Automated Decision Making: Overview of GDPR Article 22

Updated: June 2026

Automated decision-making is changing how organisations operate, from loan approvals and insurance claims to recruitment and healthcare diagnostics. However, the use of automated systems raises significant concerns regarding data protection, especially when decisions are made solely by automated means without meaningful human involvement.

The General Data Protection Regulation (GDPR) addresses these concerns explicitly in Article 22, imposing strict restrictions and protections on automated individual decision-making, including profiling, that produce legal effects or similarly significant effects on individuals.

Data protection authorities, such as the European Data Protection Board and national data protection regulators, issue guidance and oversee compliance with GDPR requirements for automated decision-making.

Key Takeaways

• Article 22 of the GDPR restricts solely automated decisions that produce legal effects or similarly significant effects on individuals, emphasising the necessity of meaningful human involvement to safeguard data subject rights.

• Limited exceptions permit automated decision-making, including when it is necessary for contractual purposes, authorised by law, or based on the data subject’s explicit consent, each requiring strict safeguards to protect individuals.

• Compliance requires organisations to implement suitable technical and organisational measures, conduct Data Protection Impact Assessments (DPIAs), maintain transparency, and uphold data subjects’ rights to obtain human intervention and challenge automated decisions.

What does GDPR Article 22 say?

Article 22(1) of the GDPR establishes a qualified prohibition: a data subject shall not be subject to a decision based solely on automated processing, including profiling, that produces legal effects concerning him or her. This means that making decisions solely by automation, with no human involvement, is restricted under Article 22.

Determining when a data subject may be subject to a decision based solely on automated processing — and what compliance measures are necessary — requires a clear understanding of this provision.

What is solely automated decision-making under GDPR?

“Solely automated decision-making” refers to a situation in which the entire decision-making process, from data collection and analysis to the final decision, is carried out without meaningful human involvement, specifically concerning a natural person as defined under the GDPR.

The European Data Protection Board (EDPB) clarifies that human involvement must be substantive and capable of influencing the outcome. Mere rubber-stamping or superficial review does not suffice to exclude processing from the scope of Article 22.

For human involvement to be meaningful, it must include:

• Authority to change or override the automated decision.

• Access to all relevant data used in the automated process.

• Understanding of the logic and criteria behind the automated decision.

• Ability to consider additional information not processed by the automated system.

What are ‘legal effects’ and ‘similarly significant effects’?

Article 22 distinguishes between decisions producing a “legal effect” and those causing a “similarly significant effect” on individuals. A decision has a legal effect when it directly alters an individual’s legal rights or obligations, and Article 22 applies when automated processing produces legal effects concerning the data subject.

Legal effects are decisions that directly affect an individual’s legal rights or obligations, such as:

• Automatic refusal or cancellation of contracts.

• Denial of social security benefits or government services.

• Rejections of citizenship or immigration applications.

• Tax assessments or legal sanctions.

• Profiling that produces legal effects, for example automated credit scoring that determines loan eligibility.

Similarly significant effects refer to decisions that, while not legally binding, have a significant impact on an individual’s life circumstances. Examples include:

• Automatic refusal of online credit applications, which significantly affects an individual’s financial opportunities.

• AI-driven recruitment screening that excludes candidates, which can have a similarly significant impact on employment prospects.

• Insurance claim denials without human review, which result in a significant impact on the claimant.

• E-recruiting practices that systematically disadvantage certain groups, producing a similarly significant effect even if not strictly legal.

The threshold for “significant effect” is high; trivial or minor automated decisions that do not significantly affect individuals do not trigger Article 22 protections.

What exceptions permit automated decision-making under GDPR?

While Article 22(1) generally prohibits solely automated decisions with significant effects, Article 22(2) outlines three narrow exceptions where such processing is permitted, subject to strict conditions and safeguards. These exceptions include processing necessary for the performance of a contract, for contractual purposes, or with the individual’s explicit consent.

When does contractual necessity permit automated decisions?

Automated decision-making is permitted if necessary to enter into or perform a contract between the data controller and the data subject, specifically when processing is required for the purposes of the contract. This exception applies only when:

• Manual processing is genuinely impracticable or impossible.

• The automated decision is essential to fulfil the contract’s core purpose.

• Less intrusive alternatives have been considered and rejected.

For example, an automated credit scoring system that enables real-time loan approvals may qualify if manual review would cause unreasonable delays or costs.

When does legal authorisation permit automated decisions?

Processing is allowed when authorised by Union or Member State law, provided that the law includes suitable measures to protect data subject rights and freedoms. This exception typically applies in regulated sectors such as:

• Taxation and fraud prevention, including tax evasion monitoring.

• Anti-money laundering screening.

• Regulatory compliance monitoring.

• Public benefit eligibility determinations.

Organisations relying on this exception must verify that the legal basis explicitly permits their specific use case for automated decision-making and that appropriate safeguards are in place.

When does explicit consent permit automated decisions?

Automated decision-making is allowed if the data subject has given their explicit consent, which must be:

• Clear, specific, and informed about the nature and consequences of the automated processing.

• Freely given without coercion or undue pressure.

• Easily withdrawable at any time without detriment.

The GDPR treats an individual’s explicit consent as a last resort due to potential power imbalances and information asymmetry between organisations and individuals.

Why are other legal bases insufficient for automated decision-making?

Article 22 limits permissible legal bases for solely automated decisions to these three exceptions. Legitimate interests (Article 6(1)(f)), implied consent, or standard contractual necessity do not suffice for processing that falls within Article 22’s scope.

What additional restrictions apply to special category data?

Automated decision-making involving special categories of personal data (sensitive data) is subject to enhanced restrictions under Article 22(4) and Article 9 of the GDPR. Special categories, as defined by the GDPR, include information revealing:

• Racial or ethnic origin.

• Political opinions.

• Religious or philosophical beliefs.

• Trade union membership.

• Genetic or biometric data.

• Health information.

• Sexual orientation.

Automated decisions based on such data are generally prohibited unless:

• The data subject provides explicit consent for the specific processing.

• Processing is necessary for reasons of substantial public interest, based on Union or Member State law, with suitable safeguards.

Organisations must implement additional technical and organisational measures to protect special categories of data, including data minimisation, access controls, encryption, audit trails, and regular assessments.

When is a DPIA required for automated decision-making?

Article 35 of the GDPR mandates a DPIA for automated decision-making processes covered by Article 22. The DPIA must systematically assess risks to data subject rights and freedoms and identify technical and organisational measures to mitigate those risks.

What are the key risk factors to assess in a DPIA for automated decisions?

• Accuracy: Potential for errors or inaccuracies in automated decisions and their impact.

• Bias and Discrimination: Risks of unfair treatment or systematic disadvantage of protected groups.

• Transparency: Whether individuals can understand and challenge automated decisions.

• Data Quality: Completeness and relevance of data used in automated processing.

• Statistical Procedures: Importance of applying appropriate statistical procedures to ensure fairness, accuracy, and compliance with data protection regulations in automated decision-making.

• Security: Risks of unauthorised access or manipulation of automated systems.

When should DPIAs be reviewed and what triggers supervisory consultation?

DPIAs must be regularly reviewed, particularly when algorithms or data sources undergo changes. If high risks remain after mitigation, organisations must consult supervisory authorities before processing.

What rights do individuals have regarding automated decision-making?

Article 22(3) guarantees data subjects the right to obtain human intervention in automated decisions, express their point of view, and contest and seek reconsideration of automated decisions.

These rights apply when automated decisions involve evaluating personal aspects of the data subject, such as analysing personal data to assess characteristics, performance, or behaviours that significantly impact the individual.

How should organisations implement human intervention?

Human reviewers must:

• Understand the automated system’s logic.

• Have access to all relevant data.

• Possess authority to change decisions.

• Conduct thorough and independent reviews within reasonable timeframes.

Organisations should establish clear, accessible procedures for requesting human intervention and ensure timely responses.

What is the right to explanation for automated decisions?

Although the GDPR does not explicitly grant a “right to explanation,” combined provisions require organisations to provide meaningful information about:

• The logic involved in automated decision-making.

• The significance and consequences of decisions.

• How data subjects can exercise their rights.

Information must balance transparency against the protection of trade secrets and intellectual property.

What technical and organisational safeguards are required?

To ensure fairness, accuracy, and data protection, organisations must implement technical and organisational safeguards. These measures are necessary to meet GDPR requirements and ensure fair, transparent, and secure automated decision-making and profiling.

• Regular audits of automated systems to detect and correct biases

• Clear documentation of decision-making processes

• Human oversight of significant decisions

• Mechanisms for individuals to contest automated decisions

• Appropriate steps to secure personal data during automated decision-making, protecting it from unauthorised access

Evaluations or predictions of personal traits must not produce unfair or discriminatory outcomes. Maintaining fairness and transparency throughout the process is a core obligation under GDPR.

What statistical procedures support fair automated decision-making?

• Regular performance evaluation using statistical procedures and metrics like accuracy, precision, and recall.

• Validation techniques such as cross-validation and error analysis.

• Statistical testing to detect bias or disparities across groups.

How can organisations prevent bias in automated decision-making?

• Use of bias detection algorithms.

• Fairness constraints in model design.

• Diverse and representative training data, including consideration of personal preferences to prevent bias.

• Exclusion of proxies for protected characteristics.

What data minimisation and security measures are required?

• Processing only data necessary for decisions.

• Limiting data retention periods.

• Encryption of data at rest and in transit.

• Role-based access controls.

• Comprehensive logging and monitoring.

• Implementing measures to secure personal data against unauthorised access.

How often should automated decision-making systems be audited?

• Internal and external audits of algorithmic fairness and accuracy.

• Penetration and stress testing of automated systems.

• Compliance audits to verify adherence to GDPR requirements.

What transparency obligations apply to automated decision-making?

Organisations must provide clear, accessible information to data subjects about automated decision-making:

• Existence and nature of automated processing.

• Legal basis and exceptions relied upon.

• Categories of data and sources used.

• Purposes of automated decisions.

• Recipients and retention periods.

• Data subject rights and how to exercise them.

• Whether automated decisions involve evaluating or predicting personal aspects relating to individuals, such as health, preferences, or behaviour.

• How automated processing is used to predict aspects of individuals, including the logic involved and potential consequences.

When providing this information, organisations should account for specific circumstances to ensure the context of processing is clear to data subjects.

Updates should be communicated when significant changes to algorithms or criteria occur.

When does Article 22 not apply?

Automated processing with meaningful human involvement or lacking significant effects falls outside Article 22 but remains subject to GDPR principles, including:

• Lawful basis under Article 6.

• Purpose limitation and data minimisation.

• Data accuracy and storage limitation.

• Integrity and confidentiality.

Data subjects retain rights such as access, rectification, erasure, and objection, particularly under Article 21 for profiling based on legitimate interests.

How does Article 22 apply across different sectors?

What does Article 22 mean for financial services?

Credit scoring and loan approval systems require:

• Transparency about scoring logic.

• Human intervention mechanisms for contesting decisions, including in cases of automatic refusal of an online credit application.

• Regular bias and fairness assessments.

What does Article 22 mean for healthcare?

Automated diagnostic and treatment recommendation tools must:

• Comply with special category data restrictions.

• Serve as decision support, not sole decision-makers.

• Involve qualified healthcare professionals for oversight.

What does Article 22 mean for employment?

Recruitment and performance evaluation algorithms should:

• Prevent discrimination.

• Provide candidates and employees opportunities to contest decisions.

• Ensure transparency about automated processing impacts.

What does Article 22 mean for marketing?

Automated profiling affecting pricing or service access may trigger Article 22 protections. Organisations should:

• Assess the significance of effects.

• Provide transparency and objection mechanisms.

• Monitor for discriminatory impacts.

How do organisations build an Article 22 compliance framework?

Step 1: Assessment and Planning
Inventory automated processing activities.
Determine Article 22 applicability.
Identify legal bases and exceptions.
Conduct DPIAs.
Step 2: Policy and Legal Documentation
Update privacy notices.
Document legal basis and safeguards.
Establish human intervention procedures.
Define data subject rights processes.
Step 3: Technical and Organisational Measures
Implement appropriate technical and organisational measures to ensure accuracy, fairness, and security.
Develop monitoring and auditing systems.
Ensure data minimisation and secure handling.
Step 4: Training and Governance
Train staff on Article 22 requirements.
Define roles and responsibilities.
Establish escalation and review procedures.
Step 5: Ongoing Monitoring and Review
Regularly audit automated systems.
Monitor data subject rights requests.
Stay updated on regulatory guidance.
Update DPIAs and policies as needed.

How should organisations prepare for supervisory authority inquiries?

Data protection authorities may conduct inquiries or request information regarding compliance. Organisations should:

• Maintain comprehensive documentation.

• Establish response protocols.

• Ensure availability of legal and technical experts.

• Conduct regular compliance reviews and simulations.

Conclusion

Automated decision-making under GDPR presents significant compliance challenges but also real opportunities for innovation. Article 22 sets a high standard for protecting individuals from harmful automated decisions by requiring meaningful human involvement, strict exceptions, transparency, and appropriate safeguards.

By implementing compliance frameworks that include risk assessments, human intervention rights, technical controls, and ongoing monitoring, organisations can use automation while respecting data subject rights and fulfilling GDPR obligations. Continuous vigilance and adaptation are necessary as technologies and regulatory expectations evolve.

Frequently Asked Questions (FAQs)

What is considered a “solely automated decision” under GDPR Article 22?

A solely automated decision is one made entirely by automated means without any meaningful human involvement. This includes decisions based on profiling that produce legal effects or similarly significant effects on individuals, such as automatic refusal of a loan or exclusion from a recruitment process.

When is automated decision-making permitted under the GDPR, despite the restrictions?

Automated decision-making is permitted under three main exceptions in Article 22(2): when necessary for entering into or performing a contract; when authorised by Union or Member State law with suitable safeguards; or when the data subject has given their explicit consent.

What rights do individuals have regarding automated decisions under GDPR?

Individuals have the right to obtain human intervention, express their point of view, and contest decisions made solely by automated processing. Organisations must provide clear and meaningful information about the underlying logic and ensure mechanisms for review to protect data subjects’ rights.