Automated Decision Making Under the GDPR

Most automated decision-making questions on the CIPP/E exam are lost in the first ten seconds, when a candidate decides the rule is a simple ban and stops reading. A bank refuses a loan in seconds, with no human in sight. That is the situation Article 22 of the GDPR was written for. The right on automated decision-making is one of the most misread of the data subject rights, and scenarios lean on it because the obvious instinct is usually wrong. It is not a blanket prohibition, and not every algorithm triggers it. Knowing when it bites is the whole game.

What the automated decision-making rule grants

Article 22(1) gives the data subject the right not to be subject to a decision based solely on automated processing, including profiling, that produces legal effects or similarly significantly affects them. The EDPB reads this as a prohibition by default, not a right the individual must invoke. A controller may not run such decisions at all unless one of the listed grounds applies. That reading matters for the exam: if you treat Article 22 as a mere right to object, you will mishandle every scenario built on it.

Profiling sits inside this rule but is not the same as it. Article 4(4) defines profiling as automated processing that evaluates personal aspects, such as performance, economic situation, health, preferences or behaviour. You can profile lawfully and never touch Article 22. The right only engages when a solely automated decision with a serious effect follows.

The three tests that decide if the right bites

Three conditions must all be present. The decision must be solely automated, it will typically involve profiling, and it must carry a legal or similarly significant effect. Miss one and Article 22(1) does not apply.

Solely automated, with no meaningful human input

"Solely" is the word candidates underestimate. A decision is solely automated when no human exercises real influence over the outcome. A person who rubber-stamps the system's output adds nothing; the EDPB guidance asks whether the reviewer has the authority and competence to change the decision. Token oversight does not move a process out of Article 22. Genuine human judgement does.

A legal or similarly significant effect

The effect threshold filters out the trivial. A legal effect changes someone's rights or status, such as cancelling a contract or denying a benefit. A similarly significant effect falls short of that but still bites hard: refusal of online credit, automated rejection from a job or pricing that shuts someone out of a service. A targeted advertisement will rarely qualify; a decision that shapes access to money, work or essential services usually will.

When automated decision-making is still allowed

The prohibition has three exceptions in Article 22(2). The decision may proceed where it is necessary for entering into or performing a contract, where Union or Member State law authorises it or where the data subject has given explicit consent. These are narrow gates, not loopholes; necessity means necessity, and consent must meet the full standard.

Two of those exceptions come with a string attached. Where the basis is contract or explicit consent, Article 22(3) requires suitable safeguards, including at least the right to obtain human intervention, to express a point of view and to contest the decision. Article 22(4) adds a further limit: decisions of this kind may not rest on special category data unless explicit consent or a substantial public interest applies, with safeguards in place. A scenario that grants an exception but forgets the safeguards is testing whether you will forget them too.

Transparency is the other half

A right the data subject cannot see is no right at all. The GDPR ties automated decision-making to transparency: Articles 13(2)(f) and 14(2)(g) require controllers to disclose the existence of such decisions and meaningful information about the logic involved, and Article 15(1)(h) lets the individual ask for the same through the right of access. The duty also reaches the significance and the envisaged consequences, which is more than a vague mention in a privacy notice.

The Court of Justice sharpened this in the SCHUFA ruling (Case C-634/21, December 2023). It held that an automated credit score can itself be a decision under Article 22(1) where a third party, such as a bank, draws heavily on it. The lesson for AI-driven decisions is direct: you cannot escape Article 22 by placing the scoring one step upstream of the final no.

What the exam rewards

The CIPP/E Body of Knowledge, the official blueprint of what the exam can test, places automated decision-making within Domain II on European data protection law, in the data subject rights group. Questions here reward precision over recall. Expect a scenario that hides one of the three tests, or hands you an exception and waits to see whether you remember the safeguards.

The traps repeat. Candidates treat profiling as if it automatically triggers Article 22; it does not. Many assume a human in the loop removes the rule; only a meaningful one does. Read for "solely", read for the effect, then check the grounds and the safeguards in that order.

Test yourself on a live example: take an automated decision your own organisation makes and run it through the three tests. More CIPP/E preparation is at 22academy.com/study.
