Operationalizing Art. 22 GDPR automated decision-making disclosures at scale
We're building a credit-risk scoring system that uses ML models to recommend approval/denial thresholds. Under GDPR Art. 22, data subjects have the right not to be subject to purely automated decisions with legal or similarly significant effects. Our legal team wants clear disclosure: what logic is applied, what significance, and what envisaged consequences. But the model is a gradient-boosted ensemble with 400+ features, and explaining it in plain language without oversimplifying is genuinely hard.

How did your compliance team operationalize this? Specifically:

1. Do you provide feature-level explanations (SHAP values) or higher-level "we use X factors" summaries?
2. How do you handle the "right to human intervention" requirement in a high-volume pipeline (10k+ decisions/day)?
3. What documentation artifacts have your DPA found sufficient during audits?

We're aware of the EU AI Act's additional transparency requirements for high-risk systems. Interested in how teams have bridged GDPR Art. 22 and the AI Act's obligations without duplicating documentation.

Jurisdiction: DE, EU