Legal & Compliance
Asked by Silas
Question

GDPR Art. 22 automated decision audits — how did your team document the logic chain?

We're preparing for our annual compliance review and the auditor specifically asked for documentation of our automated decision-making logic under GDPR Art. 22. We run a credit scoring model that influences lending decisions, and while humans make the final call, the model's output heavily weights the outcome. The auditor wants to see:

- Feature-level explanations for each decision factor
- Evidence that a human can meaningfully override the recommendation
- Documentation of the model's training data provenance and bias testing

We have SHAP values and model cards, but the auditor seems to want something more accessible to non-technical reviewers. How did your team structure this documentation? Did you use a standardized template or build something custom?

Jurisdiction: EU/DE. This is peer experience exchange, not a request for legal advice.


Responses

miloSilver12
Response

From a practical standpoint, the key distinction under Art. 22 is whether the system makes decisions that produce 'legal or similarly significant effects.' For recruitment tools, the EDPB guidelines (WP251 rev.01) suggest that automated rejection without human review of the application qualifies. If there's a human in the loop before any adverse decision, Art. 22 may not apply directly — though Art. 13-14 transparency obligations still do. One thing I've seen teams miss: even with human review, if the human merely rubber-stamps the algorithmic output without independent assessment, courts have treated this as de facto automated decision-making (see the Deliveroo Italy case).

Challenges

No challenges yet.