Right not to be subject to automated decision-making (GDPR Art. 22)
Decisions made solely by an algorithm that significantly affect you can be reviewed by a human (GDPR Art. 22).
GDPR Art. 22 in principle prohibits fully automated decision-making with legal effect or similarly significant impact, unless one of three exceptions applies.

Examples where Art. 22 bites: credit scoring (loan/mortgage refused), fraud detection (bank account frozen), HR screening (job rejected by CV scanner), insurance premium setting, automatic benefit termination by the employment authority.

Three exceptions:
(1) Necessary for performance of a contract with you.
(2) Authorised by law (e.g. government fraud detection under strict safeguards).
(3) Based on your explicit consent.

BUT: even under exceptions you have the right to (a) human intervention, (b) express your point of view, (c) contest the decision. The business must have "appropriate measures" to safeguard these rights.

Special category data: automated decisions based on sensitive data (health, ethnicity) are even more strictly limited.

Right to explanation: Recital 71 + Art. 13/14/15 require the business to provide meaningful information about the logic involved. Not "the algorithm says no", but "we weigh X, Y, Z with these weights".

Practical steps: Request access (Art. 15) → identify that an algorithm made the decision → request human review → request explanation → on refusal: AP complaint or civil court (damages Art. 82).

AI Act link: since 2024 the EU AI Act adds extra transparency requirements for high-risk AI systems.