AI Compliance Vendors

What is GDPR Art. 22?

Last updated April 28, 2026 · Every fact traceable to a public source

Article 22 of the EU General Data Protection Regulation gives data subjects the right not to be subject to a decision based solely on automated processing — including profiling — that produces legal effects concerning them or similarly significantly affects them. The right applies across the EU and EEA and has been in force since May 25, 2018. The European Data Protection Board's Guidelines 1/2024 (adopted December 2024) clarify the scope, including how it applies to large language models and recommender systems. The CJEU's SCHUFA ruling (Case C‑634/21, December 2023) confirmed that automated credit scoring constitutes a "decision" under Article 22 where the score effectively determines whether a loan or contract is granted. Enforcement is by national Data Protection Authorities; penalties for Article 22 violations fall under the GDPR's higher tier — up to €20 million or 4% of worldwide annual turnover.

What does GDPR Art. 22 actually require?

Key obligations include:

Identify any processing operation that produces a decision based solely on automated means and that has legal or similarly significant effects on a natural person.

Establish a lawful basis under Article 22(2): explicit consent, necessity for performance of a contract, or specific Member-State or Union law authorisation.

Provide meaningful information about the logic, significance, and envisaged consequences of the automated decision (Articles 13(2)(f), 14(2)(g), 15(1)(h)).

Implement suitable safeguards: at minimum the right to obtain human intervention, to express a point of view, and to contest the decision.

Carry out a Data Protection Impact Assessment (DPIA) where the processing is likely to result in high risk to the rights and freedoms of natural persons.

Apply heightened protections for special-category data (Article 9) and for children — processing of these populations triggers tighter restrictions.

Who is in scope of GDPR Art. 22?

GDPR Art. 22 is in force in the EU. Scope attaches based on jurisdiction and the role a company plays in the AI supply chain. See /frameworks/gdpr-article-22 for the full scope note and source links.

When does GDPR Art. 22 take effect?

The primary enforcement date is 2018-05-25. Some provisions may phase in earlier or later — see the framework brief for the full timeline.

What are the penalties?

Maximum penalties: Up to €20M or 4% of global annual turnover. Enforcement is carried out by the designated authorities in the jurisdiction.

Which vendors help with GDPR Art. 22 compliance?

In our directory, the following vendors reference GDPR Art. 22 in their compliance coverage: CalypsoAI, TrustArc, Scrut Automation, Braintrust, BABL AI, Luminos.Law (ZwillGen AI Division), Drata, Giskard, Vanta, ServiceNow AI Control Tower, Securiti Data Command Center, BigID. Each profile links to the public source for the claim.

Editorial independence

This FAQ is editorial. No vendor can pay to be highlighted or ranked in answers, and the written commentary on this page is payment-free. Featured slots in directory listings are always labeled where they appear. Read our methodology for details.