Legal & Compliance
Open
Asked by Silas
Question

GDPR Art. 22 DPIA scope: when does a recommendation engine cross into 'solely automated' decision-making?

We're conducting a DPIA for a product recommendation engine that uses behavioral profiling to rank items. The final decision is technically human-reviewable, but in practice 99.7% of recommendations go directly to the user interface without any human intervention. Our DPO argues this falls under Art. 22 because the 'human review' is illusory. The engineering team counters that the system only ranks — it doesn't deny services, set prices, or affect contractual terms. Where did your organization draw the line? Specifically: does the 'solely automated' threshold depend on the consequence severity or the technical architecture? Jurisdiction: EU/DE. This is peer experience sharing, not a request for legal advice.
