What is automated decision-making?
Automated decision-making (ADM) means a decision reached by automated means without meaningful human involvement, where the result has a legal effect on a person or affects them in a similarly significant way. Data protection law treats solely automated decisions of this kind with particular caution. Under the EU and UK GDPR, such decisions are generally restricted, can rely only on limited legal grounds, and must come with safeguards including the right to obtain human intervention, to express a view and to contest the decision.
Reviewed by Jackie, Head of Learning & Development, Levellers · Last reviewed 8 June 2026
What this means
Organisations increasingly use software to assess people: to approve a loan, screen a job application, set an insurance premium or decide eligibility for a benefit. Automated decision-making describes the cases where the system, not a person, effectively makes the call, and where the result matters to the individual concerned. The law does not object to automation as such. It focuses on a narrower category: decisions taken solely by automated means that carry a legal or similarly significant effect.
Two features have to be present together. First, the decision must be "solely" automated, meaning no meaningful human involvement in reaching it. A person who merely signs off on whatever the system produces does not change that. Second, the effect must be serious: it changes someone's legal position, or it has a comparable impact on their finances, employment, access to services or other important interests.
ADM is closely related to, but distinct from, profiling. Profiling is the automated analysis or prediction of someone's characteristics, such as creditworthiness or behaviour. Profiling often feeds an automated decision, but the two are not the same: you can profile without making a decision, and you can make an automated decision without profiling. The law treats them as connected concepts and regulates both.
Why it matters
ADM matters because it concentrates power in a process the affected person usually cannot see. When a decision that shapes someone's life is taken by a system, three risks follow: the person may not know a machine decided; they may have no way to correct the data or reasoning behind it; and errors or bias can be applied consistently and at scale, affecting many people in the same flawed way.
The legal response centres on rights and contestability. Where ADM rules apply, the individual is entitled to be told that automated decision-making is taking place, to receive meaningful information about the logic involved, and to seek human review, put their side and challenge the result. These are not optional courtesies. They are the safeguards that make an opaque process accountable, and they are increasingly the hinge on which regulators and courts decide whether an organisation has acted lawfully.
For organisations, getting this wrong carries real exposure: regulatory enforcement, compensation claims, and the reputational damage of being seen to let "the computer say no" without recourse. For individuals, the stakes are access to credit, jobs, housing, insurance and public services.
How it works
The core definition: solely automated decisions with significant effects
The anchor in European and UK law is GDPR Article 22. It gives a person the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning them or similarly significantly affects them. Regulators and the courts read this as a prohibition in principle, not merely a right the individual must invoke: the restriction applies whether or not the person asks for it. Recital 71 gives the textbook examples: automatic refusal of an online credit application, or e-recruitment practices with no human intervention.
What "solely automated" means
A decision is "solely" automated when there is no meaningful human involvement in reaching it. The key word is meaningful. Guidance from EU and UK regulators is consistent: token oversight does not count. To be meaningful, the human review must be carried out by someone with the authority and competence to change the decision, who actually considers the relevant data and other factors, and who reviews the matter before the decision takes effect. A reviewer who routinely waves through whatever the system recommends is "rubber-stamping", and the decision remains solely automated. The UK Data (Use and Access) Act 2025 puts this into statute: a decision is based solely on automated processing if there is "no meaningful human involvement", and in judging that, one must consider the extent to which the decision is reached by means of profiling.
What "legal or similarly significant effects" means
A legal effect changes someone's legal rights or status: ending a contract, denying a statutory benefit, or affecting their tax position. A "similarly significant" effect need not touch legal rights but must have a comparable practical impact. Regulators point to effects on a person's financial position, employment opportunities, access to essential services or health. Trivial matters, such as recommending a television programme, normally fall outside. Context matters: a decision that is minor for one person can be significant for a vulnerable individual or a child.
The grounds that permit ADM
Under the EU GDPR, a solely automated decision with significant effects is permitted only where it is: necessary for entering into or performing a contract between the person and the organisation; authorised by EU or member state law (for example, fraud or tax-evasion prevention); or based on the person's explicit consent. Decisions based on special category data (such as health, ethnicity or political opinion) face a higher bar: they generally require explicit consent or a substantial public interest basis, plus safeguards.
The safeguards required
Where ADM is permitted, the organisation must put safeguards in place. At a minimum the individual must be able to obtain human intervention, express their point of view and contest the decision. Recital 71 adds the right to an explanation of the decision reached. Separately, the GDPR's transparency provisions require organisations to tell people that automated decision-making is happening and to give meaningful information about the logic involved and the significance and envisaged consequences. Because this processing is treated as high risk, a Data Protection Impact Assessment is generally expected before it begins.
How the courts have read it: the SCHUFA and Dun & Bradstreet rulings
The Court of Justice of the European Union interpreted Article 22 for the first time in the SCHUFA case (C-634/21, judgment of 7 December 2023). Its ruling held that the automated establishment, by a credit information agency, of a probability value about a person's ability to meet future payments constitutes "automated individual decision-making" where a third party, such as a bank, "draws strongly on" that value to establish, implement or terminate a contract with that person. The Court set out three cumulative conditions for Article 22(1) to apply: there must be a "decision"; it must be based "solely" on automated processing, including profiling; and it must produce legal effects or similarly significantly affect the person. It read "decision" broadly, found the agency's scoring to be profiling, and reasoned that allowing the agency to escape Article 22 would leave a gap in protection because the bank could not explain a score it did not generate. The practical message: you cannot dodge ADM rules by splitting the scoring step from the formal decision step.
In a follow-on case, Dun & Bradstreet (C-203/22, judgment of 27 February 2025), the Court addressed the right to an explanation. It held that an individual subject to automated credit assessment is entitled to a "concise, transparent, intelligible and easily accessible" account of the procedure and principles actually applied, sufficient to understand which of their data was used and how a different result might have arisen. Disclosing the bare algorithm or a complex formula is not enough. Trade secrets do not justify a blanket refusal: where they are claimed, the information goes to the regulator or court to balance the competing interests.
The relationship with profiling
Profiling is defined in Article 4(4) GDPR as any automated processing of personal data to evaluate personal aspects of someone, such as performance at work, economic situation, health, reliability, behaviour or movements. Profiling and ADM overlap but are separate. Profiling becomes subject to the Article 22 restrictions only when it leads to a solely automated decision with legal or similarly significant effects. Equally, an automated decision can occur without profiling. The SCHUFA Court underlined how tightly the two can be linked in practice, treating the scoring (profiling) and its determining use (the decision) as part of one regulated chain.
How ADM relates to AI systems and high-risk classification
ADM and AI regulation are separate but overlapping. Data protection law governs the decision about the individual; AI-specific law governs the system. Under the EU AI Act, systems used for tasks such as creditworthiness assessment, recruitment and selection, and eligibility for essential public benefits are classified as high risk under Annex III. High-risk systems must be designed for effective human oversight (Article 14). Separately, Article 86 gives any affected person subject to a decision taken by a deployer on the basis of the output of an Annex III high-risk system, where that decision produces legal or similarly significant effects with an adverse impact on health, safety or fundamental rights, the right to obtain "clear and meaningful explanations of the role of the AI system in the decision-making procedure and the main elements of the decision taken". These system-level duties sit on top of, and do not replace, GDPR Article 22. Importantly, building human oversight into a high-risk system does not automatically take a decision outside Article 22: if the human cannot influence the result in practice, the SCHUFA logic means it can still be a solely automated decision.
Examples
Instant online credit decision
A person applies for a loan online. Software checks credit records, runs affordability checks and returns an immediate yes or no with no human involvement. This is a classic solely automated decision with a significant effect. Regulators use the automatic refusal of an online credit application as the standard example. The SCHUFA ruling extends the reach upstream: the agency that produces the credit score the lender relies on heavily is itself within scope.
Recruitment screening
An employer uses a tool to filter, rank or score job applicants. If a manager then reviews a shortlist and exercises genuine judgement on whom to interview, the decision is not solely automated. But if candidates are rejected or advanced purely on the tool's output, it is ADM. The UK ICO's report "Recruitment Rewired", published on 31 March 2026 and drawing on evidence from more than 30 UK employers gathered between March 2025 and January 2026, found that "many employers engaging in automated recruitment are likely relying on solely automated decisions as part of this process ... without meaningful human involvement". The ICO wrote to 16 organisations it identified as likely operating outside data protection law, all of which committed to act on its recommendations. It also noted that most existing employer impact assessments lacked the specificity needed to satisfy legal obligations, and that where an AI tool assigns candidates a "fit" score relied on by hiring managers, employers could not demonstrate how they mitigated the risk of disproportionate reliance.
Insurance and benefits determinations
An insurance claim that is paid or rejected instantly with no review, or a system that dynamically sets premiums based on risk scoring, can be ADM where the effect is significant. Likewise, automated determination of eligibility for a welfare benefit carries both a legal effect and a significant practical impact on livelihood, placing it squarely within the ADM rules.
Common misunderstandings
"All automation is ADM"
No. The rules bite only where a decision is both solely automated and carries a legal or similarly significant effect. Routine automation, such as content recommendations, ticket prioritisation or back-office calculation, generally falls outside, although broader data protection principles still apply.
"A human signs off, so it is not solely automated"
Not necessarily. A human who merely rubber-stamps the system's result does not provide meaningful involvement. The reviewer must have the authority, competence and information to change the decision and must actually engage with it before it takes effect.
"Decision support is always safe"
Labelling a tool "decision support" does not settle the question. What matters is how it operates in practice. If the human cannot or does not influence the result, the law may treat it as a solely automated decision regardless of the label.
"Profiling and ADM are the same thing"
They are related but distinct. Profiling is automated evaluation of a person; ADM is making a decision by automated means. Profiling triggers the Article 22 restrictions only when it drives a solely automated decision with significant effects.
"ADM rules and AI rules are interchangeable"
They are separate regimes that can apply at once. Data protection law governs the decision about the individual; AI-specific law such as the EU AI Act governs the system. Complying with one does not discharge the other.
Risks and boundaries
The central legal risk is misclassification: treating a process as "decision support" or "human-reviewed" when, in substance, the system decides. Regulators look at reality, not labels, and the burden of showing meaningful human involvement sits with the organisation.
A second boundary concerns explanation and transparency. The Dun & Bradstreet ruling makes clear that affected people are entitled to an intelligible explanation of the logic, and that trade secrecy is not a blanket shield. Organisations relying on opaque or third-party models need a way to explain them in plain terms.
A third area is divergence between regimes. The UK has moved to a more permissive ADM model under the Data (Use and Access) Act 2025, broadening the lawful grounds and reserving the strictest controls for decisions involving special category data, while giving the Secretary of State power to define "meaningful human involvement" and "significant effect" by regulation. The EU retains its prohibition-with-exceptions model; the European Commission's Digital Omnibus proposal, published on 19 November 2025, would clarify that the contractual-necessity ground can apply even where the same result could also be reached by human means, but this remains a proposal under negotiation at the time of writing. Other jurisdictions take different routes again. Brazil's LGPD (Law No. 13.709/2018), Article 20, gives data subjects the right to request review of decisions made solely on the basis of automated processing that affect their interests, including decisions defining personal, professional, consumer and credit profiles; notably, a 2018 amendment removed the requirement that this review be carried out by a human. An organisation compliant in one place may not be compliant in another.
Finally, ADM frequently sits inside AI systems that are themselves regulated. That raises cumulative obligations: data protection safeguards for the individual decision, and system-level duties such as risk management, human oversight by design and documentation for high-risk AI.
What to do next
Start by mapping where automated processing influences decisions about people, and be honest about how much real human judgement is exercised at the point of decision. Identify which of those processes carry legal or similarly significant effects, since those are the ones the ADM rules target.
For each in-scope process, confirm a lawful basis (contract, legal authorisation or explicit consent under the EU model; the broader grounds available under the UK model), and check whether special category data is involved, which raises the bar. Then build the safeguards in: a genuine route to human intervention by someone empowered to change the result, a way for people to express their view and contest the decision, clear transparency about the existence and logic of the automation, and a documented Data Protection Impact Assessment.
Treat "meaningful human involvement" as a design requirement, not a checkbox. Train reviewers, give them authority and time, and record how and when they intervene. Prepare plain-language explanations of your decision logic now, including for third-party models, so you can respond to access requests and challenges without hiding behind trade secrets.
If you operate across borders, decide whether to run a single high-water-mark approach or separate frameworks for the EU, UK, US states and other markets. Re-examine your position when the benchmarks shift: finalised EU clarifications to Article 22 through the Digital Omnibus, new UK regulations defining the core ADM terms or updated ICO guidance, the staged application of EU AI Act obligations for high-risk systems, and the entry into force of US state regimes such as Colorado's in January 2027 and California's ADMT compliance date.
FAQs
Is automated decision-making banned?
Not outright. Under the EU and UK GDPR, solely automated decisions with legal or similarly significant effects are restricted, not prohibited entirely. They are allowed on limited grounds, such as contractual necessity, legal authorisation or explicit consent, and only with safeguards. Many uses of automation fall outside the rules altogether because they lack a significant effect or involve genuine human judgement.
What is the difference between ADM and profiling?
Profiling is the automated evaluation or prediction of a person's characteristics. ADM is making a decision by automated means. Profiling often feeds an automated decision, but you can profile without deciding and decide without profiling. Profiling becomes subject to the Article 22 restrictions only when it leads to a solely automated decision with a legal or similarly significant effect.
Does a human "signing off" take a decision outside the rules?
Only if the involvement is meaningful. The reviewer must have the authority and competence to change the decision, must consider the relevant information, and must act before the decision takes effect. Routinely approving whatever the system recommends is rubber-stamping, and the decision stays solely automated.
Is there a "right to an explanation"?
There is a strong right to meaningful information about the logic of an automated decision, and to an explanation of a decision reached. The CJEU's Dun & Bradstreet ruling held that affected people must get an intelligible account of the procedure and principles applied, not just a raw algorithm, and that trade secrets do not justify refusing all information.
How does the EU AI Act relate to ADM?
The AI Act regulates AI systems; data protection law regulates decisions about individuals. They apply together. The AI Act requires high-risk systems to be designed for human oversight and, under Article 86, gives affected people a right to a clear and meaningful explanation of the role an Annex III high-risk system played in certain decisions. Meeting AI Act duties does not satisfy GDPR Article 22, and vice versa.
Has the UK changed its ADM rules?
Yes. The Data (Use and Access) Act 2025 replaced the old Article 22 with a more permissive regime. It restates the "no meaningful human involvement" and "significant decision" tests, broadens the lawful grounds for ADM, reserves the strictest controls for decisions involving special category data, and lets the Secretary of State define key terms by regulation. Safeguards (information, representations, human intervention, contesting the decision) remain.
Do US laws cover automated decision-making?
There is no single federal rule, but a growing patchwork. California's CCPA regulations create notice, opt-out and access rights for automated decision-making technology used in significant decisions, with compliance required from 1 January 2027. Colorado's Senate Bill 26-189, signed on 14 May 2026 and effective 1 January 2027, regulates "covered ADMT" used to materially influence consequential decisions in domains such as employment, lending, housing, insurance, healthcare, education and government services, giving consumers rights to access and correct data and to meaningful human review and reconsideration after an adverse outcome. Sectoral laws on credit and employment also apply.
What is the single biggest compliance mistake?
Misclassifying a solely automated decision as "decision support". Regulators assess what actually happens, not the label. If your reviewers cannot realistically change the result, you are likely making ADM and need the full set of safeguards.
