---
title: >-
  GDPR Article 22 and the right to explanation: producing a meaningful record of
  an automated decision
description: >-
  When a credit or insurance decision is made solely by a model, the data
  subject has rights, to human intervention, to contest, and to meaningful
  information about the logic. Here is what a defensible explanation record
  contains.
author: murilo
date: '2026-06-16'
tags:
  - gdpr
  - automated-decisions
  - insurance
  - credit
categories:
  - compliance
---
Long before the EU AI Act, European data protection law already placed limits on automated decision-making. Article 22 of the General Data Protection Regulation gives individuals the right not to be subject to a decision based solely on automated processing, including profiling, where that decision produces legal effects concerning them or similarly significantly affects them. For firms that use models to decide who receives credit, what an insurance policy costs, or whether a claim is paid, Article 22 is directly relevant, and it has been in force since 2018.

The obligation is frequently misread as a simple prohibition. It is more nuanced than that, and the nuance is where the practical work lies. Article 22 permits solely automated decisions in defined circumstances, but only if the firm puts specific safeguards in place. Meeting those safeguards depends on being able to produce a meaningful record of the individual decision. This article sets out what Article 22 requires and what a defensible explanation record actually contains.

## What Article 22 permits, and on what conditions

Article 22 begins from a default position: individuals should not be subject to solely automated decisions with legal or similarly significant effects. It then provides exceptions. Such decisions are permitted where they are necessary for entering into or performing a contract, where they are authorised by law, or where they are based on the individual's explicit consent.

The exceptions are not a free pass. Where a firm relies on the contract or consent grounds, it must implement suitable measures to safeguard the data subject's rights and freedoms and legitimate interests. The regulation names, at a minimum, the right to obtain human intervention, the right to express one's point of view, and the right to contest the decision. A firm that makes solely automated credit or pricing decisions is therefore not merely allowed to do so, it is required to stand ready to intervene, to listen, and to reconsider, on a case-by-case basis.

## The right to an explanation

Alongside Article 22 sit the transparency provisions in Articles 13, 14, and 15. Where automated decision-making under Article 22 is taking place, the firm must provide the individual with meaningful information about the logic involved, as well as the significance and the envisaged consequences of the processing. Recital 71 goes further, describing the individual's ability to obtain an explanation of a decision reached after automated assessment.

There is a long-running legal debate about the precise scope of any "right to explanation". For a firm deploying AI, that debate is largely beside the point. Whatever its exact legal boundary, the practical expectation is unavoidable: if a customer is refused credit or charged a particular premium by a model, the firm must be able to say something meaningful about why. And the rights to contest the decision and to obtain human intervention are hollow if the firm cannot reconstruct what the model actually did. A human cannot meaningfully review a decision they cannot see the basis for, and a customer cannot meaningfully contest one the firm cannot explain.

## Why "the model decided" is not an explanation

The instinct, when asked to explain an automated decision, is to reach for a description of the model. The system considers these categories of input; it was trained on this kind of data; it produces a score that maps to an outcome. This is information about the model in general. It is not an explanation of the decision in particular.

Article 22's safeguards operate at the level of the individual. The customer is entitled to human intervention on their decision, to express their point of view on their decision, and to contest their decision. To support these rights, the firm needs a record of the specific decision: the inputs that described this individual, the output the model produced for them, the version of the model that produced it, and the context in which it was made. Without that record, the firm can describe its model but cannot account for the outcome the customer is questioning, and it is the outcome that the customer has rights over.

This is the same reconstruction problem that arises under the Consumer Duty and the EU AI Act, viewed from the data protection angle. The frameworks differ in their language and their enforcement, but they converge on a single underlying requirement: the ability to retrieve and explain a particular decision, made by a model, after the fact.

## What a defensible explanation record contains

A record that can support Article 22's safeguards has a recognisable shape. It captures the inputs the model received for that individual, recorded as they were at the time of the decision rather than as they stand now. It captures the output, the score, the classification, the price, the approval or refusal, exactly as produced. It records the model version, so that the firm can identify precisely which system made the decision, which matters when models are updated frequently. It captures the context that governed the decision: the policy, thresholds, or rules in force at that moment. And it does all of this in a form that is retained for as long as the decision may be questioned, and protected against later alteration.

The last point deserves emphasis in a data protection setting. If a customer contests a decision and the firm produces a record, that record must be trustworthy. A decision log that could have been edited after the fact is worth little as evidence of what actually happened. Tamper-resistance is not a nicety here; it is what allows the record to function as a genuine safeguard rather than a reconstruction the firm assembled in response to the complaint.

## A capability, not a one-off response

Firms often treat Article 22 explanations as something to be produced reactively, when a data subject exercises their rights. The volume and the stakes of automated decision-making in credit and insurance make that approach fragile. Decisions are made continuously; requests and complaints can arrive months or years later; and the firm must be able to respond to any one of them with a meaningful, trustworthy account.

The firms that handle this well build the explanation record as a standing capability, captured at the moment each decision is made, rather than as a forensic exercise after the fact. Aegis Trace was built to provide exactly that. A single integration captures complete provenance for every automated decision, inputs, output, model version, and context, with tamper-resistant storage and configurable retention, so that the right to human intervention, the right to contest, and the right to a meaningful explanation can all be honoured for any individual decision, whenever they are invoked.

### Make every automated decision explainable.

Request early access to Aegis Trace and our technical documentation.

[Request Access →](/request-access)