Legal & Compliance
Asked by Silas
Question

GDPR Art. 22 automated decision-making: profiling in credit scoring pipelines

We're implementing a risk scoring system for B2B customer onboarding in the EU/DE jurisdiction. The pipeline uses ML models to flag high-risk applicants before human review.

Key question from our experience: how are other teams handling the Art. 22(1) vs Art. 22(3) boundary? Our model outputs a risk score (0-100) that triggers either (a) auto-reject at >85, or (b) human review queue for everything else. Legal says this qualifies as an 'automated individual decision with legal or similarly significant effect.'

What we've done so far:
- Implemented the 'right to obtain human intervention' (Art. 22(3))
- Added model explanation output (feature importance) to the review dashboard
- Set a documented threshold rationale (85 = based on historical default rates)

What we're still unsure about:
- Is a score threshold + human review sufficient, or do we need a secondary model review step?
- How do other teams document 'safeguards' for the DPIA? Our DPO wants algorithmic audit trails, but our model is a gradient boosted tree: feature importance is available, but individual prediction attribution is harder.

Sharing our approach to compare notes. Not seeking legal advice; looking for peer experience on what passed actual audits.

This thread is still open, so the most helpful answer has not been selected yet.
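The two technical gaps the post names, per-prediction attribution from a gradient boosted tree and an algorithmic audit trail the DPO can inspect, are illustrated below with an added example that is not part of the original post and not the poster's system. It builds a two-tree toy ensemble from constructed splits and constructed applicant records, attributes each score to features with the path-based method (the change in node value at every split on the root-to-leaf path is credited to the split feature, so bias plus contributions reproduces the score exactly; this is the treeinterpreter-style approach, not SHAP), routes on the post's >85 threshold, and writes every automated decision and every human intervention as a hash-chained audit entry. The feature names, model version string, applicant IDs and reviewer ID are assumptions.

```python
"""Added example: per-decision attribution plus a tamper-evident audit trail for a
tree-ensemble risk score. Trees, applicants and identifiers are constructed, not the
poster's real model or data."""
import hashlib
import json
from dataclasses import dataclass
from typing import Optional


@dataclass
class Node:
    value: float                     # mean prediction at this node (leaf value at leaves)
    feature: Optional[str] = None    # split feature; None marks a leaf
    threshold: float = 0.0           # go left when x[feature] <= threshold
    left: Optional["Node"] = None
    right: Optional["Node"] = None


# Constructed toy ensemble on a 0-100 risk scale: tree 1 carries the baseline,
# tree 2 is a boosting-style residual tree. Feature names are assumed.
TREE_1 = Node(50.0, "days_past_due", 30,
              left=Node(40.0, "years_trading", 2, left=Node(48.0), right=Node(35.0)),
              right=Node(75.0))
TREE_2 = Node(0.0, "credit_utilization", 0.8,
              left=Node(-5.0),
              right=Node(15.0, "years_trading", 2, left=Node(20.0), right=Node(10.0)))
ENSEMBLE = [TREE_1, TREE_2]
THRESHOLD = 85                     # auto-reject strictly above this, as in the post
MODEL_VERSION = "gbt-example-v1"   # placeholder, not the poster's model version


def tree_attribution(tree: Node, x: dict):
    """Walk one tree; credit each change in node value to the feature split on."""
    contrib, node = {}, tree
    while node.feature is not None:
        child = node.left if x[node.feature] <= node.threshold else node.right
        contrib[node.feature] = contrib.get(node.feature, 0.0) + (child.value - node.value)
        node = child
    return node.value, contrib


def score_with_attribution(ensemble, x: dict):
    """Return (score, bias, per-feature contributions); score == bias + sum(contribs)."""
    bias, total = sum(t.value for t in ensemble), {}
    for t in ensemble:
        for f, v in tree_attribution(t, x)[1].items():
            total[f] = total.get(f, 0.0) + v
    return bias + sum(total.values()), bias, total


def decide(x: dict):
    score, bias, contrib = score_with_attribution(ENSEMBLE, x)
    return score, ("auto_reject" if score > THRESHOLD else "human_review"), bias, contrib


def append_entry(log: list, record: dict) -> dict:
    """Chain each entry to its predecessor's hash so later edits are detectable."""
    prev = log[-1]["entry_hash"] if log else "0" * 64
    body = json.dumps({"prev_hash": prev, "record": record}, sort_keys=True)
    entry = {"prev_hash": prev, "record": record,
             "entry_hash": hashlib.sha256(body.encode()).hexdigest()}
    log.append(entry)
    return entry


def log_decision(log: list, applicant_id: str, x: dict) -> dict:
    score, decision, bias, contrib = decide(x)
    return append_entry(log, {
        "type": "automated_decision", "applicant_id": applicant_id,
        "model_version": MODEL_VERSION, "inputs": x, "score": score, "bias": bias,
        "threshold": THRESHOLD, "attribution": contrib, "decision": decision})


def log_human_intervention(log: list, applicant_id: str, reviewer: str,
                           outcome: str, reason: str) -> dict:
    """Art. 22(3) intervention is a new chained entry; the original is never edited."""
    return append_entry(log, {
        "type": "human_intervention", "applicant_id": applicant_id,
        "reviewer": reviewer, "outcome": outcome, "reason": reason})


def verify_chain(log: list) -> bool:
    prev = "0" * 64
    for e in log:
        body = json.dumps({"prev_hash": e["prev_hash"], "record": e["record"]}, sort_keys=True)
        if e["prev_hash"] != prev or hashlib.sha256(body.encode()).hexdigest() != e["entry_hash"]:
            return False
        prev = e["entry_hash"]
    return True


if __name__ == "__main__":
    audit = []   # constructed applicants: one clear reject, one sitting exactly on 85
    log_decision(audit, "APP-001", {"days_past_due": 60, "years_trading": 1, "credit_utilization": 0.95})
    log_decision(audit, "APP-002", {"days_past_due": 60, "years_trading": 8, "credit_utilization": 0.95})
    log_human_intervention(audit, "APP-001", "reviewer-17", "accept", "disputed arrears resolved")
    for e in audit:
        print(json.dumps(e["record"], sort_keys=True))
    print("chain intact:", verify_chain(audit))
```

Two design points matter for the DPIA write-up. First, the override is a separate chained entry that references the applicant, so the reviewer's decision and the model's decision are both preserved and verify_chain() fails as soon as any earlier record is altered. Second, path-based attribution needs an internal-node value (the sample-weighted mean of the leaves beneath it) at every split; boosting libraries typically store only leaf values, so those means have to be computed from training data, or the same record layout can carry SHAP TreeExplainer values instead, which give exact per-prediction attribution for tree ensembles without that step.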

Responses

Direct answers and proposed approaches

No responses yet.
Challenges

Risks, gaps, and constructive pushback

No challenges yet.