GDPR Article 22 Compliance for AI — Explanation Rights & Decision Records
GDPR Article 22 restricts solely automated decisions with legal or similarly significant effects on EU individuals, granting data subjects the right to human review, to express their point of view, and to obtain a specific explanation of the logic involved. Supervisory authorities have made clear that generic model descriptions do not satisfy Article 22 — individual-specific reasoning is required. Tenet captures the decision context, satisfies data minimization principles, and enables the right of erasure for AI agent decisions — in 2 lines of code.
GDPR Article 22: The Three Conditions for Permitted Automated Decisions
Article 22 is a prohibition, not a permission. The default rule is that solely automated decisions with legal or similarly significant effects are not allowed. There are three exceptions. First: the decision is necessary for entering into or performing a contract with the data subject. Second: EU or member state law specifically authorizes it with suitable safeguards. Third: the data subject gave explicit consent. That's it. Outside these three boxes, solely automated significant decisions are flatly prohibited regardless of technical sophistication.

Where processing falls within an exception, Article 22(3) adds a floor: at minimum, controllers must implement the right to obtain human intervention, the right to express one's point of view, and the right to contest the decision. Not optional extras — minimum requirements. Recital 71 goes further. It says data subjects should be able to obtain an explanation of the decision based on their individual circumstances, not just a description of how the model works in general.

One thing that catches compliance teams off-guard: the "solely automated" threshold covers more ground than it looks. If a human technically reviews AI outputs but routinely approves them without meaningful evaluation — rubber-stamping 400 credit decisions a day — supervisory authorities can treat that process as solely automated despite the nominal human step. The substance of the review matters. The presence of a human in the chain does not automatically satisfy Article 22.
What a Meaningful Individual Explanation Requires
GDPR requires meaningful information about the logic involved in automated decisions — and supervisory authorities across the EU have consistently interpreted "meaningful information about the logic" to mean an explanation specific to the individual data subject and their specific decision, not a generic description of how the model operates. The Information Commissioner's Office (UK) guidance states that explanations must be intelligible to a layperson, specific to the individual case, and actionable for challenging the outcome. The French CNIL has enforced against credit scoring organizations whose explanations described model features in general terms rather than explaining which specific factors drove the individual's score. The German DSK has published guidance requiring that automated profiling decisions provide the specific input data and decision criteria that produced the outcome for that individual. A disclosure that an AI uses machine learning models considering 200 features to assess creditworthiness does not satisfy Article 22. An explanation that identifies the three specific factors most negatively affecting this specific applicant's score, in terms they can understand and challenge, moves toward compliance. Tenet captures what data drove each specific outcome and how factors were weighted — the raw evidence for individual-specific explanations.
GDPR DPIA Requirements for AI Systems
Most AI agents in regulated industries need a DPIA before going live. That's not an exaggeration — it's the math. The EDPB's WP248 guidelines list nine criteria that trigger a mandatory DPIA when any two apply. Go through the list for a typical AI credit scoring or healthcare authorization system: evaluation or scoring (yes — it's scoring by definition); automated decision-making with legal or similar effects (yes — Article 22 use case); systematic processing (yes — running on every application); large-scale processing (almost certainly); data matching or combining from multiple sources (usually yes). Five criteria. Way over the threshold. Two is all you need.

The DPIA has to happen before processing begins. Not before launch. Before you start processing personal data in testing or staging. A post-hoc DPIA conducted after deployment is a procedural GDPR violation, separate and additional to any substantive compliance issues. Controllers routinely discover this late — they build the system, then commission the DPIA, then find out the deployment date already passed.

The DPIA also has to address ongoing monitoring — it's not a one-time document. As the AI system's behavior evolves (which it will, through drift if not through redeployment), the DPIA risk assessment needs updating. Tenet captures the processing activity records that DPIA ongoing monitoring requires: what data was processed, what decisions were made, what outcomes resulted, with timestamped integrity for the full deployment period.
GDPR Article 30 Records of Processing for AI Agents
Article 30 requires data controllers to maintain written records of all processing activities under their responsibility. For AI agents, Article 30 records must cover: the name and contact details of the controller, and where applicable the DPO; the purposes of the AI processing; categories of data subjects and personal data categories processed; the recipients of personal data; any cross-border transfers and the safeguards used; envisaged erasure time limits; and a general description of technical and organisational security measures. For AI systems making automated decisions under Article 22, the Article 30 record must specifically describe the automated decision-making including profiling and the logic involved. Supervisory authorities expect Article 30 records to be sufficiently detailed to enable assessment of GDPR compliance — a generic entry noting "AI credit scoring" without describing the logic and safeguards does not satisfy the requirement. Tenet generates Article 30-compatible processing records from live agent execution, capturing the processing activity description at decision time rather than requiring manual documentation assembly.
GDPR Enforcement for AI Automated Decisions
Enforcement has arrived. EU supervisory authorities are not waiting for AI-specific frameworks — they are applying Article 22 now, against live production systems. The Swedish DPA fined a credit information company for exactly this: insufficient Article 22 explanations in automated credit decisions. Generic model descriptions. No individual specifics. That was the violation. The Netherlands DPA went after the tax authority's fraud detection AI — discriminatory automated profiling, no explanation rights. The ICO issued enforcement notices against credit scoring AI that failed Article 22. The Austrian and German DPAs have moved against automated profiling tools that explained nothing specific to the individual.

What these cases share: the violation was not having a bad policy. It was having no workable capability to produce individual-specific explanations.

Fines sit under the higher GDPR tier — up to EUR 20 million or 4% of global annual turnover, whichever is higher. For a company with €500M annual revenue, that is €20M. For a company with €10B revenue, that is €400M.

Controllers cannot satisfy Article 22 by publishing a privacy notice explaining that their system uses machine learning. They need to produce, on demand, the specific factors that drove this applicant's outcome. Tenet captures those factors at decision time — not reconstructed after the fact when the DPA inquiry arrives.
GDPR Erasure Rights and AI Model Training Data
When data subjects exercise erasure rights under GDPR Article 17, controllers must erase personal data without undue delay where the grounds for erasure apply. For AI systems, erasure obligations extend beyond production decision records to training data and model parameters where the individual's data was used for training or fine-tuning. Supervisory authorities expect controllers to document: what data was used in training; whether training data has been deleted following erasure requests; and what steps have been taken regarding model parameters when erasure was not technically feasible. The EDPB Guideline on the Right to Erasure (2020) addresses the technical complexity of erasing data from trained models and expects controllers to implement technical measures to minimize the impact of training data that cannot be erased — such as data minimization at the training stage, differential privacy, and documentation of residual risks. Tenet captures training data provenance trails that support erasure documentation, and the data-minimization-first architecture of Ghost SDK ensures that only the decision-relevant context snapshot is captured, not raw personal data fields.
Behavioral Drift and GDPR Article 22 Accountability
GDPR Article 22 creates an ongoing accountability obligation — not a point-in-time compliance assessment. Controllers cannot declare compliance with Article 22 safeguards once and consider the obligation satisfied. The Article 5(2) accountability principle requires controllers to demonstrate compliance on a continuous basis, and EDPB guidance is clear that automated decision-making systems must be monitored for consistent, non-discriminatory operation throughout their deployment lifecycle.

Behavioral drift is the mechanism that breaks ongoing Article 22 compliance without any visible deployment event. A credit scoring AI can drift toward systematically different reasoning for applicants from certain regions or demographic groups — not because the model was retrained or the code changed, but because the context distribution shifted, the LLM provider updated a model, or fine-tuning data introduced a bias. The controller remains responsible for the discriminatory outcomes even when the drift was unintentional and undetected.

Under Article 22(3), the safeguards — human review mechanisms, explanation capability, contest procedures — must function correctly throughout the processing period. If drift has changed how the AI reasons, the explanation a data subject receives may no longer accurately reflect the actual decision factors. That misalignment between the explanation given and the reasoning applied is an Article 22 violation.

Tenet's Verification Replay engine detects drift by re-executing past decision records against the current agent state, identifying where reasoning has changed. The drift detection output provides the documentation that Article 5(2) continuous accountability requires — evidence that the controller actively monitored for reasoning inconsistencies, not just for output metric stability.
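The two mechanisms this page leans on, an individual-specific explanation derived from the factors recorded at decision time (the "three factors most negatively affecting this applicant" standard from the explanation section) and a replay that re-scores stored records against the current model to flag reasoning drift, can be shown end to end in a small script. The code below is an added example written for this page; it is not Tenet's or Ghost SDK's code and does not use their API. It assumes a hypothetical additive scoring model (`weight * value` per factor) standing in for whatever model or agent actually makes the decision, and the two applicants, the thresholds and both model versions are constructed for illustration. Each record carries a SHA-256 digest over its other fields so that later tampering with a stored decision is detectable.

```python
"""Added example (not Tenet's code): individual decision records, the
Article 22 style "top negative factors" explanation, and a replay check
that flags records whose reasoning would differ under the current model."""
from dataclasses import dataclass, asdict
from datetime import datetime, timezone
import hashlib
import json


@dataclass
class DecisionRecord:
    subject_id: str
    context: dict        # decision-relevant inputs only, not the full personal-data profile
    contributions: dict  # factor -> signed contribution to this individual's score
    outcome: str
    recorded_at: str
    digest: str = ""     # SHA-256 over the other fields, fixed at record time


def _digest(rec: DecisionRecord) -> str:
    body = {k: v for k, v in asdict(rec).items() if k != "digest"}
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()


def verify_integrity(rec: DecisionRecord) -> bool:
    """True if no field of the stored record has been altered since it was written."""
    return rec.digest == _digest(rec)


def score(model: dict, context: dict) -> dict:
    """Hypothetical additive model: each known factor contributes weight * value."""
    return {f: w * context[f] for f, w in model.items() if f in context}


def record_decision(model: dict, subject_id: str, context: dict,
                    threshold: float = 0.0, recorded_at: str = None) -> DecisionRecord:
    """Score one applicant and capture the per-factor evidence at decision time."""
    contributions = score(model, context)
    outcome = "approve" if sum(contributions.values()) >= threshold else "decline"
    rec = DecisionRecord(subject_id, context, contributions, outcome,
                         recorded_at or datetime.now(timezone.utc).isoformat())
    rec.digest = _digest(rec)
    return rec


def explain(contributions: dict, n: int = 3) -> list:
    """The n factors that most negatively affected this individual's score, worst first."""
    negatives = [f for f in contributions if contributions[f] < 0]
    return sorted(negatives, key=lambda f: contributions[f])[:n]


def replay(records: list, current_model: dict, threshold: float = 0.0) -> list:
    """Re-score each stored record with the model as it behaves now.

    Returns (subject_id, reason) pairs where reason is "outcome" if the decision
    itself would flip, or "factors" if the outcome holds but the explanation the
    data subject was given no longer matches the factors now driving it."""
    findings = []
    for rec in records:
        now = score(current_model, rec.context)
        new_outcome = "approve" if sum(now.values()) >= threshold else "decline"
        if new_outcome != rec.outcome:
            findings.append((rec.subject_id, "outcome"))
        elif explain(now) != explain(rec.contributions):
            findings.append((rec.subject_id, "factors"))
    return findings


# Constructed sample data. MODEL_V2 stands in for a silently drifted model that
# has started weighting a proxy for region; nothing in the deployment changed.
MODEL_V1 = {"income": 0.5, "debt_ratio": -2.0, "missed_payments": -1.5, "tenure_years": 0.3}
MODEL_V2 = dict(MODEL_V1, postcode_region=-3.0)
APPLICANTS = {
    "A": {"income": 4.0, "debt_ratio": 0.6, "missed_payments": 2, "tenure_years": 5, "postcode_region": 1},
    "B": {"income": 6.0, "debt_ratio": 0.2, "missed_payments": 0, "tenure_years": 2, "postcode_region": 1},
}
RECORDS = [record_decision(MODEL_V1, sid, ctx, recorded_at="2024-01-01T00:00:00+00:00")
           for sid, ctx in APPLICANTS.items()]

if __name__ == "__main__":
    for rec in RECORDS:
        print(rec.subject_id, rec.outcome, "negative factors:", explain(rec.contributions))
    print("drift vs. same model:", replay(RECORDS, MODEL_V1))
    print("drift vs. drifted model:", replay(RECORDS, MODEL_V2))
```

Applicant A is declined under MODEL_V1 with `missed_payments` and `debt_ratio` as the negative factors, and that is what an explanation issued at decision time would say. Replaying both records against MODEL_V2 leaves both outcomes unchanged, yet the replay flags both with reason `factors`, because `postcode_region` now sits among the top negative contributors: exactly the case the page describes, where the explanation given no longer reflects the reasoning applied even though no output metric moved.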