The classic trap
Article 22 cases are multiplying with the mass arrival of AI models in HR, credit, insurance and anti-fraud processes. The CNPD and the CNIL sanction three recurring blind spots: controllers who label a decision as semi-automated when the human merely validates it without any real power to overturn it (the well-known rubber-stamping), the absence of the clear information on the underlying logic required by Article 13(2)(f), and the outright omission of the right to human intervention from user journeys. The EDPB (guidelines WP251 rev.01) recalls that the mere presence of a human in the loop is not enough: that human must have the authority, the competence and the data needed to overturn the decision.
The four tests that qualify an Article 22 processing
- Automated decision: no human intervenes, or the intervention is purely formal (mass validation without individual review).
- Legal or similarly significant effect: credit refusal, insurance termination, job application rejection, account suspension, discriminatory dynamic pricing, anti-fraud score blocking a payment.
- Legal basis among the three exceptions: strict contractual necessity, authorisation by EU/national law, or explicit consent. Other bases (legitimate interest, general legal obligation) do NOT validate an Article 22 processing.
- Effective safeguard measures: enhanced information on the logic, one-click access to human intervention, right to express a point of view, right to contest with a documented review.
The AI Act trap that stacks on top
Since the EU AI Act (Regulation 2024/1689) entered into force, any system making a GDPR Article 22 decision is very often classified as a high-risk AI system (Annex III: employment, credit, essential services, law enforcement). You then accumulate the obligations of GDPR Article 22 AND those of the AI Act (technical documentation, risk management, human oversight, logging). The CNPD now coordinates its inspections with the Luxembourg AI supervisory authority.
How Luxgap automates this risk
Our Luxgap Algorithmic Decision Sentinel makes it impossible to deploy a non-compliant automated decision in production: a specialised AI agent analyses your decision pipelines (Salesforce flows, Python scripts in production, MLflow models, SAP business rules, n8n/Zapier scoring, Odoo workflows) and qualifies each decision point in real time against the four Article 22 tests, with automatic generation of the merged GDPR Article 22 + AI Act Annex III accountability file.
- Automatically detects automated decisions in production via native connectors to Salesforce, Workday, SAP SuccessFactors, Odoo, MLflow, GitHub Actions and Azure ML, without any manual declaration by business teams.
- Classifies each decision against the EDPB WP251 grid and alerts on Teams or Slack as soon as a decision crosses the significant effect threshold without a valid Article 22(2) legal basis.
- Generates the human intervention module ready to use: hosted web page, contestation form, escalation workflow to a qualified agent, measured and logged SLA.
- Automatically drafts the Article 13(2)(f) notice on the underlying logic, calibrated to the model complexity (deterministic rules, linear scoring, gradient boosting, neural network), in accessible non-technical language.
- Produces the cross-referenced GDPR Article 22 + AI Act Annex III file, ready to present during a CNPD inspection, with cryptographic timestamping of decisions, contestations and human reviews.
- Calculates a CNPD requalification probability score for each process, based on EDPB case law and published decisions from European authorities.
Available as an add-on to a Luxgap DPO mandate or as a dedicated SaaS module depending on your scope. Request a tailored quote and our teams will prepare a demonstration on your real decision pipelines, with a free 48h dry-run audit to map your automated decision points and measure your exposure before any engagement.