FirmAdapt
Tags: AI compliance, regulatory, privacy, data protection, GDPR

GDPR Article 22 and Automated Decision Making by AI: What Counts as a Decision

By Basel Ismail, May 15, 2026

Article 22 of the GDPR is one of those provisions that sounds straightforward until you actually try to apply it. The text gives data subjects "the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her or similarly significantly affects him or her." Clear enough on paper. In practice, every clause in that sentence is doing heavy lifting, and the boundaries are genuinely contested.

If you are deploying AI systems that touch personal data of EU residents, and especially if those systems influence outcomes for individuals, Article 22 is the provision most likely to create real legal exposure. Let's walk through where the actual lines are.

What "Solely Automated" Actually Means

The first gating question is whether a decision is "based solely on automated processing." This is where many organizations think they have an easy out. The logic goes: we have a human in the loop, so Article 22 does not apply.

The Article 29 Working Party (the predecessor of the European Data Protection Board) addressed this directly in its Guidelines on Automated Individual Decision-Making and Profiling (WP251rev.01, adopted October 2017 and last revised February 2018). The guidelines are explicit that human review must be meaningful: the reviewer must have the authority and competence to change the decision, and must actually weigh the relevant data rather than routinely apply the system's output. If someone is rubber-stamping an algorithmic output, or lacks the authority or competence to override it, the decision is still "solely automated" for Article 22 purposes.

The guidelines put the point bluntly: oversight must be "meaningful, rather than just a token gesture," and a controller cannot escape Article 22 by fabricating human involvement. The EDPB endorsed the guidelines when it took over from the Working Party in May 2018, and the same idea reappears as the human oversight requirement in Article 14 of the EU AI Act. The test is functional, not formal. Putting a person's name on the decision letter is not enough if the system made the call and the person just clicked approve.

This matters enormously for deployment architecture. If your AI system generates a recommendation and a human reviewer overrides it 0.3% of the time, a regulator has a strong argument that the decision is solely automated in substance. The Dutch childcare benefits affair (toeslagenaffaire) is the cautionary example: the Dutch Data Protection Authority (Autoriteit Persoonsgegevens) found in 2020 that the tax authority's fraud-detection processing was unlawful, and the subsequent inquiries documented how algorithmic risk scores were treated as effectively determinative despite nominal human review.

Legal Effects and "Similarly Significant" Effects

Even if a decision is solely automated, Article 22 only applies if it "produces legal effects" or "similarly significantly affects" the individual. Legal effects are relatively easy to identify: denial of a credit application, termination of an insurance policy, rejection of a visa. These change someone's legal position.

The "similarly significantly affects" language is where things get interesting. The EDPB guidelines give examples including decisions that affect someone's financial circumstances, access to health services, access to education, or employment opportunities. They also note that the decision must have a "sufficiently great or important" impact, not just a trivial one.

Targeted advertising, for instance, generally does not meet the threshold. But dynamic pricing that results in materially different prices based on profiling might. The EDPB acknowledged this ambiguity and suggested case-by-case analysis, which is not especially helpful for compliance teams trying to build policies.

A useful reference point is the Austrian DPA's (DSB) January 2020 decision regarding a credit scoring company. The DSB found that a credit score communicated to a bank, which the bank then used to deny a loan, constituted a decision with legal effects under Article 22, even though the scoring company argued it was merely providing information. The reasoning was that the score was the operative factor in the bank's decision. The formal decision-maker was the bank, but the automated system was doing the deciding.

The Recommendation vs. Decision Distinction

This brings us to what I think is the most practically important question for companies deploying AI: when does a recommendation become a decision?

Organizations frequently structure their AI deployments as "decision support" rather than "decision making" precisely to avoid Article 22. The system recommends; the human decides. On paper, this works. In practice, it depends entirely on how the recommendation is consumed.

Several factors push a recommendation toward being a de facto decision:

  • Override rates. If the human almost never deviates from the recommendation, regulators will treat it as a decision. There is no bright-line percentage, but single-digit override rates are going to be hard to defend.
  • Information asymmetry. If the human reviewer does not have access to the underlying data or reasoning, and is essentially presented with a yes/no recommendation, meaningful review is structurally impossible.
  • Time pressure. If the workflow gives the reviewer 30 seconds per case and there are 200 cases in the queue, the review is not meaningful regardless of what the policy says.
  • Authority to override. If overriding the system requires escalation, additional justification, or managerial approval, the system has become the default and the human is the exception handler. The EDPB flagged this specific pattern.
  • Consequence asymmetry. If a reviewer faces no consequences for agreeing with the AI but must document their reasoning when they disagree, the incentive structure makes the AI the decision-maker.

The Court of Justice of the EU has not ruled on a pure decision-support workflow under Article 22, but its December 2023 judgment in SCHUFA Holding (Case C-634/21) moved the needle significantly. The Court held that a credit score generated by a credit reference agency is itself an "automated individual decision" under Article 22(1) where a third party draws strongly on that score to establish, implement or terminate a contractual relationship with the person. The Court looked through the formal structure (the bank signs the rejection) to the functional reality (the score decided it). This is the direction of travel.

Practical Implications for Compliance Architecture

If you are building or deploying AI systems in regulated sectors, the compliance question is not just "do we have a human in the loop" but "is the human in the loop actually making decisions." Documenting this requires more than a policy statement. You need evidence: override rates, reviewer training records, time-per-review metrics, and audit trails showing that reviewers had access to sufficient information.
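
The five factors listed above and the evidence list in this paragraph describe a monitoring problem, so here is what that monitoring can look like in practice. The following Python script is an added example, not FirmAdapt's code: it computes override rate, median time per review, how often the reviewer opened the model's reasoning, and whether overrides needed escalation, from a review audit trail, and flags reviewers whose pattern looks like rubber-stamping. The record layout, the sample log and the numeric thresholds are assumptions chosen for illustration; the GDPR sets no numeric line, so the thresholds stand in for an organization's own policy rather than a legal test.

```python
"""Oversight metrics over an AI-review audit trail.

Added example, not FirmAdapt's code. Record layout, sample log and thresholds
are assumptions for illustration: GDPR names no numeric line, so the thresholds
represent an organisation's own policy, not a legal test.
"""
from dataclasses import dataclass
from statistics import median
from typing import Iterable


@dataclass(frozen=True)
class ReviewEvent:
    reviewer: str
    ai_recommendation: str      # what the model proposed, e.g. "deny"
    human_decision: str         # what the reviewer actually recorded
    seconds_spent: float        # case opened -> decision submitted
    reasoning_viewed: bool      # reviewer opened the model's explanation first
    escalation_required: bool   # overriding the model needed a manager sign-off


@dataclass(frozen=True)
class OversightReport:
    reviewer: str
    cases: int
    override_rate: float
    median_seconds: float
    reasoning_viewed_rate: float
    flags: tuple[str, ...]      # empty tuple means nothing looks like rubber-stamping


# Assumed policy thresholds (illustrative, not from GDPR or the WP251 guidelines).
MIN_OVERRIDE_RATE = 0.05       # below this, the human is rarely changing anything
MIN_MEDIAN_SECONDS = 120.0     # below this, review is too fast to be considered
MIN_REASONING_VIEWED = 0.90    # below this, reviewers decide without the logic


def assess_reviewer(reviewer: str, events: Iterable[ReviewEvent]) -> OversightReport:
    """Summarise one reviewer's behaviour and flag the rubber-stamping patterns
    described in the text: low override rate, time pressure, information
    asymmetry, and overrides that require escalation."""
    own = [e for e in events if e.reviewer == reviewer]
    if not own:
        raise ValueError(f"no review events for {reviewer!r}")
    n = len(own)
    override_rate = sum(e.human_decision != e.ai_recommendation for e in own) / n
    median_seconds = float(median(e.seconds_spent for e in own))
    viewed_rate = sum(e.reasoning_viewed for e in own) / n

    flags = []
    if override_rate < MIN_OVERRIDE_RATE:
        flags.append("override_rate_below_threshold")
    if median_seconds < MIN_MEDIAN_SECONDS:
        flags.append("median_review_time_below_threshold")
    if viewed_rate < MIN_REASONING_VIEWED:
        flags.append("reasoning_rarely_viewed")
    if any(e.escalation_required for e in own):
        flags.append("override_requires_escalation")
    return OversightReport(reviewer, n, override_rate, median_seconds, viewed_rate, tuple(flags))


def reviewers_at_risk(events: Iterable[ReviewEvent]) -> list[str]:
    """Reviewers whose pattern suggests the decision is solely automated in substance."""
    events = list(events)
    names = sorted({e.reviewer for e in events})
    return [r for r in names if assess_reviewer(r, events).flags]


# Constructed sample log: "alice" reviews with care; "bob" accepts whatever the model says.
_ALICE_TIMES = [240, 310, 180, 420, 260, 300, 150, 390, 275, 330]
_ALICE_DECISIONS = ["deny"] * 8 + ["approve"] * 2          # two genuine overrides
_BOB_TIMES = [12, 25, 18, 9, 30, 15, 22, 11, 27, 14]

SAMPLE_LOG = (
    [ReviewEvent("alice", "deny", d, t, True, False)
     for d, t in zip(_ALICE_DECISIONS, _ALICE_TIMES)]
    + [ReviewEvent("bob", "deny", "deny", t, i == 0, True)
       for i, t in enumerate(_BOB_TIMES)]
)


if __name__ == "__main__":
    for name in sorted({e.reviewer for e in SAMPLE_LOG}):
        r = assess_reviewer(name, SAMPLE_LOG)
        print(f"{r.reviewer}: overrides={r.override_rate:.0%} median={r.median_seconds:.0f}s "
              f"reasoning_viewed={r.reasoning_viewed_rate:.0%} flags={list(r.flags) or 'none'}")
    print("at risk:", reviewers_at_risk(SAMPLE_LOG))
```

Run over the constructed log, "alice" (20% overrides, several minutes per case, reasoning always opened) raises no flags, while "bob" (0% overrides, well under a minute per case, reasoning opened once, overrides gated behind escalation) trips all four. The useful design point is that each flag maps to one of the factors a regulator would look at, so the alert explains which structural condition for meaningful review has broken down rather than emitting a single opaque score.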

You also need to think about Article 22(3). Where an automated decision is permitted because it is necessary for a contract (Article 22(2)(a)) or based on explicit consent (Article 22(2)(c)), the controller must implement "suitable measures to safeguard the data subject's rights and freedoms and legitimate interests, at least the right to obtain human intervention on the part of the controller, to express his or her point of view and to contest the decision." Where the decision is authorised by EU or member state law (Article 22(2)(b)), that law itself must lay down the safeguards. Combined with the duty to provide "meaningful information about the logic involved" under Articles 13(2)(f), 14(2)(g) and 15(1)(h), this means explainability is not optional. If a data subject challenges an automated decision, you need to be able to explain the logic involved and give a real human a real opportunity to reconsider.

For organizations operating across multiple EU member states, note that several countries have layered their own rules on top of Article 22. France's CNIL, for example, has issued specific guidance on automated decision-making in public administration (Deliberation No. 2023-063), and Section 37 of Germany's Federal Data Protection Act (BDSG) carves out a sector-specific permission for automated decisions in insurance contracts, with its own safeguard and information obligations attached.

How FirmAdapt Addresses This

FirmAdapt's architecture is built around the principle that AI outputs in regulated workflows are recommendations, and the platform enforces the structural conditions necessary to keep them that way. This includes configurable review workflows with minimum time-per-review thresholds, mandatory access to underlying reasoning before a reviewer can approve or reject, and continuous monitoring of override rates with automated alerts when patterns suggest rubber-stamping.

The platform also generates the audit trail that Article 22(3) compliance requires: explainability logs, reviewer interaction records, and decision provenance documentation. For organizations subject to GDPR and deploying AI in areas like credit decisioning, insurance underwriting, or HR screening, FirmAdapt provides the infrastructure to demonstrate that human oversight is meaningful, not just nominal.
