[F1Section 4AU.K.Automated individual decision-making
Article 22AU.K.Automated processing and significant decisions
1.For the purposes of Articles 22B and 22C—
(a)a decision is based solely on automated processing if there is no meaningful human involvement in the taking of the decision, and
(b)a decision is a significant decision, in relation to a data subject, if—
(i)it produces a legal effect for the data subject, or
(ii)it has a similarly significant effect for the data subject.
2.When considering whether there is meaningful human involvement in the taking of a decision, a person must consider, among other things, the extent to which the decision is reached by means of profiling.
Article 22BU.K.Restrictions on automated decision-making
1.A significant decision based entirely or partly on processing described in Article 9(1) (processing of special categories of personal data) may not be taken based solely on automated processing, unless one of the following conditions is met.
2.The first condition is that the decision is based entirely on processing of personal data to which the data subject has given explicit consent.
3.The second condition is that—
(a)the decision is—
(i)necessary for entering into, or performing, a contract between the data subject and a controller, or
(ii)required or authorised by law, and
(b)point (g) of Article 9(2) applies.
4.A significant decision may not be taken based solely on automated processing if the processing of personal data carried out by, or on behalf of, the decision-maker for the purposes of the decision is carried out entirely or partly in reliance on Article 6(1)(ea).
Article 22CU.K.Safeguards for automated decision-making
1.Where a significant decision taken by or on behalf of a controller in relation to a data subject is—
(a)based entirely or partly on personal data, and
(b)based solely on automated processing,
the controller must ensure that safeguards for the data subject’s rights, freedoms and legitimate interests are in place which comply with paragraph 2 and any regulations under Article 22D(3).
2.The safeguards must consist of or include measures which—
(a)provide the data subject with information about decisions described in paragraph 1 taken in relation to the data subject;
(b)enable the data subject to make representations about such decisions;
(c)enable the data subject to obtain human intervention on the part of the controller in relation to such decisions;
(d)enable the data subject to contest such decisions.
Article 22DU.K.Further provision about automated decision-making
1.The Secretary of State may by regulations provide that, for the purposes of Article 22A(1)(a), there is, or is not, to be taken to be meaningful human involvement in the taking of a decision in cases described in the regulations.
2.The Secretary of State may by regulations provide that, for the purposes of Article 22A(1)(b)(ii), a description of decision is, or is not, to be taken to have a similarly significant effect for the data subject.
3.The Secretary of State may by regulations make the following types of provision about the safeguards required under Article 22C(1)—
(a)provision requiring the safeguards to include measures in addition to those described in Article 22C(2),
(b)provision imposing requirements which supplement what Article 22C(2) requires the safeguards to consist of or include (including, for example, provision about how and when things described in Article 22C(2) must be done or be capable of being done), and
(c)provision about measures which are not to be taken to satisfy one or more of points (a) to (d) of Article 22C(2).
4.Regulations under paragraph 3 may not amend Article 22C.
5.Regulations under this Article are subject to the affirmative resolution procedure.]
Textual Amendments
F1Ch. 3 Section 4A substituted for Art. 22 (19.6.2025 for specified purposes) by Data (Use and Access) Act 2025 (c. 18), ss. 80(1), 142(1)(2)(h)