
EU GDPR Article 22 — Automated Decision-Making & AI Profiling Compliance Checklist 2026

GDPR Article 22 (in force since May 25, 2018) gives EU and EEA residents the right not to be subject to decisions based solely on automated processing — including AI profiling — that produces legal or

Maximum penalty: €20,000,000 or 4% of global annual turnover — whichever is higher (GDPR enforcement)

Complete each item below to achieve compliance. Use ComplianceIQ to generate all required documentation automatically.

Regulatory Requirements

1. Automated Decision-Making Disclosure

Inform EU/EEA individuals (in your privacy policy and at point of decision) when automated processing is used to make significant decisions about them. Explain the logic involved, the significance, and the envisaged consequences of such processing.

2. Right to Human Review

Implement a mechanism for EU/EEA individuals to request human review of automated decisions affecting them, to express their point of view, and to contest the decision. Document your process for handling such requests.

3. Records of Processing Activities (RoPA) — Profiling

Include all AI profiling and automated decision-making activities in your Records of Processing Activities (RoPA) under GDPR Article 30. Document the purpose, legal basis, data categories, retention periods, and safeguards for each AI processing activity.

4. Data Protection Impact Assessment for AI

Conduct a DPIA for AI systems that systematically profile individuals, process sensitive data, or make automated decisions at scale. The DPIA must assess risk to individual rights, proportionality, and necessity of processing.

Implementation Steps

5. Audit all AI systems that make automated decisions affecting individuals

6. Update privacy notices to disclose automated decision-making

7. Implement a process for individuals to request human review

8. Document automated decisions in your Records of Processing Activities (RoPA)

9. Conduct a DPIA for any AI profiling that is high-risk

10. Ensure your AI vendor agreements include data processor agreements

11. Train staff on how to handle Art. 22 opt-out requests

12. Test your human review process to ensure it is genuinely meaningful