GDPR Article 22: automated decision-making explained

Article 22 of the GDPR gives individuals the right not to be subject to a decision based solely on automated processing that produces legal or similarly significant effects — with three narrow exceptions.

RegulationIn forceEU

GDPR Article 22 — Automated Individual Decision-Making

Article 22 of the EU General Data Protection Regulation gives data subjects the right not to be subject to a decision based solely on automated processing — including profiling — that produces legal effects concerning them or similarly significantly affects them. The right applies across the EU and EEA and has been in force since May 25, 2018. The European Data Protection Board's Guidelines 1/2024 (adopted December 2024) clarify the scope, including how it applies to large language models and recommender systems. The CJEU's SCHUFA ruling (Case C‑634/21, December 2023) confirmed that automated credit scoring constitutes a "decision" under Article 22 where the score effectively determines whether a loan or contract is granted. Enforcement is by national Data Protection Authorities; penalties for Article 22 violations fall under the GDPR's higher tier — up to €20 million or 4% of worldwide annual turnover.

Jurisdiction

Enforcement

May 25, 2018

Maximum penalty

Up to €20M or 4% of global annual turnover

Key obligations

01Identify any processing operation that produces a decision based solely on automated means and that has legal or similarly significant effects on a natural person.
02Establish a lawful basis under Article 22(2): explicit consent, necessity for performance of a contract, or specific Member-State or Union law authorisation.
03Provide meaningful information about the logic, significance, and envisaged consequences of the automated decision (Articles 13(2)(f), 14(2)(g), 15(1)(h)).
04Implement suitable safeguards: at minimum the right to obtain human intervention, to express a point of view, and to contest the decision.
05Carry out a Data Protection Impact Assessment (DPIA) where the processing is likely to result in high risk to the rights and freedoms of natural persons.
06Apply heightened protections for special-category data (Article 9) and for children — processing of these populations triggers tighter restrictions.
07Maintain Records of Processing Activities (Article 30) that document automated decision-making logic, safeguards, and review cadence.

Vendors that support GDPR Art. 22

Sorted by coverage level. Full coverage shown first.

15 vendors

Vendor	HQ	Founded	Size	Pricing	Coverage	Last verified
Scrut Automation	Palo Alto, US	2021	51-200	Contact for pricing	Comprehensive	Apr 24, 2026
Braintrust	San Francisco, US	2023	51-200	Contact for pricing	Comprehensive	Apr 24, 2026
Giskard	Paris, France	2021	11-50	Contact for pricing	Comprehensive	Apr 24, 2026
Aporia	San Jose, US	2019	51-200	Enterprise pricing only. Not publicly listed.	Comprehensive	Apr 27, 2026
Luminos.Law (ZwillGen AI Division)	Washington, DC, US	2019	51-200	Contact for pricing	Partial	Apr 24, 2026
Drata	San Francisco, US	2020	501-1000	Contact for pricing	Partial	Apr 24, 2026
Vanta	San Francisco, USA	2018	500-1000	Contact for pricing	Partial	Apr 26, 2026
ServiceNow AI Control Tower	Santa Clara, USA	2004	1000+	Contact for pricing	Partial	Apr 26, 2026
Securiti Data Command Center	San Jose, USA	2018	500-1000	Contact for pricing	Partial	Apr 26, 2026
BigID	New York, USA	2016	500-1000	Contact for pricing	Partial	Apr 26, 2026
CalypsoAI	Dublin, IE	2018	51-200	Enterprise licensing; contact sales for quote, depending on deployment (SaaS/on-prem/hybrid) and plan.	Partial	Apr 26, 2026
TrustArc	Walnut Creek, US	1997	501-1000	Enterprise subscription; contact sales for quote; modular pricing based on scope and modules	Partial	Apr 26, 2026
Naaia	Louveciennes, FR	2021	11-50	No public pricing tiers; demo and quote requested via website.	Partial	Apr 27, 2026
BABL AI	Iowa City, US	2018	11-50	Contact for pricing	Adjacent	Apr 24, 2026
2021.AI	Copenhagen, DK	2016	51-200	Contact for pricing	Adjacent	Apr 27, 2026

Frequently asked

In-depth answers about GDPR Art. 22.

What does GDPR Article 22 require?

Compare across industries

See which vendors support GDPR Art. 22 in your sector.

GDPR Art. 22 in Defense & National Security GDPR Art. 22 in Education GDPR Art. 22 in Employment & HR GDPR Art. 22 in Energy & Utilities GDPR Art. 22 in Financial Services GDPR Art. 22 in Government & Public Sector GDPR Art. 22 in Healthcare GDPR Art. 22 in Insurance GDPR Art. 22 in Legal Services GDPR Art. 22 in Manufacturing GDPR Art. 22 in Media & Entertainment GDPR Art. 22 in Retail & E-commerce GDPR Art. 22 in SaaS & Technology GDPR Art. 22 in Telecommunications

Last verified April 28, 2026. Informational summary only — not legal advice. Consult qualified counsel for specific obligations.