What does GDPR Article 22 require for AI agents?

Article 22(1) gives individuals the right not to be subject solely to automated decisions with legal or similarly significant effects. When automated decisions are permitted (contract necessity, law authorization, or explicit consent under Art. 22(2)), Article 22(3) requires: measures to safeguard individual rights including human review, the right to express a point of view, and the right to contest. Articles 13-14 require proactive transparency about the decision logic. All require per-decision reasoning records to satisfy the individual explanation obligation.

What AI decisions qualify as 'solely automated with significant effects'?

Solely automated means no genuine human review before the decision produces effects. Significant effects include legal effects (credit denial, contract termination, insurance cancellation) or similarly significant effects (pricing differentiation, employment outcomes, healthcare access). Supervisory authorities have clarified that cursory human review that never overrides AI decisions does not break the 'solely automated' threshold.

Is a generic model description sufficient for GDPR Article 22 explanation?

No. Supervisory authorities (UK ICO, CNIL, BfDI) have consistently held that generic descriptions — 'our AI considers credit history and income' — are insufficient. The explanation must be specific to the individual's decision: which factors drove the outcome for this person, what their specific values were, and how each factor contributed. This requires per-decision structured factor records — not just model descriptions.

Can legitimate interests be used as the legal basis for Article 22 automated decisions?

No. Article 22(2) limits lawful bases for automated decisions to: (a) contract necessity, (b) EU/member state law authorization, (c) explicit consent. Legitimate interests (Article 6(1)(f)) is not a permitted basis for Article 22 automated decisions — a common compliance mistake. Organizations relying on legitimate interests for general processing cannot use it to justify automated decisions with legal or significant effects.

Does GDPR Article 22 require a DPIA for AI agents?

Yes. Article 35(3)(a) mandates a DPIA for systematic and extensive automated processing of personal data that produces legal or significant effects. This covers virtually all commercial AI agents making significant automated decisions. The DPIA must assess: the logic of the processing, measures to safeguard data subject rights, proposed retention periods, and how human review is implemented.

How does GDPR Article 22 interact with EU AI Act?

They are complementary. Article 22 is a data subject right — protection against automated decisions with explanation and review mechanisms. EU AI Act is a product safety framework — technical documentation, logging, and human oversight for high-risk AI. An AI system processing personal data and producing legal or significant effects is subject to both. A decision record satisfies both: per-decision reasoning chain satisfies Art. 22 explanation; tamper-evident record satisfies EU AI Act Art. 12 post-hoc reconstruction.

Does GDPR Article 22 apply to B2B AI agents?

Article 22 applies to processing of personal data about natural persons. B2B contexts where the AI processes personal data about individuals (employees, sole traders, personal data in business records) are in scope. Purely organizational-level data processing without personal data about individuals is not covered by Article 22 but may be covered by other GDPR provisions.

How long must AI decision records be retained for GDPR Article 22 compliance?

Article 5(1)(e) requires retention no longer than necessary. For Article 22 automated decision records: the period during which individuals may exercise explanation or contest rights (typically 1-3 years per member state limitation periods), plus the period for supervisory authority enforcement (up to the limitation period post-decision). Sector-specific requirements (financial services: 5-7 years) apply where longer. Use the longest applicable period.

GDPR Article 22 and AI Agents: What Automated Decision-Making Compliance Actually Requires

GDPR Article 22 gives individuals the right not to be subject solely to automated decisions that produce legal effects or similarly significantly affect them. For AI agents making credit, insurance, employment, or healthcare decisions, Article 22 creates three distinct compliance obligations: proactive transparency about decision logic at collection time (Articles 13-14), the right to individual explanation of each specific decision (Article 22(3) + Recital 71), and a genuine human review mechanism. The right to explanation cannot be satisfied with generic model descriptions — it requires capturing the per-decision factors that drove each individual outcome.

What Article 22 Actually Requires

Article 22(1) gives individuals the right not to be subject solely to automated processing that produces legal or similarly significant effects. Automated decisions are permitted under three lawful bases (Article 22(2)): necessary for a contract, authorized by EU/member state law, or explicit consent. Legitimate interests is not a permitted basis — a common compliance mistake. When automated decisions are permitted, Article 22(3) requires suitable measures including human intervention, the right to express a point of view, and the right to contest. Article 35(3)(a) mandates a DPIA for systematic automated processing with legal or significant effects.

Which AI Agent Decisions Are In Scope

Article 22 applies when a decision is (1) based solely on automated processing and (2) produces legal effects or similarly significant effects. Solely automated means no genuine human review — supervisory authorities have clarified that a human who never overrides AI decisions, processes hundreds without meaningful scrutiny, or lacks access to the same information the AI used does not constitute genuine human intervention. In-scope agent types: credit scoring and loan denial agents, insurance pricing and claims determination, HR candidate screening, prior authorization AI with auto-approve/deny, fraud detection with automatic service blocks.

What 'Meaningful Explanation' Means Under GDPR

Generic model descriptions fail Article 22: 'Our AI considers credit history and income' is insufficient. A meaningful explanation (Recital 71) must be specific to the individual's decision: the specific factors evaluated, the applicant's actual observed values, whether each factor contributed positively or negatively, and the relative weight of each factor. This is only possible if the AI's decision record captured structured per-decision factors with observed values and impact directions — not just the final output.

Implementation: Generating Explanations from Decision Records

Capture structured factor output in the AI decision record: each factor with name, observed value, policy threshold, impact direction (POSITIVE/NEGATIVE/NEUTRAL), and weight (PRIMARY/SECONDARY/MINOR). Store the record with tamper-evident signing. When a data subject exercises Article 22 rights, retrieve the record by application ID and generate an individual explanation from its structured factor content. The record_id links the explanation to the tamper-evident decision record, satisfying Article 5(2) accountability.

DPIAs and Article 5(2) Accountability for AI Automated Decisions

Article 35(3)(a) mandates a DPIA for systematic automated decision-making with legal or significant effects — covering virtually all commercial AI agents making significant decisions. The DPIA must address: the logic of the processing, retention periods, and safeguards. Recital 71 additionally prohibits automated decision-making on special categories of personal data (health, race, political opinion) without explicit consent or substantial public interest grounds. Article 5(2) accountability requires maintaining records of legal basis, safeguards, explanation requests, and override documentation — satisfied by tamper-evident decision records and linked override records.