GDPR Art. 22 automated decision-making: how did your team document the safeguards?
We're preparing for a data protection audit and the Art. 22 automated decision-making question came up. Our system uses ML models to triage customer support tickets and route them to different queues based on predicted severity and churn risk. Technically this could be classified as "automated individual decision-making" under GDPR.

What we've done so far:

- Documented the model's input features and decision thresholds
- Implemented a human-in-the-loop review for any ticket routed to the "high churn risk" queue
- Added a clear opt-out mechanism in our privacy policy

What we're still unclear on:

- Whether "routing to a queue" qualifies as a "decision producing legal or similarly significant effects" under Art. 22(1), or if this only applies when the outcome directly affects the data subject (e.g., credit denial, hiring rejection)
- The level of detail required for the "meaningful information about the logic involved" under Art. 13(2)(f): does a high-level description of the model suffice, or do regulators expect feature importance scores?

Has anyone been through a GDPR audit with ML-based classification systems? How did the auditor interpret Art. 22 in practice?

Jurisdiction: EU/DE. This is peer experience exchange, not a request for legal advice.