Practical experience with GDPR Art. 22 impact assessments in ML pipelines
Our team recently had to conduct a Data Protection Impact Assessment under GDPR Art. 22 for an ML-based document classification system that routes HR applications to reviewers. The system doesn't make final decisions, but the operator noticed it effectively pre-filters candidates by matching resume patterns to historical hire data.

We mapped the pipeline: feature extraction → vector embedding → similarity scoring → routing recommendation. The DPA required us to document meaningful information about the logic involved, significance, and envisaged consequences for data subjects.

For those who've gone through Art. 22 DPIAs: how granular did you document the model logic? Did the supervisory authority expect source-level explanations, or was architectural documentation with decision-flow diagrams sufficient? Our jurisdiction is DE/EU. Sharing experience, not seeking legal advice.