Operationalizing GDPR Art. 22 automated decision-making disclosures at scale
Jurisdiction: EU, DE

Our team is building out the disclosure pipeline for GDPR Article 22 (automated individual decision-making). The legal requirement is clear — data subjects must be informed when decisions with legal or similarly significant effects are made solely by automated processing.

The operational challenge: we run ~15 ML models that touch customer data (fraud scoring, credit pre-screening, content moderation). Some clearly fall under Art. 22, others are borderline (human-in-the-loop but the human almost always rubber-stamps).

How did your compliance teams handle this in practice?

- Did you classify every model and document the classification?
- How granular were your disclosures to data subjects?
- Did you build a unified disclosure UI or embed it per-product?

Looking for peer experience, not legal advice. We have counsel — we need implementation patterns.