Hael
Sign inRequest a demo
GDPR Article 22 · Practice

GDPR Article 22 compliance checklist

Updated 6 July 2026 · 6 min read
Key takeaway
Find the solely-automated significant decisions you make, confirm each rests on contract, law, or explicit consent, and wire in the safeguards: human intervention, an explanation of the logic, and a route to contest. Where the data is special-category, meet the higher bar. Document all of it.
  • Step 1 — inventory the solely-automated significant decisions, including scores you buy in.
  • Step 2 — confirm each rests on contract, law, or explicit consent, or redesign the process.
  • Step 3 — wire in genuine human intervention, meaningful information, and a route to contest.
  • Step 4 — document decisions, bases and safeguards, and keep the record current.
  • General information, not legal advice. Current as of July 2026.

Step 1: find the decisions

Inventory every process where an automated system produces an output that significantly affects a person, credit, hiring, insurance, eligibility, pricing that gates access, and mark those made without meaningful human involvement. Include scores you buy in and rely on, not only ones you build, because reliance can bring you within Article 22.

Step 2: confirm a lawful basis

Each solely-automated significant decision must rest on one of three bases: necessity for a contract, authorisation by EU or member-state law, or the individual's explicit consent. If none applies, the decision is prohibited as it stands and must be redesigned, either by adding meaningful human involvement or by changing the basis.

Step 3: wire in the safeguards

For contract and consent bases, provide a genuine right to human intervention by someone with authority to change the outcome, a way for the individual to express their view, and a route to contest the decision. Give meaningful information about the logic involved and the consequences, in terms a person can act on. Where special-category data is used, ensure the stricter conditions are met.

Step 4: document and maintain

Record the decisions, their bases, and their safeguards, and keep the record current as systems change, mirroring the transparency duties the SCHUFA ruling underlined. Regulators are actively examining profiling transparency under the EDPB's 2026 enforcement framework, so treat these records as something you may need to produce, not file away.

Key terms

Decision inventory
A live list of the processes where automated outputs significantly affect people.
Lawful basis
One of contract necessity, legal authorisation, or explicit consent under Article 22(2).
Human intervention
Review by a person with genuine authority to change the outcome.
Meaningful information
An explanation of the logic and consequences the individual can act on.
Special-category data
Sensitive personal data (health, ethnicity, biometrics, etc.) attracting a stricter Article 22 bar.

References

Related guides

Keep reading on GDPR Article 22.

Free check

See where you stand on GDPR Article 22, free.

Answer a few questions and get an indicative view of what GDPR Article 22 expects of your AI systems and where you stand today — no sign-up to see your result.

Indicative, not legal advice.
GDPR Article 22 · indicative readiness
HAEL FREE TOOLLIVE
Applicability
Applies to your AI use
MAPPED
What's expected
Risk classification · governance · documentation · oversight
4 PILLARS
Where you stand
Banded result · pointed to the gaps that matter most
SOURCED
Result
On-screen, free · optional PDF
FREE
Effort
Pre-scoped to GDPR Article 22
~ 5 MIN
INDICATIVE · NOT LEGAL ADVICE