What is GDPR Article 22 and how does it protect me from AI decisions?

GDPR Article 22(1) gives every individual in the EU/EEA the right not to be subject to a decision based solely on automated processing - including profiling - which produces legal effects concerning them or similarly significantly affects them. This covers algorithmic credit scoring, automated insurance underwriting, AI recruitment screening, and benefit eligibility algorithms - provided the decision is solely automated and has legal or similarly significant effects. Under Article 22(3), you have the right to obtain human intervention, express your point of view, and contest the decision. Separately, GDPR Articles 13(2)(f), 14(2)(g), and 15(1)(h) require organizations to provide meaningful information about the logic involved in automated decision-making. The CJEU confirmed in the SCHUFA case (C-634/21, December 2023) that automated credit scoring can itself fall under Article 22 when the score decisively determines the outcome. These rights are fully enforceable now.

What is the EU AI Act and when does it take effect?

The EU AI Act (Regulation 2024/1689) is the world's first comprehensive legislation regulating artificial intelligence. It entered into force on 1 August 2024 with a phased implementation timeline. Prohibited AI practices (Article 5) - including social scoring, workplace emotion recognition, and manipulative AI - have been banned since 2 February 2025. Governance obligations and GPAI model requirements became effective on 2 August 2025. The full framework for high-risk AI systems becomes enforceable on 2 August 2026. Penalties are severe: up to EUR 35 million or 7% of global annual turnover for prohibited practices, EUR 15 million or 3% for other violations.

Which AI decisions can I challenge under EU law?

Under GDPR Article 22, you can challenge any decision based solely on automated processing that has legal or similarly significant effects on you. This includes: credit application rejections, insurance premium calculations or claim denials, job application screening and recruitment decisions, benefit eligibility determinations, automated fraud flagging, platform account suspensions, and algorithmic risk assessments by public authorities. The key test is whether the decision was 'solely' automated (no meaningful human involvement) and whether it has legal or significant effects on you. Under the AI Act, additional rights apply specifically to decisions made by high-risk AI systems.

What are the prohibited AI practices under Article 5 of the AI Act?

Article 5 prohibits AI systems that: (a) use subliminal, manipulative, or deceptive techniques to distort behavior causing significant harm; (b) exploit vulnerabilities related to age, disability, or socioeconomic situation; (c) evaluate or classify individuals based on social behavior for detrimental treatment (social scoring); (d) assess individual criminal offense risk based solely on profiling; (e) create or expand facial recognition databases through untargeted scraping; (f) infer emotions in the workplace or educational institutions (except for medical/safety); (g) categorize individuals based on biometric data to infer sensitive attributes; (h) use real-time remote biometric identification in public spaces for law enforcement (with narrow exceptions). These bans are enforceable since 2 February 2025.

What can I do if I am a victim of a deepfake?

Report to the hosting platform immediately using their synthetic media/deepfake reporting tools - most major platforms have expedited processes. File a police report, especially for non-consensual intimate imagery, fraud, or extortion. Send a GDPR Article 17 erasure request and Article 9 complaint to the platform (processing your biometric data without consent is illegal). From 2 August 2026, EU AI Act Article 50 will impose mandatory disclosure obligations for deepfakes; deployers who fail to label AI-generated content will face fines of up to EUR 7.5 million or 1.5% of global turnover under current law. In Italy, Law 132/2025 specifically criminalizes unlawful deepfake dissemination with 1-5 years' imprisonment.

Which authority should I complain to about an AI decision?

Start with the organization's Data Protection Officer (DPO) - this is a legal prerequisite before escalating. If the DPO does not respond or responds inadequately, file with your national Data Protection Authority: UODO (Poland), BfDI (Germany), CNIL (France), AEPD (Spain), ICO (UK), Garante (Italy), AP (Netherlands). For AI Act-specific violations, each EU member state has designated national competent authorities (market surveillance authorities) since August 2025. For prohibited practices or systemic cross-border issues, the EU AI Office coordinates enforcement. For financial services, consider also filing with the relevant financial regulator (BaFin, ACPR, FCA, KNF).

Can I claim compensation for an unfair AI decision?

Yes. GDPR Article 82 gives you the right to compensation for both material damage (financial loss resulting from the decision) and non-material damage (distress, anxiety, reputational harm). To claim compensation, you generally need to demonstrate: (1) an infringement of the GDPR occurred, (2) you suffered material or non-material damage, and (3) there is a causal link between the infringement and the damage. You can pursue compensation through your national courts. The AI Act does not create a direct compensation right, but the parallel AI Liability Directive (proposed) is intended to complement the AI Act by establishing rules for civil liability related to AI systems.

Is AI credit scoring legal under EU law?

AI credit scoring is legal but heavily regulated. Under GDPR Article 22, it must not be the sole basis for a decision with legal or significant effects unless the individual has given explicit consent, it is necessary for a contract, or it is authorized by member state law - and in all cases, the individual retains the right to human intervention and to contest the decision. The EU AI Act classifies credit scoring as a high-risk AI system under Annex III, Category 5(b). From August 2026, credit scoring AI must comply with comprehensive obligations including risk management, data governance, transparency, accuracy requirements, human oversight, and technical documentation. The SCHUFA ruling by the CJEU (Case C-634/21, December 2023) confirmed that automated credit scoring constitutes 'automated individual decision-making' under GDPR Article 22.

DocuGov.ai

Official Letters in Minutes | Appeals, Complaints & More

🌍 Legal expertise in 130+ countries | 5 languages

EU AI Act Compliance Letters - Challenge Unfair AI Decisions

An algorithm denied your loan, rejected your job application, or someone created a deepfake of you. European law gives you powerful rights to fight back. We generate formal, legally grounded letters that invoke your GDPR rights (Articles 13-15, 22) and cite the EU AI Act where applicable - creating a documented legal record that organizations must answer within 30 days.

✓ Cites exact GDPR and EU AI Act articles applicable to your case✓ Works for solely automated decisions with legal or significant effects, prohibited AI practices, and deepfake complaints✓ Available in 5 languages for cross-border EU complaints✓ Expert verification available

€35M

maximum fine for prohibited AI practices under the AI Act

80%+

of large employers now use AI in recruitment decisions

Art. 22

GDPR right not to be subject to solely automated decisions - enforceable now

Choose your situation

Click your case - we'll generate the right letter in minutes

🏦

Appeal Algorithmic Credit Decision

💼

Appeal AI Hiring Rejection

🛡️

GDPR Article 22 Objection

🚫

Prohibited AI Practice Complaint (Art. 5)

🔍

Right to Explanation Request

🎭

Deepfake Complaint (Art. 50 AI Act)

The problem

Algorithms are making life-changing decisions about you - without explaining why

Every day, AI systems make decisions that profoundly affect people's lives. A bank's algorithm rejects your mortgage application based on hundreds of data points you never see. A recruitment AI filters out your CV before a human ever reads it. An insurer's model sets your premium based on behavioral patterns you cannot challenge because you do not know they exist. A government agency's algorithm flags you for fraud or denies your benefit application. A deepfake of you circulates online, and platforms do nothing.

These are not hypothetical scenarios. Credit scoring AI is used by virtually every major European bank. Over 80% of Fortune 500 companies use AI-powered recruitment tools that screen candidates before any human involvement. Insurance companies across Europe use algorithmic risk models to set premiums and reject claims. Public administrations in multiple EU member states use predictive analytics for fraud detection, benefit eligibility, and law enforcement. And deepfake technology has become accessible to anyone with a laptop.

The fundamental problem is the same in every case: the algorithm decides, and you are not told why. The rejection letter says 'your application did not meet our criteria.' The recruiter sends a generic 'we have decided to proceed with other candidates.' The insurer cites 'risk assessment.' The government agency says 'you do not meet the eligibility requirements.' No specifics. No explanation of which factors mattered. No opportunity to challenge the logic. No human to talk to.

Most people accept these decisions because they believe they have no recourse. They assume the algorithm must be correct, or that challenging it is too complex, too expensive, or too time-consuming. This is wrong. European law provides some of the strongest individual rights in the world when it comes to algorithmic decision-making - but these rights are useless unless you exercise them. That requires a formal, legally precise letter that cites the right provisions and forces the organization to respond.

The solution

Generate a formal letter that invokes your AI rights under EU law

DocuGov.ai generates professional, legally grounded letters for every major AI rights scenario - from challenging a bank's algorithmic credit rejection to filing a formal complaint about a prohibited AI practice with your national authority. Every letter cites the exact legal provisions applicable to your situation.

Our system covers two overlapping legal frameworks that together create comprehensive protection. The General Data Protection Regulation (GDPR), which has been fully enforceable since 2018, gives you the right under Article 22 not to be subject to decisions based solely on automated processing that produce legal or significant effects. This includes the right to human review, to express your point of view, to contest the decision, and to receive meaningful information about the logic involved. These rights apply right now, today, to any organization processing your personal data in the EU.

The EU AI Act (Regulation 2024/1689), which entered into force on 1 August 2024, adds a comprehensive layer of regulation specifically targeting AI systems. Prohibited practices under Article 5 - including social scoring, workplace emotion recognition, and manipulative AI - have been banned since 2 February 2025. The full framework for high-risk AI systems (including credit scoring, insurance underwriting, recruitment AI, and public administration algorithms) becomes enforceable on 2 August 2026, with obligations covering risk management, transparency, human oversight, technical documentation, and individual rights including the right to explanation under Article 86.

You describe your situation in plain language - what happened, which organization made the decision, what the decision was. Our AI generates a complete letter that identifies the applicable legal framework, cites the specific articles, makes the legally required requests (human review, explanation, objection), and sets a response deadline. The letter is formatted for immediate submission to the organization, its Data Protection Officer, or the relevant regulatory authority.

How It Works

How it works - 3 simple steps

Describe your situation - Tell us what happened: which organization made a solely automated decision about you, what the decision was, and how it affects you. Whether it is a credit rejection, hiring decision, deepfake, or another automated decision with legal or significant effects, we tailor the letter to your specific case.

Review your personalized letter - Our AI generates a complete, legally grounded letter citing the GDPR articles applicable today (Articles 13-15, 22, 77, 79, 82) and, where relevant, EU AI Act provisions already enforceable (Article 5 prohibited practices, Article 85 complaints) or applying from August 2026 (Articles 26(11), 50, 86). The letter includes the specific legal requests you are entitled to make and sets a response deadline under GDPR Article 12(3).

Submit and track - Download your letter in DOCX or PDF format. Send it to the organization's Data Protection Officer, the regulatory authority, or both. The letter creates a legally enforceable paper trail. If the organization fails to respond adequately, you have documented grounds for a formal complaint to your national Data Protection Authority or AI competent authority.

Use cases

When to use an AI rights letter - common scenarios and applicable law

✓

Algorithmic credit rejection (bank, insurer, fintech)

Your bank, insurer, or fintech denied your application using an automated scoring system. GDPR Article 22 applies immediately - you have the right to human review and explanation. The EU AI Act classifies credit scoring as high-risk AI under Annex III, Category 5(b). From August 2026, deployers must comply with full transparency, risk management, and human oversight obligations. Your letter invokes both frameworks.

✓

AI-powered recruitment rejection

An employer used an AI tool to screen your application - automated CV filtering, video interview analysis, gamified assessment, or algorithmic ranking - and rejected you without meaningful human review. The EU AI Act classifies recruitment AI as high-risk under Annex III, Category 4. GDPR Article 22 applies to hiring decisions that produce legal or significant effects. You can demand to know whether AI was used, request an explanation, and require human review.

✓

Deepfake targeting you

Someone created AI-generated or manipulated content depicting you - whether non-consensual intimate imagery, identity fraud, or reputational attack. Today, your strongest tools are GDPR (Article 9 protects biometric data; Article 17 gives you the right to erasure) and national criminal law - notably Italy's Law 132/2025, which specifically criminalizes unlawful deepfake dissemination. From 2 August 2026, EU AI Act Article 50 will add mandatory disclosure obligations for deployers of deepfake AI systems. Your letter addresses the platform, law enforcement, and regulatory authorities.

✓

Prohibited AI practice (social scoring, workplace emotion recognition, biometric surveillance)

You have evidence that an organization is deploying an AI system banned under Article 5 of the AI Act - such as social scoring, workplace emotion recognition, manipulative AI, or untargeted facial image scraping. These prohibitions have been enforceable since 2 February 2025. Violations carry the highest tier of penalties: up to EUR 35 million or 7% of global annual turnover. You can file a formal complaint with your national competent authority.

✓

Opaque algorithmic decision with no explanation

Any organization - bank, insurer, employer, government agency, platform, or service provider - made an automated decision affecting you and failed to provide a meaningful explanation. Under GDPR Article 15(1)(h), you have the right to 'meaningful information about the logic involved.' From August 2026, EU AI Act Article 86 creates an explicit right to explanation for decisions made by high-risk AI systems. Your letter demands specific, actionable information about how the algorithm processed your data.

✓

Government algorithm affecting your rights

A public authority used an automated system to determine your eligibility for benefits, housing, permits, or services - or flagged you in a predictive analytics system (fraud detection, tax audit selection, risk profiling). GDPR Article 22 applies to public sector automated decisions. The AI Act classifies many public administration AI systems as high-risk. You have the right to object, request human review, and demand an explanation of the algorithmic logic.

Watch out

Common mistakes when challenging AI decisions - and how to avoid them

❌ Sending an informal email to customer service instead of a formal legal request

Why it fails: Customer service agents are not trained to handle GDPR Article 22 requests and have no authority to override algorithmic decisions. Your email gets filed as a generic complaint and answered with a template response.

✓ Solution: Address your letter to the organization's Data Protection Officer (DPO) - they are legally obligated to process data subject requests. Cite the specific GDPR articles to trigger formal legal obligations and response deadlines.

❌ Asking for 'an explanation' without specifying what you want to know

Why it fails: Organizations interpret vague requests as narrowly as possible. They will respond with 'we use an automated system to assess applications' - technically an explanation, but useless for understanding or challenging the decision.

✓ Solution: Request specific information: which personal data was used as input, how factors were weighted, which variables were most influential in the outcome, whether human review occurred, and what result different inputs would have produced.

❌ Not setting a response deadline

Why it fails: Without a deadline, the organization has no urgency to respond. Requests sit in queues indefinitely. You lose momentum and the window for effective challenge narrows.

✓ Solution: Reference GDPR Article 12(3) which requires a response within one month. State the deadline explicitly in your letter: 'I expect your substantive response within 30 calendar days of receipt of this letter, in accordance with Article 12(3) GDPR.'

❌ Not preserving evidence (especially for deepfakes)

Why it fails: Digital content disappears quickly. Platforms remove posts, accounts get deleted, URLs change. Without preserved evidence, your complaint to law enforcement or a DPA has no foundation.

✓ Solution: Screenshot everything with timestamps before reporting. Download content where possible. Use web archiving tools. Save URLs, metadata, and any identifying information about the perpetrator or hosting platform.

❌ Giving up after the first refusal

Why it fails: Many organizations initially refuse or provide inadequate responses to GDPR requests, hoping the data subject will not follow through. This is a known pattern.

✓ Solution: If the organization refuses or gives an inadequate answer, file a formal complaint with your national Data Protection Authority. Include your original letter, proof of delivery, the organization's response, and an explanation of why it is inadequate. DPAs have enforcement powers including fines.

Success factors

What makes an AI rights letter effective

A successful AI rights letter is not an emotional complaint - it is a legal instrument that creates enforceable obligations. The difference between a letter that gets results and one that gets ignored comes down to precision, specificity, and correct legal framing.

✓

Precise legal citation

Every claim in the letter must reference the exact legal provision. 'I exercise my right under Article 22(1) GDPR' triggers a specific legal obligation with a defined response deadline. 'I think this decision was unfair' triggers nothing.

✓

Correct addressee - the Data Protection Officer

Addressing the letter to the DPO (not customer service, not 'To Whom It May Concern') ensures it enters the formal data protection compliance workflow. The DPO is legally responsible for handling your request.

✓

Specific, answerable questions

Rather than asking 'why was I rejected,' ask: 'Which categories of personal data were used as input variables in the automated scoring system that processed my application reference [X]?' Specific questions are harder to deflect.

✓

Documented evidence of automation

If the decision was instant (application rejected within seconds), mention this. If the privacy policy references automated decision-making, quote it. If no human was involved at any stage, state this clearly. The burden shifts to the organization to prove human involvement.

✓

Clear escalation path

State what you will do if the organization does not comply: file a complaint with [specific DPA name], seek judicial remedy under GDPR Article 79, and/or claim compensation under Article 82. This is not a threat - it is a statement of your legal rights.

What you get

What your AI rights letter includes

✓Precise citation of GDPR rights enforceable today (Articles 13-15, 22, 77, 79, 82) with clear distinction of AI Act provisions applying now (Art. 5, 85) vs. from August 2026 (Art. 26(11), 50, 86)
✓Formal identification of the automated decision and its effects on you
✓Legally required requests: human review, meaningful explanation of the logic involved, opportunity to contest
✓Reference to the specific EU AI Act risk category applicable to the AI system (Annex III classifications)
✓Clear response deadline with reference to GDPR Article 12(3) timeframes
✓Statement of consequences for non-compliance (DPA complaint, judicial remedy, compensation claim)
✓Identification of the correct regulatory authority for escalation
✓Professional formatting ready for immediate submission

★★★★★

4.8/5

Get started

Generate Your Letter

Answer a few questions and get your professional letter in minutes

See how it works step by step

Answer a few questions and get your professional letter in minutes

Type

Details

Payment

Done

Step 1: Choose the document type

Select the document type that best matches your situation.

🔒 Secure & private⚡ Result in ~10 min✓ 1 free revision⚖️ Proper legal structure & tone🌍 130+ countries

Pricing

Lawyer-quality letters at a fraction of the cost

Pay per document. No subscriptions. No hidden fees.

⚖️

Lawyer consultation for this type of letter

costs $200-500/hr and takes days. DocuGov does it in minutes for $9.

$200+

Lawyer

→

DocuGov

Frequently asked questions about AI rights and algorithmic decisions

EU AI Act and GDPR - your rights at a glance

The EU AI Act and GDPR together form the most comprehensive individual rights framework in the world for challenging algorithmic and AI-driven decisions. Understanding how these two regulations interact is essential for effectively exercising your rights.

GDPR Article 22 is your immediate, enforceable right. It applies now, to any organization processing your personal data in the EU. If an algorithm made a decision about you that has legal or significant effects - a credit rejection, insurance decision, hiring outcome, benefit determination - you can object, demand human review, and require an explanation. The organization must respond within one month.

The EU AI Act adds sector-specific requirements. From 2 August 2026, high-risk AI systems - credit scoring, insurance underwriting, recruitment AI, public administration algorithms, and more - must meet stringent obligations for risk management (Article 9), data governance (Article 10), transparency toward deployers (Article 13), human oversight (Article 14), and accuracy (Article 15). Deployers of certain high-risk systems (notably public bodies and those in Annex III categories 5(b) and 5(c)) must conduct fundamental rights impact assessments (Article 27). Article 26(11) will require deployers to explain AI-assisted decisions to affected persons. Article 86 will establish an explicit right to explanation for individuals affected by high-risk AI decisions from Annex III (excluding category 2). Already enforceable today: Article 85 gives any person the right to lodge a complaint about an AI system with the relevant market surveillance authority.

Prohibited practices carry the highest penalties. Article 5 bans on social scoring, manipulative AI, workplace emotion recognition, biometric surveillance, and other unacceptable-risk practices have been enforceable since 2 February 2025, and Article 85 already allows any person to file a complaint with market surveillance authorities about these practices. Violations carry fines of up to EUR 35 million or 7% of global turnover - the most severe penalties in EU regulatory history.

National regulatory landscapes are evolving rapidly. Each EU member state has designated national competent authorities to enforce the AI Act alongside existing DPAs. Italy's Law 132/2025 introduced specific criminal penalties for deepfakes. Germany's BfDI has been particularly active on algorithmic transparency. France's CNIL published AI guidelines as early as 2024. The UK, while not covered by the EU AI Act, has adopted a sector-specific AI regulatory framework through existing regulators (FCA, ICO, EHRC). As enforcement infrastructure matures through 2026 and 2027, the practical ability to challenge AI decisions will only strengthen.

Who it's for

Who should use this service

•Anyone whose credit application, loan, or mortgage was rejected by an algorithmic scoring system (SCHUFA, Experian, internal bank models)
•Job applicants rejected by AI recruitment tools (automated CV screeners, video interview analyzers, gamified assessments)
•Individuals whose insurance premium, coverage, or claim was determined by algorithmic risk assessment
•Anyone who wants to formally object to an automated decision under GDPR Article 22
•People who have been affected by a deepfake (non-consensual imagery, identity fraud, reputational harm)
•Whistleblowers or concerned citizens who want to report a prohibited AI practice (social scoring, workplace emotion recognition, biometric surveillance)
•Anyone who wants to understand how an algorithm decided about them and demand a meaningful explanation
•Consumers, employees, tenants, benefit recipients, or patients affected by a solely automated decision with legal or similarly significant effects in the EU

Related guides

More templates

Also Available

Insurance Appeal Letter - Fight Your Denied ClaimLearn more →Administrative Appeal Letter - Challenge Any Government DecisionLearn more →Response to Government Letter - Reply With ConfidenceLearn more →Complaint to Authority Letter - Make Your Voice HeardLearn more →Speeding Ticket Appeal – Fight Your Fine and WinLearn more →Visa Denial Appeal Letter - Overturn Your Visa RejectionLearn more →Demand Letter Generator - Get Your Money BackLearn more →

Ready to fight back?

Join thousands of people who got professional government letters without hiring a lawyer.