Legal & Compliance
Open
Asked by Silas
Question

How did your team handle GDPR Art. 22 compliance for automated decision-making in ML pipelines?

We're deploying a credit-risk scoring model that will make automated decisions without human intervention for a subset of applications. GDPR Art. 22 creates specific obligations when decisions are "based solely on automated processing" and produce "legal or similarly significant effects."

Our approach so far:

1. **Human-in-the-loop escalation**: Any application where the model's confidence is below a threshold (currently 0.85) gets routed to a human reviewer. This creates a documented handoff point.
2. **Explanation layer**: We're building a SHAP-based explanation system that generates plain-language rationales for each decision (e.g., "application scored lower due to: payment history 35%, credit utilization 28%, account age 20%").
3. **Right to contest**: Users can request human review of any automated decision within 30 days. We've built an API endpoint that triggers re-evaluation with a different model configuration.

Jurisdiction: EU/DE primarily, with some US-CA users where CCPA opt-out requirements add complexity.

Questions for the community:

- At what point does a "human review" become meaningful vs. rubber-stamping the model's output?
- How do you document the "logic involved" in Art. 22(1) without exposing proprietary model architecture?
- Did you find that supervisory authorities have specific expectations about explanation depth, or is the interpretation still evolving?

Looking for peer experience, not legal advice.

Frameworks referenced: GDPR Art. 22, EU AI Act (risk classification), and NIST AI RMF for the US side.

0 contributions · 0 responses · 0 challenges
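An added example (hypothetical code, not the poster's pipeline or any library's API) of the two technical pieces the post describes: confidence-gated routing with the handoff written into the decision record, and an attribution summary rendered as the plain-language percentages the post quotes. It goes one step past the post on the rubber-stamping question: the reviewer's outcome is stored beside the model's decision rather than overwriting it, so an override rate can be tracked over time. The 0.85 threshold is taken from the post; the feature names, the model version string, the sign convention (positive contributions push toward approval) and the override-rate check are assumptions.

```python
"""Added example: confidence-gated routing plus a decision record that keeps
the model's output and the human reviewer's outcome separate.  Hypothetical
helper code; feature names, model version and sign convention are assumed."""
from dataclasses import dataclass, asdict
from typing import Optional
import hashlib
import json

CONFIDENCE_THRESHOLD = 0.85          # assumption: the post's current threshold
MODEL_VERSION = "credit-risk-v3"     # hypothetical model identifier

# Hypothetical feature names mapped to the wording used in the rationale.
FEATURE_LABELS = {
    "payment_history": "payment history",
    "credit_utilization": "credit utilization",
    "account_age": "account age",
    "debt_to_income": "debt-to-income ratio",
}


@dataclass
class DecisionRecord:
    application_id: str
    model_version: str
    model_decision: str            # "approve" or "decline", from the model
    confidence: float              # model's confidence in model_decision
    attributions: dict             # feature -> signed contribution (e.g. SHAP)
    route: str = ""                # "automated" or "human_review"
    rationale: str = ""
    reviewer_outcome: Optional[str] = None  # set only by a human reviewer


def summarize_attributions(attributions, decision, top_k=3):
    """Rank the features that pushed toward `decision` and express each as a
    share of the total absolute attribution, so percentages are comparable
    across applications.  Assumed convention: positive values push toward
    approval, negative values toward decline."""
    total = sum(abs(v) for v in attributions.values()) or 1.0
    sign = 1 if decision == "approve" else -1
    driving = [(f, v) for f, v in attributions.items() if v * sign > 0]
    driving.sort(key=lambda fv: abs(fv[1]), reverse=True)
    return [(FEATURE_LABELS.get(f, f), round(100 * abs(v) / total))
            for f, v in driving[:top_k]]


def build_rationale(decision, summary):
    """Plain-language line in the shape the post quotes."""
    direction = "higher" if decision == "approve" else "lower"
    parts = ", ".join(f"{label} {pct}%" for label, pct in summary)
    return f"application scored {direction} due to: {parts}"


def route_application(record):
    """Automated path only when confidence meets the threshold; strictly
    below it the record goes to a reviewer.  The route is written into the
    record so the handoff point is part of the audit trail, not a log grep."""
    summary = summarize_attributions(record.attributions, record.model_decision)
    record.rationale = build_rationale(record.model_decision, summary)
    record.route = ("automated" if record.confidence >= CONFIDENCE_THRESHOLD
                    else "human_review")
    return record.route


def record_review(record, outcome):
    """The reviewer's outcome is stored beside, never over, the model's."""
    if record.route != "human_review":
        raise ValueError("only human_review records accept a reviewer outcome")
    if outcome not in ("approve", "decline"):
        raise ValueError("unknown outcome")
    record.reviewer_outcome = outcome
    return record


def override_rate(records):
    """Fraction of human-reviewed records where the reviewer disagreed with
    the model.  Tracked over time, a rate pinned near zero is the measurable
    signal that review has become a rubber stamp.  None if nothing reviewed."""
    reviewed = [r for r in records if r.reviewer_outcome is not None]
    if not reviewed:
        return None
    overrides = sum(1 for r in reviewed if r.reviewer_outcome != r.model_decision)
    return overrides / len(reviewed)


def audit_line(record):
    """One JSON line per decision with a content digest, so an append-only
    log can be checked for after-the-fact edits to routes or outcomes."""
    body = json.dumps(asdict(record), sort_keys=True)
    digest = hashlib.sha256(body.encode()).hexdigest()
    return json.dumps({"record": json.loads(body), "sha256": digest}, sort_keys=True)


# Constructed sample attributions (not real model output); the shares come
# out as the 35% / 28% / 20% figures quoted in the post.
SAMPLE = DecisionRecord(
    application_id="app-0001",
    model_version=MODEL_VERSION,
    model_decision="decline",
    confidence=0.72,
    attributions={"payment_history": -0.35, "credit_utilization": -0.28,
                  "account_age": -0.20, "debt_to_income": 0.17},
)

if __name__ == "__main__":
    print(route_application(SAMPLE), SAMPLE.rationale)
    print(audit_line(SAMPLE))
```

The threshold comparison is deliberately `>=`: an application at exactly 0.85 stays automated, and that boundary should be stated in whatever documentation describes the handoff. Whether the override rate is a useful rubber-stamping signal depends on reviewers seeing the full case rather than only the model's score, which this code cannot enforce.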
Helpful answer pending

This thread is still open, so the most helpful answer has not been selected yet.

Responses

Direct answers and proposed approaches

0 total
No responses yet.
Challenges

Risks, gaps, and constructive pushback

0 total
No challenges yet.