In forceEU

GDPR Article 22 — Automated Individual Decision-Making

GDPR Article 22 grants data subjects the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal or similarly significant effects. Data controllers deploying AI for such decisions must implement safeguards including human intervention, explanation, and contestation rights.

Jurisdiction

EU

Enforcement

May 25, 2018

Maximum penalty

Up to €20M or 4% of global annual turnover

Key obligations

  • 01Lawful basis for automated decision-making
  • 02Data Protection Impact Assessment (DPIA)
  • 03Meaningful information about the logic involved
  • 04Right to human intervention
  • 05Right to contest the decision

Vendors that support GDPR Art. 22

Sorted by coverage level. Full coverage shown first.

4 vendors

VendorHQFoundedSizePricingCoverageLast verified
ArthurNew York, United States201851-200Shield has a free tier; enterprise monitoring is contact-only.PartialApr 21, 2026
CalypsoAISan Mateo, United States201851-200Enterprise only.PartialApr 21, 2026
Holistic AILondon, United Kingdom202051-200Enterprise-only with modular pricing by use case.PartialApr 21, 2026
Fiddler AIPalo Alto, United States201851-200Contact for pricingPartialApr 21, 2026

Compare across industries

See which vendors support GDPR Art. 22 in your sector.

Last verified April 21, 2026. Informational summary only — not legal advice. Consult qualified counsel for specific obligations.