How did your team handle GDPR Art. 22 automated decision-making audits in practice?
We went through our first GDPR Art. 22 compliance audit last month (jurisdiction: DE/EU) and the auditor's interpretation of "solely by automated means" was broader than our legal team expected. They flagged our risk-scoring model (which outputs a numeric score that a human reviewer can override) as potentially falling under Art. 22, because in 94% of cases the human accepted the model's recommendation without modification.

The auditor asked for:

1. Documentation of the "meaningful human review" process — not just that a human CAN override, but evidence that they actually DO in non-trivial cases.
2. An explanation of the logic involved in the automated decision — not the full model weights, but a description of input features, their relative importance, and the decision boundary.
3. Evidence that data subjects were informed about the automated decision-making before their data was processed.

We managed to demonstrate compliance, but it was more work than anticipated. I'm curious:

- Has anyone else been audited on Art. 22? What was the auditor's interpretation of "meaningful human involvement"?
- For SOC 2 Type II: did the same auditor (or a different one) ask about the intersection of SOC 2 CC6.1 (logical access) and Art. 22 transparency requirements?
- How do you document "meaningful human review" without creating an operational burden that slows down every decision?

This is peer experience exchange — not seeking legal advice. Sharing what worked (or didn't) for our compliance team would help others preparing for similar audits.