GDPR Art. 22 automated decision-making: how did your team document the 'human in the loop'?
We recently completed our first GDPR compliance audit and Art. 22 (automated individual decision-making) was the most time-consuming part. The auditor wanted documentation proving that our automated scoring system had meaningful human oversight — not just a rubber-stamp approval button.

What we ended up providing:

- A decision-flow diagram showing exactly where human judgment enters the pipeline.
- Audit logs showing ~12% of automated decisions were overridden by human reviewers over a 90-day period.
- Training records for the review team (they had to demonstrate understanding of the scoring model's limitations).
- A documented escalation path for data subjects contesting automated decisions.

The auditor accepted it, but noted that 'meaningful human involvement' is still loosely defined in practice.

How did other teams handle Art. 22 documentation? Specifically:

- What evidence satisfied your auditor/regulator?
- Did you build a separate review UI, or integrate it into existing tooling?
- How do you track and report override rates?

Jurisdiction: EU/DE. Not seeking legal advice — just peer experience exchange on what worked during an actual audit.
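On the "how do you track and report override rates" question, here is an added example (not code from the original post) of the kind of report that can be generated from review audit logs: it computes the overall override rate over a 90-day window, breaks it down per reviewer, and flags reviewers whose pattern looks like rubber-stamping (zero overrides, or a median review time of only a few seconds). The JSON-lines log schema, the sample records and the flagging thresholds are all assumptions for the example.

```python
"""Override-rate reporting over automated-decision review logs.

Added example, not from the original post. Assumed schema: one JSON object
per human-reviewed decision with the fields used below. All records are
constructed sample data.
"""
import json
import statistics
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample records (assumed schema, not real audit data).
# d0 lies outside the 90-day window and must be excluded from the report.
SAMPLE_LOG = "\n".join(json.dumps(r) for r in [
    {"decision_id": "d0", "ts": "2023-12-15T10:00:00Z", "reviewer": "alice",
     "model_outcome": "deny", "final_outcome": "approve", "review_seconds": 200},
    {"decision_id": "d1", "ts": "2024-01-08T09:00:00Z", "reviewer": "alice",
     "model_outcome": "deny", "final_outcome": "approve", "review_seconds": 240},
    {"decision_id": "d2", "ts": "2024-01-20T11:30:00Z", "reviewer": "alice",
     "model_outcome": "approve", "final_outcome": "approve", "review_seconds": 180},
    {"decision_id": "d3", "ts": "2024-02-02T14:15:00Z", "reviewer": "alice",
     "model_outcome": "deny", "final_outcome": "deny", "review_seconds": 300},
    {"decision_id": "d4", "ts": "2024-02-10T08:05:00Z", "reviewer": "bob",
     "model_outcome": "deny", "final_outcome": "deny", "review_seconds": 4},
    {"decision_id": "d5", "ts": "2024-02-10T08:05:30Z", "reviewer": "bob",
     "model_outcome": "approve", "final_outcome": "approve", "review_seconds": 3},
    {"decision_id": "d6", "ts": "2024-02-10T08:06:00Z", "reviewer": "bob",
     "model_outcome": "deny", "final_outcome": "deny", "review_seconds": 5},
    {"decision_id": "d7", "ts": "2024-03-05T16:40:00Z", "reviewer": "carol",
     "model_outcome": "deny", "final_outcome": "approve", "review_seconds": 120},
    {"decision_id": "d8", "ts": "2024-03-20T10:10:00Z", "reviewer": "carol",
     "model_outcome": "approve", "final_outcome": "deny", "review_seconds": 90},
])


def parse_log(text):
    """Parse JSON-lines audit records; timestamps become tz-aware datetimes."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        rec = json.loads(line)
        rec["ts"] = datetime.fromisoformat(rec["ts"].replace("Z", "+00:00"))
        records.append(rec)
    return records


def override_report(records, window_end, window_days=90, min_reviews=3,
                    rubber_stamp_seconds=10):
    """Override rate overall and per reviewer for [window_end - window_days, window_end).

    A reviewer with at least min_reviews decisions is flagged as a possible
    rubber stamp when they never overrode the model or their median review
    time is below rubber_stamp_seconds (assumed thresholds).
    """
    window_start = window_end - timedelta(days=window_days)
    in_window = [r for r in records if window_start <= r["ts"] < window_end]

    per_reviewer = defaultdict(lambda: {"reviews": 0, "overrides": 0, "seconds": []})
    for r in in_window:
        s = per_reviewer[r["reviewer"]]
        s["reviews"] += 1
        s["seconds"].append(r["review_seconds"])
        if r["final_outcome"] != r["model_outcome"]:  # human changed the outcome
            s["overrides"] += 1

    reviewers, flagged = {}, []
    for name, s in per_reviewer.items():
        median_s = statistics.median(s["seconds"])
        reviewers[name] = {
            "reviews": s["reviews"],
            "overrides": s["overrides"],
            "override_rate": s["overrides"] / s["reviews"],
            "median_review_seconds": median_s,
        }
        if s["reviews"] >= min_reviews and (s["overrides"] == 0 or median_s < rubber_stamp_seconds):
            flagged.append(name)

    total = len(in_window)
    overrides = sum(v["overrides"] for v in reviewers.values())
    return {
        "window_start": window_start,
        "window_end": window_end,
        "decisions_reviewed": total,
        "overrides": overrides,
        "override_rate": overrides / total if total else 0.0,
        "reviewers": reviewers,
        "possible_rubber_stamp": sorted(flagged),
    }


def sample_report():
    """Run the report over the constructed log with a window ending 2024-03-31."""
    return override_report(parse_log(SAMPLE_LOG), datetime(2024, 3, 31, tzinfo=timezone.utc))


if __name__ == "__main__":
    print(json.dumps(sample_report(), indent=2, default=str))
```

The per-reviewer breakdown is the part worth keeping alongside the headline percentage: an aggregate override rate of ~12% can hide one reviewer who approves everything in three seconds, which is exactly the "rubber-stamp button" an auditor is probing for.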