What is ADM under GDPR?
Automated Decision-Making (ADM) covers decisions about individuals made solely by automated means — including profiling — without meaningful human involvement (GDPR Article 22). Article 22 grants data subjects the right not to be subject to such decisions when they produce “legal effects” or “similarly significantly” affect them. Common ADM examples: automated credit scoring, automated CV screening, dynamic pricing, automated fraud blocks.
Article 22 prohibition and exceptions
- Default prohibition: data subjects have a right not to be subject to solely automated decisions with legal/significant effects.
- Exceptions: (a) necessary for performance of a contract; (b) authorised by Member State law with safeguards; (c) based on explicit consent.
- Safeguards in all cases: the right to obtain human intervention, to express the data subject’s point of view, and to contest the decision.
ADM and AI Act overlap
The EU AI Act overlays additional duties on high-risk ADM (e.g., recruitment scoring, creditworthiness): risk management, data governance, transparency, human oversight (Article 14). For ADM systems classified as high-risk AI, both GDPR Article 22 and AI Act Articles 9-15 apply concurrently.
ADM under KVKK
KVKK Article 11(g) grants the data subject the right “to object to the emergence of a result against the person themselves through analysis exclusively by means of automated systems”; it is the parallel of GDPR Article 22. In Turkish practice, explainability and human intervention mechanisms are on the rise, particularly in banking (credit scoring), insurance (premium calculation) and employment (pre-screening algorithms). SPK, BDDK and the KVKK Board publish sector-specific guidance.
Do: document the legal basis (contract necessity / consent / law); build human review pathways into the UX; explain logic and consequences in privacy notices.
Don’t: rely on “we have a human somewhere reviewing edge cases” — GDPR requires meaningful intervention by someone authorised to change the outcome.