GDPR & AI Compliance
GDPR Article 22 gives individuals the right not to be subject to solely automated decisions that produce legal or significant effects — and where such decisions are permitted, the right to obtain meaningful information about the logic involved. For AI systems making or supporting those decisions, the infrastructure must be able to produce that information on demand. AIEP builds it in by default.
The Article 22 accountability requirement
When an AI system is used to support decisions with legal or significant effects, GDPR requires:
| Obligation | What it means in practice |
|---|---|
| Meaningful information about the logic involved | Explainability of what evidence the system used |
| Right to contest and obtain human review | A record must exist that can be reviewed |
| Transparency about the automated nature of the decision | Documentation that the decision was AI-assisted |
None of these obligations can be satisfied by a chat log of the AI’s output. They require a tamper-evident record of what evidence was retrieved, what the system concluded from it, and when.
How AIEP satisfies Article 22
AIEP’s tamper-evident artefact chain provides:
- Source provenance — every piece of evidence used is recorded with its URL, content hash, and retrieval timestamp
- Response commitment — the output is hash-bound to its evidence chain at the moment of production; the binding cannot be altered after the fact
- Replayable reasoning chain — any authorised party can reconstruct the exact reasoning path from the ledger record
- Dissent records — where evidence is insufficient or contradictory, a signed record of that absence is created; the system does not silently omit uncertainty
This produces the “meaningful information about the logic involved” that Article 22 and its recital 71 require — not as a narrative explanation, but as a verifiable technical record.
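To make the hash-binding concrete, here is an added illustration (not AIEP’s own code or record format) of how a response can be committed to its evidence chain, how a dissent record is produced when no evidence was retrieved, and how a reviewer detects after-the-fact edits. The operator key, URLs and evidence bytes are constructed placeholders; the HMAC stands in for whatever signing mechanism a real deployment uses.

```python
import hashlib
import hmac
import json

# Constructed operator key (assumption): stands in for a real signing key or HSM.
OPERATOR_KEY = b"example-operator-signing-key"

def canonical(obj) -> bytes:
    """Deterministic JSON so an identical record always hashes identically."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()

def evidence_record(url: str, content: bytes, retrieved_at: str) -> dict:
    """Source provenance: where it came from, what it was (by hash), and when."""
    return {"url": url, "content_hash": hashlib.sha256(content).hexdigest(),
            "retrieved_at": retrieved_at}

def commit_response(response: str, evidence: list) -> dict:
    """Bind the output to its evidence chain at the moment of production.

    With no evidence retrieved, a dissent record is written instead of a silent
    answer; the signature covers the commitment, so the absence is attested too.
    """
    dissent = None if evidence else "insufficient evidence: no sources retrieved"
    body = {"response": response, "evidence": evidence, "dissent": dissent}
    commitment = hashlib.sha256(canonical(body)).hexdigest()
    signature = hmac.new(OPERATOR_KEY, commitment.encode(), "sha256").hexdigest()
    return {**body, "commitment": commitment, "signature": signature}

def verify(record: dict) -> bool:
    """Recompute the binding; any change to response, evidence or dissent fails."""
    body = {k: record[k] for k in ("response", "evidence", "dissent")}
    commitment = hashlib.sha256(canonical(body)).hexdigest()
    expected = hmac.new(OPERATOR_KEY, commitment.encode(), "sha256").hexdigest()
    return commitment == record["commitment"] and hmac.compare_digest(expected, record["signature"])

if __name__ == "__main__":
    # Constructed sample evidence (not a real source)
    ev = [evidence_record("https://example.invalid/policy.pdf", b"Section 4: ...",
                          "2024-01-01T00:00:00Z")]
    rec = commit_response("Applicant meets criterion 4.", ev)
    assert verify(rec)
    rec["evidence"][0]["url"] = "https://example.invalid/other.pdf"  # post-hoc edit
    assert not verify(rec)  # the altered provenance no longer matches the commitment
    print(commit_response("No determination.", [])["dissent"])
```

A reviewer handling an Article 22 contest request re-runs `verify` over the stored record before relying on it; a failed check means the record, not the decision, is what needs explaining.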
GDPR and evidence architecture
AIEP’s evidence architecture is compatible with GDPR’s data minimisation and purpose limitation principles:
- Artefacts record what evidence was used — not the content of the evidence itself unless the operator explicitly stores it
- Deployments run as isolated instances — no customer query data transits a shared inference endpoint
- Cloudflare’s data processing infrastructure operates under the EU-US Data Privacy Framework and GDPR-compliant DPA terms
For the full deployment and jurisdiction analysis, see Data Sovereignty.
UK GDPR
Post-Brexit, UK data controllers processing EU citizen data remain subject to GDPR-equivalent requirements under UK GDPR. AIEP’s evidence artefacts are structured to satisfy UK ICO guidance on AI accountability records. The ICO’s guidance on explaining AI decisions anticipates exactly the kind of tamper-evident, source-linked audit record AIEP produces.
Who this applies to
GDPR Article 22 applies to any organisation — regardless of sector — that uses AI to make or support decisions with legal or significant effects on individuals. This includes: credit decisions, hiring and promotion, insurance pricing, benefits assessments, personalised legal or medical recommendations, and any automated scoring that triggers a consequential outcome.
Related
→ EU AI Act Compliance · DPIA Implementation Guide · Data Sovereignty · Compliance · Regulated Industries