---
title: "Article 22 GDPR — Automated individual decision-making, including profiling (regulation text)"
type: source
tags: [gdpr, gdpr-article-22, automated-decision-making, profiling, primary-source, legal, regulatory-risk]
authors: [European Parliament; Council of the European Union]
year: 2016
venue: "Regulation (EU) 2016/679 (General Data Protection Regulation), Art. 22 — text reproduction by gdpr-info.eu"
kind: webpage
raw_path: "raw/Legal/gdpr-article-22-automated-decision-making-text.pdf"
authoritative_source: "EUR-Lex — Regulation (EU) 2016/679, OJ L 119, 4.5.2016, p. 1"
created: 2026-04-27
updated: 2026-04-27
key_claims:
  - Art. 22(1) — data subject has the right not to be subject to a decision based *solely* on automated processing (incl. profiling) producing legal or similarly significant effects.
  - Art. 22(2) — three exceptions to the prohibition - (a) contractual necessity, (b) Union/Member State law authorisation with safeguards, (c) explicit consent.
  - Art. 22(3) — for exceptions (a) and (c) the controller must implement suitable measures to safeguard rights, including *at least* the right to obtain human intervention, to express POV, and to contest the decision.
  - Art. 22(4) — special categories of personal data (Art. 9(1)) are excluded from the (a)-(c) exceptions unless 9(2)(a) explicit consent or 9(2)(g) substantial public interest applies AND suitable safeguards are in place.
  - Linked recitals - Recital 71 (profiling, decisional logic, anti-discrimination), Recital 72 (EDPB guidance on profiling), Recital 91 (DPIA necessity).
---

# GDPR Article 22 — Automated individual decision-making, including profiling (text)

Primary source. Reproduces the operative text of [[concepts/gdpr-article-22|Article 22 of the General Data Protection Regulation]] as published by gdpr-info.eu. **The textual anchor for the entire legal-risk cluster on AI-driven process automation.**

> ⚠️ **Citation note.** gdpr-info.eu is a private publication.
For formal citation use the authoritative version on **EUR-Lex** — *Regulation (EU) 2016/679 of 27 April 2016, OJ L 119, 4.5.2016, p. 1, Article 22*. This source page is for working reference, not authority.

## Article 22 — full text

**1.** The data subject shall have the right not to be subject to a decision based **solely** on automated processing, including profiling, which produces legal effects concerning him or her or **similarly significantly affects** him or her.

**2.** Paragraph 1 shall **not apply** if the decision:

- **(a)** is necessary for entering into, or performance of, a contract between the data subject and a data controller;
- **(b)** is authorised by Union or Member State law to which the controller is subject and which also lays down suitable measures to safeguard the data subject's rights and freedoms and legitimate interests; or
- **(c)** is based on the data subject's explicit consent.

**3.** In the cases referred to in points (a) and (c) of paragraph 2, the data controller shall implement suitable measures to safeguard the data subject's rights and freedoms and legitimate interests, **at least the right to obtain human intervention** on the part of the controller, **to express his or her point of view** and **to contest the decision**.

**4.** Decisions referred to in paragraph 2 shall **not be based on special categories of personal data** referred to in Article 9(1), unless point (a) or (g) of Article 9(2) applies and suitable measures to safeguard the data subject's rights and freedoms and legitimate interests are in place.

## Operative concepts

- **"Solely automated"** — interpreted by WP29 / EDPB and Amsterdam case-law as requiring *meaningful* prior human intervention to lift the prohibition. Nominal rubber-stamping does not satisfy. See [[sources/2023-lazcoz-dehert-humans-in-gdpr-and-aia-governance|Lazcoz & de Hert 2023]] for the doctrinal analysis.
- **"Legal effects or similarly significantly affects"** — covers e.g.
credit scoring (CJEU *SCHUFA* C-634/21, Dec 2023), employment decisions, insurance underwriting, online platform deactivation (Amsterdam *Uber/Ola* cases 2021–2023).
- **"Profiling"** — defined in Art. 4(4) GDPR: any form of automated processing of personal data evaluating personal aspects, in particular to analyse or predict aspects concerning performance, economic situation, health, preferences, behaviour, location, movements.
- **The three exceptions** are exhaustive. (b) is vaguely drafted — silent on what "suitable measures" satisfy.
- **Three types of decisions** (per Lazcoz & de Hert 2023 Fig. 1):
  1. **No-Art. 22 decisions** — no legal/significant effect → out of scope.
  2. **Art. 22(1) decisions** — solely automated + legal/significant effect → prohibited unless human-in-the-loop.
  3. **Art. 22(2) decisions** — meet one of three exceptions → allowed, but require Art. 22(3) safeguards (right to obtain intervention, express POV, contest).

## Linked recitals

- **Recital 71** — Profiling. The data subject should have the right not to be subject to a decision based solely on automated processing. Such processing should be subject to suitable safeguards including specific information, the right to obtain human intervention, the right to express POV, the right to obtain an explanation of the decision reached, the right to challenge.
- **Recital 72** — Profiling subject to GDPR rules; EDPB shall issue guidance.
- **Recital 91** — DPIA (Art. 35) necessity, particularly for processing operations using new technologies.

## Connection to other regimes

- **AI Act (Reg. EU 2024/1689)** Art. 14 — human oversight requirement for high-risk AI systems; explicitly extends GDPR's framework to the development phase. See [[sources/2023-lazcoz-dehert-humans-in-gdpr-and-aia-governance]].
- **CCPA proposed ADMT rules** — opt-out parallel rather than opt-in; see [[sources/2025-okan-btlj-blog-ccpa-vs-gdpr-automated-decision-making]].
- **DORA + NIS2** do not duplicate Art.
22 but apply on top in regulated sectors — operational-resilience layer over the data-protection layer.

## Connections

**Concepts:** [[concepts/gdpr-article-22]] · [[concepts/automated-decision-making]] · [[concepts/profiling]] · [[concepts/human-oversight]]

**Related sources (in this wiki):** [[sources/2023-lazcoz-dehert-humans-in-gdpr-and-aia-governance]] (doctrinal analysis) · [[sources/2025-okan-btlj-blog-ccpa-vs-gdpr-automated-decision-making]] (US comparison) · [[sources/2025-navaie-iapp-engineering-gdpr-compliance-agentic-ai]] (engineering implementation)

**Syntheses:** [[syntheses/legal-risk-mapping-ai-process-automation]]