A solely automated decision is a legally defined term under GDPR Article 22 referring to a decision based exclusively on automated processing, including profiling, which produces legal effects concerning a data subject or similarly significantly affects them. The defining characteristic is the complete absence of meaningful human intervention in the decision-making loop.
Glossary
Solely Automated Decision

What is Solely Automated Decision?
A solely automated decision is a determination produced entirely by algorithmic processing without any meaningful human intervention in the outcome.
Data subjects have the explicit right not to be subject to such decisions, with narrow exceptions for contractual necessity, explicit consent, or member state law authorization. When permitted, the controller must implement suitable measures to safeguard the data subject's rights, including the right to human intervention, the ability to express one's point of view, and a contestability mechanism to challenge the decision.
Core Characteristics of a Solely Automated Decision
A solely automated decision is not merely a software calculation; it is a specific legal construct under GDPR Article 22 that triggers opt-out rights. The following characteristics distinguish a prohibited or restricted automated process from a standard algorithmic support tool.
Absence of Meaningful Human Intervention
The defining characteristic is the complete exclusion of human judgment from the final decision loop. A human merely rubber-stamping an algorithmic output does not constitute meaningful intervention.
- Competence Requirement: The human reviewer must have the authority and competence to override the decision.
- Substantive Review: The intervention must be a genuine assessment of all relevant data, not just a procedural check.
- Contrast: A loan officer who actively reviews an AI's credit score recommendation and can adjust the rate is not a solely automated decision.
Legal or Similarly Significant Effects
The decision must produce a binding consequence that significantly impacts the data subject's life. Trivial automations are not covered.
- Legal Effects: Decisions that affect a person's legal rights, such as contract termination or eligibility for social benefits.
- Similarly Significant Effects: Actions that have a comparable impact, including automatic denial of credit, e-recruiting without human review, or differential pricing that excludes individuals.
- Exclusion: Automated spam filtering or minor ad personalization typically does not meet this threshold.
Solely Algorithmic Processing
The decision path from input data to final output must be entirely deterministic and unaided by human cognition at any stage of the final execution.
- End-to-End Automation: The system autonomously ingests personal data, applies a model, and outputs a binding decision.
- No Human Bottleneck: There is no step in the workflow where a human pauses the process to evaluate the logic before the effect is applied to the data subject.
- Profiling Link: This often involves profiling—automated processing to evaluate personal aspects like work performance, economic situation, or health.
Explicit Consent or Contractual Necessity
For a solely automated decision to be lawful, it must fall under one of three narrow exceptions defined in GDPR Article 22(2).
- Explicit Consent: The data subject has given unambiguous, specific consent to the automated processing.
- Contractual Necessity: The decision is necessary for entering into or performing a contract between the data subject and the controller.
- Member State Law: The decision is authorized by Union or Member State law with suitable safeguards.
- Safeguard Overlay: Even when lawful, the controller must implement human intervention rights, data subject viewpoint expression, and contestability mechanisms.
Special Category Data Prohibition
The bar for lawful solely automated decision-making is raised significantly when sensitive personal data is involved.
- General Ban: GDPR Article 22(4) prohibits solely automated decisions based on special categories of personal data (e.g., health, ethnicity, political opinion).
- Narrow Derogations: The only exceptions are explicit consent or processing for substantial public interest, both requiring suitable measures to safeguard fundamental rights.
- Zero Tolerance: Unlike general data, contractual necessity is not a valid legal basis for automating decisions using sensitive data.
Right to Human Intervention
A procedural safeguard that must be architected into the system, not bolted on after the fact. It is the data subject's right to obtain human intervention on the part of the controller.
- Proactive Obligation: The controller must provide a simple, accessible mechanism for the user to express their point of view and contest the decision.
- Timeliness: The human review must occur within a reasonable timeframe to prevent the automated decision from causing irreversible harm.
- Technical Implementation: This requires a contestability mechanism in the user interface, not just a generic customer service email.
Frequently Asked Questions
Clarifying the legal and technical boundaries of algorithmic decisions made without meaningful human intervention under GDPR and the EU AI Act.
A solely automated decision is a determination produced entirely by algorithmic processing without any meaningful human intervention in the decision-making loop. Under Article 22 of the GDPR, this applies specifically to decisions that produce legal effects concerning the data subject or similarly significant effects, such as automatic refusal of an online credit application, e-recruiting practices without human review, or behavioral advertising that impacts economic opportunity. The key qualifier is the absence of human analysis, assessment, or the authority to override the algorithmic output. If a human merely rubber-stamps a machine-generated result without substantive review, the decision remains 'solely automated' in the eyes of regulators. The right enshrined in Article 22 is not a general prohibition but a qualified right: data subjects have the right not to be subject to such a decision, meaning they can opt out unless the processing falls under one of three specific exceptions—contractual necessity, explicit consent, or authorization by Union or Member State law—each of which requires suitable safeguards including the right to human intervention.
Enabling Efficiency, Speed & Accuracy
Intelligent Analysis, Decision & Execution
We build AI systems for teams that need search across company data, workflow automation across tools, or AI features inside products and internal software.
Talk to Us
Search across company data
Give teams answers from docs, tickets, runbooks, and product data with sources and permissions.
Useful when people spend too long searching or get different answers from different systems.

Automate internal workflows
Use AI to route work, draft outputs, trigger actions, and keep approvals and logs in place.
Useful when repetitive work moves across multiple tools and teams.

Add AI to products and internal tools
Build assistants, guided actions, or decision support into the software your team or customers already use.
Useful when AI needs to be part of the product, not a separate tool.
Solely Automated Decision vs. Human-in-the-Loop Decision
A comparison of decision-making architectures under GDPR Article 22, contrasting fully algorithmic processing with systems that incorporate meaningful human intervention.
| Feature | Solely Automated Decision | Human-in-the-Loop Decision | Human-on-the-Loop Decision |
|---|---|---|---|
Human intervention | |||
GDPR Article 22 applicability | |||
Opt-out right triggered | |||
Decision override capability | |||
Latency per decision | < 100 ms | Minutes to hours | Seconds to minutes |
Audit trail granularity | Algorithmic inputs and output only | Full human rationale recorded | System output with human sampling |
Scalability ceiling | Unlimited | Limited by human bandwidth | High with periodic review |
Right to explanation complexity | High (black-box logic disclosure) | Low (human rationale available) | Medium (system logic plus oversight) |
Related Terms
Understanding solely automated decision-making requires familiarity with the legal rights, oversight mechanisms, and technical safeguards that govern algorithmic outcomes.
Meaningful Human Intervention
The critical safeguard that distinguishes a solely automated decision from a supported one. Under GDPR, this requires a review by a qualified person with the authority and competence to override the algorithmic outcome. The intervention must be more than a token gesture—the human must actively assess all relevant data, not merely rubber-stamp the machine's output. Without this, the decision falls under Article 22 and triggers opt-out rights.
Right to Explanation
A data subject's legal entitlement under GDPR Article 22(3) and Recital 71 to receive meaningful information about the logic involved in an automated decision. This goes beyond mere transparency—it requires disclosing:
- The reasoning process behind the specific decision
- The significance and envisaged consequences
- The key features that influenced the outcome This right is the procedural counterweight to the opacity of black-box algorithms.
Contestability Mechanism
A technical and procedural interface that allows end-users to formally challenge an AI-driven decision and seek human review or remedy. Effective contestability requires:
- A clear channel for lodging disputes
- Access to a human reviewer with override authority
- Timely resolution timelines
- The ability to submit additional evidence Without this mechanism, a solely automated decision system violates the principle of procedural fairness.
Data Protection Impact Assessment
A mandatory GDPR Article 35 process for identifying and minimizing data protection risks before processing begins. For solely automated decision systems, the DPIA must specifically address:
- The logic of the algorithm and its accuracy
- The scope of automated decisions and their effects
- Safeguards for data subject rights
- Fallback procedures if the system fails Failure to conduct a DPIA for high-risk automated processing can result in fines up to €10 million or 2% of global turnover.
Algorithmic Impact Assessment
A structured evaluation framework that predates and complements the DPIA, focusing on the societal and ethical consequences of automated decision systems. Unlike the DPIA's privacy focus, the AIA examines:
- Disparate impact on vulnerable populations
- Fairness metrics across demographic groups
- Transparency of the decision logic
- Accountability chains for adverse outcomes This is increasingly mandated by regulations like Canada's Directive on Automated Decision-Making and the EU AI Act.
Audit Trail
A chronological, immutable record of all inputs, transformations, and outputs in an automated decision pipeline. For solely automated decisions, the audit trail must capture:
- The exact input data at decision time
- The model version and configuration
- The inference path and intermediate states
- The final output and confidence scores This record is essential for demonstrating compliance during regulatory investigations and enabling the right to explanation.

About the author
Prasad Kumkar
CEO & MD, Inference Systems
Prasad Kumkar is the CEO & MD of Inference Systems and writes about AI systems architecture, LLM infrastructure, model serving, evaluation, and production deployment. Over 5+ years, he has worked across computer vision models, L5 autonomous vehicle systems, and LLM research, with a focus on taking complex AI ideas into real-world engineering systems.
His work and writing cover AI systems, large language models, AI agents, multimodal systems, autonomous systems, inference optimization, RAG, evaluation, and production AI engineering.
Partnered with leading AI, data, and software stack.
How We Work
Custom AI workflows for your Business
One-fit-all AI don't work for modern businesses. At Inferensys, we aim to understand your business & custom requirements; which we use to define most efficient agentic workflows, the data, and the tools for your business.
01
Review the use case
We understand the task, the users, and where AI can actually help.
Read more02
Pick the right approach
We define what needs search, automation, or product integration.
Read more03
Build the first useful version
We implement the part that proves the value first.
Read more04
Improve from there
We add the checks and visibility needed to keep it useful.
Read moreThe first call is a practical review of your use case and the right next step.
Talk to Us