Artifact GuideEU GDPR

GDPR Article 22 Automated Decision-Making and Profiling

Use this guide to decide when profiling or an automated decision is inside GDPR Article 22, what transparency and safeguards are required, and what evidence should be retained.

Grounded in the GDPR text and DPIA guidance for product, privacy, legal, data science, support, HR, marketing, security, and vendor owners.

Back to main artifactReview sources
Author
Sorena AI
Published
May 9, 2026
Updated
May 9, 2026
Sections
6

Structured answer sets in this page tree.

Primary sources
3

Cited legal and guidance references.

Publication metadata
Sorena AI
Published May 9, 2026
Updated May 9, 2026
Overview

GDPR profiling is any automated processing of personal data used to evaluate personal aspects of a natural person, such as work performance, economic situation, health, preferences, interests, reliability, behaviour, location, or movements. Article 22 adds a narrower rule for decisions based solely on automated processing, including profiling, when the decision produces legal effects or similarly significant effects for the person.

Section 1

Article 22 scoping test

Treat Article 22 as a focused scoping question, not as a label for every model, score, or recommendation. The decision must be based solely on automated processing, including profiling, and it must produce legal effects or similarly significant effects for the data subject.

Record the decision being made, the point in the journey where it occurs, whether a human can materially change the outcome before it affects the person, and the practical effect on access, eligibility, pricing, employment, services, or other rights and interests.

  • In scope: a solely automated eligibility, access, employment, credit, fraud, pricing, or service decision with legal or similarly significant effect.
  • Still regulated but not necessarily Article 22: segmentation, ranking, recommendations, risk scores, or profiling used for human-supported decisions.
  • Out of scope for Article 22 only after review: automation that does not decide anything about an identifiable person or does not significantly affect that person.
  • Escalate when profiling uses special-category data, vulnerable groups, new technology, large-scale monitoring, or effects that may become more significant over time.
Sources for this answer
Regulation (EU) 2016/679 (GDPR)
Defines profiling in Article 4(4) and sets the Article 22 rule for solely automated decisions with legal or similarly significant effects.
Section 2

Lawful route and Article 22 exceptions

A controller still needs a GDPR lawful basis for the personal data processing. If the decision is inside Article 22, the controller also needs one of the Article 22 exceptions: necessary for entering into or performing a contract with the data subject, authorised by Union or Member State law with suitable safeguards, or based on the data subject's explicit consent.

Do not treat ordinary consent, generic terms acceptance, or a broad legitimate-interest assessment as enough for an Article 22 decision. For contract and explicit-consent routes, Article 22 requires suitable measures to protect the person's rights, freedoms, and legitimate interests.

  • Name both layers: the Article 6 lawful basis for processing and the Article 22 exception for the solely automated decision.
  • For contract necessity, explain why the decision itself is necessary for entering into or performing the contract, not merely useful to the business.
  • For explicit consent, keep the consent wording, capture method, withdrawal path, and fallback handling when consent is refused or withdrawn.
  • For Union or Member State law, cite the specific law and the safeguards it lays down; do not infer national authorisation from general public-sector duties.
Sources for this answer
Regulation (EU) 2016/679 (GDPR)
Article 22(2) lists the contract, law-authorisation, and explicit-consent exceptions to the Article 22(1) right.
Section 3

Transparency and access information

Privacy notices and access responses need to say when Article 22 automated decision-making, including profiling, exists. At least in those cases, GDPR Articles 13, 14, and 15 call for meaningful information about the logic involved and the significance and envisaged consequences for the data subject.

Useful transparency is specific to the person-facing decision. Explain the decision purpose, the main categories of input data, the broad factors that influence the outcome, the consequences of the outcome, and the routes for human intervention, point-of-view submission, and contesting the decision.

  • Link the notice text to the real product flow where the automated decision occurs.
  • Avoid exposing security-sensitive model details, but do not hide the existence, purpose, broad logic, or consequences of Article 22 processing.
  • Keep separate access-response text for data subjects who ask about a specific decision affecting them.
  • Update notices before materially changing inputs, logic, decision effects, or data sources.
Sources for this answer
Regulation (EU) 2016/679 (GDPR)
Articles 13, 14, and 15 require information about automated decision-making, including profiling, and meaningful information about logic, significance, and envisaged consequences.
Section 4

Safeguards and human intervention

For Article 22 decisions relying on contract necessity or explicit consent, the controller must implement suitable safeguards. GDPR identifies at least three: the right to obtain human intervention from the controller, to express a point of view, and to contest the decision.

A safeguard is not meaningful if the reviewer can only rubber-stamp the automated output. The review workflow should give a trained person enough context, authority, and time to change the result when the facts, data quality, or proportionality analysis support a different outcome.

  • Publish a clear route for requesting human intervention and contesting the decision.
  • Give reviewers the data, rule version, model or score explanation, notice version, and prior contact history needed to reassess the outcome.
  • Log the person's point of view, the reviewer decision, any corrected data, and whether the automated outcome changed.
  • Measure whether contests reveal recurring data-quality, bias, explainability, or proportionality issues.
Sources for this answer
Regulation (EU) 2016/679 (GDPR)
Article 22(3) names human intervention, expression of the data subject's point of view, and contesting the decision as minimum safeguards for contract and explicit-consent cases.
Section 5

DPIA and risk review

GDPR Article 35 makes a DPIA mandatory for high-risk processing, including systematic and extensive evaluation of personal aspects based on automated processing, including profiling, where decisions produce legal or similarly significant effects. DPIA guidance in the grounding materials treats automated decision-making and profiling as risk criteria that should be assessed early and revisited when the processing changes.

The DPIA record should connect the Article 22 analysis to necessity and proportionality, data minimisation, accuracy, retention, transparency, rights handling, security controls, processor involvement, and residual risk. If a prior DPIA is reused for similar processing, document why the nature, scope, context, and purposes remain sufficiently similar.

  • Start the DPIA before deployment or material change, once the decision purpose, data flows, and expected effects are understood.
  • Map generated personal data such as scores, profiles, risk flags, eligibility outcomes, and reviewer notes.
  • Record safeguards for inaccurate data, unfair exclusion, discrimination, loss of access, inability to contest, and excessive retention.
  • Review the DPIA when decision effects, user groups, data sources, vendors, model logic, or operational context changes.
Sources for this answer
Regulation (EU) 2016/679 (GDPR)
Article 35(3)(a) identifies systematic and extensive automated evaluation, including profiling, leading to legal or similarly significant decisions as a DPIA case.
Data Protection Commission - Data Protection Impact Assessments
DPIA guidance describes high-risk triggers, automated decision-making risk criteria, project review, stakeholder involvement, record keeping, and residual-risk handling.
CNIL - Privacy Impact Assessments: CNIL publishes its PIA manual
CNIL PIA methodology supports documenting context, fundamental principles, data-subject rights controls, security risks, and validation of the PIA.
Section 6

Evidence to keep

Evidence should let a reviewer reconstruct the decision system without relying on memory. Keep a single record that ties the automated decision, Article 22 conclusion, lawful route, transparency text, DPIA, safeguards, and contest outcomes together.

Evidence should also show what is not Article 22. Where a tool produces a score or recommendation but a human makes the effective decision, preserve proof that human review is real, documented, and able to change the outcome before it affects the person.

Does every profiling activity trigger GDPR Article 22?

No. Profiling is broadly defined as automated processing of personal data used to evaluate personal aspects of a person. Article 22 is narrower: it concerns decisions based solely on automated processing, including profiling, that produce legal effects or similarly significant effects.

What must a controller offer when Article 22 applies?

Where the Article 22 decision relies on contract necessity or explicit consent, the controller must use suitable safeguards, including at least human intervention by the controller, the ability for the person to express a point of view, and the ability to contest the decision.

When should an automated decision-making project trigger a DPIA?

A DPIA is required when processing is likely to result in high risk. GDPR specifically calls out systematic and extensive automated evaluation, including profiling, where decisions produce legal or similarly significant effects.

  • Article 22 memo: decision description, affected groups, solely automated status, legal or similarly significant effects, and exception if used.
  • Profiling inventory: input data, generated scores or segments, purposes, data sources, recipients, retention, and downstream decisions.
  • Transparency pack: notice language, access-response language, release date, product placement, and change history.
  • Safeguard records: human intervention requests, point-of-view submissions, contest decisions, reviewer authority, corrections, and outcome changes.
  • DPIA and risk file: risk criteria, data-flow map, safeguards, residual risk, DPO advice where designated, processor inputs, and review triggers.
Sources for this answer
Regulation (EU) 2016/679 (GDPR)
Primary source for profiling definition, Article 22 rights and safeguards, transparency information, and DPIA triggers.
Data Protection Commission - Data Protection Impact Assessments
Supports keeping DPIA records, documenting risks and solutions, and reviewing DPIAs as project design changes.
Recommended next step

Use this Article 22 guide as a cited review record

Sorena can help convert automated decision-making and profiling reviews into source-linked scoping records, DPIA evidence, transparency updates, and human-review workflows.

Research workflow
Open Research Copilot for EU GDPR

Ask source-linked questions about Article 22 scope, profiling, DPIA triggers, transparency, safeguards, and evidence using the cited sources on this page.

Explore next step
Talk to Sorena
Talk through implementation

Review your automated decision-making workflow, Article 22 scoping, human intervention route, and DPIA evidence with Sorena.

Explore next step
Primary sources

References and citations

Regulation (EU) 2016/679 (GDPR)
eur-lex.europa.eu
Referenced sections
  • Primary source for profiling definition, Article 22 rights and safeguards, transparency information, and DPIA triggers.
"Automated individual decision-making, including profiling"
Related guides

Explore more topics

Does the EU GDPR apply outside the EU under Article 3?
A grounded GDPR Article 3 territorial-scope FAQ covering EU establishment, offering goods or services, monitoring behavior in the EU, and Article 27 representatives.
EU GDPR Applicability Test for Products, Vendors, and Data Flows
A concrete GDPR scope test for personal data, controller and processor roles, EU establishment, EU targeting or monitoring, special-category and child data, transfers, vendors, and evidence.
EU GDPR Article 30 RoPA Intake Workflow
Use this GDPR Article 30 RoPA intake workflow to capture controller and processor fields, owners, transfers, retention, security measures, and evidence before a processing activity goes live.
EU GDPR Article 6 Legal Bases FAQ
FAQ on the six Article 6 GDPR lawful bases, consent caveats, legitimate interests, public-task and legal-obligation limits, and Article 9 special-category data.
EU GDPR Breach Notification 72 Hours: Article 33 and 34 workflow
Source-grounded EU GDPR breach notification workflow covering awareness, 72-hour supervisory authority notices, processor escalation, high-risk data-subject communication, delay reasons, and evidence logs.
EU GDPR Breach Notification Workflow: 72-hour clock, risk assessment, and records
A concrete EU GDPR breach notification workflow for detecting and triaging incidents, starting the awareness clock, assessing risk, notifying authorities or data subjects, and keeping Article 33 records.
EU GDPR Checklist: scope, lawful basis, DSARs, DPIA, RoPA, transfers
Use this GDPR checklist to review scope, lawful basis, notices, DSAR handling, DPIAs, RoPA, processor contracts, SCC transfers, breach notification, retention, security, and evidence.
EU GDPR Children and Special-Category Data Guide
source-linked GDPR guide for Article 8 children's consent, Article 9 special-category data, DPIA triggers, transparency, safeguards, and evidence records.
EU GDPR Compliance Checklist: scope, rights, DPIA, RoPA, transfers
Practical EU GDPR compliance guide for mapping scope, lawful basis, notices, data-subject rights, DPIAs, RoPA, processor terms, breaches, transfers, retention, security, and penalties.
EU GDPR Controller, Processor, and Joint Controller Roles
source-linked GDPR guide for classifying controllers, processors, and joint controllers, with Article 28 contract checks, Article 26 transparency, and vendor evidence.
EU GDPR Data Subject Rights and DSAR Workflow
source-linked GDPR DSAR workflow for intake, identity checks, request scope, the one-month response clock, extensions, refusals, processor escalation, and evidence.
EU GDPR deadlines and compliance calendar
source-linked GDPR calendar entries for applicability, DSAR response timing, breach notification, DPIA review, prior consultation, transfer reviews, and retention checks.
EU GDPR DPIA and Prior Consultation Workflow
Screen high-risk processing, run a GDPR Article 35 DPIA, record mitigation, and identify when Article 36 prior consultation is required.
EU GDPR DPIA and risk management under Articles 35 and 36
EU GDPR DPIA guide covering Article 35 triggers and contents, CNIL and DPC PIA methods, residual risk, mitigation records, and prior consultation limits.
EU GDPR DSAR Exceptions: refusal, extensions, identity checks
FAQ on when EU GDPR controllers may extend, charge for, narrow, redact, or refuse a data subject access request under Articles 12 and 15.
EU GDPR DSAR Workflow: Intake, Clock, Rights, and Evidence
Run a GDPR DSAR workflow for intake, identity checks, rights scoping, one-month response timing, extensions, refusals, processor handoffs, and evidence records.
EU GDPR FAQ: scope, lawful basis, rights, DPIA, breaches, transfers
Direct EU GDPR FAQ answers on scope, controller and processor roles, lawful basis, data subject rights, DPIAs, breach notification, international transfers, and Article 83 fine tiers.
EU GDPR International Transfers and SCCs: Chapter V evidence guide
source-linked guide to GDPR Chapter V transfers, adequacy decisions, SCCs, transfer impact assessments, supplementary measures, and EU-US DPF checks.
EU GDPR Lawful Basis and Consent Guide
Focused GDPR guide to Article 6 lawful bases, consent conditions, legitimate interests, special category data, withdrawal, and evidence records.
EU GDPR Lawful Basis and LIA Workflow for Article 6(1)(f)
Assess GDPR legitimate interests with a purpose, necessity, balancing, Article 21 objection, and evidence-record workflow grounded in Article 6(1)(f).
EU GDPR Lead Supervisory Authority and One-Stop-Shop
How GDPR main establishment, cross-border processing, Article 56 lead authority competence, and Article 60 cooperation fit together.
EU GDPR LIA Template for Article 6(1)(f)
Use this EU GDPR legitimate interests assessment template to document Article 6(1)(f) purpose, necessity, balancing, safeguards, objection rights, and evidence.
EU GDPR penalties and fines: Article 83 tiers and evidence
EU GDPR penalties and fines guide covering Article 83 fine tiers, assessment factors, Article 58 powers, and evidence records for controllers and processors.
EU GDPR Processor Contracts and Vendor Management | Article 28 Evidence Guide
EU GDPR Article 28 guide for processor contracts, sub-processor controls, controller-processor role boundaries, vendor evidence, and SCC transfer clauses where applicable.
EU GDPR Record of Processing Activities Template: Article 30 RoPA Fields
Build a GDPR Article 30 record of processing activities with separate controller and processor fields for purposes, data categories, recipients, transfers, erasure time limits, and security measures.
EU GDPR Requirements: scope, rights, security, DPIA, RoPA, and transfers
Overview of core EU GDPR requirements covering scope, principles, lawful basis, notices, data-subject rights, processors, RoPA, security, breaches, DPIAs, and international transfers.
EU GDPR Retention and Erasure Schedule
Build an EU GDPR retention and erasure schedule around storage limitation, Article 17 erasure grounds, Article 12 rights handling, Article 19 recipient notices, and Article 30 RoPA fields.
EU GDPR SCC Transfer Impact Assessment FAQ
source-linked FAQ on when SCC transfer impact assessments are needed, what Clause 14 records, and when supplementary safeguards or transfer suspension are required.
EU GDPR Transfer TIA and SCC Workflow
A GDPR workflow for checking adequacy, selecting SCC modules, documenting transfer impact assessments, and recording supplementary measures for third-country transfers.
EU GDPR Transparency Notices: Articles 12, 13 and 14
Source-grounded GDPR guide to privacy notices under Articles 12, 13 and 14: direct collection, third-party data sources, recipients, transfers, retention, rights, and lawful basis.
EU GDPR vs Brazil LGPD: GDPR-led comparison and source gaps
Compare EU GDPR duties with Brazil LGPD only where the available sources support the comparator, with GDPR rows for lawful basis, rights, breach, transfers, roles, and evidence.
EU GDPR vs California CCPA: grounded GDPR comparison limits
Compare GDPR implementation duties with source-limited California CCPA/CPRA context, showing where the available grounding supports a claim and where it does not.
EU GDPR vs ePrivacy Directive: personal data, cookies, consent, and communications
Compare the EU GDPR and ePrivacy Directive for personal data processing, consent and lawful basis, cookies and terminal access, electronic communications, and parallel compliance.
EU GDPR vs UK GDPR: source-limited compliance comparison
Compare EU GDPR obligations with source-limited UK GDPR transfer notes grounded in EU GDPR sources, covering scope, lawful basis, rights, accountability, records, DPIAs, security, and transfers.
GDPR processor vs controller: role boundaries and evidence
Decide whether a party is a GDPR controller, processor, or joint controller using purpose-and-means tests, Article 28 terms, Article 26 arrangements, and Article 30 records.
GDPR vs EU AI Act: privacy controls for AI systems
Compare GDPR privacy duties with the EU AI Act only where the GDPR source pack supports the point: lawful basis, notices, DPIA, ADM, RoPA, rights, and source limits.
GDPR vs EU Data Act: personal data safeguards and source limits
Compare GDPR obligations with the EU Data Act only where the available GDPR grounding supports the fact pattern, with clear safeguards for personal data, rights, transfers, and accountability.
When does the EU GDPR require a DPIA?
Answer the EU GDPR DPIA threshold question with Article 35 triggers, high-risk criteria, supervisory-authority list checks, and DPIA content requirements.
When does the GDPR 72-hour breach notification clock start?
GDPR breach-awareness FAQ covering the Article 33 clock, processor escalation, delayed or phased notifications, risk assessment, and records to keep.