Three questions that answer whether your AI-driven decision triggers GDPR Article 22, the right not to be subject to decisions based solely on automated processing with legal or similarly significant effect. Walks the meaningful-human-review test, the legal-effect test, and the Article 22(2) exemption routes.
Sources: GDPR Article 22 on EUR-Lex + EDPB WP251rev.01. Self-assessment, not legal advice.
GDPR Article 22(1) only attaches when there is NO meaningful human involvement in the decision. 'Meaningful' means a human reviewer who can override the automated output, has the authority to do so, and has access to the data needed to form their own judgment. A rubber-stamp human is not meaningful. EU AI Act Article 14 codifies this human-oversight requirement for high-risk AI.
Article 22(1) of the GDPR grants every data subject the right not to be subject to a decision based SOLELY on automated processing, including profiling, which produces legal effects concerning them or similarly significantly affects them. In plain language: if AI makes the decision and there's no meaningful human in the loop, AND the decision has a real-world consequence for the person, the person has the right to demand human review.
The EDPB's WP251rev.01 guidelines lay this out clearly: a meaningful human reviewer must (1) have the authority to override the automated decision, (2) actually exercise that authority when warranted (not rubber-stamp), (3) have access to all the data and considerations needed to form their own judgment, and (4) be appropriately trained. A clerk who 'approves' 1000 AI decisions per day is not meaningful. A credit officer who reviews edge cases and can override the score is.
Article 14 of the EU AI Act codifies human-oversight requirements for high-risk AI systems: providers must design them so that natural persons can effectively oversee the AI during use. Article 26(2) requires deployers to assign actual humans with the competence and authority for that oversight. GDPR Article 22 is the data-subject-facing right: it says the person affected has the right to demand human review. The two regimes work together: the AI Act ensures the oversight infrastructure exists; GDPR ensures the data subject can invoke it.
Yes, in nearly all cases. Credit decisioning with a numerical AI score and a yes/no credit grant has been the canonical Article 22 example since the regulation entered into force. The exemption typically relied on is Article 22(2)(b), authorised by Union or Member State law. The recast Consumer Credit Directive (2023/2225) Article 18 effectively codifies the explanation right, satisfying Article 22(3) safeguards. The Annex III(5)(b) AI Act classification adds Article 14 + Article 26(2) human-oversight obligations on top.
Often yes. AI-driven CV screening, candidate scoring, automated rejection, and performance scoring all meet the threshold IF there is no meaningful human review and the decision has employment consequences. The EDPB guidelines list employment shortlisting explicitly. Most modern HR stacks include a 'review the AI's shortlist' step, which is borderline meaningful: it depends on whether the recruiter actually reviews edge cases or just approves the top 10. Design for unambiguous meaningful review to stay out of Article 22 scope; otherwise rely on (a) contract necessity (e.g. for fixed-criteria checks) or (c) explicit consent.
Article 22 stacks heavily with Annex III(5)(b) credit-scoring AI under the EU AI Act and Article 18 of the Consumer Credit Directive. The guide walks the full triple-stack obligation map.