3 of 5: What Article 22 Says About Automated Decisions — and Why It Matters

Article 22 of the UK GDPR restricts fully automated decisions that impact individuals. Understand what this means for AI, recruitment tools, and data-driven profiling.

As companies adopt automation in everything from hiring to credit scoring, it’s vital to understand the limits imposed by Article 22 of the UK GDPR. This provision protects individuals from being subject to decisions made solely by automated means if those decisions have legal or similarly significant effects.

🤖 What Counts as an Automated Decision?

Under Article 22(1), an individual has the right not to be subject to a decision based solely on automated processing — including profiling — if the decision:

• Produces legal effects (e.g. approval or denial of a loan or visa)
• Significantly affects the individual (e.g. hiring decisions, insurance pricing)

“Solely automated” means there’s no meaningful human involvement in the final decision. Simply having a person click “approve” isn’t enough — human review must be real, informed, and not superficial.

🏢 How Companies Typically Use Automated Decision-Making

Common examples in professional services include:

• Applicant tracking systems (ATS) that auto-screen CVs and shortlist candidates
• Credit scoring algorithms used to assess customer risk
• Profiling tools that evaluate employee behaviour or performance

If these systems operate without human oversight and the outcome significantly affects an individual, Article 22 applies.

🔒 Exceptions and Conditions

There are only three lawful bases for automated decisions under Article 22(2):

1. Necessary for a contract (e.g. automatic fraud detection in banking)
2. Authorised by law (with safeguards in place)
3. Explicit consent from the individual

Even when these apply, companies must implement measures to protect rights, including the right to human intervention, to express a viewpoint, and to contest the decision.

⚠️ What This Means for Employers

Using algorithms to filter job applicants or evaluate performance? You must ensure decisions aren’t made solely by automation. Add a human review layer that’s active, trained, and accountable — or risk breaching GDPR.

💡 Tip:

If you rely on AI tools in hiring, document the decision-making process and keep records showing where human involvement occurs. Regulators expect evidence, not assumptions.