GDPR Automated Means: Definition and Legal Scope

In one sentence. Under GDPR Article 2(1), “automated means” covers any processing carried out using equipment operating wholly or partly automatically — essentially any digital, computerised or algorithmic processing of personal data. The concept is the trigger for GDPR application (vs purely manual processing) and is referenced in five other GDPR articles, most notably Article 20 (portability) and Article 22 (automated individual decision-making). Origin: Convention 108 of the Council of Europe, incorporated into Directive 95/46/EC and now Article 2(1) of Regulation (EU) 2016/679.

The term is broader than people often assume: a spreadsheet on a server, a SaaS, an AI model, a CRM, a CCTV digital recording — all are “automated means”.

Key takeaways

• GDPR applies to “processing wholly or partly by automated means” (Article 2(1)).
• It also applies to manual processing intended to form part of a filing system.
• “Automated means” includes any digital tool — not only AI or algorithms.
• Article 22 narrows the concept for automated individual decisions (different threshold).
• Article 20 portability triggers only for automated processing under consent or contract.
• Concept inherited from Convention 108 (1981).

1. Article 2(1) official text

“This Regulation applies to the processing of personal data wholly or partly by automated means and to the processing other than by automated means of personal data which form part of a filing system or are intended to form part of a filing system.”

Source: EUR-Lex Regulation (EU) 2016/679.

Two material scope triggers:

1. Processing by automated means — covered regardless of structure
2. Manual processing — covered only if part of a structured filing system (Article 4(6))

2. Origin and historical context

The concept comes from Convention 108 of the Council of Europe (1981), the first international data protection treaty. It defined “automatic processing” by reference to electronic data processing equipment. The 1995 Directive (95/46/EC) Article 3(1) carried it forward. GDPR Article 2(1) is its modern formulation, updated by Convention 108+ (2018).

3. What counts as “automated means”

EDPB and DPA practice consistently includes:

• Databases and spreadsheets stored electronically
• SaaS and cloud platforms
• CRM, ERP, HRIS
• Email systems
• Cookies and tracking tags
• Video surveillance with digital storage
• IoT devices
• AI and machine learning models
• Smart contracts

4. What does NOT count alone

• A purely paper-based file (covered only if part of a structured filing system)
• Spoken conversations not recorded
• Visual observation without recording

But the moment data enters a digital tool, the automated means trigger applies.

5. Article 22 — automated individual decisions

Article 22 is a specific, narrower use of the concept:

“The data subject shall have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her or similarly significantly affects him or her.”

Three conditions:

• Solely automated (no meaningful human involvement)
• Legal or similarly significant effect
• Decision concerning the data subject

EDPB Guidelines on automated decision-making (WP251rev.01) detail the test. Examples: credit scoring rejection, automated CV screening, dynamic pricing affecting access.

6. “Solely” — the meaningful human review test

DPA decisions (notably ICO, CNIL, Garante) clarify “solely”:

• A rubber-stamp human review does NOT count as human intervention
• Reviewer must have authority and capability to change the decision
• Must have access to all relevant data
• Must consider the case on its merits

This is the heart of Article 22 enforcement.

7. Article 20 — portability and automated means

Article 20 portability applies “where (b) the processing is carried out by automated means”. This excludes purely paper-based controllers — rare in practice. The threshold is the same broad concept as Article 2(1).

8. Profiling vs automated means

Article 4(4) defines profiling as automated processing for evaluation. All profiling involves automated means; not all automated means involve profiling. Profiling triggers transparency obligations (Article 13(2)(f), 14(2)(g)) plus Article 22 if conditions met.

9. Case law

• CJEU C-634/21 SCHUFA (December 2023): credit scoring qualifies as “automated decision” under Article 22 even if a downstream human takes the formal credit decision, where the score is determinative.
• CJEU C-203/22 Dun & Bradstreet (2025): meaningful information about logic.
• CNIL Deliberation Clearview (2021): biometric matching qualifies as automated processing with high risk.
• Italian Garante on food delivery algorithms (2021): algorithmic worker management under Article 22.

10. Transparency obligations triggered

When automated means produce Article 22 effects, the controller must (Articles 13(2)(f), 14(2)(g), 15(1)(h)):

• Disclose the existence of automated decision-making
• Provide meaningful information about the logic
• Explain the significance and envisaged consequences

CJEU C-203/22 (2025) clarified “meaningful information”: enough to understand and challenge, not full source code.

11. Implementation checklist

1. Confirm GDPR applies — any digital tool = automated means (Article 2(1))
2. Identify Article 22 decisions in your processing inventory
3. Document “solely automated” assessment per activity
4. Ensure meaningful human review where Article 22 is excluded
5. Privacy notice mentions automated decision-making and logic
6. Provide right to obtain human intervention, contest, express view (Article 22(3))

12. Tooling

Legiscope flags Article 22-relevant activities in the ROPA, documents human review processes, and generates the required transparency disclosures including logic descriptions. Connects to the DSAR pipeline for Article 15(1)(h) responses.

For related: GDPR vs AI Act, Article 20 portability.

FAQ

What does “automated means” mean under GDPR?

Article 2(1): any processing of personal data wholly or partly by automated means — i.e. using equipment operating automatically. In practice this covers virtually all digital tools: databases, SaaS, CRM, AI, cookies.

Is “automated means” the same as automated decision-making?

No. “Automated means” (Article 2(1)) is the broad GDPR scope trigger — any digital processing. Article 22 “solely automated decision-making” is a much narrower, decision-specific concept with legal/significant effects.

Does a spreadsheet count as automated means?

Yes if stored on a computer system. The threshold is digital / electronic processing, not algorithmic sophistication.

What if a human reviews the AI decision?

Article 22 still applies if the human review is not meaningful (CJEU SCHUFA C-634/21). The reviewer must have authority, capability, access to data, and consider the case on its merits.

Where is the official definition?

EUR-Lex Regulation (EU) 2016/679, Article 2(1). Origin in Council of Europe Convention 108.