Art. 22 automated decision-making: how did your team document the human-in-the-loop process for GDPR audits?
We recently went through a GDPR audit focused on Art. 22 (automated individual decision-making, including profiling). Our product uses ML-based risk scoring for B2B customer onboarding — scores below a threshold trigger manual review, above it gets auto-approved.

The auditor's main concern wasn't the model itself, but the documentation of the human-in-the-loop process:

1. How is the manual review actually conducted? (What does the reviewer see? Can they override? Is the override logged?)
2. What's the escalation path when the reviewer disagrees with the model?
3. How do you prove the human decision was meaningful and not just a rubber-stamp?

Our setup:

- Model outputs a risk score 0-100 with top-5 contributing features
- Threshold: < 70 → manual review queue, ≥ 70 → auto-approve
- Reviewers are trained ops staff, not data scientists
- Override decisions are logged with a mandatory comment field

The auditor flagged that our documentation described the model well but was thin on the human process. They specifically asked for:

- Screenshots of the review interface (showing what information is presented)
- Evidence of actual overrides (we had a 12% override rate, which was good)
- Training records for reviewers

Curious how other teams handled this, especially:

- Did you build a dedicated review UI or use existing tooling?
- How did you handle the "right to explanation" for affected individuals?
- Any SOC 2 / ISO 27001 auditors who cross-referenced GDPR Art. 22 with your existing controls?

Jurisdiction: EU/DE primarily, but the system serves UK and US-CA customers too.
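One way to make the override log and the "not a rubber-stamp" evidence concrete, as an added example that is not code from the original post: it keeps the post's 70 threshold and mandatory override comment, while the record fields, the minimum review time and comment length used as rubber-stamp heuristics, and the sample data are assumptions.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

THRESHOLD = 70  # score >= 70 auto-approves; below it goes to the manual review queue

@dataclass
class ReviewRecord:  # one audit-log row per onboarding decision; the field set is an assumption
    case_id: str
    model_score: int                         # 0-100 risk score
    top_features: List[str]                  # the top-5 contributing features shown to the reviewer
    model_recommendation: str                # "approve"/"reject" as presented to the reviewer
    reviewer_id: Optional[str] = None        # None when the case was auto-approved
    reviewer_decision: Optional[str] = None  # "approve"/"reject" after manual review
    review_seconds: Optional[float] = None   # how long the case was open in the review UI
    comment: str = ""                        # mandatory whenever the reviewer overrides

def route(score: int) -> str:  # threshold routing as described in the post
    return "auto_approve" if score >= THRESHOLD else "manual_review"

def is_override(r: ReviewRecord) -> bool:
    return r.reviewer_decision is not None and r.reviewer_decision != r.model_recommendation

def validate(r: ReviewRecord) -> None:
    """The log must refuse an override that carries no justification."""
    if is_override(r) and not r.comment.strip():
        raise ValueError(f"{r.case_id}: override recorded without a comment")

def audit_summary(records: List[ReviewRecord], min_seconds: float = 30.0,
                  min_comment_chars: int = 20) -> Dict[str, object]:
    """Override rate plus cases that look like rubber-stamps (both limits are assumptions)."""
    reviewed = [r for r in records if r.reviewer_decision is not None]
    findings = []
    for r in reviewed:
        if r.review_seconds is not None and r.review_seconds < min_seconds:
            findings.append((r.case_id, "closed faster than minimum review time"))
        if is_override(r) and len(r.comment.strip()) < min_comment_chars:
            findings.append((r.case_id, "override justification too short"))
    overrides = sum(1 for r in reviewed if is_override(r))
    return {"reviewed": len(reviewed), "overrides": overrides, "findings": findings,
            "override_rate": overrides / len(reviewed) if reviewed else 0.0}

def sample_records() -> List[ReviewRecord]:
    """Constructed sample: 25 manual-review cases, 3 overrides, two of which should be flagged."""
    good = "Verified company registry extract; the flagged features were stale"
    return [ReviewRecord(
        case_id=f"case-{i:03d}", model_score=40 + i, top_features=["f1", "f2", "f3", "f4", "f5"],
        model_recommendation="reject", reviewer_id="ops-7",
        reviewer_decision="approve" if i in (3, 11, 19) else "reject",
        review_seconds=5.0 if i == 11 else 120.0,
        comment=("ok" if i == 19 else good) if i in (3, 11, 19) else "") for i in range(25)]
```

Run `audit_summary(sample_records())` to get the override rate and the two flagged cases an auditor would ask about.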