GDPR Article 22 vs EU AI Act: How Automated Decision Rules Overlap
GDPR Article 22 and the EU AI Act both regulate automated decisions. After the Schufa CJEU ruling, the overlap is sharper than ever. Here is what triggers each regime.
By AI Compliance Vendors Editorial · May 17, 2026 · 11 min read · Last reviewed May 17, 2026
GDPR Article 22 has been on the books since May 25, 2018. The EU AI Act entered into force in August 2024 and its high-risk rules will bite in waves through 2027 and 2028. Both regulate automated decisions about people. They do it in different ways with different triggers and different remedies. After the CJEU's December 2023 Schufa ruling and the May 2026 AI Omnibus, the overlap is now the most important compliance question for any organisation deploying AI in employment, credit, insurance, public services, or education.
This guide walks through GDPR Article 22's prohibition and exceptions, the Schufa ruling and what it actually changed, EU AI Act Article 14 human oversight, and where the two regimes stack.
GDPR Article 22(1) is a prohibition, not a right to object
The headline of Article 22(1) GDPR: data subjects have "the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her or similarly significantly affects him or her" (A&O Shearman).
The key word, established by the CJEU in Schufa, is prohibition. Article 22(1) is not merely a right an individual can invoke. It is a prohibition the controller has to clear before processing, regardless of whether a data subject ever asks. That changes the burden of proof. The controller has to demonstrate one of the three exceptions in Article 22(2) applies, not wait for a complaint.
Three conditions trigger Article 22(1):
- A decision must be made.
- It must be based solely on automated processing, including profiling.
- It must produce legal effects or similarly significantly affect the individual (IAPP).
All three conditions are doing work after Schufa, and condition 1 most of all: the court widened what counts as a "decision" to include an intermediate output, such as a score, that a downstream party relies on heavily.
The three exceptions in Article 22(2)
Even when Article 22(1) applies, processing is permitted if one of the three exceptions in Article 22(2) is met:
- 22(2)(a): the decision is necessary for entering into, or for the performance of, a contract between the data subject and a data controller;
- 22(2)(b): the decision is authorised by EU or member-state law subject to appropriate safeguards;
- 22(2)(c): the decision is based on the data subject's explicit consent.
Where (a) or (c) apply, Article 22(3) requires the controller to implement suitable safeguards, which must at minimum include: (i) the right to obtain human intervention on the part of the controller, (ii) the right to express one's point of view, and (iii) the right to contest the decision (IAPP / A&O Shearman). Article 22(4) adds a further gate that is easy to miss: a decision relying on any of the three exceptions may not be based on special category data unless Article 9(2)(a) (explicit consent) or 9(2)(g) (substantial public interest) applies and suitable safeguards are in place.
Those three safeguards are the operational backbone of Article 22 compliance in practice. They are what your customer-service workflow, model documentation, and grievance procedure have to deliver.
The Schufa ruling (Case C-634/21, December 7 2023)
The CJEU's Schufa decision was the most important automated-decisions ruling since the GDPR took effect. The court ruled that a credit reference agency's automated calculation of a credit score constitutes "automated individual decision-making" under Article 22(1) GDPR when a third party draws strongly on that score to establish, implement, or terminate a contractual relationship (A&O Shearman / JULIA Project).
Two broader impacts of Schufa:
First, the concept of "decision" is broad. It includes intermediate outputs like credit scores if a downstream decision-maker relies heavily on them. A human formally signing off on a decision does not escape Article 22 if in practice they defer entirely to the algorithm (Legiscope). That was already the WP29/EDPB position on "solely automated" (token human involvement does not count), and Schufa's "draws strongly on" test points the same way. Rubber-stamping is automation.
Second, the ruling confirmed that Article 22(1) is a prohibition in principle, so an infringement does not need to be invoked by an individual data subject before a DPA can act. In the companion judgments delivered the same day, the CJEU also held that a DPA's decision on a complaint is subject to full judicial review (A&O Shearman).
The practical consequence for any vendor of risk-scoring, credit-scoring, or AI-driven recommendation tools is that the legal exposure now includes both the model output and the downstream decisions that depend on it. "We only produce a score, the human makes the decision" is no longer a clean defence if the human defers.
EU AI Act Article 14: human oversight, but as a system requirement
The EU AI Act tackles a similar problem from a different angle. Article 14 requires high-risk AI systems to be designed with appropriate human-machine interface tools so they can be effectively overseen by natural persons during use (artificialintelligenceact.eu). Deployers must ensure oversight measures are implemented.
The overlap with GDPR Article 22 is clean and complementary. Article 22 is a prohibition owed to the individual data subject, with individual safeguards attached. Article 14 is a systemic design requirement on the AI system itself, placed on the provider at design time and on the deployer in operation. Both apply cumulatively (CookieYes).
Article 14(4) spells out what the human overseer must be enabled to do. Point (d) is the headline power: the overseer must be able to decide, in any particular situation, not to use the AI system, or to otherwise disregard, override, or reverse its output (artificialintelligenceact.eu). Point (e) adds the ability to intervene in the system's operation or interrupt it through a "stop" button or similar procedure, and point (b) requires the overseer to remain aware of automation bias, the tendency to rely or over-rely on the system's output. That last point is the AI Act's answer to the rubber-stamping problem Schufa exposes under Article 22. All of this is more than the GDPR's right-to-contest. It is a positive design requirement that the system must accommodate override.
For remote biometric identification systems falling under Annex III point 1(a), Article 14(5) requires that the deployer takes no action or decision on the basis of an identification unless it has been separately verified and confirmed by at least two natural persons with the necessary competence, training and authority. Two-person verification is the strictest oversight bar in the Act. The one caveat: Union or member-state law may disapply it for law enforcement, migration, border control and asylum uses where it would be disproportionate.
How Annex III high-risk categories map to Article 22 territory
The AI Act's Annex III high-risk list and GDPR Article 22's significant-effects threshold overlap heavily. The most obvious overlap categories:
- Employment and recruitment (Annex III, point 4). CV-sorting, interview scheduling, promotion and termination tools, performance monitoring. These are textbook automated HR decisions with significant effects (EU Commission). See our NYC Local Law 144 guide for the parallel US framework.
- Credit scoring and creditworthiness (Annex III, point 5(b)). Schufa territory exactly. Credit scoring AI used to establish or refuse contractual relationships triggers both regimes.
- Access to essential public services and benefits (Annex III, point 5(a)). Eligibility determinations for public assistance benefits and services, including healthcare, carry significant effects. Private services such as housing can carry significant effects under Article 22 even where Annex III does not list them separately.
- Life and health insurance (Annex III, point 5(c)). AI used for risk assessment and pricing overlaps with both regimes (A&O Shearman). See our AI compliance tools for insurers guide.
For any of these, you should expect both Article 22 obligations and AI Act Article 14 obligations to apply. Note the interaction with the Article 6(3) carve-out: an Annex III system can escape high-risk classification where it poses no significant risk (for example, a narrow procedural or preparatory task), but Article 6(3) also provides that an Annex III system that performs profiling of natural persons is always high-risk. Since profiling is exactly what pulls a system into Article 22(1), a use case inside Article 22 territory will rarely be able to rely on that carve-out.
The DPIA plus FRIA dual requirement
Processing that falls within Article 22(1) typically requires a Data Protection Impact Assessment under Article 35 GDPR. Article 35(3)(a) lists "a systematic and extensive evaluation of personal aspects" based on automated processing, including profiling, on which decisions with legal or similarly significant effects are based as an explicit DPIA trigger, and WP29/EDPB guidance reinforces this (Legiscope).
If the same AI system also qualifies as high-risk under the EU AI Act, a Fundamental Rights Impact Assessment (FRIA) under AI Act Article 27 may be required in addition. The FRIA duty does not fall on every high-risk deployer: Article 27(1) applies it to deployers that are bodies governed by public law or private entities providing public services, and to deployers of the Annex III point 5(b) and 5(c) systems (creditworthiness and life/health insurance). A private employer running a CV-screening tool, for instance, owes a DPIA but not a FRIA. Where both apply, Article 27(4) provides that the FRIA complements the DPIA rather than duplicating it (CookieYes). Most large deployers in scope should integrate the two into a single combined assessment with clearly mapped sections.
A combined DPIA+FRIA template should cover: (i) the data processing description and lawful basis, (ii) the AI system description and intended purpose, (iii) the significant effects on data subjects and fundamental rights, (iv) the safeguards including human intervention, transparency, and right-to-contest, and (v) the bias and fairness testing approach. That last bullet is also where the AI Omnibus's clarification on using GDPR special category data for bias detection lands.
Penalties stack
GDPR Article 22 violations fall under Article 83(5) GDPR with administrative fines up to €20 million or 4% of total worldwide annual turnover, whichever is higher.
EU AI Act Article 14 violations fall under Article 99(4) AI Act with administrative fines up to €15 million or 3% of total annual worldwide turnover, whichever is higher. The fine lands on whichever operator breached its own obligation: the provider for failing to design the system for oversight (Article 16), the deployer for failing to assign and implement oversight in operation (Article 26(2)).
The two regimes do not consume each other. A single AI deployment that fails both the GDPR Article 22 prohibition and AI Act Article 14 design requirements can attract both fines. That is the worst-case stack. Realistically, regulators coordinate. Expect one lead authority to take primary enforcement and other authorities to defer or coordinate through the European Data Protection Board and the AI Office.
A practical compliance playbook
If your AI touches employment, credit, insurance, public services, or any other Annex III category:
- Map every use case where AI output materially drives a decision that affects a person. Apply the Schufa test: would the human approver realistically diverge from the AI?
- For each mapped use case, document the Article 22(2) exception relied on (contract necessity, explicit consent, or Union or member-state law authorisation) alongside the Article 6 lawful basis for the underlying processing, and check Article 22(4) if any special category data feeds the decision.
- Design and operate the three safeguards: human intervention, point-of-view expression, right to contest. Build them into the product, not just policy.
- If the AI also falls under Annex III, layer the AI Act Article 14 oversight: who the human overseer is, what they can override, what training they have, and how decisions are documented.
- Run a combined DPIA + FRIA. Update annually or after material changes.
- For bias testing, document the necessity test. AI Act Article 10(5) already permits providers of high-risk systems to process special category data where strictly necessary for bias detection and correction, subject to listed safeguards; the AI Omnibus carve-out described above extends that logic on the GDPR side.
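The Schufa test in the first playbook step ("would the human approver realistically diverge from the AI?") and the rubber-stamping point in the Schufa section above are easier to evidence from decision logs than from policy documents. The following is an added example, not code from the original article or from any regulator or vendor, of an audit that a deployer could run over its own review logs. It assumes a hypothetical CSV log format (case id, reviewer, model recommendation, final human decision, seconds spent before sign-off) and uses illustrative thresholds that are assumptions, not legal standards. The sample log is constructed inline.

```python
"""Rubber-stamp audit over AI-assisted decision logs.

Added example, not code from the original article. The log format and
the thresholds below are assumptions for illustration only.
"""
import csv
import io
from dataclasses import dataclass
from statistics import median


@dataclass
class Decision:
    case_id: str
    reviewer: str
    model_rec: str         # outcome the AI system recommended
    final: str             # outcome the human reviewer actually recorded
    review_seconds: float  # time between seeing the recommendation and signing off


@dataclass
class ReviewerStats:
    reviewer: str
    decisions: int
    overrides: int
    override_rate: float
    median_seconds: float
    verdict: str  # "rubber_stamp", "check", "meaningful" or "insufficient_sample"


def parse_log(text: str) -> list[Decision]:
    """Parse the hypothetical CSV decision log (assumed format)."""
    rows = csv.DictReader(io.StringIO(text))
    return [
        Decision(r["case_id"], r["reviewer"], r["model_rec"].strip().lower(),
                 r["final"].strip().lower(), float(r["review_seconds"]))
        for r in rows
    ]


def audit(decisions, min_override_rate=0.05, min_median_seconds=30.0, min_sample=20):
    """Per-reviewer test of whether human review is more than token.

    Two signals, both illustrative assumptions: how often the reviewer
    diverges from the model, and how long they spend before signing off.
    Both signals low over a large enough sample -> rubber stamp.
    One signal low -> needs a closer look. Too few cases -> no verdict.
    """
    by_reviewer: dict[str, list[Decision]] = {}
    for d in decisions:
        by_reviewer.setdefault(d.reviewer, []).append(d)

    stats = {}
    for reviewer, ds in by_reviewer.items():
        n = len(ds)
        overrides = sum(1 for d in ds if d.final != d.model_rec)
        rate = overrides / n
        med = median(d.review_seconds for d in ds)
        low_rate = rate < min_override_rate
        too_fast = med < min_median_seconds
        if n < min_sample:
            verdict = "insufficient_sample"
        elif low_rate and too_fast:
            verdict = "rubber_stamp"
        elif low_rate or too_fast:
            verdict = "check"
        else:
            verdict = "meaningful"
        stats[reviewer] = ReviewerStats(reviewer, n, overrides, rate, med, verdict)
    return stats


def solely_automated_share(stats) -> float:
    """Share of all logged decisions that were, in practice, solely automated."""
    total = sum(s.decisions for s in stats.values())
    flagged = sum(s.decisions for s in stats.values() if s.verdict == "rubber_stamp")
    return flagged / total if total else 0.0


# Constructed sample log: alice signs off in 4 s and never diverges; bob
# overrides one case in five and reads each file; carol has too few cases;
# dave reads carefully but never diverges and so deserves a closer look.
SAMPLE_LOG = (
    "case_id,reviewer,model_rec,final,review_seconds\n"
    + "".join(f"c{i},alice,reject,reject,4\n" for i in range(25))
    + "".join(f"c{100 + i},bob,reject,{'approve' if i % 5 == 0 else 'reject'},{90 + i}\n"
              for i in range(25))
    + "".join(f"c{200 + i},carol,approve,approve,60\n" for i in range(5))
    + "".join(f"c{300 + i},dave,reject,reject,120\n" for i in range(20))
)

if __name__ == "__main__":
    results = audit(parse_log(SAMPLE_LOG))
    for s in results.values():
        print(f"{s.reviewer:6} n={s.decisions:3} override_rate={s.override_rate:.2f} "
              f"median_s={s.median_seconds:6.1f} -> {s.verdict}")
    print(f"share of decisions effectively solely automated: {solely_automated_share(results):.2f}")
```

A reviewer flagged as a rubber stamp means the decisions they signed are, for Article 22 purposes, best treated as solely automated, so the Article 22(2) exception and Article 22(3) safeguards must be in place for them. The same numbers serve as evidence of Article 14(4)(b) automation-bias awareness for the deployer's oversight records.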
If you operate in Germany, expect particularly active DPA enforcement after Schufa. If you operate in France, the CNIL has been signalling Article 22 enforcement priorities since 2024. The Italian Garante has also issued public guidance on AI and automated decisions.
For the broader Act landscape, see our EU AI Act framework page and the deadline extension explainer. For the Article 50 transparency rules that often co-apply with Article 22, our Article 50 deep dive breaks down the chatbot, deepfake, and watermarking obligations.
One note on direction of travel. The CJEU has two more automated-decisions cases pending that will further sharpen Article 22's perimeter. Treat Schufa as a floor on Article 22's reach, not a ceiling.
References
- A&O Shearman. CJEU Rules That a Credit Score Constitutes Automated Decision-Making Under the GDPR. January 10, 2024. https://www.aoshearman.com/en/insights/ao-shearman-on-data/cjeu-rules-that-a-credit-score-constitutes-automated-decision-making-under-the-gdpr
- IAPP. Key Takeaways from the CJEU's Recent Automated Decision-Making Rulings. December 19, 2023. https://iapp.org/news/a/key-takeaways-from-the-cjeus-recent-automated-decision-making-rulings
- JULIA Project. CJEU Case C-634/21 case summary. https://www.julia-project.eu/database/case-law/216
- artificialintelligenceact.eu. Article 14 — Human oversight. https://artificialintelligenceact.eu/article/14/
- CookieYes. GDPR and AI Act overlap. https://www.cookieyes.com/blog/gdpr-ai-act/
- Legiscope. GDPR Article 22 — Automated decision-making. https://www.legiscope.com/blog/gdpr-article-22-automated-decision-making.html
- A&O Shearman. Zooming In on AI 10 — EU AI Act Obligations for High-Risk AI Systems. https://www.aoshearman.com/en/insights/ao-shearman-on-tech/zooming-in-on-ai-10-eu-ai-act-what-are-the-obligations-for-high-risk-ai-systems
- European Commission. Regulatory framework for AI. https://digital-strategy.ec.europa.eu/en/policies/regulatory-framework-ai