GDPR Article 22 after SCHUFA vs ICO guidance: where is the red line?
CJEU SCHUFA: a decisive credit score can be an automated decision (Art. 22). The UK ICO is more flexible if there’s meaningful human involvement. Concrete implications for LU‑UK data chains.
Summary — On 7 December 2023, the CJEU (Case C‑634/21 “SCHUFA”) held that a probability score used decisively by a third party can amount to an “automated individual decision” under GDPR Article 22. The UK ICO takes a more flexible view where there is “meaningful human involvement.” This creates direct implications for LU‑UK cross‑border groups and providers.
The case
The Court ruled that an automated credit score produced by a credit reference agency (SCHUFA) constitutes an automated decision within the meaning of Article 22 where the recipient “heavily relies” on that score to enter into, perform or terminate a contract with the data subject. Thus, even if the agency does not make the final decision itself, the scoring may fall under the general prohibition in Article 22(1), unless an Article 22(2) exception applies (contract, Union/Member State law, explicit consent) and subject to Article 22(3) safeguards (human intervention, the ability to express one’s view and to contest). See “SCHUFA Holding (Scoring)” C‑634/21 on EUR‑Lex: eur-lex.europa.eu.
Meanwhile, the UK ICO (outside the EU) explains that Article 22 (UK GDPR) “limits the circumstances” in which decisions “based solely on” automated processing having legal or similarly significant effects may be taken and details when human review renders a process “not solely” automated. ico.org.uk.
Legal reasoning
- In EU law, Article 22(1) GDPR sets a general prohibition: “the data subject shall have the right not to be subject to a decision based solely on automated processing […] which produces legal effects concerning him or her or similarly significantly affects him or her.” The Article 22(2) exceptions are narrow; Article 22(3) safeguards are required. The Luxembourg CNPD restates this in its “Chapter III — Rights” and “Right to contest an automated process” pages. cnpd.public.lu; cnpd.public.lu. For an overview of the Article 22 GDPR framework, see our reference page.
- The WP29 Guidelines on Automated Decision‑Making and Profiling (WP251 rev.01, since endorsed by the EDPB) confirm the “prohibition + exceptions” approach and require “meaningful” human involvement—i.e., genuine, informed and with real authority to change the outcome, not a mere rubber stamp. edpb.europa.eu.
- The key contribution of “SCHUFA” is to treat as an “automated decision” a case where the algorithm does not itself close the process but in practice determines the outcome at a third party. Article 22(1) applies if the recipient “heavily relies” on the score to establish, maintain or terminate a contract. eur-lex.europa.eu.
- ICO position: under UK GDPR, the ICO describes Article 22 as restricting “solely” automated decisions and explains that “meaningful human involvement” can take the processing out of scope. It details criteria (expertise, power to change the decision, sufficient time and information). ico.org.uk.
- Practical divergence: post‑SCHUFA, EU authorities (EDPB and CNIL) tend to consider that a decisively used score equals an automated decision, even if a human later clicks “approve/deny” without a real ability to deviate from the algorithm. The CNIL states this clearly in its thematic pages on AI and “fully automated decisions.” cnil.fr.
In short: in the EU/Luxembourg, post‑SCHUFA + WP251, the threshold is high to claim that human review “de‑automates” a decision. In the UK/ICO, the door remains open if the review is truly meaningful.
What changes in practice
- Credit, insurance, telecoms, e‑commerce, HR: if you import a third‑party score (creditworthiness, fraud, HR risk, “trust score”) and that score effectively dictates the outcome (contract accepted/refused, account blocked, application rejected), expect Article 22 to apply in the EU even if an agent “re‑validates” mechanically. You will need an Article 22(2) exception and Article 22(3) safeguards. Reference: CJEU C‑634/21; WP251 rev.01. eur-lex.europa.eu.
- LU‑UK data chains: a UK provider may consider that a well‑designed “human‑in‑the‑loop” suffices to escape Article 22. In the EU/LU, CNPD/CNIL will likely require evidence of substantial human intervention: power to overturn/modify, clear guidance, real‑time context, audit trails of reviews, and a non‑negligible rate of altered outcomes. Reference: ICO guidance; CNIL/EDPB. ico.org.uk. To operationalise this, strengthen your AI governance compliance (documentation, bias testing, registers, DPIAs).
- Information and rights: in all cases, provide Articles 13/14 information on the logic, significance and envisaged consequences (and Article 15(1)(h) for access), plus a channel enabling human intervention and contestation (Art. 22(3)). The CNPD highlights these data subject rights. cnpd.public.lu. For local specifics and CNPD compliance in Luxembourg, ensure evidence of effective human overruling.
Common pitfalls
- Purely formal “human validation”. A click by an agent without real authority to override the score does not “de‑automate” under CJEU/EDPB. Expect Article 22(1) to apply. Refs: CJEU C‑634/21; WP251 rev.01. eur-lex.europa.eu.
- Relying on the UK provider’s policy. In the EU, what matters is the decisive effect of the score and the reality of human intervention, not a contractual “human‑in‑the‑loop” label. Refs: ICO vs CJEU/EDPB. ico.org.uk.
- Forgetting Article 22(3) safeguards. Even under a 22(2) exception, you must organise human intervention and enable views/contestation. Refs: GDPR text; CNPD. cnpd.public.lu.
- Insufficient Articles 13/14/15(1)(h) information. Provide “meaningful information about the logic involved, as well as the significance and envisaged consequences.” Refs: CNPD; EDPB/WP29. cnpd.public.lu.
- Assuming “contract necessary” suffices. Article 22(2)(a) is construed narrowly; a DPIA (Art. 35) is often required in practice for decisions with significant effects. Refs: WP251 rev.01; CNIL. edpb.europa.eu; cnil.fr.
Official sources
- CJEU — Judgment of 7 December 2023, C‑634/21, SCHUFA Holding (Scoring), ECLI:EU:C:2023:957 — eur-lex.europa.eu
- EDPB — WP29 Guidelines “Automated decision‑making and profiling” (WP251 rev.01) — edpb.europa.eu
- ICO (UK) — Automated decision‑making and profiling (UK GDPR) — ico.org.uk
- CNPD (Luxembourg) — Chapter III — Rights; Automated process — cnpd.public.lu; cnpd.public.lu
- CNIL (France) — Profiling and fully automated decisions — cnil.fr
Luxgap regulatory expertise article.