4 of 5: When Can You Use Automated Decision-Making? Legal Bases and Safeguards Explained
UK GDPR Article 22 restricts automated decisions — but there are exceptions. Learn when you can use automation lawfully and what safeguards you must have in place.
Article 22 of the UK GDPR gives individuals the right not to be subject to a decision based solely on automated processing, including profiling, that produces legal effects concerning them or similarly significantly affects them. The ICO treats this as a general prohibition on such decisions. There are exceptions, however, and where one applies your business must implement suitable safeguards and be able to show that it has done so.
✅ Lawful Grounds for Automated Decision-Making
A solely automated decision with legal or similarly significant effects is permitted only if at least one of the following three conditions applies:
- Necessary for a contract: the decision must be necessary for entering into, or performing, a contract with the individual. For example, automatically declining a card payment that matches fraud patterns, or auto-approving a loan where a fully automated process is the only realistic way to deliver the product at that scale.
- Authorised by law: domestic law permits or requires the automated decision (e.g. automated fraud checks run by HMRC). In the UK this route carries its own procedure under section 14 of the Data Protection Act 2018: the individual must be told in writing, as soon as reasonably practicable, that the decision was taken solely by automated means, and may ask within one month for it to be reconsidered or retaken with human involvement.
- Based on explicit consent: the individual has given an express, affirmative statement agreeing to the automated decision, having been told what is automated and what the consequences are. Consent buried in terms and conditions, or inferred from continued use of a service, does not meet this bar.
Each condition must be documented and justified in advance, not reconstructed after a complaint. "Necessary for a contract" does not mean "convenient for the business": if a less intrusive way of delivering the service exists, such as human review of borderline cases, the automated decision is not necessary.
🛡️ Required Safeguards
Where you rely on the contract or explicit-consent conditions, Article 22(3) requires you to implement suitable measures to protect the individual's rights, freedoms, and legitimate interests. These include, at a minimum:
- The right to obtain human intervention — e.g., requesting a human review of the decision
- The right to express their point of view — especially in complex or contested cases
- The right to contest the decision — through a clear, accessible process
In practice, this means telling individuals that the decision was automated, giving them a clear route to challenge the outcome, and ensuring that someone with the authority and competence to change the decision actually revisits the case. A reviewer who can only confirm the system's output is not providing human intervention. Note also Article 22(4): such decisions may not be based on special category data (health, ethnicity, biometrics and so on) unless the explicit-consent or substantial-public-interest conditions in Article 9(2) apply and suitable safeguards are in place.
🏢 Practical Example: Hiring Software
A recruitment company uses an AI tool to score CVs based on keywords and work history. If that tool makes shortlisting decisions without meaningful human review, rejecting a candidate is a decision with a similarly significant effect and may breach Article 22. If automation is used to assist, and a trained recruiter with the authority to overrule the score makes the final call, it may fall outside the scope. The test is whether the involvement is genuine: the recruiter must actually consider the candidate, be able to weigh factors the scorer did not, and record the reasons for the outcome. A recruiter who approves every recommended shortlist without looking leaves the decision solely automated, whatever the process documentation says.
⚙️ Systems and Controls to Consider
- Route decisions with legal or similarly significant effects to a human review queue unless the process has a documented Article 22(2) basis, and record who reviewed each case, what they decided and why
- Give individuals meaningful information about the logic involved and the significance and envisaged consequences of the processing, as Articles 13 to 15 require
- Document each automated process and its legal basis in your record of processing, and complete a DPIA: Article 35(3)(a) makes one mandatory for systematic and extensive evaluation of individuals based on automated processing that produces legal or similarly significant effects
- Test systems for bias and unintended outcomes before deployment and at regular intervals, comparing outcome rates across protected groups and investigating disparities
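The controls above can be enforced in code rather than left to policy. The following is an added example, not code from the original article or from any vendor's product: it models a hypothetical in-house decision pipeline in which each automated process is registered with its Article 22(2) basis (or none), significant decisions from processes with no basis are flagged for human review, reviews are recorded with the reviewer's reasoning, an audit pass lists every decision that remains solely automated without a basis, and a simple outcome-rate comparison supports the bias check. All names, the sample records and the group mapping are constructed for illustration.

```python
"""Decision-audit helpers for a hypothetical automated decision pipeline.

Added example for illustration; class and function names are assumptions,
not any library's or vendor's API.
"""
from dataclasses import dataclass, field
from datetime import datetime, timezone
from enum import Enum
from typing import Callable, Optional


class LegalBasis(Enum):
    CONTRACT = "Art 22(2)(a): necessary for entering into or performing a contract"
    LAW = "Art 22(2)(b): authorised by domestic law"
    CONSENT = "Art 22(2)(c): explicit consent"


@dataclass
class Process:
    """A registered automated process. legal_basis=None means the tool may
    only assist: a human must make any significant decision it feeds into."""
    name: str
    legal_basis: Optional[LegalBasis]
    justification: str


@dataclass
class Review:
    reviewer: str
    outcome: str
    note: str
    reviewed_at: str


@dataclass
class Decision:
    process: Process
    subject_id: str
    outcome: str
    significant: bool  # legal or similarly significant effect on the person
    review: Optional[Review] = None
    created_at: str = field(default_factory=lambda: datetime.now(timezone.utc).isoformat())

    @property
    def solely_automated(self) -> bool:
        return self.review is None

    @property
    def needs_human_review(self) -> bool:
        # A significant decision may stay solely automated only when the
        # process has a documented Article 22(2) basis.
        return self.significant and self.process.legal_basis is None and self.review is None


def decide(process: Process, subject_id: str, outcome: str, significant: bool) -> Decision:
    """Record the system's output; it is flagged, not final, where review is needed."""
    return Decision(process, subject_id, outcome, significant)


def record_review(decision: Decision, reviewer: str, outcome: str, note: str) -> Decision:
    """Record a human decision. An empty note is refused: review must be evidenced."""
    if not note.strip():
        raise ValueError("a review must record the reviewer's reasoning")
    decision.review = Review(reviewer, outcome, note, datetime.now(timezone.utc).isoformat())
    decision.outcome = outcome  # the human's outcome supersedes the score
    return decision


def audit(decisions: list[Decision]) -> list[str]:
    """Describe every decision that breaches the controls."""
    return [
        f"{d.subject_id}: significant decision by '{d.process.name}' is solely automated "
        f"with no Article 22(2) basis and no human review"
        for d in decisions if d.needs_human_review
    ]


def outcome_rates(decisions: list[Decision], group_of: Callable[[str], str], positive: str) -> dict:
    """Share of positive outcomes per group, the input to a disparity check."""
    totals: dict = {}
    positives: dict = {}
    for d in decisions:
        g = group_of(d.subject_id)
        totals[g] = totals.get(g, 0) + 1
        if d.outcome == positive:
            positives[g] = positives.get(g, 0) + 1
    return {g: positives.get(g, 0) / n for g, n in totals.items()}


# Constructed sample: a hypothetical demographic group per candidate, used only
# for the outcome-rate comparison (not a real dataset).
GROUP = {"cand-101": "A", "cand-102": "B", "cand-103": "A", "cand-104": "B"}


def build_sample() -> list[Decision]:
    """Constructed sample records, not real decisions."""
    fraud = Process("card-fraud-block", LegalBasis.CONTRACT,
                    "Blocking suspected fraud is essential to performing the card agreement")
    cv_screen = Process("cv-keyword-scorer", None,
                        "Assists recruiters only; no basis for solely automated shortlisting")
    decisions = [
        decide(fraud, "cust-001", "blocked", significant=True),     # lawful: documented basis
        decide(cv_screen, "cand-101", "reject", significant=True),  # flagged for review
        decide(cv_screen, "cand-102", "reject", significant=True),
        decide(cv_screen, "cand-103", "shortlist", significant=True),
        decide(cv_screen, "cand-104", "shortlist", significant=True),  # never reviewed
    ]
    record_review(decisions[1], "recruiter.jane", "shortlist",
                  "Relevant experience under a job title the scorer did not recognise")
    record_review(decisions[2], "recruiter.jane", "reject", "Confirmed: required certification missing")
    record_review(decisions[3], "recruiter.omar", "shortlist", "Score confirmed against the role criteria")
    return decisions


if __name__ == "__main__":
    sample = build_sample()
    for finding in audit(sample):
        print("FINDING:", finding)
    screened = [d for d in sample if d.process.name == "cv-keyword-scorer"]
    print("shortlist rate by group:", outcome_rates(screened, GROUP.get, "shortlist"))
```

The audit pass is the piece worth wiring into a real system: run it before any outcome is communicated to the individual, and treat a non-empty result as a blocking failure rather than a report. The rate comparison deliberately stops at the numbers; what counts as an unacceptable disparity, and which groups to compare, is a judgement for your DPIA, not a constant in the code.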
💡 Tip:
Don’t just rely on vendor assurances. If you’re using third-party software with automated features, you remain the controller for the decisions it makes about your customers or candidates. Ask for the documentation you would need to defend those decisions: what the model scores and on what data, how its outputs are meant to be used, the results of its bias testing, and the processing terms that bind the vendor. Be especially careful where the tool uses profiling or scoring, since "it's only a recommendation" stops being true the moment your staff accept the recommendation without looking.
