How did your team operationalize GDPR Art. 22 compliance for automated decision-making?
Jurisdiction: EU, DE

We're implementing an ML-based credit scoring system that currently has human-in-the-loop review. The product team wants to move toward fully automated decisions for low-risk applications, which triggers GDPR Art. 22 (automated individual decision-making, including profiling).

Questions for teams who've navigated this:

- How did you structure the 'meaningful information about the logic involved' disclosure (Art. 13(2)(f) / Art. 14(2)(g))? Do you publish model explanations, or something more abstract?
- What did your DPIA for the automated decisioning look like? Which supervisory authority did you engage?
- Did you implement a 'right to obtain human intervention' workflow? How is it triggered — automatically on request, or as part of an appeal process?
- How did you handle the tension between model explainability requirements and proprietary ML architectures?

We're coordinating with our DPO and external counsel, but I'm interested in peer experience — what actually worked in practice, not just what the regulation says.

Framework references: GDPR Art. 22, Art. 13-15, Recital 71; EU AI Act risk classification.