GDPR Article 22
aka Article 22, automated decision-making restriction, ADM restriction
The GDPR provision that gives data subjects a right not to be subject to a decision based solely on automated processing, including profiling, that produces legal or similarly significant effects. Constrains how Irish employers and lenders can use AI to make decisions.
Last reviewed May 2026
Definition
Article 22 of the GDPR states that the data subject 'shall have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her or similarly significantly affects him or her'. Three exceptions apply: the decision is necessary for entering into or performing a contract, it is authorised by EU or member state law, or it is based on the data subject's explicit consent. Where one of these exceptions applies, the controller must still implement safeguards: the right to obtain human intervention, the right to express a point of view, and the right to contest the decision. For Irish businesses, the article restricts using AI alone to make consequential decisions: shortlisting CVs, approving credit applications, setting insurance premiums, terminating employment, refusing a service. The threshold is 'solely automated' - a human reviewer who genuinely considers the AI recommendation and can override it takes the decision outside Article 22; a rubber-stamp human who never disagrees with the model probably does not. The Court of Justice's December 2023 SCHUFA ruling (C-634/21) clarified that producing an automated credit-scoring profile that another organisation then relies on is itself an Article 22 decision, broadening the article's scope. Article 22 also caps the use of special category data (health, racial origin, political views, biometric data identifying an individual) in automated decisions to explicit-consent or substantial-public-interest grounds. The EU AI Act layers further obligations on high-risk AI systems used for employment, credit, education, and essential services - but Article 22 is the GDPR floor and is directly enforceable by the DPC today.
Why it matters for software choice
Irish employers using AI to filter CVs, lenders using AI to score loan applications, insurers using AI to set premiums, and platforms using AI to ban users all need to test their workflow against Article 22 - not against the EU AI Act timeline. The article is in force, the DPC enforces it, and remediation (introducing genuine human review, offering an appeal route) is straightforward when caught early and expensive when caught after a complaint.
Authority sources
- GDPR Article 22 - Automated individual decision-making, including profiling (gdpr-info.eu)
- Court of Justice of the EU - Judgment C-634/21 (SCHUFA) (curia.europa.eu)
Software categories this affects
Vendors covered by this term
ChatGPT Enterprise
OpenAI's enterprise AI assistant with advanced reasoning, data analysis, and custom GPTs
Claude for Business
Anthropic's AI assistant with strong safety focus, long context handling, and business-grade data privacy
Microsoft Copilot
AI assistant integrated into Microsoft 365, with EU data boundary for European customers
Gemini Business
Google's AI assistant integrated with Google Workspace, with EU data processing for European customers
Related terms
Data Protection Commission
Ireland's national data protection authority. Lead supervisory authority for many large US tech companies headquartered in Dublin under the GDPR's one-stop-shop mechanism.
DPC Guidance on AI
Published positions from Ireland's Data Protection Commission on how AI and large language models interact with GDPR. The closest thing to an official Irish AI rulebook for SMEs.
DPIA for AI
A documented assessment under GDPR Article 35 that an Irish controller must complete before deploying an AI tool likely to result in high risk to data subjects. The DPC treats most AI deployments as triggering this obligation.
AI Risk Categories
Four-tier risk classification under the EU AI Act: unacceptable-risk (banned), high-risk (regulated), limited-risk (transparency), minimal-risk (unregulated). Determines a system's compliance burden.
EU AI Act
EU regulation on artificial intelligence, in force from 1 August 2024. Bans some practices, regulates 'high-risk' AI systems, and imposes transparency obligations on general-purpose AI models.