If you are building AI systems that make decisions about people in the European Union, GDPR Article 22 is the most important regulation you have never read. It restricts automated individual decision-making, including profiling, and grants data subjects the right not to be subject to a decision based solely on automated processing that produces legal effects or similarly significant impacts. For AI engineers building agentic systems that approve loans, screen resumes, or assess credit risk, Article 22 is not optional — it is a compliance requirement with teeth. Fines can reach 4% of global annual turnover or €20 million, whichever is higher.
Article 22: What It Actually Requires
Article 22 of the GDPR establishes three fundamental requirements for automated decision-making systems:
- The data subject has the right not to be subject to a decision based solely on automated processing — if the decision produces legal effects or similarly significantly affects the individual.
- If the decision is permitted (via explicit consent, contract necessity, or EU/state law), the controller must implement suitable measures to safeguard the data subject's rights, freedoms, and legitimate interests.
- The data subject must have the right to obtain human intervention, express their point of view, and contest the decision.
The key phrase for AI engineers is "based solely on automated processing." If a human reviews the decision and has the authority to override it, Article 22's restriction does not apply. This creates a strong compliance incentive to build systems with human-in-the-loop review — but it also creates a record-keeping obligation. How do you prove that meaningful human review occurred? How do you demonstrate that the automated processing was fair, transparent, and non-discriminatory?
'The right to an explanation is not a technical nicety. It is a legal requirement. If your AI system makes a decision and cannot explain why, it is not compliant with GDPR.' — European Data Protection Board guidance on automated decision-making (2024)
Verification as a Compliance Primitive
This is where verification infrastructure becomes a compliance tool. SignalStack's platform provides the audit trail, explainability, and oversight mechanisms that GDPR compliance requires. Every verification request generates a verifiable record of what was checked, what sources were consulted, and what confidence level was achieved. This record is the raw material for the right to explanation.
Audit Trails with Webhooks
SignalStack's webhook system (/docs/guides/webhooks) provides real-time event streams for every verification event. When a claim is checked, a document is analyzed, or a business identity is verified, the system emits structured events containing the full evidence chain. These events can be routed to compliance databases, SIEM systems, or immutable audit logs.
For GDPR compliance, this means you can reconstruct exactly what the automated system decided, when, why, and based on what evidence. If a data subject exercises their right to contest a decision, you can produce a complete record of the automated processing. This is not just good engineering — it is the evidentiary foundation for demonstrating compliance.
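An "immutable audit log" is only as good as your ability to show that no event was altered after the fact. The following is an added example, not SignalStack's code or webhook format: it hash-chains verification events so that each entry commits to the previous one, verifies the chain, and reconstructs the history of a single claim. The events are constructed sample data shaped like the claim.verified event shown later on this page, and the event names `human_review.completed` and field `notes` are assumptions.

```python
import copy
import hashlib
import json

GENESIS = "0" * 64   # prev_hash of the very first entry

# Constructed sample events, modelled on the claim.verified event shape used on this page.
SAMPLE_EVENTS = [
    {"event": "claim.verified", "timestamp": "2026-02-24T14:30:00Z",
     "claim_id": "clm_abc123", "trust_score": 87, "decision": "approved",
     "review_type": "automated"},
    {"event": "claim.verified", "timestamp": "2026-02-24T14:31:10Z",
     "claim_id": "clm_def456", "trust_score": 41, "decision": None,
     "review_type": "human_review"},
    {"event": "human_review.completed", "timestamp": "2026-02-24T15:02:45Z",   # assumed event name
     "claim_id": "clm_def456", "reviewer": "analyst_17", "decision": "declined",
     "notes": "Identity document could not be matched to the applicant"},
]


def canonical(event: dict) -> bytes:
    """Deterministic serialisation so the same event always hashes to the same value."""
    return json.dumps(event, sort_keys=True, separators=(",", ":")).encode()


def entry_hash(prev_hash: str, event: dict) -> str:
    """Hash covers the previous entry's hash as well as this event's content."""
    return hashlib.sha256(prev_hash.encode() + canonical(event)).hexdigest()


def append_event(chain: list[dict], event: dict) -> dict:
    """Append an event that is linked to whatever came before it."""
    prev = chain[-1]["hash"] if chain else GENESIS
    entry = {"prev_hash": prev, "event": event, "hash": entry_hash(prev, event)}
    chain.append(entry)
    return entry


def build_chain(events) -> list[dict]:
    chain: list[dict] = []
    for ev in events:
        append_event(chain, ev)
    return chain


def verify_chain(chain: list[dict]) -> tuple[bool, int]:
    """Return (True, -1) if intact, otherwise (False, index) of the first entry
    whose content was changed or whose link to its predecessor no longer holds."""
    expected_prev = GENESIS
    for i, entry in enumerate(chain):
        if entry["prev_hash"] != expected_prev:
            return False, i
        if entry_hash(entry["prev_hash"], entry["event"]) != entry["hash"]:
            return False, i
        expected_prev = entry["hash"]
    return True, -1


def events_for_claim(chain: list[dict], claim_id: str) -> list[dict]:
    """Everything recorded about one claim, in order: the material for an explanation."""
    return [e["event"] for e in chain if e["event"].get("claim_id") == claim_id]


def demo_tamper_detection() -> tuple[bool, int]:
    """Raise a held application's score after the fact in a copy of the log and
    report what verification sees."""
    tampered = copy.deepcopy(build_chain(SAMPLE_EVENTS))
    tampered[1]["event"]["trust_score"] = 90
    return verify_chain(tampered)


if __name__ == "__main__":
    log = build_chain(SAMPLE_EVENTS)
    print("intact:", verify_chain(log))
    print("after tampering:", demo_tamper_detection())
    for ev in events_for_claim(log, "clm_def456"):
        print(ev["timestamp"], ev["event"], ev.get("decision"))
```

Editing or deleting an entry in the middle is caught at that entry or the one after it. Truncating the tail is not caught by the chain alone, so the head hash should be anchored somewhere the log writer cannot rewrite (a separate store, a signed timestamp, or a SIEM that receives it independently).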
Authentication and Access Control
GDPR Article 5 requires that personal data be processed in a manner that ensures appropriate security. SignalStack's authentication system (/docs/guides/authentication) provides API-key-based access control with granular permissions per verification type. Each API call is authenticated, authorized, and logged. This creates an access control trail that satisfies the GDPR's accountability principle.
For organizations processing data across multiple jurisdictions, SignalStack supports configurable data residency controls. Verification requests can be routed to specific regional processing endpoints, ensuring that personal data does not cross borders in violation of GDPR transfer restrictions. This is documented in detail at /security.
Building a GDPR-Compliant AI Decision System
Here is a practical architecture for building an AI decision-making system that satisfies GDPR Article 22 requirements using SignalStack's verification infrastructure:
Step 1: Separate Decision from Verification
The AI model makes a recommendation, but the decision is not executed until verification completes. This separation is structurally important for compliance — the model's output is a suggestion, not a decision. The decision occurs when the verified output is acted upon, and that action is logged with the verification evidence chain attached.
Step 2: Verify Every Claim with an Evidence Chain
Every claim that factors into the decision — credit score, income verification, identity check — should be independently verified. SignalStack's /product/claim-verification API returns both a trust score and a structured evidence chain. Store the evidence chain alongside the decision record. If a data subject later contests the decision, you can produce the complete verification trail.
Step 3: Implement Human-in-the-Loop with Escalation Paths
Configure trust score thresholds that trigger human review. A credit application with a trust score of 75 may be suitable for automated approval; one with a score of 40 requires human review. The evidence chain gives the human reviewer everything they need to make an informed decision. The human's decision, along with the evidence they reviewed, becomes part of the compliance record.
Step 4: Log Everything for the Right to Explanation
SignalStack's webhook events provide structured, machine-readable logs of every verification. Route these to your compliance database. When a data subject requests an explanation, you can query the verification events for their case and produce a human-readable summary of what was checked, what was found, and why the decision was reached.
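The four steps above worked through as one runnable example. This is added illustration code, not SignalStack's own code or API: `verify_claims()` is a constructed stand-in for the claim-verification call that returns a trust score and evidence chain directly, `model_recommend()` is a constructed placeholder for the AI model, the applicants are constructed data, and the 60-point review threshold is an assumption chosen to sit between the 75 and 40 figures used in Step 3.

```python
from dataclasses import dataclass, asdict
from typing import Optional

# Assumption (not from the page): scores at or above this may be acted on without a human.
HUMAN_REVIEW_THRESHOLD = 60

# Results that count as positive confirmation of a claim (constructed vocabulary).
POSITIVE_RESULTS = {"match", "verified", "confirmed"}


@dataclass
class Evidence:
    source: str
    result: str
    confidence: float


@dataclass
class DecisionRecord:
    claim_id: str
    recommendation: str              # Step 1: the model's output is a suggestion only
    trust_score: int
    evidence_chain: list[Evidence]   # Step 2: stored alongside the decision
    review_type: str                 # "automated" or "human_review"
    decision: Optional[str] = None   # stays None until something is allowed to act
    reviewer: Optional[str] = None
    reviewer_notes: Optional[str] = None

    def executable(self) -> bool:
        """Nothing downstream may act until a decision exists in the record."""
        return self.decision is not None


def model_recommend(applicant: dict) -> str:
    """Constructed stand-in for the AI model: a simple debt-to-income rule."""
    return "approve" if applicant["debt"] / applicant["income"] < 0.4 else "decline"


def verify_claims(applicant: dict) -> tuple[int, list[Evidence]]:
    """Constructed stand-in for a claim-verification service (not SignalStack's API).
    Each check yields one evidence item; the trust score is the mean confidence of
    positively confirmed sources scaled to 0-100, so one failed check pulls it down."""
    chain = [Evidence(src, res, conf) for src, (res, conf) in applicant["checks"].items()]
    credited = [e.confidence if e.result in POSITIVE_RESULTS else 0.0 for e in chain]
    score = round(100 * sum(credited) / len(credited)) if credited else 0
    return score, chain


def decide(applicant: dict, threshold: int = HUMAN_REVIEW_THRESHOLD) -> DecisionRecord:
    """Steps 1-3: recommend, verify, then either auto-decide or hold for a human."""
    recommendation = model_recommend(applicant)
    score, chain = verify_claims(applicant)
    record = DecisionRecord(applicant["claim_id"], recommendation, score, chain, "automated")
    if score >= threshold:
        record.decision = recommendation
    else:
        record.review_type = "human_review"   # decision stays None: nothing executes yet
    return record


def record_human_review(record: DecisionRecord, reviewer: str, decision: str, notes: str) -> DecisionRecord:
    """Step 3: the human's decision and reasoning become part of the record.
    Refusing an empty trail avoids the 'missing human review records' pitfall."""
    if record.review_type != "human_review":
        raise ValueError("record was not routed for human review")
    if not reviewer or not notes.strip():
        raise ValueError("human review must name the reviewer and record their reasoning")
    record.reviewer, record.decision, record.reviewer_notes = reviewer, decision, notes
    return record


def explain(record: DecisionRecord) -> str:
    """Step 4: human-readable summary for a data subject who contests the decision."""
    lines = [f"Claim {record.claim_id}: decision '{record.decision}' (trust score {record.trust_score}/100).",
             f"Model recommendation: {record.recommendation}."]
    lines += [f"  - {e.source}: {e.result} (confidence {e.confidence:.2f})" for e in record.evidence_chain]
    if record.review_type == "human_review":
        lines.append(f"Reviewed by {record.reviewer}: {record.reviewer_notes}")
    else:
        lines.append("No human reviewer was involved; the score met the automated threshold.")
    return "\n".join(lines)


def to_event(record: DecisionRecord) -> dict:
    """Serialisable form matching the page's claim.verified event, ready for the audit log."""
    return {"event": "claim.verified", "claim_id": record.claim_id, "trust_score": record.trust_score,
            "evidence_chain": [asdict(e) for e in record.evidence_chain],
            "decision": record.decision, "review_type": record.review_type}


# Constructed sample applicants (not real data).
APPLICANT_OK = {"claim_id": "clm_abc123", "income": 60000, "debt": 12000,
                "checks": {"credit_bureau_api": ("match", 0.94),
                           "identity_document": ("verified", 0.98),
                           "income_database": ("confirmed", 0.89)}}
APPLICANT_LOW = {"claim_id": "clm_xyz789", "income": 30000, "debt": 15000,
                 "checks": {"credit_bureau_api": ("match", 0.91),
                            "identity_document": ("unverified", 0.35),
                            "income_database": ("not_found", 0.0)}}

if __name__ == "__main__":
    held = decide(APPLICANT_LOW)
    print("executable before review:", held.executable())
    record_human_review(held, "analyst_17", "decline", "Identity document could not be verified")
    print(explain(held))
    print(to_event(decide(APPLICANT_OK)))
```

The point of the structure is that the same record object carries the recommendation, the evidence, the routing decision and the human review, so the explanation is generated from what the system actually did rather than reconstructed afterwards.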
// Example: GDPR-compliant decision logging
// Each verification event includes:
{
  "event": "claim.verified",
  "timestamp": "2026-02-24T14:30:00Z",
  "claim_id": "clm_abc123",
  "trust_score": 87,
  "evidence_chain": [
    { "source": "credit_bureau_api", "result": "match", "confidence": 0.94 },
    { "source": "identity_document", "result": "verified", "confidence": 0.98 },
    { "source": "income_database", "result": "confirmed", "confidence": 0.89 }
  ],
  "decision": "approved",
  "review_type": "automated"
}
Common Compliance Pitfalls for AI Engineers
Based on regulatory guidance and enforcement actions, here are the most common GDPR compliance failures in AI systems:
- No evidence chain — The system makes decisions but cannot explain how. This violates both Article 22's transparency requirement and Article 5's accountability principle.
- Black box verification — Using verification systems that provide a score without supporting evidence. A score alone is not an explanation. The evidence chain is what matters.
- Missing human review records — Implementing human-in-the-loop but failing to document the review. If you cannot prove that meaningful human review occurred, the decision is treated as based solely on automated processing and Article 22 applies in full.
- Cross-border data routing — Processing personal data in a region without adequate data protection agreements. SignalStack's regional routing options address this (see /security for details).
- No webhook audit trail — Relying on polling or periodic synchronization for verification records. Real-time webhook events provide the continuous, auditable trail that GDPR requires.
Start your GDPR compliance audit by mapping every automated decision your AI system makes. For each decision, identify: (1) what claims are being evaluated, (2) whether each claim is independently verifiable, (3) what evidence chain would be required to explain the decision, and (4) at what threshold human review is triggered. Most teams discover that they are making more automated decisions than they realized, and that many of those decisions lack any verification infrastructure at all. The /docs/guides/authentication docs and /docs/guides/webhooks docs provide the implementation patterns you need to close those gaps.
Conclusion
GDPR compliance for AI systems is not about avoiding fines — it is about building systems that are transparent, accountable, and fair. Verification infrastructure provides the technical foundation for that transparency. By separating decision-making from verification, maintaining auditable evidence chains, and implementing structured human review processes, AI engineers can build systems that satisfy both the letter and the spirit of GDPR Article 22. SignalStack provides the verification layer that makes this architecture practical. Start with /security for the compliance overview and /docs/guides/webhooks for the implementation guide.
Luke Swestun is the founder of SignalStack. He writes about trust infrastructure, hallucination detection, and building AI agents that can verify before they act.