GDPR Art. 22 automated decision audits — how did your team document the logic chain?
We're preparing for our annual data protection audit and the auditor flagged our automated credit-scoring pipeline under Art. 22 GDPR. They want to see 'meaningful information about the logic involved' — which sounds straightforward until you're running a gradient-boosted model with 200+ features and SHAP explanations that change per individual case.

What we've done so far:
- Mapped all input features to their data source and lawful basis (Art. 6(1)(b) for contract performance)
- Generated per-decision SHAP reports stored alongside the decision log
- Documented the model training pipeline, feature engineering, and validation metrics

What the auditor still wants:
- A 'human-readable explanation of the decision logic' — not just feature importance, but actual if/then rules or decision boundaries
- Evidence that human reviewers can override the model AND that overrides are tracked

Jurisdiction: DE/EU (we also process UK data subjects under UK GDPR, same framework).

How did other teams handle this? Did you build a rules-extraction layer (decision trees approximating the GBM?), or did the auditor accept SHAP + pipeline documentation? Any DPOs here who can share what passed their audit?
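For the second auditor request (overrides possible and tracked), one way to make the override trail tamper-evident is a hash-chained decision log in which every automated decision points at its stored SHAP report and every human override cites the decision it replaces, the reviewer, and a mandatory reason. This is an added example, not the poster's pipeline; the record fields, the `DecisionLog` class and the sample values are assumptions.

```python
import hashlib
import json

# Added illustration (not the poster's pipeline): a hash-chained decision log storing each
# automated decision with a pointer to its SHAP report and each human override with reviewer
# id and a mandatory reason, so an auditor can confirm overrides happen and nothing was edited.
GENESIS = "0" * 64

class DecisionLog:
    def __init__(self):
        self.records = []
    @staticmethod
    def _digest(record):
        body = {k: v for k, v in record.items() if k != "hash"}
        return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()
    def _append(self, record):  # hash covers the record's fields plus the previous hash
        record = dict(record, prev_hash=self.records[-1]["hash"] if self.records else GENESIS)
        record["hash"] = self._digest(record)
        self.records.append(record)
        return record["hash"]
    def log_decision(self, subject_id, ts, model_score, outcome, top_features, shap_ref):
        # top_features: SHAP contributions shown to the reviewer; shap_ref: the full report.
        return self._append({"type": "decision", "subject_id": subject_id, "ts": ts,
                             "model_score": model_score, "outcome": outcome,
                             "top_features": top_features, "shap_ref": shap_ref})
    def log_override(self, decision_hash, ts, reviewer_id, new_outcome, reason):
        # An override must cite an existing decision and carry a non-empty reason.
        if not any(r["hash"] == decision_hash for r in self.records):
            raise ValueError("override references unknown decision")
        if not reason.strip():
            raise ValueError("override reason is mandatory")
        return self._append({"type": "override", "decision": decision_hash, "ts": ts,
                             "reviewer_id": reviewer_id, "outcome": new_outcome, "reason": reason})
    def verify(self):  # recompute the chain from genesis; any edit, drop or reorder breaks it
        prev = GENESIS
        for r in self.records:
            if r["prev_hash"] != prev or self._digest(r) != r["hash"]:
                return False
            prev = r["hash"]
        return True
    def final_outcome(self, subject_id):  # latest override of the decision wins over the model
        h = outcome = None
        for r in self.records:
            if r["type"] == "decision" and r["subject_id"] == subject_id:
                h, outcome = r["hash"], r["outcome"]
            elif r["type"] == "override" and r["decision"] == h:
                outcome = r["outcome"]
        return outcome
```

The chain alone does not detect truncation of the newest records, so the latest hash should be anchored outside the log (for example in periodic signed checkpoints) if the auditor wants completeness as well as integrity.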