Use case

GDPR Article 22 + automated AI decisions — receipts as legal-basis evidence

GDPR Article 22 restricts decisions based "solely" on automated processing. If a human meaningfully supervised the AI, the decision is not "solely" automated and Article 22(1) is not engaged; where it is engaged and you rely on the contract exception in Article 22(2)(a), Article 22(3) still requires safeguards, at least the right to obtain human intervention. Either way, you have to be able to prove the human involvement. Receipts are the proof.

The Article 22 distinction

GDPR Article 22(1): a data subject has the right not to be subject to a decision based "solely" on automated processing that produces legal or similarly significant effects. Article 22(2) lists the exceptions: (a) the decision is necessary for entering into or performing a contract, (b) it is authorised by Union or Member State law, or (c) it rests on the data subject's explicit consent. For (a) and (c), Article 22(3) requires suitable safeguards, at least the right to obtain human intervention, to express a point of view and to contest the decision. The dispositive question is whether a human was meaningfully involved. If yes, the decision is not "solely" automated and Article 22(1) does not apply; if no, you are in 22(1) territory and need one of the 22(2) exceptions plus the 22(3) safeguards. "Meaningful" is the operative word: a person who routinely applies the AI's output without engaging with it does not take the decision out of Article 22.

The evidence the DPA wants

When the data protection authority audits your AI use, it will ask: "for AI-mediated decisions affecting individuals, where is the human review?" The compliant answer is receipts showing the human_id of the reviewer, the timestamp of the review and the reviewer's explicit accept/reject decision, each tied to the specific AI output that was reviewed. GenZAgents captures all of these natively; the audit log is the Article 22 evidence layer.

How to operationalise this

For decisions affecting individuals: require receipts to include a reviewer_human_id field; tag the project with gdpr_in_scope=true; configure the anomaly detector to flag any in-scope receipt that lacks a reviewer field. Engineers reviewing AI output get a one-click "I reviewed this" button that adds the reviewer_human_id, signed with their own keypair. The result is an end-to-end audit trail: every in-scope output either carries a signed review or surfaces as an anomaly.

Cross-border data transfer considerations

If the AI provider is in a third country (most are: Anthropic, OpenAI and Google are US-based), the Chapter V transfer rules (Articles 44 to 49) apply. The receipt doesn't change the transfer story (the LLM API call happened the same way) but it does give you an audit trail: which receipts touched which data, where the LLM provider was based, and which transfer mechanism (EU-US Data Privacy Framework certification, or Standard Contractual Clauses under Article 46) was in place at the time. That record is what you need if the mechanism is later invalidated or challenged, as Privacy Shield was in Schrems II.

Subject access requests

A data subject asks "what did your AI decide about me?" (Article 15 gives them the right to ask, and Article 15(1)(h) specifically covers the existence of automated decision-making and meaningful information about the logic involved.) Without GenZAgents the answer is vague. With it, the receipt feed query "show me receipts that involved processing of data subject X" returns the AI activity, assuming you tagged receipts by subject, and the DPO can respond with a detailed and accurate answer. Per-subject tagging is a project setup decision worth making up front for any consumer-facing org; it is much harder to add retroactively, especially if you did not opt in to content storage. Use a pseudonymous subject identifier as the tag rather than a name or email address, since the tag itself becomes personal data in the receipt store.

Compliance with the AI Act on top of GDPR

The EU AI Act and GDPR overlap. For high-risk AI systems, AI Act Article 10 (data and data governance), Article 13 (transparency and provision of information to deployers) and Article 14 (human oversight) sit alongside GDPR's requirements, and the Article 14 human-oversight obligation is the closest analogue to the Article 22 question. The same receipts that evidence human review under GDPR Article 22 also evidence human oversight under AI Act Article 14 and support the Article 10 data-governance documentation. One audit trail, multiple frameworks; see /use-cases/compliance-eu-ai-act for the AI-Act-specific framing.

Common questions

Does GenZAgents store EU personal data?

Receipts store the human_id (a DID, not a name) of the reviewer. A DID is pseudonymous, not anonymous: it can be linked back to the reviewer through your own key registry, so under GDPR it is still personal data of the reviewer and belongs in your records of processing. The actual personal data being processed by the model is between you and the LLM provider; GenZAgents doesn't see the prompt content unless you opt in to content storage, and opting in brings that content within the scope of the DPA. A standard DPA is available; SCCs are in place for non-EU transfer.

Can the reviewer field be falsified?

The reviewer field is signed with the reviewer's own keypair, so falsifying it means forging that reviewer's signature, which is cryptographically infeasible as long as the private key stays with the reviewer. Two caveats a DPA will probe: the signature has to cover the specific receipt (the reviewed output, the decision and the timestamp), not just the reviewer's identity, otherwise a genuine signature could be copied onto a different receipt; and a signature proves which key signed, not that the keyholder looked at anything, so key custody (no shared or exported keys) and the review-time evidence below both matter. With those in place, the chain of custody holds.

How do I demonstrate "meaningful" human review vs rubber-stamping?

The receipt includes the time the reviewer spent on the review, captured from the UI. Anomaly detection flags reviewers spending under 5 seconds per review as potential rubber-stamping. The evidence you can show a DPA is the distribution of review time per reviewer and per decision type, together with each reviewer's reject rate: a reviewer who never rejects and averages a few seconds per item is not exercising meaningful review, whatever the signature says. Treat dwell time as a supporting indicator rather than proof: it is reported by the client, so a tab left open inflates it, and no regulator has endorsed a particular threshold.

What if the AI provider stores prompts in their own logs?

That's a separate Article 28 processor relationship between you and them. GenZAgents covers your audit layer; you're still responsible for the processor-side DPA with Anthropic / OpenAI / Google.

Related

Get the trust layer for your AI work

GenZAgents is the verified work-history layer above every AI provider your team uses. Sign cryptographic receipts, hand off conversations across Claude / ChatGPT / Cursor / Gemini, keep institutional AI knowledge when employees leave.
