The Rule
GDPR Article 22: data subjects have the right not to be subject to decisions based solely on automated processing that produce legal effects or similarly significant effects. Exceptions: contract necessity, explicit consent, authorized by law.
The CJEU’s December 2023 SCHUFA ruling (C-634/21) clarified that even probability scores qualify as “decisions” when third parties rely on them — broadening Article 22 well beyond final approval/denial. The 2024 OQ Chemicals follow-up extended the principle to employment scoring. “Solely automated” is interpreted narrowly: rubber-stamp human review doesn’t break the chain. “Significant effects” includes denial of credit, insurance, employment, housing, education, and access to essential services.
CRM Relevance
Automated lead scoring affecting service level. AI decisioning on customer routing. Agent auto-close of cases affecting customer rights. These trigger Article 22 when consequential.
In-scope examples. A lead-score that gates which prospects receive premium support tiers — affects access to a service. An AI router that sends low-score callers to longer queues — significant effect. An automated policy-renewal denial — legal effect. Out of scope: pure productivity AI like email summarization or next-best-action suggestions where a human makes the decision and reasonably reviews the AI input.
Compliance Patterns
Meaningful human review as default. Right to explanation (describe the logic, not disclose the model). Right to contest and obtain human review. Clear disclosure that automated decisions occur.
Article 13(2)(f) and 14(2)(g) require informing the data subject at collection that automated decision-making exists, with “meaningful information about the logic involved” and the consequences. Implementation: a one-paragraph plain-language explanation in privacy notices, plus an in-product disclosure at the moment of decision. Provide an unambiguous channel to request human review — typically a web form routed to a trained reviewer with a documented 30-day SLA. Log every challenge and outcome for the supervisory authority.
Intersection with AI Act
AI Act’s high-risk categories overlap with Article 22 scenarios. Compliance efforts compound — one integrated program covers both. Separating them creates duplicated work and policy gaps.
The AI Act’s Article 26(11) explicitly requires deployers to inform natural persons that they are subject to decisions made with a high-risk AI system, mirroring GDPR Article 22’s transparency duty. The Article 27 FRIA overlaps with the GDPR Article 35 DPIA — many DPOs now run a combined assessment. Where the two diverge: Article 22 cares about the individual decision; the AI Act cares about the system. A unified governance program inventories systems, runs combined assessments, designs a single human-review workflow, and maintains one log feeding both regulators.
Common Failure Modes
Treating any human in the loop as breaking “solely automated” — courts test for meaningful review, not presence. Conflating the right to explanation with full model disclosure — the obligation is logic and consequences, not weights. Failing to log challenges and outcomes, leaving no defense in a regulator inquiry.
What to Do This Week
Inventory every AI-driven decision touching customers and tag each as solely-automated, human-mediated, or out-of-scope, with the lawful basis under Article 22(2) noted for each automated case.