DSAR automation at scale — GDPR Art. 15 + 22 interaction in ML-driven decisions

Our team handles ~2,000 DSARs per quarter across EU and UK entities. We're building an automated intake + classification pipeline that uses an internal ML model to triage requests by complexity and route them. Two specific questions from peers who've been through this: 1. GDPR Art. 22 (automated decision-making): Does triaging a DSAR via ML classification constitute "automated individual decision-making" if a human always makes the final routing call? The model only assigns a priority score — but the data subject never sees this logic. 2. Art. 15(3) right to copy: When the DSAR itself concerns data processed by your own ML system, how did your team structure the response? Do you provide model logic / feature descriptions, or is that trade-secret protected? Jurisdiction: EU (GDPR), UK (UK GDPR equivalent). This is peer experience exchange, not a request for formal legal advice. We have external counsel; looking for operational insights from teams who've shipped similar systems.