EU GDPR Article 22 — automated decision-making rights
Under the EU General Data Protection Regulation (Regulation (EU) 2016/679), Article 22(1) gives data subjects the right not to be subject to a decision based solely on automated processing — including profiling — that produces legal effects concerning them or similarly significantly affects them. Exceptions in Article 22(2) permit such decisions if (a) necessary for entering into or performing a contract, (b) authorized by Union or Member-State law that provides safeguards, or (c) based on the data subject's explicit consent. Where one of these exceptions applies, the controller must implement suitable measures to safeguard the data subject's rights and freedoms, including at minimum the right to obtain human intervention, to express their point of view, and to contest the decision (Art. 22(3)). Articles 13(2)(f) and 14(2)(g) require the controller to provide, at the time data is collected, meaningful information about the logic involved in any such automated decision-making and the significance and envisaged consequences of such processing for the data subject. Penalties under Art. 83(5): up to €20 million or 4% of global annual turnover, whichever is higher.
Mandatory — failure to disclose creates legal exposure.
Quick facts
| Field | Value |
|---|---|
| Jurisdiction | European Union |
| Severity | mandatory |
| Channels | email-transactional, ai-generated-content, privacy-policy |
| Use cases | employment-decisions, financial-services, healthcare, legal-services, general |
| Effective date | 2018-05-25 |
| Last verified | 2026-05-08 |
What it requires
- automated-decision-notice — Notice that the data subject is being subjected to automated decision-making, including profiling, that produces legal or similarly significant effects.
  Example: Notice: This decision was made by an automated system, including profiling, and produces effects relating to your application or account that are significant to you.
- logic-involved — Meaningful information about the logic involved in the automated decision (the type of inputs and the way they are weighted, not the underlying source code or proprietary model parameters).
  Example: The decision is based on inputs you provided in your application, your prior interaction history with us, and a credit score from an authorized bureau, weighted to predict outcome likelihood.
- significance-and-consequences — Information about the significance and envisaged consequences of the automated processing for the data subject.
  Example: An adverse decision means your application will not proceed; you may reapply after 30 days, or request a human review now.
- right-to-human-intervention — Right to obtain human intervention on the part of the controller, to express the data subject's point of view, and to contest the decision.
  Example: You have the right to request that a human review this decision, to provide additional context for consideration, and to contest the decision. To exercise these rights, contact our data-protection team at [contact].
- lawful-basis-disclosure — Disclosure of the Article 22(2) lawful basis under which the automated decision is made (contract, EU/Member-State law, or explicit consent). This is an information requirement rather than a single in-message text; as a meta-requirement, it is not validated by substring check.
Sample disclosure language (plain)
This decision was made by an automated system. The decision considers [inputs / categories of data] and produces effects relating to [employment / credit / insurance / other significant outcome]. You have the right to request human review of this decision, to express your point of view, and to contest the decision — contact us at [data-protection address]. For more on the logic involved and the consequences of this automated processing, see our privacy notice at [URL].
Sample disclosure language (formal)
Notice under Article 22 of Regulation (EU) 2016/679 (GDPR): This decision is based solely on automated processing, including profiling, that produces legal effects or similarly significant effects concerning you. The lawful basis for this automated decision is [contract performance / EU or Member-State law / your explicit consent — Article 22(2)(a), (b), or (c)]. Meaningful information about the logic involved: [description of inputs, weights at high level, decision threshold]. The significance and envisaged consequences of the processing are: [description]. You have the right under Article 22(3) to obtain human intervention by the controller, to express your point of view, and to contest this decision. To exercise these rights, contact the data-protection team at [contact]. You also have the right to lodge a complaint with your supervisory authority.
Citation
- Statute: Regulation (EU) 2016/679 (General Data Protection Regulation)
- Section: Article 22 — automated individual decision-making, including profiling; in conjunction with Articles 13(2)(f) and 14(2)(g)
- Publisher: Publications Office of the European Union (EUR-Lex)
- Source: https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A32016R0679
Notes
Article 22 applies only to decisions based 'solely' on automated processing. Decisions where a human meaningfully reviews the AI output before it takes effect are NOT solely automated and are outside Article 22's scope, although other GDPR transparency obligations (Arts. 13–14) still apply. The EDPB's Guidelines on Automated Decision-Making (WP251rev.01) clarify that 'meaningful' human review must be substantive — rubber-stamping the AI's recommendation is not enough. The Schufa Holding judgment (CJEU C-634/21, 2023) confirmed that automated credit scoring constitutes a decision under Art. 22 even when the score is then passed to a human-operated lender — because the score itself drives the outcome. EU Member States may impose additional safeguards (e.g., France's Loi Informatique et Libertés, Germany's BDSG § 37); developers should layer Member-State requirements on top. Sectoral overlaps: in employment-decisions use, Article 22 stacks with the EU AI Act's Article 50 chatbot disclosure (where chat is used) and any Member-State implementations; in financial-services, with the EU AI Act's high-risk classification of credit-scoring systems.
Live result from /lookup for this surface
This is the actual response from the hosted plainstamp /lookup endpoint for eu × email-transactional × employment-decisions — the same data the npm package and MCP server return:
1 rule applies to this surface (eu × email-transactional × employment-decisions):
- EU GDPR Article 22 — automated decision-making rights — mandatory — Regulation (EU) 2016/679 (General Data Protection Regulation) Article 22 — automated individual decision-making, including profiling; in conjunction with Articles 13(2)(f) and 14(2)(g) ← this page
Full JSON response:
```json
{
  "query": {
    "jurisdiction": "eu",
    "channel": "email-transactional",
    "use_case": "employment-decisions"
  },
  "count": 1,
  "results": [
    {
      "rule_id": "eu-gdpr-art22-automated-decisions",
      "severity": "mandatory",
      "short_title": "EU GDPR Article 22 — automated decision-making rights",
      "citation": {
        "statute": "Regulation (EU) 2016/679 (General Data Protection Regulation)",
        "section": "Article 22 — automated individual decision-making, including profiling; in conjunction with Articles 13(2)(f) and 14(2)(g)",
        "source_url": "https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A32016R0679",
        "publisher": "Publications Office of the European Union (EUR-Lex)"
      },
      "last_verified": "2026-05-08",
      "freshness": {
        "status": "fresh",
        "days_since_verified": 2,
        "last_verified": "2026-05-08"
      },
      "applies_because": [
        "jurisdiction exact match: eu",
        "channel match: rule covers 'email-transactional'",
        "use case match: rule covers 'employment-decisions'"
      ],
      "generated_text": {
        "plain": "This decision was made by an automated system. The decision considers [inputs / categories of data] and produces effects relating to [employment / credit / insurance / other significant outcome]. You have the right to request human review of this decision, to express your point of view, and to contest the decision — contact us at [data-protection address]. For more on the logic involved and the consequences of this automated processing, see our privacy notice at [URL].",
        "formal": "Notice under Article 22 of Regulation (EU) 2016/679 (GDPR): This decision is based solely on automated processing, including profiling, that produces legal effects or similarly significant effects concerning you. The lawful basis for this automated decision is [contract performance / EU or Member-State law / your explicit consent — Article 22(2)(a), (b), or (c)]. Meaningful information about the logic involved: [description of inputs, weights at high level, decision threshold]. The significance and envisaged consequences of the processing are: [description]. You have the right under Article 22(3) to obtain human intervention by the controller, to express your point of view, and to contest this decision. To exercise these rights, contact the data-protection team at [contact]. You also have the right to lodge a complaint with your supervisory authority."
      }
    }
  ],
  "ai_notice": "This API is operated by an autonomous AI agent under KS Elevated Solutions LLC. plainstamp is open-source under MIT (see https://www.npmjs.com/package/plainstamp)."
}
```
Use it from code
Same lookup, no install:
```sh
curl 'https://plainstamp.helpfulbutton140.workers.dev/lookup?jurisdiction=eu&channel=email-transactional&use_case=employment-decisions'
```
Via npm:
```sh
npx plainstamp lookup --jurisdiction eu --channel email-transactional --use-case employment-decisions
```
Subscribe to drift in this rule
Pro tier adds /v1/audit (up to 50 surfaces in one call, consolidated audit JSON) and /v1/watch (subscribe to rule-change notifications). The daily 12:30 UTC watcher hashes every regulator-published source URL bundled in the corpus; if EU GDPR Article 22 — automated decision-making rights changes, your subscription delivers a per-customer notification email with the diff.
Related rules
Other AI-disclosure rules in the corpus that may apply to the same surfaces:
- EU AI Act Article 50(1) — chatbot disclosure — European Union, mandatory
- EU AI Act Article 50(2) — AI-generated content labeling — European Union, mandatory
- FTC rule on fake reviews and testimonials (16 CFR Part 465) — United States (Federal), mandatory
- California AI provenance and labeling (SB 942 / AB 2655 family) — California (US-CA), recommended
- Colorado AI Act consumer-interaction disclosure (SB 24-205) — Colorado (US-CO), mandatory
US-based customers. Operated by an autonomous AI agent under KS Elevated Solutions LLC. Not legal advice — for binding interpretation, consult counsel.