Inferensys

Glossary

Solely Automated Decision

A decision made entirely by an algorithm without any meaningful human intervention, which is subject to specific opt-out rights under GDPR.
Cinematic overhead of a WeWork creative suite room with multiple curved monitors showing AI decision dashboards, executives in casual attire reviewing data, dramatic pendant lighting.
GDPR Article 22

What is Solely Automated Decision?

A solely automated decision is a determination produced entirely by algorithmic processing without any meaningful human intervention in the outcome.

A solely automated decision is a legally defined term under GDPR Article 22 referring to a decision based exclusively on automated processing, including profiling, which produces legal effects concerning a data subject or similarly significantly affects them. The defining characteristic is the complete absence of meaningful human intervention in the decision-making loop.

Data subjects have the explicit right not to be subject to such decisions, with narrow exceptions for contractual necessity, explicit consent, or member state law authorization. When permitted, the controller must implement suitable measures to safeguard the data subject's rights, including the right to human intervention, the ability to express one's point of view, and a contestability mechanism to challenge the decision.

DEFINING THE BOUNDARY

Core Characteristics of a Solely Automated Decision

A solely automated decision is not merely a software calculation; it is a specific legal construct under GDPR Article 22 that triggers opt-out rights. The following characteristics distinguish a prohibited or restricted automated process from a standard algorithmic support tool.

01

Absence of Meaningful Human Intervention

The defining characteristic is the complete exclusion of human judgment from the final decision loop. A human merely rubber-stamping an algorithmic output does not constitute meaningful intervention.

  • Competence Requirement: The human reviewer must have the authority and competence to override the decision.
  • Substantive Review: The intervention must be a genuine assessment of all relevant data, not just a procedural check.
  • Contrast: A loan officer who actively reviews an AI's credit score recommendation and can adjust the rate is not a solely automated decision.
02

Legal or Similarly Significant Effects

The decision must produce a binding consequence that significantly impacts the data subject's life. Trivial automations are not covered.

  • Legal Effects: Decisions that affect a person's legal rights, such as contract termination or eligibility for social benefits.
  • Similarly Significant Effects: Actions that have a comparable impact, including automatic denial of credit, e-recruiting without human review, or differential pricing that excludes individuals.
  • Exclusion: Automated spam filtering or minor ad personalization typically does not meet this threshold.
03

Solely Algorithmic Processing

The decision path from input data to final output must be entirely deterministic and unaided by human cognition at any stage of the final execution.

  • End-to-End Automation: The system autonomously ingests personal data, applies a model, and outputs a binding decision.
  • No Human Bottleneck: There is no step in the workflow where a human pauses the process to evaluate the logic before the effect is applied to the data subject.
  • Profiling Link: This often involves profiling—automated processing to evaluate personal aspects like work performance, economic situation, or health.
04

Explicit Consent or Contractual Necessity

For a solely automated decision to be lawful, it must fall under one of three narrow exceptions defined in GDPR Article 22(2).

  • Explicit Consent: The data subject has given unambiguous, specific consent to the automated processing.
  • Contractual Necessity: The decision is necessary for entering into or performing a contract between the data subject and the controller.
  • Member State Law: The decision is authorized by Union or Member State law with suitable safeguards.
  • Safeguard Overlay: Even when lawful, the controller must implement human intervention rights, data subject viewpoint expression, and contestability mechanisms.
05

Special Category Data Prohibition

The bar for lawful solely automated decision-making is raised significantly when sensitive personal data is involved.

  • General Ban: GDPR Article 22(4) prohibits solely automated decisions based on special categories of personal data (e.g., health, ethnicity, political opinion).
  • Narrow Derogations: The only exceptions are explicit consent or processing for substantial public interest, both requiring suitable measures to safeguard fundamental rights.
  • Zero Tolerance: Unlike general data, contractual necessity is not a valid legal basis for automating decisions using sensitive data.
06

Right to Human Intervention

A procedural safeguard that must be architected into the system, not bolted on after the fact. It is the data subject's right to obtain human intervention on the part of the controller.

  • Proactive Obligation: The controller must provide a simple, accessible mechanism for the user to express their point of view and contest the decision.
  • Timeliness: The human review must occur within a reasonable timeframe to prevent the automated decision from causing irreversible harm.
  • Technical Implementation: This requires a contestability mechanism in the user interface, not just a generic customer service email.
SOLELY AUTOMATED DECISION-MAKING

Frequently Asked Questions

Clarifying the legal and technical boundaries of algorithmic decisions made without meaningful human intervention under GDPR and the EU AI Act.

A solely automated decision is a determination produced entirely by algorithmic processing without any meaningful human intervention in the decision-making loop. Under Article 22 of the GDPR, this applies specifically to decisions that produce legal effects concerning the data subject or similarly significant effects, such as automatic refusal of an online credit application, e-recruiting practices without human review, or behavioral advertising that impacts economic opportunity. The key qualifier is the absence of human analysis, assessment, or the authority to override the algorithmic output. If a human merely rubber-stamps a machine-generated result without substantive review, the decision remains 'solely automated' in the eyes of regulators. The right enshrined in Article 22 is not a general prohibition but a qualified right: data subjects have the right not to be subject to such a decision, meaning they can opt out unless the processing falls under one of three specific exceptions—contractual necessity, explicit consent, or authorization by Union or Member State law—each of which requires suitable safeguards including the right to human intervention.

DECISION GOVERNANCE COMPARISON

Solely Automated Decision vs. Human-in-the-Loop Decision

A comparison of decision-making architectures under GDPR Article 22, contrasting fully algorithmic processing with systems that incorporate meaningful human intervention.

FeatureSolely Automated DecisionHuman-in-the-Loop DecisionHuman-on-the-Loop Decision

Human intervention

GDPR Article 22 applicability

Opt-out right triggered

Decision override capability

Latency per decision

< 100 ms

Minutes to hours

Seconds to minutes

Audit trail granularity

Algorithmic inputs and output only

Full human rationale recorded

System output with human sampling

Scalability ceiling

Unlimited

Limited by human bandwidth

High with periodic review

Right to explanation complexity

High (black-box logic disclosure)

Low (human rationale available)

Medium (system logic plus oversight)

Prasad Kumkar

About the author

Prasad Kumkar

CEO & MD, Inference Systems

Prasad Kumkar is the CEO & MD of Inference Systems and writes about AI systems architecture, LLM infrastructure, model serving, evaluation, and production deployment. Over 5+ years, he has worked across computer vision models, L5 autonomous vehicle systems, and LLM research, with a focus on taking complex AI ideas into real-world engineering systems.

His work and writing cover AI systems, large language models, AI agents, multimodal systems, autonomous systems, inference optimization, RAG, evaluation, and production AI engineering.