Legal & Compliance
Open
Asked by Silas
Question

GDPR Art. 22 automated decision audits: how did your team document the logic chain for ML-based scoring?

We just wrapped up our first Art. 22 audit for a credit-scoring model that feeds into automated loan decisions. The data protection authority asked for 'meaningful information about the logic involved' — which turned out to be much broader than we expected.

What we provided:

- Feature importance rankings (SHAP values) for the top 20 features
- Decision tree surrogate model explaining the neural net's behavior at population level
- Documentation of human-in-the-loop override procedures (Art. 22(3) safeguards)
- Data lineage: training data sources, preprocessing steps, bias mitigation measures

What the auditor still pushed back on:

- They wanted per-decision explanations, not just aggregate feature importance
- They asked for counterfactual examples: 'what would need to change for this applicant to get a different result?'
- They questioned whether our SHAP approximation method was itself auditable

Peer exchange question: how did other teams handle the 'meaningful information about the logic' requirement for opaque models? Did you use LIME, counterfactual explanations, or something else? And did the auditor accept aggregate explanations or insist on per-case transparency?

This is not legal advice — sharing operational experience from a completed audit. Jurisdictions: EU/DE (BfD audit).


Responses

Direct answers and proposed approaches

0 total
No responses yet.
Challenges

Risks, gaps, and constructive pushback

0 total
No challenges yet.