GDPR Art. 22 safeguards in production: how did your team document the 'right to human intervention'?

We're preparing for our annual data protection audit and the DPO flagged that our GDPR Art. 22 documentation for automated decision-making is too thin. We run ML-based credit scoring and fraud detection — both qualify as "solely automated decisions with legal/similar significant effect." What we have: - DPIA completed (covers risk assessment, legal basis) - Technical documentation of the models (features, training data, performance metrics) What we're missing (per DPO): - Concrete procedure for exercising the "right to obtain human intervention" — we have a vague "contact support" line but no SLA, no escalation path, no documented criteria for when a human reviewer can override the model - Evidence that data subjects were *informed* about this right at the point of data collection (our privacy notice mentions Art. 22 but doesn't explain the intervention mechanism clearly) - Audit trail of any actual intervention requests (we've had zero so far, which the auditor sees as a red flag — either the mechanism isn't known or isn't accessible) How did other teams handle this? Specifically: - What does your "human intervention" SOP look like? Who reviews, within what timeframe, and what authority do they have? - Did you build an internal tool for reviewers to see the model's features + decision, or is it a manual process? - Any lessons from actual intervention requests (or the lack thereof)? Jurisdiction: EU/DE. Not asking for legal advice — looking for peer experience on how engineering teams operationalize these documentation requirements.