GDPR Article 22 — Automated Decision-Making
GDPR Article 22 prohibits solely automated decisions that have significant effects on individuals without human oversight. With the EU AI Act reinforcing this in 2026, DPAs are actively targeting companies whose AI makes decisions without human review mechanisms.
The Developer Problem
Recommendation engines, credit scoring, HR screening tools, and content moderation systems are all subject to Article 22. Most developers have built these without human override, explanation, or opt-out mechanisms.
What You Must Build
These are the exact technical components regulators will check for:
Right to explanation — API endpoint returning why an AI made a specific decision
Human review request endpoint — users can flag AI decisions for human review
Opt-out mechanism from automated profiling
Audit trail of all automated decisions affecting specific data subjects
Consequences of Non-Compliance
Fines up to €20 million or 4% global annual turnover
Data processing suspension orders
Mandatory algorithm audits by DPA-appointed experts
Drop-In Code Solution
Instead of building this from scratch (2–6 weeks of engineering time), use this production-ready package that implements all the required components above.
A serverless Next.js edge middleware that automatically intercepts all LLM API calls, extracts required metadata (model, prompt hash, completion hash, timestamp, user context), and writes cryptographically signed audit records to the client's own storage bucket — never to VektorIndex servers.
// audit-logger.middleware.ts
import { withAuditLog } from './audit-logger.middleware'
export const POST = withAuditLog(
async (req: Request) => {
// Your existing AI API route — unchanged
const response = await openai.chat.completions.create({ ... })
return Response.json(response)
},
{
storage: 'supabase', // or 'r2', 's3'
tableName: 'ai_audit_logs',
hashPrompts: true, // SHA-256 hash, never stores raw prompts
includeUserContext: true,
complianceMode: 'eu-ai-act' // or 'colorado', 'both'
}
)