This article summarises publicly available guidance from regulators and official sources. It is general educational information only and does not constitute legal or professional advice. Requirements vary by jurisdiction. Consult your regional authority or a qualified professional for advice specific to your situation.
If your business has started using software to screen applicants, score customers or recommend who receives a service, it is normal to be unsure whether the privacy policy needs to change. The important question is not whether the supplier markets the tool as artificial intelligence. It is whether personal data is used in a decision about a person, how much human involvement remains, and how strongly that decision affects them.
This guide explains how to review that situation, recognise the narrower category covered by GDPR Article 22, and organise a privacy-policy update for legal review.
In short: Review every AI-assisted decision involving personal data, but do not automatically describe all of them as Article 22 automated decision-making. The GDPR notice wording becomes especially important where a decision is made solely by automated processing and produces a legal or similarly significant effect. In those cases, Articles 13 and 14 refer to disclosing the existence of the decision-making, meaningful information about the logic involved, and its significance and expected consequences for the person.
Start with the real business use case
Consider an operations manager at a mid-size EU business introducing an applicant-screening tool. Before the review, the company privacy policy says that applicant data is used to manage recruitment, but it says nothing about automated ranking. Recruiters receive a score and may reject low-ranked applicants without looking at the underlying application.
After the review, the business can describe what the system does, determine whether the final decision is genuinely human or effectively automatic, explain the main factors in plain language, place the wording in the applicant privacy notice, and keep an internal record of why that description was chosen. That is the practical outcome to aim for.
Why this matters for an EU business
A vague privacy policy can create a gap between what people are told and what the business actually does with their information. That gap becomes more visible when a person is refused credit, filtered out of recruitment, denied access to a service or placed into a materially different price or risk category.
The immediate business problem is not simply the possibility of a regulatory complaint. Customer service, recruitment and compliance teams may be unable to answer a basic question such as, “Why did the system make this decision about me?” A useful notice forces the business to understand its own process before that question arrives.
The GDPR is technology-neutral, so the same principles can apply whether a decision uses a machine-learning model, a rules engine, a spreadsheet score or another automated method. The European Commission explains that the GDPR applies to personal-data processing regardless of the technology used. See the Commission's data protection overview.
What the GDPR says, in plain English
The GDPR draws an important line between automation in general and a decision based solely on automated processing that has a legal effect or similarly significant effect on a person. Article 22 addresses the second category. The European Commission gives examples such as an automatic refusal of an online credit application or automated recruitment practices without human intervention.
The starting point is the official text of Regulation (EU) 2016/679, particularly Articles 13, 14, 15, 22 and 35. The Commission also provides a plain-language page on restrictions on automated decision-making.
Three tests to classify the decision
First, is there a decision about an identifiable person? Ranking leads for a sales team's convenience may have little effect on the individual. Rejecting an applicant, changing a person's access to a service or determining their credit terms is much closer to a consequential decision.
Second, is the decision based solely on automated processing? A human clicking “approve” does not necessarily settle the question. The EDPB-endorsed guidelines on automated decision-making and profiling explain that human involvement should be meaningful rather than token. The reviewer should have authority, relevant information and a real ability to change the outcome.
Third, does the decision produce a legal effect or affect the person in a similarly significant way? Legal effects can change a person's rights or legal position. A similarly significant effect can materially influence their circumstances, behaviour or choices, depending on the context and severity.
These tests should be considered together. A recommendation that an employee freely evaluates may not be a solely automated decision, while a score that is routinely followed without genuine review may need closer examination.
What the privacy notice may need to explain
Articles 13 and 14 describe information to provide when personal data is collected from the person or obtained elsewhere. For automated decision-making referred to in Article 22(1) and (4), the text includes the existence of that decision-making, meaningful information about the logic involved, and the significance and expected consequences of the processing for the person.
This does not mean publishing source code, model weights or a mathematically complete account. The purpose is to give understandable information about how the decision process works and what it can mean for the individual. In February 2025, the Court of Justice of the European Union addressed “meaningful information about the logic involved” in a case concerning automated credit assessment. The judgment is available on EUR-Lex.
A practical disclosure structure
A clear notice can be organised around five questions:
- Where is automation used? Name the stage of the process, such as initial applicant screening or fraud-risk assessment.
- What data is considered? Describe the main categories, such as application answers, transaction history, account activity or verified qualifications.
- What is the system trying to assess? Explain the purpose, such as matching essential job criteria or identifying transactions that need review.
- What can happen to the person? State the likely consequence, such as progression to human review, a request for more information or refusal of an application.
- What review or challenge route exists? Explain how the person can contact the business and request the relevant form of review where applicable.
Avoid false precision: Do not copy a vendor's generic explanation into your privacy policy without checking how your own team uses the output. The same scoring product can be advisory in one business and effectively determinative in another.
Five steps to update the policy
1. Audit which tools influence decisions
List systems used in recruitment, lending, insurance, fraud prevention, pricing, customer access, employee management and eligibility checks. Include tools embedded inside larger platforms, not only products labelled as AI.
For each process, record the data used, the output produced, who receives it, who makes the final decision and whether staff commonly depart from the recommendation. This operational evidence is more useful than the product brochure.
2. Classify the significance and human involvement
Use the three tests above to separate ordinary automation, profiling and potentially Article 22 decisions. Record why the effect is or is not considered legal or similarly significant, and what the human reviewer actually does.
Where the position is uncertain, involve the organisation's data protection officer, privacy counsel or relevant EU supervisory authority. Need to Know AI does not determine whether a particular process falls within Article 22.
3. Write a plain-English disclosure
Write for the person affected, not for the software supplier. Replace phrases such as “proprietary predictive analytics” with a description of the main inputs, the assessment being made and the practical result.
A planning draft might read: “We use an automated screening system to compare information in your application with the essential criteria for the role. The system considers factors such as stated qualifications, relevant experience and answers to role-specific questions. Its output may affect whether your application progresses. Contact us at [channel] to ask about the process or the review options available to you.” This is illustrative wording, not a compliance certificate or a substitute for advice on the actual process.
4. Put the wording where people will find it
The disclosure should appear in the notice relevant to the relationship and the point of data collection. Applicant screening usually belongs in an applicant or recruitment privacy notice. Customer credit or fraud decisions usually belong in the customer-facing notice used when the application or account data is collected.
A short summary can link to a fuller explanation, provided the layered notice remains clear and accessible. Updating a general website privacy page alone may not help an applicant who never sees it during recruitment.
5. Publish, communicate and document the change
Record the approved wording, publication date, process owner, system version and evidence used for the classification. Update related forms, onboarding screens, scripts and internal procedures so that they do not contradict the notice.
Set a review trigger for material changes, such as a new data source, a change from advisory scoring to automatic rejection, removal of human review or expansion into a new decision context. A notice that was accurate at launch can become misleading when the workflow changes.
Rights, safeguards and impact assessments
Article 22 includes exceptions and safeguards, and the exact position depends on the basis and context of the decision. The GDPR text refers, in relevant cases, to safeguards that include the ability to obtain human intervention, express a point of view and contest the decision. Article 15 also covers access to information about automated decision-making in the circumstances described there.
High-risk processing may also require consideration of a data protection impact assessment under Article 35. The EDPB provides an SME guide to data protection impact assessments. A privacy-policy update is not a replacement for reviewing the underlying lawfulness, fairness, accuracy, data minimisation, security and governance of the process.
How the EU AI Act fits alongside the GDPR
The EU AI Act and the GDPR can apply to the same system, but they ask different questions. The GDPR focuses on personal-data processing and individual rights, while the AI Act introduces risk-based duties for certain AI systems and actors. Recruitment and creditworthiness are among the areas that can fall within the AI Act's high-risk framework, subject to the regulation's definitions, exclusions and application timetable.
Do not merge the two frameworks into one vague “AI compliance” paragraph. Map each requirement separately, then make sure the explanations given to people are consistent. The official text is Regulation (EU) 2024/1689.
Industry examples that need closer review
Recruitment: CV ranking, interview scoring and automatic rejection can affect access to employment. Check whether recruiters genuinely review the application and can depart from the result.
Financial services: Credit, affordability, fraud and insurance decisions may have direct legal or significant effects. The source and quality of data, the role of third-party scores and the explanation provided to the applicant all need attention.
Healthcare: Triage or eligibility tools can influence access to care. Health data is also a special category of personal data under Article 9, so the analysis extends beyond Article 22.
Education and employment management: Automated admissions, assessment, scheduling, performance scoring or disciplinary recommendations can materially affect a person. Human oversight should be examined as it operates in practice, not only as the procedure is written.
Privacy-policy update checklist
- Identify every system that screens, scores, ranks or recommends outcomes about people.
- Map the personal data, purpose, output, recipient and final decision-maker.
- Test whether the outcome is solely automated and legally or similarly significant.
- Describe the main factors and practical consequences in language the affected person can understand.
- State where people can ask questions or seek the applicable review.
- Place the wording in the notice used for that specific relationship and collection point.
- Check related GDPR issues, including lawful basis, special-category data, accuracy, fairness, retention, security and DPIA needs.
- Record the reasoning, owner, approval date and next review trigger.
Methodology (Real-World, Verified)
We test AI tools against real SMB workflows: the tasks a 20-person business actually uses AI for, not enterprise demos. Pricing is verified at the vendor's published rates, with local-currency conversions noted where relevant. Compliance notes reference the legislation and regulatory guidance relevant to each article's region. Every tool is judged on one question: could a business with no dedicated IT department actually pick this up and use it on Monday morning.
Related reading: our free AI acceptable use policy template and our AI governance by region.
Free tools: AI Privacy Risk Scorer to score your current AI tool setup against data-privacy best practice | AI Compliance Checker to check whether your AI tools meet your compliance obligations.
Does every AI tool need to be named in the privacy policy?
Not necessarily. The useful question is what personal data is processed, for what purpose and with what effect on the person. Naming a vendor can help transparency in some contexts, but a product list alone does not explain the decision process. The notice should remain accurate when suppliers or versions change.
Is profiling the same as an Article 22 automated decision?
No. Profiling is automated processing used to evaluate personal aspects of a person. It can exist without a solely automated decision that has a legal or similarly significant effect. Profiling may still require transparency and compliance with the wider GDPR even when Article 22 is not triggered.
Does a human approval step always remove the process from Article 22?
No. The EDPB-endorsed guidance indicates that human involvement should be meaningful. A reviewer who automatically accepts the score, lacks authority or cannot examine the relevant information may not provide genuine human intervention. Assess what happens in practice.
How much of the model logic should the notice disclose?
The GDPR wording refers to meaningful information about the logic involved, not necessarily publication of source code or trade secrets. Aim to explain the main factors, how they influence the assessment and what the result can mean for the person. Obtain advice where the system is complex or the explanation is contested.
Can a business rely on the AI vendor's privacy documentation?
Vendor material is an input, not a complete answer. The vendor may explain the product, but your organisation determines how the output is used, whether staff override it and what consequence follows. Your notice should describe your real workflow and remain consistent with the controller and processor arrangements.
Is updating the privacy policy enough to address automated decision-making?
No. The notice is only the transparency layer. The business may also need to examine lawful basis, Article 22 conditions and safeguards, data quality, bias, security, contracts, records of processing, staff procedures and whether a DPIA is appropriate. A clear notice cannot correct an unsuitable underlying process.
The information in this article is general in nature. It reflects a summary of publicly available guidance and does not constitute legal, privacy, or professional advice. Your obligations will depend on your specific situation, jurisdiction, and business circumstances. Do not rely on this article as a substitute for qualified legal or professional advice.
Use this guide as a planning checklist, then have the final wording and classification reviewed against your real decision process and the guidance of your EU supervisory authority.
Read the EU AI Act Explainer