GDPR Article 22 prohibits decisions based solely on automated processing — including profiling — that produce legal or similarly significant effects on an individual, unless one of three narrow exceptions applies; and even when an exception applies, specific safeguards including a genuine right to human review are mandatory.
Key takeaways
- Article 22 does not ban automated processing generally. It bans solely automated decisions with legal or similarly significant effects. A recruitment algorithm that emails candidates about open roles is not Article 22. One that eliminates them before a human reads their application is.
- "Solely automated" includes human sign-off where the person reviewing the output has no real ability or authority to override it. In the SCHUFA ruling (Case C-634/21, December 2023) the CJEU treated a credit score as the decision itself because lenders almost invariably followed it; a downstream review that merely follows the score does not break the chain.
- Credit scoring, insurance pricing, recruitment screening, and benefits eligibility assessments are the most commonly cited Article 22 scenarios — and all have been tested in enforcement or court proceedings.
- Three exceptions exist: necessity for contract performance, authorization by member state law with safeguards, and explicit consent. They are narrow and come with conditions.
- Special-category data (health, biometrics, race, religion, etc.) requires one of the Article 22 exceptions AND, under Article 22(4), either explicit consent (Article 9(2)(a)) or substantial public interest under Union or member state law (Article 9(2)(g)), plus suitable safeguards. For commercial operators, explicit consent is usually the only viable route.
- Article 22 violations sit in GDPR's top tier of fines: up to €20 million or 4% of global annual turnover, whichever is higher.
What Article 22 actually says
Article 22(1) states that a data subject shall not be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her or similarly significantly affects him or her.
Three concepts do the work:
Solely automated — no meaningful human involvement in reaching the decision. A human who formally signs a letter generated by an algorithm, or who reviews an algorithm's output but has no genuine authority or capacity to reach a different conclusion, does not make the process non-automated. The CJEU confirmed this in SCHUFA: the credit bureau argued that Article 22 did not apply because the actual credit refusal came from the lender, not from SCHUFA's score. The Court rejected this, ruling that the score itself constituted the automated decision because lenders almost invariably refused credit when the score fell below threshold.
Legal effects — decisions that alter, create, or extinguish legal rights or obligations: refusing a loan, terminating an employment contract, denying access to a benefit, deportation decisions.
Similarly significant effects — decisions that, without creating a formal legal change, substantially affect a person's life circumstances. Examples that courts and DPAs have found to qualify: insurance premium increases driven by algorithmic risk profiles, filtering a job applicant out of consideration before any human reviews them, restricting access to a platform or service based on a risk score, determining a social housing allocation.
The effect threshold is high. Article 22 does not cover minor inconveniences or routine data processing. Sending a personalized email newsletter is not Article 22. Pricing a person out of health insurance based on their postcode and inferred lifestyle data almost certainly is.
The distinction between profiling and automated decision-making
These are separate concepts that overlap in Article 22.
Profiling (defined in Article 4(4)) is any automated processing of personal data to evaluate personal aspects of a person, particularly to analyze or predict behavior, performance, economic situation, health, preferences, interests, reliability, location, or movements.
Automated decision-making is reaching a determination — a conclusion with a real-world consequence — through that profiling or through other automated processing.
Article 22 applies only when a qualifying decision (one with legal or similarly significant effect) is made. Profiling alone does not trigger it, although a profile is usually built to feed exactly such a decision. Even where no qualifying decision is made:
- Articles 13 and 14 require transparency about profiling, including meaningful information about the logic involved and the envisaged consequences.
- Article 21(2) gives data subjects an unconditional right to object to profiling for direct marketing purposes, regardless of Article 22.
The three exceptions
Article 22 is a prohibition, not merely a transparency obligation. It applies by default. Processing under it is unlawful unless one of the three exceptions in Article 22(2) is satisfied.
Exception 1: Necessity for contract performance
The automated decision is necessary for entering into or performing a contract between the data subject and the controller. "Necessary" is interpreted narrowly: the decision must be genuinely required for the contract to function, not just convenient or cheaper to automate.
What qualifies: Creditworthiness assessment where manual review of every application would make the product economically unviable may qualify, though this requires case-by-case analysis. An automated check that a user meets age requirements before allowing them to sign a digital contract likely qualifies.
What does not: Using automation because it is faster or cheaper, while a manual alternative exists, does not satisfy the necessity standard.
Safeguard requirement even under this exception: the controller must implement suitable measures to safeguard the data subject's rights and freedoms and legitimate interests, at minimum including the right to obtain human intervention, to express their point of view, and to contest the decision.
Exception 2: Authorized by member state law
Union or member state law authorizes the automated decision and lays down suitable measures to safeguard the data subject's rights and freedoms and legitimate interests. This exception covers statutory schemes — fraud detection systems operated by government agencies, for example — where the automation is specifically enabled by legislation with built-in safeguards.
This exception is narrow in scope for private sector organizations. Most commercial AI applications do not have specific legislative authorization.
Exception 3: Explicit consent
The data subject has given explicit consent to the automated decision. This means the higher standard of consent under Article 9(2)(a) — specific to this processing activity, with a real choice, and not conditioned on access to a service.
For special-category data (health, biometrics, racial origin, etc.), Article 22(4) allows the decision only where Article 9(2)(a) (explicit consent) or Article 9(2)(g) (substantial public interest under Union or member state law) applies. For commercial operators, explicit consent under Article 9(2)(a) is generally the only viable route. Even then, Article 22(4) additionally requires suitable measures to safeguard the data subject's rights.
Key constraint: Explicit consent cannot be bundled into general terms and conditions. An individual must specifically agree to a decision about them being made automatically, with full understanding of what that means and a genuine alternative if they decline.
Mandatory safeguards in all three exceptions
For the contract-necessity and explicit-consent exceptions, Article 22(3) requires the controller to implement at least the safeguards below. For the member-state-law exception, Article 22(2)(b) requires the authorising law itself to lay down suitable safeguards, so a controller relying on it should check that the statute actually provides them rather than assuming it does:
- The right to obtain human intervention. Not nominal review — genuine human authority to reach a different outcome. The ICO's guidance specifies the reviewer must be capable of changing the decision and must actually consider the individual's specific circumstances rather than just reviewing whether the algorithm ran correctly.
- The right to express their point of view. The data subject must have a genuine opportunity to provide information that could affect the decision before it becomes final.
- The right to contest the decision. After a decision is made, the data subject must have a meaningful route to challenge it.
These rights must be communicated in the privacy notice and made practically accessible — not buried in a contact form.
Transparency obligations that apply even outside Article 22
Where automated processing or profiling occurs but does not reach the Article 22 threshold — because a human makes the final call, or because the effects fall short of legal or similarly significant — transparency obligations still apply under Articles 13 and 14:
- The privacy notice must disclose the existence of automated decision-making and profiling.
- It must include meaningful information about the logic involved.
- It must describe the significance and envisaged consequences of the processing for the data subject.
"Meaningful information about the logic" does not require disclosure of trade secrets or proprietary model weights. The CJEU addressed this directly in Case C-203/22 (February 2025): where a controller claims the scoring logic contains trade secrets, it must still disclose that information to the relevant supervisory authority or court, which then balances the competing interests. The controller cannot simply withhold the logic from regulators on trade-secret grounds.
Common use cases and their Article 22 status
| Use case | Article 22 triggered? | Notes |
|---|---|---|
| Credit scoring used by a lender to auto-approve/decline | Yes | SCHUFA ruling confirmed; the score itself is the automated decision |
| Insurance premium algorithm that sets price with no human review | Almost certainly yes | Similarly significant effect on financial circumstances |
| Recruitment AI that screens CVs and sends rejection emails autonomously | Yes | Eliminates a candidate before any human sees them |
| Recruitment AI that ranks CVs for a human recruiter who makes all hiring decisions | Not automatically | Depends on whether the recruiter genuinely assesses the candidates rather than simply following the ranking |
| Dynamic content personalisation (e.g. product recommendations) | No | No legal or similarly significant effect |
| Anti-fraud score that flags a transaction for manual review | Generally no | Human reviews the flag; no final decision without human input |
| Anti-fraud score that automatically blocks a payment | Likely yes | Legal effect on the transaction; separate payment-services rules may also apply |
| Automated customer segmentation for marketing | No for Article 22 | Article 21(2) unconditional objection right for direct marketing still applies |
| Benefits eligibility determination by a government algorithm | Yes | Legal effect; exception 2 (law) likely needed |
The EDPB's 2026 Coordinated Enforcement Framework is actively examining GDPR transparency obligations under Articles 12-14, which means profiling disclosures in privacy notices are under heightened scrutiny right now.
For consent management platform deployments, note that if a CMP automatically determines which consent experience to show based on a profile of the user (jurisdiction, prior behavior, device fingerprint), this is unlikely to trigger Article 22 in most implementations — but must be disclosed in the privacy notice as profiling.
Enforcement in practice
Article 22 has historically been under-enforced relative to other GDPR provisions, but enforcement is accelerating as algorithmic management tools become widespread.
SCHUFA (CJEU, December 2023): The Court of Justice of the EU ruled in Case C-634/21 that SCHUFA's automated credit scoring constituted an Article 22 automated decision — not merely input data — because the score played a determining role in lenders' decisions and led to refusal in almost all cases below threshold. This shifted Article 22's reach significantly: any score or output that "plays a determining role" in a downstream decision is now within scope, even if the formal decision is made by a third party.
Foodinho/Glovo (Italian DPA, November 2024): The Garante fined Foodinho €5 million for using algorithms to manage shifts, assign orders, and deactivate accounts of over 35,000 delivery riders without any mechanism for human intervention and without allowing riders to contest automated decisions. This was one of the first DPA decisions explicitly finding that algorithmic workforce management breaches Article 22 — establishing that gig economy platforms using fully automated people management are in direct scope.
CJEU Case C-203/22 (February 2025): The Court addressed what "meaningful information about the logic" requires when a controller claims trade secret protection for its scoring model. The ruling: the controller must still disclose the logic to the supervisory authority or court, which then balances the competing interests. Controllers cannot simply withhold automated decision logic from regulators on trade-secret grounds.
The pattern across these cases: regulators are focused on algorithmic management of workers and the rubber-stamp problem (nominal human review with no genuine authority to override).
Building Article 22 compliance for AI tools
If your organization uses or deploys AI tools that produce individual-level outputs affecting people's access to services, credit, employment, or benefits, work through these steps:
Step 1: Inventory your automated processing. Map every system that produces an output about a named individual or an identifiable person. Include third-party tools you use (credit databases, ATS systems, insurance underwriting platforms).
Step 2: Test each against the two-part trigger. Is the decision solely automated (no genuine human authority to override)? Does it produce a legal or similarly significant effect? Both must be true for Article 22 to apply.
Step 3: Identify and document the exception. If Article 22 applies, which of the three exceptions covers the processing? Document why the exception is satisfied.
Step 4: Implement the required safeguards. For each Article 22 processing activity: build a genuine human review mechanism (not a rubber stamp), create a process for data subjects to input information before the decision, and create a meaningful challenge route after.
Step 5: Update privacy notices. For all Article 22 processing: disclose the existence of automated decision-making, the logic involved, and the consequences. For processing that involves profiling but falls below the Article 22 threshold, disclose it under Articles 13/14 regardless.
Step 6: Check special-category data. If any automated decision uses health, genetic, biometric, racial, religious, political, union, or sexual orientation data: both Article 22 and Article 9 conditions must be satisfied simultaneously.
Step 7: Record in your Article 30 RoPA. Document each Article 22 processing activity, the exception relied on, and the safeguards implemented. This is your primary defence if a DPA investigates.
For organizations deploying high-risk AI systems under the EU AI Act, Article 22 compliance overlaps with Article 14 (human oversight) requirements. The EU AI Act compliance guide for enterprises covers how these obligations interact.
Frequently asked questions
Does Article 22 only apply to fully automated decisions, or do hybrid human-AI decisions count?
Hybrid decisions where a human has genuine authority and actually exercises independent judgment are generally not Article 22. But where the human's role is to transmit or record the algorithm's output, the CJEU's SCHUFA ruling establishes that the processing is still "solely automated." The test is whether the human involvement is substantive and capable of influencing the outcome — not whether a human is present in the process.
Do we need explicit consent for every AI recommendation tool?
No. Article 22 applies only when all of its conditions are met: a decision, based solely on automated processing, with a legal or similarly significant effect. Most AI recommendation systems (product suggestions, content personalization, customer segmentation) do not produce qualifying effects and do not require Article 22 compliance. They may still require disclosure under Articles 13/14 as profiling.
Can we use legitimate interests as the basis for Article 22 processing?
No. Article 22(2) lists three specific exceptions. Legitimate interests under Article 6(1)(f) is not one of them. Article 22 is a specific restriction that operates on top of Article 6 — satisfying a lawful basis under Article 6 does not satisfy Article 22's separate requirements.
What does "meaningful" human intervention actually require?
The ICO guidance states the reviewer must have the authority and competence to reach a different decision, and must actually review the individual circumstances — not just verify the algorithm ran correctly. In practice: the reviewer must be able to say "the algorithm said decline, but I'm approving this" based on information about the specific case, and that override must actually be honored downstream.
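The following Python model is an added illustration, not code from the page or from any product it mentions. It shows how Step 2 (the two-part trigger) and Step 4 (a human review that is not a rubber stamp) from the compliance steps above, together with the override test in this answer, can be enforced in the issuing system rather than left to policy. All names (Decision, Review, finalise, the 0.5 score threshold, the sample applicant) are hypothetical; the failure mode shown in finalise_rubber_stamp is a downstream component that reads the model output directly, so a reviewer's override is lost.

```python
from dataclasses import dataclass, field
from typing import List, Optional

SIGNIFICANT_EFFECTS = {"legal", "similarly_significant"}
ARTICLE_22_EXCEPTIONS = {"contract_necessity", "member_state_law", "explicit_consent"}
THRESHOLD = 0.5  # hypothetical score cut-off for the model's approve/decline


@dataclass
class Review:
    reviewer: str
    has_override_authority: bool    # could the reviewer reach a different outcome?
    considered_circumstances: bool  # looked at the case, not just whether the model ran
    outcome: str                    # "approve" or "decline"


@dataclass
class Decision:
    subject_id: str
    model_score: float
    effect: str                      # "legal", "similarly_significant" or "minor"
    exception: Optional[str] = None  # documented Article 22(2) exception, if any
    review: Optional[Review] = None
    final_outcome: Optional[str] = None
    audit: List[str] = field(default_factory=list)  # record for the Article 30 RoPA


class ComplianceError(Exception):
    pass


def model_outcome(d: Decision) -> str:
    return "approve" if d.model_score >= THRESHOLD else "decline"


def review_is_meaningful(r: Optional[Review]) -> bool:
    """A review counts only if the human had authority AND actually looked at the case."""
    return r is not None and r.has_override_authority and r.considered_circumstances


def article22_in_scope(d: Decision) -> bool:
    """Two-part trigger: solely automated AND legal or similarly significant effect."""
    return not review_is_meaningful(d.review) and d.effect in SIGNIFICANT_EFFECTS


def finalise_rubber_stamp(d: Decision) -> str:
    """Failure mode: downstream consumes the model output directly, so any
    reviewer override recorded on the decision is silently discarded."""
    return model_outcome(d)


def finalise(d: Decision) -> str:
    """Hardened issuance: a meaningful review's outcome wins over the model's,
    and an in-scope decision cannot be issued without a documented exception."""
    proposed = model_outcome(d)
    d.audit.append(f"model score={d.model_score:.2f} proposed={proposed}")
    if review_is_meaningful(d.review):
        d.final_outcome = d.review.outcome
        d.audit.append(f"reviewed by {d.review.reviewer}; override={d.final_outcome != proposed}")
        return d.final_outcome
    if d.effect in SIGNIFICANT_EFFECTS:
        if d.exception not in ARTICLE_22_EXCEPTIONS:
            d.audit.append("blocked: Article 22 in scope with no documented exception")
            raise ComplianceError(f"{d.subject_id}: no Article 22(2) exception recorded")
        d.audit.append(f"issued automatically under exception={d.exception}; contestable")
    else:
        d.audit.append("minor effect: issued automatically")
    d.final_outcome = proposed
    return d.final_outcome


def request_human_intervention(d: Decision, review: Review) -> str:
    """Article 22(3) safeguard: the subject asks for a human; a rubber stamp is rejected."""
    if not review_is_meaningful(review):
        d.audit.append(f"rejected review by {review.reviewer}: no authority or no case review")
        raise ComplianceError("review does not constitute meaningful human intervention")
    d.review = review
    return finalise(d)


if __name__ == "__main__":
    # Constructed sample: a declined loan applicant contests the decision.
    d = Decision("applicant-1", model_score=0.42, effect="legal", exception="contract_necessity")
    print(finalise(d))  # decline, issued under the contract-necessity exception
    print(request_human_intervention(d, Review("analyst-7", True, True, "approve")))  # approve
    print(finalise_rubber_stamp(d))  # decline: the override never reaches this consumer
    print("\n".join(d.audit))
```

The design point is that the issuing function reads the final outcome from the reviewed decision record, never from the raw score, and that it refuses to treat a review as human intervention unless both authority and actual consideration of the case are recorded. The audit list is what you would keep for Step 7.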
Does Article 22 apply to automated decisions about employees?
Yes. Employment decisions — performance assessment, promotion, disciplinary action, termination — that are produced by automated processing with legal or significant effect on the employee trigger Article 22. The European Data Protection Board's guidance on employee monitoring (published 2023) specifically addresses this for algorithmic productivity scoring and performance management tools.
Is Article 22 changing under the GDPR reform proposals?
Yes, partially. The European Commission's proposed GDPR reform (still in legislative process as of mid-2026) would relax some Article 22 requirements for non-sensitive data processing by public authorities, and extend the exceptions available. The core prohibition on solely automated decisions with legal effects without safeguards is expected to remain. Monitor the legislative progress before making compliance architecture decisions based on the proposed changes.