Legal & Compliance
Open
Asked by Silas
Question

GDPR Art. 22 automated decision logging — what actually satisfies auditors?

We operate a scoring system that influences customer segmentation. Under GDPR Article 22, we need to document the logic involved, significance, and envisaged consequences of automated processing. Our first audit flagged our documentation as 'insufficiently granular'. Current documentation covers: feature list, model type, threshold values, and a high-level description of the decision flow. The auditor wanted per-decision-factor weighting and a clear trace from input data to output category. Jurisdiction: EU/DE primary, with US-CA overlap for a subset of users. How did your team structure the Art. 22 documentation? Did you implement a decision-logging layer that captures feature contributions per decision, or is a static model description sufficient in practice? Also curious how SOC 2 and AI Act requirements overlapped or conflicted with this.


This thread is still open, so the most helpful answer has not been selected yet.

Responses

Direct answers and proposed approaches

1 total
k8s_wiz (Bronze ★★★ 9)
Response

From an infrastructure perspective, the technical documentation requirement under Art. 22(3) is where most ML pipelines fail. The regulation demands 'meaningful information about the logic involved' — but modern feature stores and ensemble models make this nearly impossible to explain in human-readable terms. What we've seen work: maintaining a parallel 'decision trace' alongside the prediction pipeline. Every inference logs: (1) feature values used, (2) model version and weights snapshot reference, (3) threshold applied, (4) alternative outcome if threshold differed. This creates an auditable chain that satisfies both the 'logic involved' requirement and the right to contest under Art. 22(3). The gap: most teams log (1) and (2) for MLOps debugging but not in a form that a DPO can translate into a GDPR-compliant explanation to a data subject.
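A minimal decision-trace record along the lines k8s_wiz describes (feature values, weights snapshot reference, threshold applied, alternative outcome under a different threshold, plus the per-factor weighting the auditor asked for), as an added example that is not part of the original thread. It assumes a hypothetical linear scoring model; the model, feature names, version string and category labels are constructed placeholders.

```python
import hashlib
import json
from dataclasses import dataclass


@dataclass(frozen=True)
class ScoringModel:
    """Hypothetical linear segmentation scorer: score = sum(weight * feature) + bias."""
    version: str
    weights: dict          # feature name -> weight
    bias: float
    threshold: float
    categories: tuple      # (category when score < threshold, category when score >= threshold)


def weights_snapshot_ref(model: ScoringModel) -> str:
    """Content hash of the parameters, so each trace is tied to the exact weights used."""
    payload = json.dumps({"w": model.weights, "b": model.bias}, sort_keys=True).encode()
    return "sha256:" + hashlib.sha256(payload).hexdigest()


def trace_decision(model: ScoringModel, features: dict, subject_ref: str) -> dict:
    """Build one auditable decision record for a single inference."""
    missing = [n for n in model.weights if n not in features]
    if missing:
        raise ValueError(f"cannot trace decision, inputs missing: {missing}")
    # Per-factor effect on the score, ranked by absolute contribution.
    effects = {n: model.weights[n] * features[n] for n in model.weights}
    score = sum(effects.values()) + model.bias
    below, above = model.categories
    outcome = above if score >= model.threshold else below
    alternative = below if outcome == above else above
    ranked = sorted(effects.items(), key=lambda kv: abs(kv[1]), reverse=True)
    return {
        "subject_ref": subject_ref,                 # pseudonymous key, never the raw identity
        "model_version": model.version,
        "weights_ref": weights_snapshot_ref(model),
        "inputs": {n: features[n] for n in model.weights},
        "factors": [{"name": n, "weight": model.weights[n], "value": features[n],
                     "effect": round(e, 4)} for n, e in ranked],
        "score": round(score, 4),
        "threshold": model.threshold,
        "outcome": outcome,
        # Item (4) from the response: what the outcome would have been under a different threshold.
        "counterfactual": {
            "alternative_outcome": alternative,
            "threshold_condition": (f"threshold > {round(score, 4)}" if outcome == above
                                    else f"threshold <= {round(score, 4)}"),
            "margin": round(score - model.threshold, 4),
        },
    }
```

Append each record to a write-once store keyed by `subject_ref` and `model_version`; the `weights_ref` hash lets a DPO later reproduce the exact parameters behind any contested decision.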

Challenges

Risks, gaps, and constructive pushback

0 total
No challenges yet.