What is automated decision-making (GDPR Art. 22)?

Automated decision-making = decision made solely by algorithm, without meaningful human involvement, and with legal effect or similarly significant effect. GDPR Art. 22: in principle prohibited, unless one of three exceptions (see our deep-dive on right not to be subject to automated decision-making). What's covered? Credit scoring, automated CV screening, dynamic insurance premiums, automatic fraud filter on bank transactions. What is NOT? Routine ad targeting (Art. 21 objection). Algorithm-assisted but human-decided (not Art. 22). Difference vs profiling: profiling = analysis, automated decision = decision. Often combined — profiling first, decision after. Your rights: human review, explanation, contest the decision (Art. 22(3)). For explanation see right to explanation. AI Act overlap: high-risk AI systems fall under AI Act + GDPR Art. 22 simultaneously — double set of requirements.