. Each phrase has an interpretive history. Each one has been narrowed by regulators and widened by courts. Together, they decide whether a given AI agent's decision falls inside the article or outside it.

Solely automated. The European Data Protection Board reads the word strictly. A human in the loop who routinely accepts the system's output without changing it does not displace the article. The EDPB Guidelines say the human review must be meaningful — performed by someone with the authority and competence to alter the decision, not someone whose role is to approve in batches. A pipeline that puts a credit officer's name on every algorithmic refusal but never sees that officer overrule the algorithm is, for Article 22 purposes, solely automated.

Legal effects. The narrow reading. The decision must produce a change in the data subject's legal position. A refused loan agreement, a terminated contract, a denied insurance policy, an immigration outcome — all clear cases. The EDPB list is not closed.

Similarly significantly affects. The wider reading, where most contemporary AI argument lives. The EDPB Guidelines name as examples decisions that affect the data subject's financial circumstances, access to health services, employment opportunities, or access to education. Behavioural advertising is not normally significant; targeted differential pricing or scoring that gates access to a credit product is.

"Article 22 is not a prohibition on AI. It is a prohibition on AI making decisions about a person without that person having any way to intervene." Warrant Compliance · 2026-05-09

The structure matters. Paragraph 1 is the right. Paragraph 2 is the three carve-outs. Paragraph 3 is the safeguards that travel with two of those carve-outs. Paragraph 4 is the special-categories overlay. Four sub-clauses. Most of the regulatory weight sits in the first.

02 · § 2 · THE THREE EXCEPTIONS

The three carve-outs verbatim.

Paragraph 1 shall not apply if the decision: (a) is necessary for entering into, or performance of, a contract between the data subject and a data controller; (b) is authorised by Union or Member State law to which the controller is subject and which also lays down suitable measures to safeguard the data subject's rights and freedoms and legitimate interests; or (c) is based on the data subject's explicit consent. Regulation (EU) 2016/679 · Article 22(2)

Three doors out of paragraph 1. Each door has a doorman. The EDPB Guidelines and supervisory authority practice have built up a regulator-recognised set of safeguards for each exception.

22(2)(a)
Contract necessity. The processing must be necessary, not merely useful, to entering into or performing the contract. The EDPB reads necessary narrowly. Where a less intrusive method achieves the same end, the controller must use it. Required safeguards under § 3 attach. SAFEGUARDS · meaningful human review on request, point of view, contest path. EDPB also requires Article 13/14 disclosure of the logic at the point of collection.
22(2)(b)
Union or Member State law authorisation. The law itself must lay down suitable measures. This is the door for fraud and tax-evasion monitoring (named in Recital 71), for credit scoring expressly authorised by national law, and for some statutory regulatory regimes. Article 22(3) safeguards do not automatically apply — the authorising law itself must contain them. SAFEGUARDS · whatever the authorising statute requires, but EDPB expects functionally equivalent protection. The controller cannot rely on (b) to bypass safeguards.
22(2)(c)
Explicit consent. Not ordinary GDPR consent — explicit. The data subject must be told precisely that the decision will be made by automated means, told what the consequences are, and given a free and informed choice. § 3 safeguards attach. SAFEGUARDS · meaningful human review on request, point of view, contest path. Withdrawal of consent must be as easy as giving it (Article 7(3)).

Three doors. The third door — explicit consent — is rarely the right one for systems that operate at scale. Mass consent is brittle, withdrawable at any moment, and supervisory authorities are sceptical of the genuineness of consent in employment and credit contexts. Most production AI agents that depend on Article 22(2) sit on (a) or (b).

03 · § 3 · THE SAFEGUARDS

The three safeguards verbatim.

In the cases referred to in points (a) and (c) of paragraph 2, the data controller shall implement suitable measures to safeguard the data subject's rights and freedoms and legitimate interests, at least the right to obtain human intervention on the part of the controller, to express his or her point of view and to contest the decision. Regulation (EU) 2016/679 · Article 22(3)

Three operative safeguards, each load-bearing.

The right to obtain human intervention on the part of the controller. Not anywhere; on the part of the controller. The reviewer must be employed or instructed by the controller, must be able to access the inputs and outputs of the automated decision, and must have the authority to alter the outcome. The EDPB Guidelines underline that intervention must be more than a token gesture. A help-desk that returns the same automated answer is not intervention.

The right to express his or her point of view. The data subject must be able to put information in. New facts, contextual explanations, contested premises. The controller must consider the input.

The right to contest the decision. A contest is more than a complaint. The data subject can demand the decision be reviewed and altered or unwound. The supervisory authority track record after 2018 reads contest as a substantive right with a procedural shape — channel, timeline, response.

Note what the operative paragraph does not include. There is no right to an explanation of the decision in Article 22(3) itself. The right to an explanation lives in Recital 71 and, since the Dun and Bradstreet Austria judgment, operatively in Article 15(1)(h). The architecture of the safeguard is asymmetric: the data subject can intervene, contest, and reshape, but the textual right to ask why is housed in the access regime.

04 · § 4 · SPECIAL CATEGORIES

The special-categories overlay.

Decisions referred to in paragraph 2 shall not be based on special categories of personal data referred to in Article 9(1), unless point (a) or (g) of Article 9(2) applies and suitable measures to safeguard the data subject's rights and freedoms and legitimate interests are in place. Regulation (EU) 2016/679 · Article 22(4)

Article 9(1) lists racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health, and data concerning a natural person's sex life or sexual orientation. Article 22(4) raises the bar when any of those feed into the automated decision.

Two doors only. Article 9(2)(a) — explicit consent. Article 9(2)(g) — substantial public interest under Union or Member State law. The everyday Article 22(2)(a) contract-necessity door is closed when special categories are involved. A health-insurance pricing model that ingests medical history must run through 9(2)(a) explicit consent or 9(2)(g) statutory authorisation. There is no contract-necessity path.

The supervisory authority practice on derived special categories — proxies, inferences, embedding-level signals — is unsettled. EDPB Guidelines treat inferred special-category data as in scope of Article 9 once the inference is sufficiently reliable. AI systems that produce probabilistic class membership over protected attributes sit close to this boundary.

05 · RECITAL 71

Recital 71 · the rich-text version.

The data subject should have the right not to be subject to a decision, which may include a measure, evaluating personal aspects relating to him or her which is based solely on automated processing and which produces legal effects concerning him or her or similarly significantly affects him or her, such as automatic refusal of an online credit application or e-recruiting practices without any human intervention. … In any case, such processing should be subject to suitable safeguards, which should include specific information to the data subject and the right to obtain human intervention, to express his or her point of view, to obtain an explanation of the decision reached after such assessment and to challenge the decision. Regulation (EU) 2016/679 · Recital 71 · extracts

Recitals are not operative law. They are interpretive aid. Recital 71 nonetheless does two things that matter operatively.

First, it surfaces the named example use cases — automatic refusal of an online credit application, e-recruiting without any human intervention. Both have shaped the EDPB's reading of similarly significantly affects. Both have shaped national supervisory-authority enforcement priority. Recital 71 is not exhaustive but it tells controllers where the article is felt most.

Second, and more importantly, Recital 71 names a fourth safeguard not present in the operative Article 22(3): the right to obtain an explanation of the decision reached after such assessment. The asymmetry between Recital 71 and Article 22(3) was an open interpretive question for years. The Dun and Bradstreet Austria judgment in February 2025 closed it — not by reading explanation into Article 22(3), but by reading the existing transparency obligations in Articles 13, 14, and 15 to require an operative explanation of the procedure and principles actually applied.

Recital 71 also lists the kind of profiling the article targets: analysis or prediction of performance at work, economic situation, health, personal preferences or interests, reliability or behaviour, location or movements. The list is the EDPB's working catalogue of significant-effect profiling. AI systems that score along any of these axes are in scope.

06 · EDPB WP251rev.01

The EDPB Guidelines · WP251rev.01.

The Article 29 Working Party — the EDPB's predecessor — adopted Guidelines on Automated individual decision-making and Profiling for the purposes of Regulation 2016/679 on 3 October 2017 and last revised them on 6 February 2018, indexed as WP251rev.01. The EDPB endorsed them at its first plenary in May 2018. They remain the supervisory authority's canonical reading of Article 22.

Three positions in the Guidelines are doing operative work in 2026.

One. The meaning of "solely". The Guidelines treat human review as meaningful only where the reviewer has the authority and competence to change the decision, considers all the relevant data, and is not constrained to a token check. To qualify as human involvement, the controller must ensure that any oversight of the decision is meaningful, rather than just a token gesture. Cosmetic review does not move a system out of Article 22(1).

Two. The meaning of "meaningful information about the logic involved". The Guidelines explicitly disclaim a requirement for source code or for a complete mathematical specification of the algorithm. They require, instead, information that allows the data subject to understand the reasons for the decision — the kinds of inputs, the relative weight of those inputs in general terms, and the categories of personal data used. The position has now been confirmed and operationalised by the Dun and Bradstreet Austria ruling.

Three. Profiling without a § 1 decision. Profiling that does not produce legal effects or similarly significantly affect the data subject still triggers transparency duties under Articles 13(2)(f) and 14(2)(g). The Article 22 prohibition does not attach, but the disclosure obligation does. The EDPB has consistently treated marketing-personalisation profiling this way.

The Guidelines also emphasise that paragraph 2(a) contract-necessity must be read narrowly. Necessary means strictly necessary, not merely useful. Where a less intrusive non-automated alternative is available and reasonably efficient, the controller cannot rely on (a).

07 · CJEU SCHUFA · C-634/21

SCHUFA · credit scoring as automated decision.

On 7 December 2023, the First Chamber of the Court of Justice handed down its judgment in OQ v Land Hessen, intervener SCHUFA Holding AG, Case C-634/21. The reference came from the Verwaltungsgericht Wiesbaden. The question was whether the establishment by a credit reference agency of an automated probability value about a person's payment behaviour amounted to a decision based solely on automated processing within Article 22(1) — when the score itself was produced by SCHUFA but the actual contractual decision (lend or do not lend) was taken by the third party using it.

"The automated establishment, by a credit information agency, of a probability value based on personal data relating to a person and concerning his or her ability to meet payment commitments in the future constitutes automated individual decision-making within the meaning of Article 22(1)." CJEU · Case C-634/21 · 7 December 2023 · operative ruling, paraphrased

The Court rejected the narrower reading that the score is merely preparatory and that only the lending bank's downstream decision is the decision under Article 22(1). The qualifying condition the Court applied: where the third party draws strongly on the score to establish, implement, or terminate a contractual relationship, the score itself is the decision. The supervisory authorities had argued for this reading since the EDPB Guidelines. The Court adopted it.

The reach of the holding extends well beyond credit scoring. Any AI system that produces a probability value, risk score, or class assignment about a person — fraud risk, employment fit, insurance-pricing tier, recidivism estimate — and whose output is heavily relied upon by a downstream decision-maker is now squarely inside Article 22(1). The provider of the scoring model becomes a controller for Article 22 purposes, jointly or severally with the deployer who relies on the score.

Two practical consequences. First, the safeguards in Article 22(3) — human intervention, point of view, contest — must be reachable through the scoring controller, not only the downstream consumer. SCHUFA cannot point at the bank. Second, the transparency obligations in Articles 13(2)(f), 14(2)(g), and 15(1)(h) attach to the scoring controller, who must disclose meaningful information about the logic involved. The Dun and Bradstreet Austria ruling fifteen months later operationalises that disclosure.

08 · CJEU DUN & BRADSTREET · C-203/22

Dun and Bradstreet Austria · the right to an explanation.

On 27 February 2025, the Court of Justice handed down its judgment in CK v Magistrat der Stadt Wien, with Dun & Bradstreet Austria GmbH as the other party, Case C-203/22. The reference came from the Verwaltungsgericht Wien. The data subject had been denied a mobile phone contract on the basis of an automated credit assessment performed by Dun and Bradstreet Austria. She invoked Article 15(1)(h) and asked for meaningful information about the logic involved. She was given general explanations she considered inadequate. The referring court asked the CJEU what the right actually requires.

"The 'meaningful information about the logic involved' in automated decision-making … must describe the procedure and principles actually applied in such a way that the data subject can understand which of his or her personal data have been used in what way." CJEU · Case C-203/22 · 27 February 2025 · paragraph 61

The Court's operative ruling — point 1 — required the controller to explain, by means of relevant information and in a concise, transparent, intelligible and easily accessible form, the procedure and principles actually applied in order to use, by automated means, the personal data concerning that person with a view to obtaining a specific result, such as a credit profile.

What the Court did not do is also load-bearing. It did not require disclosure of the source code. It did not require disclosure of the trained model parameters. It did not mandate full algorithmic transparency. The right is not a right to inspect the system. It is a right to an explanation pitched at a level the data subject can use.

Three operative implications for AI controllers from the February 2025 reading.

One. Per-decision provenance. The controller must be able to say, for the specific decision in question, which of this person's personal data was used and in what way. Not a generic model card. A per-decision trace. Aggregate documentation of the model is necessary but not sufficient.

Two. Procedure and principles in plain text. The disclosure must be intelligible. A Bayesian-network diagram is not, by itself, intelligible. A generic boilerplate sentence is not, by itself, intelligible. The controller must produce an explanation that allows the data subject to understand why.

Three. Trade-secret defence is not absolute. The Court addressed the controller's interest in protecting algorithmic trade secrets. It held that the protection of trade secrets cannot extinguish the data subject's right entirely. National courts and supervisory authorities are to balance the two — the practical answer is layered disclosure: a usable explanation to the data subject, more detailed disclosure to the supervisory authority on request.

Together, SCHUFA and Dun and Bradstreet Austria define the post-2025 perimeter. SCHUFA pulls AI scoring into Article 22(1). Dun and Bradstreet Austria says the resulting transparency obligation has operative content — the data subject is entitled to a real explanation of the procedure and principles actually applied. The two rulings are the regulator's answer to the question of what an algorithm must explain to the person it judges.

09 · EU AI ACT BRIDGE

Article 22 GDPR under the AI Act.

Regulation (EU) 2024/1689 — the EU AI Act — does not displace Article 22. Recital 9 of the AI Act states that the AI Act applies without prejudice to the GDPR. Where an AI system processes personal data, both regimes attach. The AI Act adds obligations on the system side. Article 22 GDPR remains the operative right on the data-subject side.

The two regimes carry parallel disclosure and oversight obligations that overlap without merging.

AI Act 13
Transparency to deployer. Art. 13 of the AI Act obliges providers of high-risk systems to give deployers technical documentation enabling them to interpret system output. This is provider-to-deployer. RELATIONSHIP · transparency to the deployer, not to the data subject. GDPR Art. 22 plus Arts. 13/14/15 GDPR continue to govern transparency to the data subject.
AI Act 14
Human oversight in the system. Art. 14 of the AI Act requires high-risk systems to be designed for effective human oversight. Stop, override, intervene. System-design level. RELATIONSHIP · oversight is built into the system. GDPR Art. 22(3) gives the data subject a right to invoke human intervention. The AI Act is the design obligation; Art. 22 GDPR is the data-subject claim.
AI Act 86
Explanation by deployer. Art. 86 of the AI Act gives affected persons the right to obtain a clear and meaningful explanation from the deployer of high-risk AI systems for decisions significantly affecting their rights. RELATIONSHIP · the AI Act creates a parallel explanation right against the deployer. GDPR Art. 15(1)(h) plus Dun and Bradstreet Austria gives the data subject an explanation right against the controller. Most production AI systems trigger both.

A high-risk AI agent in production after the EU AI Act high-risk application date (2 August 2026 in the AI Act as enacted, subject to the May 2026 Omnibus provisional deferral to 2 December 2027 pending OJEU) must satisfy AI Act Art. 12 logging, AI Act Art. 13 transparency to the deployer, AI Act Art. 14 human oversight, AI Act Art. 86 explanation rights, and Article 22 GDPR's data-subject perimeter, all at once. The evidence package that satisfies the regulator must address all five. Sibling reading: EU AI Act Article 13, line by line.

10 · FIELD MAPPING

How Article 22 sub-clauses map to evidence fields.

22(1)
Per-decision classification — solely automated, legal or similarly significant effect. FIELD · trace.actions[*].human_loop_check (was the loop meaningfully closed by a competent reviewer); trace.actions[*].effect_class (legal | similarly_significant | neither).
22(2)
Per-decision lawful-basis tag, one of (a) contract necessity, (b) Union/MS law authorisation, (c) explicit consent. FIELD · metadata.lawful_basis (string-typed enum); metadata.lawful_basis_evidence (pointer to the contract clause, statutory citation, or consent record).
22(3)
Per-decision human-intervention right surfaced — channel, response window, reviewer authority. FIELD · trace.actions[*].appeal_path (channel, sla, reviewer_role, reviewer_authority_to_overturn).
22(4)
Per-decision special-categories check. FIELD · trace.actions[*].special_category_inputs (boolean); trace.actions[*].art9_basis if true.
13(2)(f) · 14(2)(g) · 15(1)(h)
Meaningful-information disclosure trail — procedure and principles actually applied for this decision. FIELD · regulator_evidence.transparency_disclosure (per-decision explanation text, intelligibility-pitched, citing personal data used and their use).
Sample Article 22 evidence package · Warrant register · independently verifiable without contacting Warrant
→ /v/7de85ceaeac42a47

The evidence model treats each agent decision as a standalone Article 22 unit. Per decision, the package answers four questions a supervisory authority will ask: was the decision solely automated, on what lawful basis, was the human-intervention right reachable, and what is the per-decision explanation. The package is independently verifiable without contacting Warrant, so the answers cannot be amended after the fact. The four-layer evidence stack describes the architecture. For the sibling privacy regimes governing the same processing, see China's PIPL and HIPAA read against AI agents.
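As an added example, not Warrant's code or schema, the following checker runs the four supervisory questions over a single decision record using the evidence fields mapped above. The Action record, the enum strings ("a"/"b"/"c", "9(2)(a)"/"9(2)(g)") and the finding labels are assumptions of this example.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed example: per-decision Article 22 checks over the evidence fields
# this page maps (human_loop_check, effect_class, lawful_basis, appeal_path,
# special_category_inputs, art9_basis, transparency_disclosure). The Action
# record, the enum strings and the finding labels are assumptions, not
# Warrant's schema.

SIGNIFICANT = {"legal", "similarly_significant"}
ART9_DOORS = {"9(2)(a)", "9(2)(g)"}   # the only two doors 22(4) leaves open
APPEAL_KEYS = ("channel", "sla", "reviewer_role", "reviewer_authority_to_overturn")


@dataclass
class Action:
    human_loop_check: bool                  # meaningful review by a competent reviewer?
    effect_class: str                       # legal | similarly_significant | neither
    lawful_basis: Optional[str] = None      # "a" | "b" | "c"  (Art. 22(2))
    lawful_basis_evidence: Optional[str] = None
    appeal_path: Optional[dict] = None      # Art. 22(3) safeguards
    special_category_inputs: bool = False   # did Art. 9(1) data feed the decision?
    art9_basis: Optional[str] = None
    transparency_disclosure: Optional[str] = None  # per-decision explanation


def assess(a: Action) -> dict:
    """Return {'in_scope': bool, 'findings': [...]}; an empty findings list
    means the record answers all four supervisory questions for this decision."""
    findings = []
    # 22(1): solely automated AND legal / similarly significant effect.
    in_scope = not a.human_loop_check and a.effect_class in SIGNIFICANT
    if not in_scope:
        return {"in_scope": False, "findings": findings}

    # 22(2): one of the three doors must be tagged, with evidence behind it.
    if a.lawful_basis not in ("a", "b", "c"):
        findings.append("22(2): no exception tagged; decision falls under the 22(1) prohibition")
    elif not a.lawful_basis_evidence:
        findings.append("22(2): lawful_basis_evidence missing (contract clause, statute or consent record)")

    # 22(3): safeguards travel with doors (a) and (c). Door (b) relies on the
    # authorising statute, so only its citation is checked above.
    if a.lawful_basis in ("a", "c"):
        path = a.appeal_path or {}
        missing = [k for k in APPEAL_KEYS if not path.get(k)]
        if missing:
            findings.append("22(3): appeal_path incomplete: " + ", ".join(missing))

    # 22(4): special categories close every door except 9(2)(a) and 9(2)(g).
    if a.special_category_inputs and a.art9_basis not in ART9_DOORS:
        findings.append("22(4): special-category inputs without a 9(2)(a)/(g) basis")

    # 13(2)(f) / 14(2)(g) / 15(1)(h): a per-decision explanation must exist.
    if not (a.transparency_disclosure and a.transparency_disclosure.strip()):
        findings.append("15(1)(h): no per-decision transparency_disclosure")

    return {"in_scope": True, "findings": findings}


def cosmetic_review_refusal() -> Action:
    """Constructed record: a rubber-stamped health-insurance pricing refusal
    whose reviewer cannot overturn the model and whose inputs include medical data."""
    return Action(
        human_loop_check=False, effect_class="similarly_significant",
        lawful_basis="a", lawful_basis_evidence="policy clause 4.2",
        appeal_path={"channel": "email", "sla": "30d", "reviewer_role": "underwriter",
                     "reviewer_authority_to_overturn": False},
        special_category_inputs=True, art9_basis=None,
        transparency_disclosure=None,
    )


if __name__ == "__main__":
    for f in assess(cosmetic_review_refusal())["findings"]:
        print(f)
```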

11 · FAQ

Questions a privacy officer asks first.

Does Article 22 prohibit all automated decision-making?

No. Article 22(1) gives the data subject a right not to be subject to a decision based solely on automated processing that produces legal effects or similarly significantly affects them. Article 22(2) lifts the prohibition where the decision is necessary for a contract, authorised by Union or Member State law, or based on the data subject's explicit consent. Where (a) or (c) applies, Article 22(3) requires safeguards including the right to obtain human intervention, to express a point of view, and to contest the decision.

What does "solely" automated mean after the SCHUFA ruling?

The Court held in Case C-634/21 (judgment of 7 December 2023, OQ v Land Hessen, intervener SCHUFA Holding AG) that the automated establishment by a credit reference agency of a probability value about a person's ability to meet future payment commitments constitutes automated individual decision-making within Article 22(1) where a third party draws strongly on that score to establish, implement, or terminate a contractual relationship. The Court rejected the narrower reading that scoring is merely preparatory.

What does "meaningful information about the logic involved" require after Dun and Bradstreet Austria?

In Case C-203/22 (judgment of 27 February 2025), the Court held that the right under Articles 13(2)(f), 14(2)(g), and 15(1)(h) to "meaningful information about the logic involved" is a right to an explanation of the procedure and principles actually applied, in concise, transparent, intelligible, and easily accessible form, sufficient for the data subject to understand which of their personal data have been used and in what way. The Court did not require disclosure of source code, model parameters, or the algorithm itself.

Does Recital 71 add a "right to an explanation" to Article 22?

Recital 71 names the right to obtain an explanation of the decision reached alongside human intervention and contest as a suitable safeguard. The operative text of Article 22(3) lists human intervention, expression of view, and contest, but not explanation. The EDPB Guidelines (WP251rev.01) treat the Recital 71 explanation as part of the broader transparency obligation under Articles 13, 14, and 15. The Dun and Bradstreet Austria ruling reads that obligation operatively.

Does cosmetic human review take a system out of Article 22?

No. The EDPB Guidelines state that to qualify as human involvement, the controller must ensure that any oversight is meaningful, rather than a token gesture, and is carried out by someone with the authority and competence to change the decision. A reviewer who routinely rubber-stamps automated outputs does not move the system outside Article 22(1).

What is the maximum penalty for violating Article 22?

Article 83(5)(b) places infringements of data subject rights under Articles 12 to 22 in the higher tier of administrative fines. The ceiling is up to 20 million EUR or, if the offender is an undertaking, up to 4 percent of total worldwide annual turnover for the preceding financial year, whichever is higher.

How does Article 22 GDPR interact with the EU AI Act?

Article 22 GDPR remains binding alongside Regulation (EU) 2024/1689. The AI Act adds parallel obligations on the system side. Article 13 of the AI Act covers transparency to deployers. Article 14 covers human oversight in high-risk systems. Article 86 of the AI Act creates a parallel explanation right against the deployer. Article 22 GDPR remains the data-subject-side right against decisions made about them by the controller.

How do I produce an Article 22 evidence package today?

Drop the agent's execution trace at warrant.build/demo. Warrant produces a PDF that classifies each action against Article 22(1), tags the lawful basis under Article 22(2)(a) to (c), surfaces the human-intervention path required by Article 22(3), and packages the meaningful-information disclosure required by Articles 13(2)(f), 14(2)(g), and 15(1)(h). The result is a record mapped to each Article 22 obligation, independently verifiable without contacting Warrant.

12 · READ THE SOURCE

Read the source directly.

Authored by Warrant Compliance, the regulatory-analysis function at Warrant. Editorial commentary on regulatory text. Not legal advice. Verbatim quotation of Article 22 reflects the official English-language text of Regulation (EU) 2016/679 as published in the Official Journal of the European Union on 4 May 2016. Quotations from the CJEU rulings are taken from the official English-language text of the judgments as published on EUR-Lex.