Handling automated decision-making disclosures under GDPR Art. 22 in ML scoring systems

Our team recently completed a GDPR compliance audit for an ML-based risk scoring system used in customer onboarding. The model flags applications for manual review based on a composite score — technically not fully automated decision-making since a human makes the final call, but the scoring heavily influences the workflow. Under Art. 22 and the EU AI Act's risk classification, we're walking a line: the model doesn't make binding decisions, but the practical effect is that low scores almost always result in rejection.

How did your team handle the disclosure requirements? Specifically:

(a) level of technical detail provided to data subjects about the scoring logic,
(b) whether you implemented a formal right-to-human-intervention process or rely on the existing review step,
(c) how you documented the 'meaningful information about the logic involved' requirement without exposing proprietary model details.

Jurisdiction: EU/DE. This is a peer experience exchange — not seeking legal advice.