A voice AI agent that declines a claim, refuses a credit application, or routes a caller to a "non-priority" collections track is no longer just handling a call. It may be making a "solely automated decision with legal or similarly significant effect", and under GDPR Article 22, that decision comes with a statutory right to human intervention that most enterprise deployments have never designed for, let alone documented.
Article 22 has been in force since May 2018. What has changed in 2026 is enforcement visibility. The ICO's AI Code of Practice (SI 2026/425, in force 12 May 2026) explicitly maps automated decision-making requirements to AI systems operating at scale. The EU AI Act places AI systems that support credit, insurance, employment, and essential services decisions in its high-risk Annex III. And ICO enforcement activity on automated decisions has materially increased. A voice agent handling any of those call types is now in the regulatory frame from two directions simultaneously, and the compliance obligation runs with the deployer, not the platform vendor.
This guide maps Article 22 to common enterprise voice AI use cases, identifies which deployments are genuinely in scope, and sets out the human-intervention design, audit trail, and documentation architecture that keeps a voice programme the right side of the obligation.
This guide is published by the team behind Dilr Voice, enterprise voice AI deployed across financial services, healthcare, and regulated industries. Our AI operating model service includes regulatory compliance architecture. See also our full EU AI Act voice AI obligations guide.
What Is GDPR Article 22 and Why Does It Matter for Voice AI?
Article 22 of the UK GDPR and the EU GDPR reads, in its core form: a data subject shall have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning them or similarly significantly affects them.
For enterprise voice AI, three words in that sentence determine the compliance exposure: "solely," "legal," and "similarly significantly."
Solely automated means a human with genuine decision-making authority has not reviewed or overridden the outcome before it takes effect. The word "genuine" is important: a human who rubber-stamps the AI's output after the fact, or who has access to override in theory but never does so in practice, is not providing meaningful human involvement, per ICO guidance. The test is not whether a human could intervene, but whether the process ensures they actually do.
Legal effects covers decisions that create, modify, or extinguish a legal right: a credit agreement, an insurance claim, a contractual entitlement. Voice agents in collections, FNOL, KYC, and financial advice triage are all capable of producing decisions with legal effects when they determine the outcome of a call.
Similarly significantly affects is the broader catch. The ICO's guidance uses examples including decisions that affect a person's access to services, financial circumstances, or health. A voice agent that routes a caller to a "standard" collections track, rather than a vulnerability-aware one, may significantly affect how that debt is pursued. An agent that scores a complaint as "low risk" and routes it to a standard queue may significantly affect how quickly it is resolved. The threshold is lower than legal effect, and most enterprise teams have underestimated it.
The third condition, processing personal data, is almost always met. Voice AI uses call audio, CRM history, telephony metadata, and often real-time behavioural signals to make its determinations. The data-processing element is structural.
The ICO's AI Code of Practice (SI 2026/425), which came into force on 12 May 2026, strengthens the existing Article 22 obligations with specific requirements on AI systems: transparency about when automated decisions are being made, documentation of the logic involved, and meaningful human oversight mechanisms. Compliance with the Code is the ICO's baseline expectation for any organisation operating AI at scale, and voice AI is explicitly in scope.
Which Voice AI Use Cases Actually Trigger Article 22?
The diagnostic question is not "does our agent make decisions?", it is "does the agent's determination cause something of legal or significant consequence to happen to the individual, without human review?" The following table maps common enterprise voice AI use cases against that test.
| Voice AI use case | The automated determination | Legal or significant effect? | Article 22 in scope? |
|---|---|---|---|
| KYC identity verification, agent fails check, call blocked | Identity not verified; access to financial service blocked | Yes, legal barrier to financial service access | Yes |
| Claims triage, FNOL scored "low risk, standard processing" | Claim routed to standard track with longer resolution timeline | Yes, affects outcome and timeline of a financial claim | Likely yes |
| Debt collections, agent determines "no agreed plan, litigation referral" | Call triggers legal action pathway against the individual | Yes, significant legal effect | Yes |
| Collections vulnerability screen, no flags detected, standard route applied | Determines which collections treatment is applied | Significant, affects how and how aggressively debt is pursued | Likely yes |
| Insurance renewal, agent captures data, generates a price | Affects the renewal price offered with no human underwriter review | Yes, significant financial effect | Yes if no human reviews |
| Fraud flag, agent suspends account on call behaviour | Account suspended before human reviews the flag | Yes, significant legal and practical effect on access | Yes |
| Appointment booking, agent books a routine service slot | Determines the appointment time | Generally no, unless the service is medical-critical or has statutory priority | Generally no |
| Queue routing to general service team | Determines which team answers | Generally no, provided no materially different service outcome results from the route | Generally no |
| Prescription reminder outbound call (pharmacy) | Reminds, does not decide | No, the agent does not make a determination with consequence | No |
The pattern is consistent: when the agent's output changes what happens to the individual's access to money, services, credit, housing, or legal process, Article 22 is in scope. When the agent handles information and routes the call without determining an outcome that affects the individual's rights or material position, it generally is not.
The most common enterprise misconception is that Article 22 only applies when the voice agent explicitly announces a "decision." It does not. An agent that triages a complaint as low-priority creates a significantly different service experience without ever saying "your complaint has been deprioritised." The significance test is effects-based, not language-based.
What Is the "Solely Automated" Test and How Do Enterprise Voice Deployments Fail It?
"Solely automated" is the pivotal limb. Many enterprise teams assume that because a human could review the AI's output, the decision is not solely automated. The ICO's guidance makes clear this is incorrect. The assessment is whether the process ensures meaningful human involvement in practice, not whether human override is theoretically available.
Common patterns that fail the test in voice AI deployments:
1. A human receives the AI's output but with no genuine decision authority. A collections agent who sees the AI's "litigation referral" flag in the CRM and completes the referral workflow is not exercising meaningful review if the system design assumes the flag will be actioned. Genuine human involvement requires the ability to substitute the AI's determination with their own.
2. The AI's determination operates faster than the human review window. In fraud-flagging, if an account is suspended the moment the AI scores the call as suspicious, a subsequent human review cannot be "prior" human involvement under Article 22. The suspension took effect before the human acted.
3. Human review is exception-based with no coverage guarantee. If the process is "the AI processes 10,000 calls per day and humans review flagged edge cases only," then the 9,800 calls with no flag were solely automated. The 200 flagged calls may meet the human-review requirement, but the 9,800 do not.
4. The "human in the loop" is a QA function, not a decision function. Reviewing a sample of calls after the fact for quality assurance is not meaningful human involvement in the specific decision. Article 22 requires the right to human intervention in respect of the individual decision, not statistical oversight of the programme.
Designing genuinely non-solely-automated voice AI in high-stakes use cases requires that for every decision in scope, there is a specific human review step with authority to substitute the AI's determination, occurring before the determination takes material effect. That design is achievable, but it changes the programme architecture materially compared to a pure-AI processing model.
The AI voice escalation and human handover guide covers the operational design for human handover points. The Article 22 requirement adds a legal dimension: the handover is not optional based on call complexity, it is mandatory for every in-scope decision.
What Are the Three Rights Under Article 22 and How Do You Design for Them?
For decisions that remain solely automated, either because the enterprise relies on an exemption (see below) or because the design is being remediated, Article 22(3) specifies three rights the data subject must be able to exercise. These are distinct requirements, not one composite right:
The individual can request that a human reviews the automated decision before it takes effect or is acted on.
The individual can express their point of view in relation to the automated decision before it is finalised.
The individual can contest the decision after it is made and have it reviewed by a human with authority to change it.
Designing these rights into a voice AI programme requires specific conversation design and process architecture decisions:
Disclosure on call. The voice agent must tell the caller, in plain language, that a determination is being made automatically. The disclosure must occur early enough that the individual can exercise their rights before the decision takes effect. Simply disclosing that "this call is handled by AI" at the start of the call is not sufficient if the specific automated decision is not disclosed at the point it is made.
In-call escalation route. The agent must have a live escalation path to a human with the authority to review and substitute the automated determination. This is not the same as the general escalation for complex calls, it is a specific compliance function. The AI voice escalation human handover design needs to distinguish between service escalation and Article 22 rights-based escalation.
Post-call contestation pathway. Even if the caller did not invoke their rights during the call, they must be able to contest the decision afterwards. The privacy notice, the agent's disclosure script, and any written confirmation of the decision (email, SMS, letter) must all include the contestation route, who to contact, and within what timeframe they can expect a response from a human reviewer.
Response timeframe. The ICO's guidance does not prescribe a specific timeframe for human intervention, but it must be within a reasonable period and must actually change the outcome if the review concludes the automated decision was incorrect. A human review that can never revise the determination is not meaningful intervention.
The enterprise AI voice governance framework covers the broader programme oversight model. Article 22 requires a specific governance strand within that, an owner, a review process, and documented evidence that the three rights are operationally enabled, not just described in a privacy notice.
What Exemptions Allow Automated Decisions and When Do They Apply to Voice AI?
Article 22(2) permits solely automated decisions with legal or significant effects in three circumstances:
1. Necessity for the performance of a contract. The solely automated decision must be necessary to enter into or perform a contract with the individual. The ICO interprets "necessary" strictly, it is not sufficient that automation makes the process more efficient. The contract genuinely cannot be performed without the automated decision, or entering into it requires the automation. Credit scoring for real-time lending (where the contract offer depends on the automated assessment) may qualify. A claims triage decision that routes a call to a standard queue does not typically qualify, the claims contract can be performed without the triage being automated.
2. Authorised by law. UK or EU law explicitly permits the automated decision, with suitable safeguards. This exemption applies in limited regulatory contexts, certain automated sanctions screening, for example. For most enterprise voice AI use cases, this exemption is unavailable.
3. Explicit consent. The individual has given explicit consent to the automated decision. Explicit consent under GDPR is a higher standard than ordinary consent, it must be specific to the automated decision type, freely given, informed, and as easy to withdraw as to give. It cannot be buried in general terms of service. A call-start disclosure that states "this call is handled by AI and your responses may be used to make decisions about your account" does not meet the explicit consent standard for Article 22 purposes.
Even where an exemption applies, Article 22(2)(b) requires suitable safeguards to protect the data subject's rights, freedoms, and legitimate interests. The minimum safeguards include: the right to obtain human intervention, the right to express their point of view, and the right to contest the decision. The exemptions reduce the compliance burden (automated decisions become permissible) but do not eliminate the rights-based obligations.
The practical implication for enterprise voice AI: most deployments in financial services, healthcare, and housing that make significantly consequential determinations cannot rely on the contractual-necessity exemption without legal analysis of each specific use case. The consent exemption requires a consent architecture that most voice AI programmes have not built. The result is that, for most Article 22-triggering voice AI decisions, the most defensible compliance architecture is removing the "solely automated" element, not claiming an exemption.
The consent capture in AI voice calls guide covers the lawful basis architecture for voice AI data processing more broadly. The Article 22 explicit consent requirement is distinct from the Regulation 21 PECR consent for the call itself and requires separate capture and documentation.
What Documentation and Audit Evidence Does Article 22 Require?
Article 22 compliance is not evidenced by having a privacy notice that mentions automated decisions. The ICO and the EU regulatory framework expect documented, auditable evidence that the obligations are met in practice. The minimum evidence set for a voice AI deployment in scope of Article 22:
- Decision mapping Written inventory of every call type where Article 22 may apply
- Logic documentation The factors the AI uses to reach each determination, and their relative weights
- Human intervention design Documented process for how the right to human intervention operates per use case
- Disclosure scripts Call scripts showing where and how the individual is informed of automated decisions
- Contestation process Written procedure for handling contestation requests, including response times
- DPIA reference Data Protection Impact Assessment addressing Article 22 risks at scale
- Training records Evidence that human reviewers understand and exercise their substitution authority
- Review cadence log Records of periodic review of automated decisions for accuracy, bias, and impact
A Data Protection Impact Assessment (DPIA) is mandatory under Article 35 for processing likely to result in high risk, and solely automated decision-making with significant effects is one of the Article 35 triggers. The voice AI DPIA template covers the full DPIA structure for a voice programme; for Article 22 specifically, the DPIA must address: the nature of the decisions being automated, the legal basis or exemption relied on, the safeguards in place, and the residual risk assessment.
The AI voice auditability guide covers the broader explainability architecture. For Article 22, the explainability requirement is specific: the individual must be able to understand the "meaningful information about the logic involved" in a decision that affects them, which means the programme must be able to produce an explanation of why the automated determination was reached, in terms the data subject can understand, on request.
The AI tool inventory guide covers the enterprise-level AI register that the ICO, FCA, and EU AI Act all expect as a baseline. The Article 22 documentation sits within the tool inventory as a compliance record for each system making automated decisions.
McKinsey's State of AI 2025 report found that only 33% of enterprises have AI governance in production at scale, meaning that for most organisations, the documentation described above does not yet exist. For voice AI specifically, where customer-facing decisions occur at high volume and high speed, the absence of this documentation represents live regulatory exposure.
How Does Article 22 Interact With the ICO Code of Practice and EU AI Act?
Article 22 does not operate in isolation. In 2026, two additional regulatory instruments layer on top of the existing GDPR obligations:
ICO AI Code of Practice (SI 2026/425, in force 12 May 2026). The Code explicitly addresses automated decision-making in AI systems. Key provisions include: transparency requirements (individuals must know when AI is making decisions that affect them), meaningful human oversight (not just theoretical oversight capacity), and accountability documentation. The Code applies to all organisations operating AI that processes personal data in the UK, which includes every enterprise voice AI programme. The ICO AI Code of Practice voice AI obligations guide covers the full Code requirements; the Article 22 overlap means that programmes already complying with the Code should find themselves broadly meeting the Article 22 documentation standard, but the reverse is not guaranteed, Article 22 adds the specific rights obligations (human intervention, point of view, contestation) that the Code does not exhaustively set out.
EU AI Act, Annex III high-risk classification. The EU AI Act classifies AI systems used in credit, insurance, employment and workers management, essential private and public services, law enforcement, migration, and administration of justice as high-risk. Where a voice agent operates in any of those sectors and makes or materially influences decisions, it may qualify as a high-risk AI system. The EU AI Act voice AI obligations guide covers the full Act requirements; the Article 22 relevance is that the Act imposes additional transparency and human oversight requirements on high-risk systems that complement the GDPR Article 22 obligations, both must be met, and they do not substitute for each other.
FCA Consumer Duty (in force July 2023, AI-specific guidance ongoing). For financial services voice AI, FCA Consumer Duty's "good outcomes" standard adds a further layer: the firm must ensure that automated processes produce outcomes that meet the Consumer Duty standard for each customer, including vulnerable customers. A voice agent that applies a standard collections treatment to a vulnerable customer, because its vulnerability detection missed the signal, creates both a Consumer Duty risk and, if the collections determination was solely automated, an Article 22 risk. The FCA AI governance for voice AI guide covers the FCA-specific obligations in depth.
- Treating "AI disclosure at call start" as sufficient. The Article 22 disclosure must be specific to the decision being made, at the point it is made, not a generic AI notice at the start of every call.
- Assuming human review makes a decision non-solely-automated when the human has no real authority. If the human cannot substitute the AI's determination, their involvement does not remove the solely-automated character.
- Relying on contractual-necessity exemption without legal analysis of each use case. The exemption is narrow; most queue-routing and triage decisions do not meet the necessity test.
- No post-call contestation pathway in the programme design. The right to contest applies after the call, and the caller must be told how to exercise it. If your programme has no contestation process, it is non-compliant by design.
- No DPIA completed before go-live. Solely automated decisions at scale are a mandatory DPIA trigger. Programmes live in production without one are in breach of Article 35 as well as Article 22.
- Subject access request process not scoped to include Article 22 decision records. When a DSAR lands on a voice programme, the [DSAR response architecture](/blog/voice-ai-subject-access-request-call-recordings-enterprise) must include the logic of any Article 22 decision made about that individual, not just the call recording and transcript.
Want to audit your voice programme against Article 22? Try Dilr Voice with compliance architecture built in, book a placement diagnostic that maps your Article 22 exposure, or read about our approach to regulated AI deployment.
Does a voice AI agent that routes callers to different service queues always trigger Article 22?
Not automatically. Queue routing triggers Article 22 only when the routing determines an outcome that materially differs in quality, speed, or rights implications for the individual. A routing decision that sends a caller to a general customer service queue versus a specialist team is unlikely to trigger Article 22 in isolation. A routing decision that sends a caller flagged as a collections risk to a litigation pathway, rather than a payment-support pathway, likely does. The test is always: what is the effect on the individual of the routing decision, not the routing decision itself?
Is "explicit consent" to automated decisions available as an exemption for outbound voice AI programmes?
In theory, yes. In practice, almost never for outbound voice AI. Explicit consent under Article 22(2)(c) must be specific to the type of automated decision, actively given (not implied), informed (the individual understands what kind of decisions will be made), and freely given (no detriment for refusal). In an outbound call context, the caller cannot meaningfully give Article 22 explicit consent before the call begins (they did not initiate the call) and obtaining it at call start is operationally complex and likely to reduce contact rates to the point that the programme fails commercially. Most outbound programmes that trigger Article 22 need a programme design that eliminates the solely-automated element for in-scope decisions, rather than building a consent capture for it.
How does Article 22 interact with the right to erasure and the DSAR process?
Where a voice AI has made an Article 22 decision about an individual, that individual's DSAR response must include: the fact that the decision was made, the logic involved (meaningful information about the automated processing), and the significance and envisaged consequences of the processing. This is separate from the DSAR obligations for the call recording and transcript, those are covered in the voice AI DSAR guide. The Article 22 decision record has its own retention logic: it must be retained long enough to respond to DSARs and contestation requests, even if the call recording itself has been deleted under the general data retention policy. The voice AI data retention GDPR guide needs to account for Article 22 decision records as a separate retention category.
What is the position if the voice AI platform vendor makes the automated decision, not us?
The controller-processor boundary does not move the Article 22 obligation. If your enterprise is the data controller, which it is in virtually all commercial voice AI deployments, you are responsible for Article 22 compliance regardless of whether the underlying processing is performed by your own systems or by a third-party platform. Your vendor may assist with implementation, but the disclosure obligation, the human-intervention design, the contestation process, and the DPIA are the controller's obligations. Your vendor should contractually commit to enabling compliance, through configurable escalation, decision logging, and audit trail access, but cannot discharge the obligation on your behalf. Review your voice AI MSA to confirm the vendor's obligations on Article 22 architecture and documentation.
Does Article 22 apply to AI voice programmes that have a human agent available on the line at the same time as the AI?
It depends on whether the human agent has genuine decision authority in the process, not merely physical availability. If the human can intervene and substitute the AI's determination at any point, and is trained and empowered to do so, the decision may not be solely automated. If the human's role is to handle escalations only when the AI flags them, then for all non-escalated calls the processing is solely automated and Article 22 applies. The voice AI architecture for regulated industries guide covers the design patterns that achieve genuine hybrid operation, as distinct from AI-primary with human backstop.
Deploy voice AI that passes the Article 22 audit.
30-min scoping call. No deck. Confidential. We will map your use cases against Article 22 and build the human-intervention and documentation architecture into the programme from week one.
Written by the Dilr.ai engineering team, practitioners who ship enterprise AI in regulated industries. Follow us on LinkedIn for compliance updates and deployment notes, or subscribe via the RSS feed.