EU GDPR Article 22 — Automated Decision-Making & AI Profiling: AI Compliance Requirements
GDPR Article 22 (in force since May 25, 2018) gives EU and EEA residents the right not to be subject to decisions based solely on automated processing — including AI profiling — that produces legal or similarly significant effects (credit scores, hiring, insurance pricing, content moderation). Organizations must inform individuals of automated processing, provide meaningful explanations of logic, implement human review rights, and document their profiling activities. This applies independently from and in addition to the newer EU AI Act.
Key Facts
Effective date: May 25, 2018
Maximum penalty: €20,000,000 or 4% of global annual turnover, whichever is higher (GDPR enforcement)
What Your Business Must Do
4 compliance requirements identified. Critical requirements carry the highest risk of enforcement action.
Automated Decision-Making Disclosure
Critical: Inform EU/EEA individuals (in your privacy policy and at the point of decision) when automated processing is used to make significant decisions about them. Explain the logic involved, the significance, and the envisaged consequences of such processing.
Right to Human Review
Critical: Implement a mechanism for EU/EEA individuals to request human review of automated decisions affecting them, to express their point of view, and to contest the decision. Document your process for handling such requests.
Records of Processing Activities (RoPA) — Profiling
High Priority: Include all AI profiling and automated decision-making activities in your Records of Processing Activities (RoPA) under GDPR Article 30. Document the purpose, legal basis, data categories, retention periods, and safeguards for each AI processing activity.
Data Protection Impact Assessment for AI
High Priority: Conduct a DPIA for AI systems that systematically profile individuals, process sensitive data, or make automated decisions at scale. The DPIA must assess the risk to individual rights and the proportionality and necessity of the processing.
Frequently Asked Questions
Does EU GDPR Article 22 — Automated Decision-Making & AI Profiling apply to my business?
GDPR Article 22 (in force since May 25, 2018) gives EU and EEA residents the right not to be subject to decisions based solely on automated processing, including AI profiling, that produces legal or similarly significant effects (credit scores, hiring, insurance pricing, content moderation). Use ComplianceIQ's free scanner to get a personalized assessment in under 5 minutes.
What is the penalty for non-compliance?
The maximum penalty under EU GDPR Article 22 (Automated Decision-Making & AI Profiling) is €20,000,000 or 4% of global annual turnover, whichever is higher (GDPR enforcement). Fines are typically scaled by company size, the severity of the violation, and whether the violation was willful or accidental.
How do I comply with EU GDPR Article 22 — Automated Decision-Making & AI Profiling?
The 4 requirements above cover the core obligations. The fastest path to compliance is: (1) conduct an AI risk assessment, (2) document your AI systems, (3) implement transparency disclosures where required. ComplianceIQ generates all required documents automatically.
Official Source
https://gdpr-info.eu/art-22-gdpr/
Last updated: 2026-04-12. Verify at the source before relying on this information.