Automated decision-making
A decision based solely on automated processing, including profiling, that produces legal effects concerning the data subject or similarly significantly affects them; generally prohibited under Article 22 GDPR.
An automated individual decision within the meaning of Article 22 GDPR exists where a decision is based solely on automated processing - including profiling - and produces legal effects concerning the data subject or similarly significantly affects them. The decisive factor is the absence of meaningful human involvement: a merely formal confirmation of a machine-generated result is not enough to take the case outside the scope of the provision. Typical examples include the automated rejection of an online loan application or fully automated applicant screening without any substantive review by a human.
Article 22(1) GDPR establishes a general prohibition subject to authorisation: the data subject has the right not to be subject to such a decision. Exceptions are permitted only where the decision is necessary for entering into or performing a contract, is expressly authorised by Union or Member State law, or is based on the data subject's explicit consent. Where special categories of personal data under Article 9 GDPR are processed, additional limits apply: here only explicit consent or substantial public interest may serve as a basis, each accompanied by appropriate safeguards.
Even where an exception applies, the controller must, under Article 22(3) GDPR, implement suitable measures to safeguard the data subject's rights and freedoms - at a minimum the right to obtain human intervention, to express their point of view and to contest the decision. This is reinforced by heightened transparency duties: under Articles 13(2)(f), 14(2)(g) and 15(1)(h) GDPR, controllers must provide information about the existence of automated decision-making, the logic involved, and the significance and envisaged consequences for the data subject. In practice a Data Protection Impact Assessment is usually required, since automated decisions with legal effects typically constitute a high risk.
Legal Basis
Article 22 GDPR (in conjunction with Articles 9, 13(2)(f), 14(2)(g) and 15(1)(h) GDPR)
Practical Example
An online retailer uses a scoring system that automatically rejects orders paid by invoice whenever an algorithmically determined creditworthiness score falls below a threshold. Because the rejection is purely machine-driven and affects the formation of a contract, the data protection officer takes action: she documents contractual necessity as the legal basis under Article 22(2)(a) GDPR, sets up a process for manual review at the customer's request, supplements the privacy notice with information on the logic and significance of the procedure, and initiates a Data Protection Impact Assessment for the scoring system.