GDPR A22-01: Safeguards Against Solely Automated Decision-Making
Article 22 of GDPR restricts automated decision-making that produces legal or significant effects on data subjects. Organizations must implement human review processes, obtain explicit consent, and provide contestation mechanisms—or qualify for specific exemptions. This control is critical for any business using automated profiling, credit decisions, or employment screening.
What this means
You cannot make binding decisions about individuals based purely on automated processing or profiling without safeguards. This applies to decisions with legal consequences (contract termination, credit denial, hiring rejection) or similarly significant effects (automated discrimination, price discrimination). You must either: obtain explicit consent, establish a lawful contract necessity, or identify another legal basis. Even with a legal basis, data subjects retain the right to request human review, express their perspective, and challenge the decision.
How to comply
- 1.Identify all systems and processes using automated decision-making or profiling that produce legal or significant effects on individuals.
- 2.Document the legal basis for each automated decision system (consent, contract necessity, legal obligation, or other lawful basis).
- 3.Implement a human review mechanism accessible to data subjects to contest or appeal solely automated decisions.
- 4.Provide clear, transparent information to data subjects about automated decision-making in privacy notices and at the point of decision.
- 5.Create a process for data subjects to request human intervention and express their viewpoint on the decision.
- 6.Maintain records of human review requests, contestations, and outcomes for audit and accountability purposes.
- 7.Test automated systems for bias and discriminatory effects; document and remediate any disparate impact.
- 8.Establish a timeline for responding to contestation requests (typically 30 days or per your legal basis terms).
Evidence auditors look for
- Privacy policy or notice explicitly stating the right to human review and decision contestation.
- Documented procedures for receiving, reviewing, and responding to contestation requests.
- Consent forms or records demonstrating explicit opt-in for profiling or automated decisions where consent is the legal basis.
- Audit logs showing human review interventions and decision overrides.
- Impact assessments or bias audits confirming automated systems do not produce discriminatory outcomes.
- Sample decision notifications sent to data subjects explaining the right to contest and how to exercise it.
- Registry or inventory mapping all automated decision-making processes to their legal basis and safeguards.
Frequently asked questions
When will FAQs be available?
The FAQ for this control is currently being prepared.
GRCWatch automates the mapping and monitoring of automated decision-making processes across your systems, tracks consent and legal basis documentation, and maintains audit logs of human review requests and contestations—eliminating manual tracking and reducing Article 22 violation risk.
See how GRCWatch handles this control automatically
Start free trial