---
title: GDPR Article 22 — Automated Individual Decision-Making
type: concept
tags: [gdpr, automated-decision-making, profiling, human-oversight, legal, regulatory-risk]
sources: ["[[sources/gdpr-article-22-text]]", "[[sources/2023-lazcoz-dehert-humans-in-gdpr-and-aia-governance]]", "[[sources/2025-okan-btlj-blog-ccpa-vs-gdpr-automated-decision-making]]", "[[sources/2025-navaie-iapp-engineering-gdpr-compliance-agentic-ai]]"]
created: 2026-04-27
updated: 2026-04-27
---

# GDPR Article 22 — Automated Individual Decision-Making

The provision of the GDPR that grants data subjects the right *not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning them or similarly significantly affects them*, together with the corresponding obligation on controllers to provide human-oversight safeguards. **The single most important legal anchor for AI-driven process automation in the EU.**

## Structure

- **Art. 22(1)**: general prohibition on solely automated decisions that produce legal or similarly significant effects.
- **Art. 22(2)**: three exceptions: (a) necessity for entering into or performing a contract, (b) authorisation by Union or Member State law (which must itself lay down suitable safeguards), (c) explicit consent.
- **Art. 22(3)**: for exceptions (a) and (c), the controller must implement suitable measures including *at least* the right to obtain human intervention, the right to express one's point of view, and the right to contest the decision.
- **Art. 22(4)**: special-category data (Art. 9(1)) may not ground such decisions unless Art. 9(2)(a) explicit consent or Art. 9(2)(g) substantial public interest applies, and suitable safeguards are in place.

See [[sources/gdpr-article-22-text]] for the full text.

## Two intervention mechanisms

Per [[sources/2023-lazcoz-dehert-humans-in-gdpr-and-aia-governance|Lazcoz & de Hert 2023]]:

| Mechanism | Triggered by | Stage | Goal |
|---|---|---|---|
| **Human-in-the-loop** | Art. 22(1) (the word "solely") | *Prior* to the legal/significant effect | Lift the prohibition by making a human an essential component of the decision (accountability rationale) |
| **Human-out-of-the-loop on request** | Art. 22(3) safeguards (and the suitable measures a 22(2)(b) law must provide) | *After* the decision takes effect | Enable contestation by the data subject (contestability rationale) |

## Operative ambiguities

- **"Solely"**: interpreted by the [[entities/wp29|Article 29 Working Party]] (now the EDPB) in its guidelines on automated decision-making (WP251rev.01) as requiring *meaningful* human intervention; mere rubber-stamping of the algorithmic output does not lift the prohibition. The same test was applied by the Amsterdam District Court (2021) in the *Uber* and *Ola* transparency cases (C/13/687315; C/13/689705) and the *Uber* deactivation case (C/13/692003).
- **"Legal or similarly significant effect"**: covers credit scoring (CJEU *SCHUFA*, C-634/21, 7 Dec 2023, which treated the score itself as a "decision" where the recipient draws strongly on it), employment, insurance, and platform deactivation.
- **"Suitable safeguards" under 22(2)(b)**: vaguely drafted; interpreted case by case.

## Meaningful intervention requires

1. **Authority and competence** to change the decision, not merely to apply the algorithmic output.
2. **Consideration of all relevant data**, not only the algorithmic recommendation.
3. **Avoidance of [[concepts/automation-bias|automation bias]]**: an institutional check, not just an individual review.

## Connection to AI Act

The [[concepts/eu-ai-act|EU AI Act]] (Reg. (EU) 2024/1689) Art. 14 mandates human oversight for high-risk AI systems and extends the GDPR's framework to the **development phase**, not only the use phase. The deployer obligations (Art. 26(9) in the adopted text; Art. 29 in the Commission proposal numbering used by Lazcoz & de Hert) explicitly reference the DPIA duty under Art. 35 GDPR, a deliberate bridge between the two regimes.

## Connection to DPIA

[[concepts/dpia|Data Protection Impact Assessments]] (Art. 35 GDPR) are the principal governance tool for demonstrating that human intervention under Art. 22 is meaningful. A DPIA is mandatory under Art. 35(3)(a) for a systematic and extensive evaluation of personal aspects based on automated processing, including profiling, on which decisions producing legal or similarly significant effects are based.

## Cross-jurisdiction comparison

The US **CCPA** proposed ADMT rules differ from Art. 22 on three structural axes: opt-out versus opt-in consent, a conditional versus an unconditional right of appeal, and narrow versus broad scope. See [[sources/2025-okan-btlj-blog-ccpa-vs-gdpr-automated-decision-making]].

## Engineering implication for agentic AI

Per [[sources/2025-navaie-iapp-engineering-gdpr-compliance-agentic-ai|Navaie 2025]], static DPIA documents cannot govern agentic systems whose behaviour changes from one execution to the next. Art. 22 compliance for agentic stacks therefore needs runtime mechanisms: purpose locks (refusing actions outside the DPIA-declared purpose), execution traces (an auditable record of every tool call and decision), tiered memory governance, and live controller/processor mapping.

## Why this matters for BPM

Any AI-driven [[concepts/business-process|business process]] that produces decisions affecting individuals (loan approval, fraud detection, hiring, claims handling, customer offboarding, scheduling with significant impact) sits inside the scope of Art. 22. [[concepts/agentic-bpm|Agentic BPM]] systems are particularly exposed because:

- Their behaviour is non-deterministic across runs.
- Their tool calls invoke services not anticipated in the original DPIA.
- Their decisions emerge from multi-step plans rather than a single classifier, so "solely automated" is hard to disprove without execution traces showing where, and with what authority, a human intervened.
- Memory and derived artefacts persist beyond the task's scope, which risks breaching the storage-limitation principle (Art. 5(1)(e)).

## Related

[[concepts/automated-decision-making]] · [[concepts/profiling]] · [[concepts/human-oversight]] · [[concepts/dpia]] · [[concepts/eu-ai-act]] · [[concepts/automation-bias]] · [[concepts/gdpr-accountability-principle]]
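The runtime mechanisms named under "Engineering implication for agentic AI" (purpose lock, execution trace) and the evidentiary problem raised under "Why this matters for BPM" (disproving "solely automated" without traces) can be sketched together in one control. The following is an added illustration written for this note, not code from Navaie 2025 or from any product; the class names, the `loan-eligibility` purpose, the tool names, the subject and reviewer identifiers and the trace events are all constructed. It keeps a hash-chained, append-only ledger of one agent run, refuses tool calls that fall outside the DPIA-declared purpose or touch barred Art. 9 categories, and answers the question an auditor asks: was a significant decision for this subject followed by a review by someone with authority who saw every input the decision used? A review that lacks authority or saw only part of the inputs (a rubber stamp) does not count.

```python
"""Runtime Art. 22 controls for one agentic run: purpose lock, hash-chained
execution trace, and a "meaningful intervention" check over that trace.
Added example for this note; every name and sample value is assumed."""
from __future__ import annotations

import hashlib
import json
from dataclasses import dataclass

GENESIS = "0" * 64  # prev-hash of the first event


class PurposeViolation(Exception):
    """A tool call fell outside the DPIA-declared purpose (constructed)."""


@dataclass(frozen=True)
class PurposeLock:
    purpose: str               # purpose as recorded in the DPIA (assumed)
    allowed_tools: frozenset   # tools the DPIA anticipated
    barred_categories: frozenset  # Art. 9(1) categories with no 22(4) exception


@dataclass(frozen=True)
class Event:
    seq: int
    kind: str      # tool_call | blocked | decision | human_review
    payload: dict
    prev: str
    digest: str


class ExecutionTrace:
    """Append-only, hash-chained ledger of one agent run."""

    def __init__(self, run_id: str, lock: PurposeLock) -> None:
        self.run_id, self.lock, self.events = run_id, lock, []

    def _digest(self, seq: int, kind: str, payload: dict, prev: str) -> str:
        body = json.dumps({"run": self.run_id, "seq": seq, "kind": kind,
                           "payload": payload, "prev": prev}, sort_keys=True)
        return hashlib.sha256(body.encode()).hexdigest()

    def _append(self, kind: str, payload: dict) -> Event:
        prev = self.events[-1].digest if self.events else GENESIS
        seq = len(self.events)
        ev = Event(seq, kind, payload, prev, self._digest(seq, kind, payload, prev))
        self.events.append(ev)
        return ev

    def tool_call(self, tool: str, args: dict) -> None:
        """Purpose lock: record and refuse tools or data the DPIA never covered."""
        touched = set(args.get("data_categories", ()))
        if tool not in self.lock.allowed_tools or touched & self.lock.barred_categories:
            self._append("blocked", {"tool": tool, "args": args})
            raise PurposeViolation(f"{tool!r} outside purpose {self.lock.purpose!r}")
        self._append("tool_call", {"tool": tool, "args": args})

    def decision(self, subject: str, outcome: str, inputs: list, significant: bool) -> None:
        self._append("decision", {"subject": subject, "outcome": outcome,
                                  "inputs": inputs, "significant": significant})

    def human_review(self, subject: str, reviewer: str, has_authority: bool,
                     inputs_seen: list, outcome: str) -> None:
        self._append("human_review", {"subject": subject, "reviewer": reviewer,
                                      "has_authority": has_authority,
                                      "inputs_seen": inputs_seen, "outcome": outcome})

    def verify(self) -> bool:
        """Recompute the chain; an edited or dropped event breaks it."""
        prev = GENESIS
        for ev in self.events:
            if ev.prev != prev or ev.digest != self._digest(ev.seq, ev.kind, ev.payload, prev):
                return False
            prev = ev.digest
        return True

    def solely_automated(self, subject: str) -> bool:
        """True if any significant decision for `subject` lacks a later review by a
        reviewer with authority who saw every input the decision relied on."""
        for ev in self.events:
            p = ev.payload
            if ev.kind != "decision" or p["subject"] != subject or not p["significant"]:
                continue
            later = (r.payload for r in self.events[ev.seq + 1:]
                     if r.kind == "human_review" and r.payload["subject"] == subject)
            if not any(r["has_authority"] and set(p["inputs"]) <= set(r["inputs_seen"])
                       for r in later):
                return True
        return False


def demo() -> dict:
    """Constructed run: one in-scope tool, one blocked tool, then three review states."""
    lock = PurposeLock("loan-eligibility", frozenset({"credit_score", "income_check"}),
                       frozenset({"health"}))
    t = ExecutionTrace("run-0001", lock)
    t.tool_call("credit_score", {"data_categories": ["financial"]})
    try:  # not in the DPIA and touches a barred category: recorded, then refused
        t.tool_call("social_media_scrape", {"data_categories": ["health"]})
    except PurposeViolation:
        pass
    t.decision("subj-42", "reject", ["score", "income"], significant=True)
    before = t.solely_automated("subj-42")
    t.human_review("subj-42", "ops-ack", False, ["score"], "reject")  # rubber stamp
    after_stamp = t.solely_automated("subj-42")
    t.human_review("subj-42", "officer-7", True, ["score", "income", "appeal"], "approve")
    return {"chain_ok": t.verify(), "before_review": before,
            "after_rubber_stamp": after_stamp,
            "after_meaningful": t.solely_automated("subj-42"),
            "blocked": sum(e.kind == "blocked" for e in t.events)}


if __name__ == "__main__":
    print(demo())
```

The blocked call is written to the trace before the exception is raised, so the ledger shows what the agent tried to do, not only what it was allowed to do. The hash chain gives a cheap tamper-evidence check, not a signature: anyone holding the events can recompute it, so a production deployment would anchor the head digest somewhere the agent cannot write.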