GDPR Article 22 — safeguards for solely automated decisions.
How Hael produces the meaningful-information records and human-review evidence that GDPR Article 22 requires for automated decisions: generated, sealed and verifiable.
What Article 22 requires
GDPR Article 22 grants data subjects the right not to be subject to a decision based solely on automated processing — including profiling — which produces legal effects concerning them or similarly significantly affects them. The provision applies to automated credit scoring, automated hiring decisions, automated insurance underwriting, automated benefit determinations and similar decisions where the decision is fully automated and the effect is legally or similarly significant.
Where Article 22 applies, the data subject has the right to obtain human intervention on the part of the controller, to express their point of view and to contest the decision. Limited exceptions exist where the decision is necessary for entering into or performing a contract, authorised by Union or Member State law, or based on the data subject's explicit consent. Even within exceptions, suitable safeguards — including the rights to human intervention, expression and contestation — must be in place. The European Data Protection Board (EDPB) has issued substantive guidance.
How Hael runs it
Hael runs the Article 22 safeguards as wired workflows. Decisions classified as solely automated with legal or similarly significant effect are flagged at agent registration and trigger the safeguards by default. The right-to-human-intervention pathway is operationalised: a data subject request triggers a human-review workflow with a qualified reviewer, an SLA-tracked review window, and a sealed review record with reasons.
The right to express a view and the right to contest are wired into the same workflow surface. Each data-subject expression is captured, considered in the human review and reflected in the review record. Where the decision is overturned, the downstream effect is rolled back automatically via the platform's policy enforcement engine. The full chain — original automated decision, data-subject input, human review, outcome — is sealed in the audit chain for regulator engagement.
Questions
What counts as 'solely automated' under Article 22?
A decision is solely automated where there is no meaningful human involvement in the decision itself — token human review (rubber-stamping) does not satisfy the carve-out. The EDPB guidance is clear that the human reviewer must have the authority and competence to overturn the automated output for review to be substantive.
What constitutes a 'legal effect' or 'similarly significant effect'?
Legal effects affect a person's legal status or rights, for example denial of benefits, refusal of citizenship or contract termination. Similarly significant effects include credit decisions, insurance underwriting, employment decisions and access to essential services. EDPB guidance elaborates on the threshold.
How does Article 22 interact with the EU AI Act?
GDPR Article 22 applies to automated decisions about individuals based on personal data. EU AI Act Annex III covers high-risk AI systems by use case. Many systems trigger both: an AI credit scoring system is both an Article 22 solely automated decision and an Annex III high-risk AI system. Compliance requires meeting both sets of obligations.