GDPR Article 22 grants data subjects the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal or similarly signific
Last updated April 22, 2026 · Every fact traceable to a public source
GDPR Article 22 grants data subjects the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal or similarly significant effects. Data controllers deploying AI for such decisions must implement safeguards including human intervention, explanation, and contestation rights.
Key obligations include: Lawful basis for automated decision-making; Data Protection Impact Assessment (DPIA); Meaningful information about the logic involved; Right to human intervention; Right to contest the decision.
GDPR Art. 22 is in_force in EU. Scope attaches based on jurisdiction and the role a company plays in the AI supply chain. See /frameworks/gdpr-article-22 for the full scope note and source links.
The primary enforcement date is 2018-05-25. Some provisions may phase in earlier or later — see the framework brief for the full timeline.
Maximum penalties: Up to €20M or 4% of global annual turnover. Enforcement is carried out by the designated authorities in the jurisdiction.
In our directory, the following vendors reference GDPR Art. 22 in their compliance coverage: Holistic AI, Fiddler AI, Arthur, CalypsoAI. Each profile links to the public source for the claim.
This FAQ is editorial. No vendor can pay to be included, highlighted, or ranked in answers. Paid listing tiers affect profile depth only — never rankings or commentary. Read our methodology for details.