How to document automated decisions that affect people (GDPR Art. 22 + AI Act)
AI Act, GDPR, Compliance
Your sales team uses an AI tool that scores leads by purchase likelihood. Your HR system automatically filters job applicants based on a set of criteria. Your fintech solution assesses loan applications without a human reviewing each individual case.
That sounds like efficiency. But when those systems make decisions that directly affect people, there is more happening than a useful piece of software.
GDPR Article 22 and the EU AI Act together impose concrete documentation requirements for automated decision-making. This article explains what those requirements are and how to implement them in practice.
When does a system fall under GDPR Article 22?
Article 22 GDPR applies when three conditions are met simultaneously.
The first: the decision is made solely or primarily by an automated system. There is no or only marginal human involvement in the actual decision.
The second: the decision produces legal effects for the data subject or similarly significantly affects them. This includes refusing a loan application, rejecting a job applicant, terminating an insurance policy, or adjusting the price someone pays based on a risk classification.
The third: the decision concerns an identified or identifiable person.
If your AI tool assigns lead scores but a human always makes the final decision, you are probably in the profiling category but not fully in Article 22 territory. The moment the tool directly determines the action, without a human reviewing the individual decision, you are in Article 22 territory.
What the AI Act adds on top
The EU AI Act adds an extra layer for a specific subset of automated decision systems: high-risk AI.
AI systems that make decisions in certain contexts are automatically classified as high-risk. The relevant sectors are recruitment and personnel selection, credit assessment, assessment of entitlement to social benefits, criminal risk assessment, and decisions about access to essential private and public services.
For high-risk AI systems, the AI Act requires:
- Technical documentation of how the system works
- Logging of decisions (automatically maintained)
- Human oversight: a person must be able to review and reverse the decision
- Transparency toward data subjects about the fact that an AI system is being used
- Registration in the AI systems register
This is not a theoretical obligation. For deployers of high-risk AI, this becomes enforceable from August 2026.
What you must document at a minimum
Whether you fall primarily under Article 22 GDPR, the AI Act, or both, the core of what you need to document overlaps substantially.
System description: Name of the system, vendor, version. Which functionality makes the decision. Based on which input variables. Which type of AI is applied (rule-based, machine learning, or a combination).
Purpose and lawful basis: What do you use this system for? On what lawful basis do you process the personal data the system uses? If special categories of personal data are involved, which exception under Article 9 GDPR applies?
Scope of the decision: What decisions does the system make or support? Who is affected? How significant are the consequences for those people?
Human oversight: Who in your organisation can review and reverse a system-generated decision? Is there a procedure for objection by data subjects? Who is the point of contact for that?
Communication with data subjects: Are data subjects informed that an automated system is making a decision about them? At what point and through which channel?
Risk assessment: Has a DPIA been carried out? If so, when and what were the outcomes? Are there residual risks and if so, what measures have been taken?
Update history: When was the system last evaluated? Have any changes been made to the decision logic?
A practical documentation template per system
For each automated decision system in your organisation, record the following. You can complete this per system in your processing register and your AI register. Those two documents are connected for systems that process personal data.
System: [name]
Vendor: [name]
In use since: [date]
What the system does: [Brief description of the AI functionality and decision process]
Personal data processed: [List of data types, e.g. name, income, browsing history, CV content]
Lawful basis (GDPR): [Legitimate interest / consent / legal obligation / performance of contract]
Special categories processed: [Yes / No. If yes: which exception (Art. 9)]
Consequences of the decision for data subjects: [Describe what changes for the data subject as a result of the decision]
Human oversight: [Who can review and reverse a decision? How?]
Transparency toward data subjects: [Are data subjects informed? Through which channel and at what point?]
DPIA carried out: [Yes / No / Not applicable. Date of last review.]
Internal responsible person: [Name / role]
Last system evaluation: [Date]
This template gives you the minimum documentation needed for both Article 22 GDPR and the AI Act. You can expand it with technical details if the AI Act requires this for your specific system.
The most common mistake: human oversight on paper only
Many organisations write in their documentation that "a human always makes the final decision." In practice, this is rarely accurate.
If the AI makes a recommendation and the employee accepts it in 95% of cases without substantive review, there is no real human oversight. There is a rubber stamp.
The AI Act and Article 22 GDPR require that human oversight is meaningful. That means: the person has the knowledge, the time, and the authority to actually assess the decision and override it if necessary.
In your documentation, describe not only that human oversight exists but how it works in practice. How much time does the employee get per decision? Does that person have the context to assess the AI's recommendation? Is it tracked when the AI recommendation is overridden?
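As an added illustration for this section (not code from the original article), the following Python sketch shows how a decision log can evidence whether oversight is meaningful: it assumes a log with the fields shown and flags a system as a rubber stamp when the reviewer accepts the AI recommendation in 95% or more of cases or spends only seconds per decision. The thresholds and the sample records are assumptions.

```python
from dataclasses import dataclass
from statistics import median


@dataclass(frozen=True)
class DecisionRecord:
    system: str             # automated decision system, as named in the AI register
    subject_id: str         # pseudonymous reference to the data subject
    ai_recommendation: str  # what the system proposed
    final_decision: str     # what the human reviewer actually decided
    reviewer: str           # who exercised human oversight
    review_seconds: int     # time the reviewer spent before deciding


# Constructed sample log (assumption, not real data): 20 CV-screener decisions,
# 19 of them accepted within seconds, and 10 loan-scorer decisions reviewed
# for three minutes each with three overrides.
SAMPLE_LOG = (
    [DecisionRecord("cv-screener", f"cand-{i:03d}", "reject", "reject", "hr-01", 4)
     for i in range(19)]
    + [DecisionRecord("cv-screener", "cand-019", "reject", "accept", "hr-01", 240)]
    + [DecisionRecord("loan-scorer", f"app-{i:03d}", "reject",
                      "accept" if i < 3 else "reject", "credit-02", 180)
       for i in range(10)]
)


def oversight_metrics(records, system):
    """Summarise how human oversight actually behaves for one system."""
    rows = [r for r in records if r.system == system]
    if not rows:
        raise ValueError(f"no decisions logged for {system}")
    overrides = sum(1 for r in rows if r.final_decision != r.ai_recommendation)
    return {
        "decisions": len(rows),
        "overrides": overrides,
        "acceptance_rate": 1 - overrides / len(rows),
        "median_review_seconds": median(r.review_seconds for r in rows),
    }


def is_rubber_stamp(metrics, max_acceptance=0.95, min_median_seconds=60):
    """Flag oversight that exists on paper only: near-total acceptance of the
    AI recommendation, or reviews too short to be a substantive assessment.
    Both thresholds are assumptions; set them per system in your documentation."""
    return (metrics["acceptance_rate"] >= max_acceptance
            or metrics["median_review_seconds"] < min_median_seconds)


if __name__ == "__main__":
    for name in ("cv-screener", "loan-scorer"):
        m = oversight_metrics(SAMPLE_LOG, name)
        print(name, m, "RUBBER STAMP" if is_rubber_stamp(m) else "meaningful oversight")
```

Run over your real log, the same two numbers (acceptance rate and review time) are what an auditor will ask for when you claim that "a human always makes the final decision".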
How to ask your vendor for what you need
If you use a SaaS tool that makes automated decisions, you depend on your vendor for part of the documentation. That is not an excuse not to have it.
Ask your vendor the following questions:
- What input variables does the system use to reach a decision?
- Is logging of individual decisions available?
- Does the system offer a mechanism for human override?
- What technical documentation can the vendor provide for AI Act compliance?
If the vendor cannot answer these questions, that is a risk signal. You can also write these items into your Data Processing Agreement as obligations the vendor must meet.
What to do next
Do you have systems in your organisation that make decisions about people? Start with an inventory. Know which systems you use and what consequences those decisions have for the people affected.
From there, build the documentation per system, step by step. The AI inventory is the starting point. Read our step-by-step guide to building an AI inventory for that.
Using automated decision-making that affects people and want to get the documentation in order? ComplianceHive helps you register AI systems with the right fields for GDPR Article 22 and the EU AI Act, including human oversight and data subject rights. Try free for 30 days.
This article is general information and not legal advice. Consult a qualified lawyer or privacy specialist for an assessment specific to your situation.