PREAMBLE
This Algorithmic Transparency Statement for [Company Name] effective [Date] discloses the use of automated decision-making systems and algorithmic processing of personal data. Legal Basis: GDPR Art. 13-14 (transparency), GDPR Art. 22 (automated decisions), EU AI Act Arts. 13-14 (transparency).
1. ALGORITHMIC SYSTEMS IN USE
1.1 Systems Covered: Company uses the following automated decision-making systems:
| System Name | Purpose | Data Processed | Decision Type |
|---|---|---|---|
| [e.g., Credit Risk Scoring] | [e.g., Loan qualification] | [Income, credit history, employment] | ☐ Binding ☐ Recommendation |
| [e.g., Content Recommendation] | [Feed personalization] | [Browsing history, likes] | ☐ Binding ☐ Recommendation |
| [e.g., Employee Screening] | [Resume ranking for hiring] | [Resume, skills, experience] | ☐ Binding ☐ Recommendation |
1.2 High-Risk Classification: Systems classified as HIGH-RISK under EU AI Act Annex III if used for: (a) employment/HR decisions, (b) credit/loan decisions, (c) law enforcement, (d) migration/asylum, (e) essential services (utilities, healthcare)
2. TRANSPARENCY DISCLOSURES (GDPR ART. 13/14)
2.1 Identity of Controller: Data Controller = [Company Name], [Address], contact: [privacy@company.com] per GDPR Art. 13(1)(a)
2.2 Automated Processing Notification: Your data is processed using automated decision-making algorithms. THIS IS NOT HUMAN REVIEW: decisions are made by a machine learning model trained on historical data.
2.3 Logic of Algorithm: The algorithm works as follows:
- Input: [Which data points feed the algorithm: age, income, location, etc.]
- Processing: [Mathematical model: neural network, logistic regression, decision tree, etc.]
- Output: [Decision or score: 0-100 risk score, approve/reject recommendation, rank/tier assignment]
- Training Data: Model trained on [X million historical records] from [date range]
2.4 Significance & Consequences: Decisions have [significant / limited] consequences:
- Loan approval/denial (financial consequence)
- Job screening/ranking (employment opportunity loss)
- Content filtering/shadow-banning (service access limitation)
- Price discrimination (financial impact)
3. HUMAN OVERSIGHT & EXPLAINABILITY
3.1 Human Review: Automated decisions are subject to:
- ☐ Human review by employee (optional, upon request): Response within [5-10 business days]
- ☐ Mandatory human review if user objects (requests reconsideration)
- ☐ NO human review (automated only; not applicable per GDPR Art. 22(3) exception)
3.2 Appeal / Objection Process: If user disagrees with algorithmic decision:
1. Submit objection within [30 days]
2. Provide reason for objection + additional information
3. Company reviews + provides human decision within [10 business days]
4. User may appeal to data protection authority if unsatisfied
3.3 Explainability: Upon request, Company provides:
- ☐ Which input factors influenced the decision (top 3-5 factors)
- ☐ Approximate weight/importance of each factor
- ☐ Whether decision was fully automated or involved human judgment
- ☐ Exact algorithm code (proprietary; not disclosed)
- ☐ Training data samples (privacy-sensitive; not disclosed)
4. BIAS, FAIRNESS & NON-DISCRIMINATION
4.1 Bias Testing: Company conducts regular bias audits per EU AI Act Art. 15 to ensure:
- No gender discrimination: Accuracy ≥95% across all genders
- No racial/ethnic discrimination: Accuracy ≥95% across racial groups
- No age discrimination: Accuracy ≥95% across age groups
- No disability discrimination: System accommodates accessibility needs
4.2 Fairness Metrics: Algorithm checked for:
- Equal Opportunity: Approval rates similar across demographics
- Calibration: Predictions equally accurate for all subgroups
- False Positive/Negative Rates: Similar error rates across groups
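The per-group checks in 4.1 and 4.2 (accuracy floor of 95% per group, and similar approval, false positive and false negative rates across groups) can be computed directly from logged decisions. The following is an added illustration, not the Company's own audit code; the records are constructed, and the 0.10 gap tolerance is an assumed value since the statement only requires rates to be "similar".

```python
from collections import defaultdict

# Constructed records: (demographic_group, true_outcome, model_decision),
# 1 = approve, 0 = reject. Invented for illustration, not real data.
def make_records(group, tp, fp, tn, fn):
    return ([(group, 1, 1)] * tp + [(group, 0, 1)] * fp
            + [(group, 0, 0)] * tn + [(group, 1, 0)] * fn)

SAMPLE = (make_records("A", tp=10, fp=0, tn=9, fn=1)
          + make_records("B", tp=6, fp=1, tn=11, fn=2))

def group_metrics(records):
    """Per-group accuracy, approval rate, false positive and false negative rate."""
    c = defaultdict(lambda: {"tp": 0, "fp": 0, "tn": 0, "fn": 0})
    for group, truth, pred in records:
        cell = ("tp" if truth else "fp") if pred else ("fn" if truth else "tn")
        c[group][cell] += 1
    out = {}
    for group, k in c.items():
        n = sum(k.values())
        out[group] = {
            "accuracy": (k["tp"] + k["tn"]) / n,
            "approval_rate": (k["tp"] + k["fp"]) / n,  # equal opportunity check
            "fpr": k["fp"] / (k["fp"] + k["tn"]) if k["fp"] + k["tn"] else 0.0,
            "fnr": k["fn"] / (k["fn"] + k["tp"]) if k["fn"] + k["tp"] else 0.0,
        }
    return out

def audit(records, min_accuracy=0.95, max_gap=0.10):
    """Flag groups below the accuracy floor and metrics whose spread across
    groups exceeds max_gap (assumed tolerance; the statement says 'similar')."""
    metrics = group_metrics(records)
    findings = []
    for group, m in metrics.items():
        if m["accuracy"] < min_accuracy:
            findings.append({"check": "accuracy", "group": group, "value": m["accuracy"]})
    for name in ("approval_rate", "fpr", "fnr"):
        values = [m[name] for m in metrics.values()]
        gap = max(values) - min(values)
        if gap > max_gap:
            findings.append({"check": f"{name}_gap", "gap": gap})
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```

On the constructed sample, group B fails the accuracy floor (85%) and the approval-rate and false-negative-rate gaps exceed the tolerance, which is the kind of result that would trigger the investigation described in 6.1.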
4.3 Protected Characteristics: Algorithm explicitly CANNOT use:
- ☐ Race, ethnicity, skin color (protected per German AGG (Anti-Discrimination Act))
- ☐ Religion, ideology, political opinions
- ☐ Union membership or political affiliation
- ☐ Genetic data, health data, sex life
- ☐ ALLOWED (if necessary): Age, disability (if documented accommodation)
5. DATA RETENTION & RIGHTS
5.1 Data Retention: Personal data retained for [3 months - 1 year] after decision for:
- Appeal/objection handling
- Bias audit & fairness testing
- Regulatory compliance (GDPR Art. 15 access requests)
- Legal defense (contractual disputes)
5.2 User Rights (GDPR): You have right to:
- Access (Art. 15): Request copy of your data + decision reasons
- Rectification (Art. 16): Correct inaccurate data
- Erasure (Art. 17): Delete data (except legal retention period)
- Portability (Art. 20): Download your data in machine-readable format
- Object (Art. 21): Opt-out of algorithmic decisions (human review only)
Submit requests to [privacy@company.com]. Company responds within [30 days] per GDPR Art. 12
6. MONITORING & INCIDENT REPORTING
6.1 Ongoing Monitoring: Algorithm performance monitored continuously for:
- Accuracy degradation (if accuracy drops >5%, investigation triggered)
- Bias drift (fairness metrics checked monthly)
- Data quality issues (missing/corrupt input data)
- Cybersecurity incidents (unauthorized access)
6.2 Incident Reporting: If serious incident discovered (discrimination, data breach, system failure affecting >100 users):
- Company notifies affected users within [15 days]
- Data protection authority notified if personal data breach per GDPR Art. 33
- Corrective measures implemented immediately
7. CONTACT & DATA PROTECTION AUTHORITY
7.1 Data Protection Officer: [DPO Name], [email / phone]
7.2 Regulatory Authority: Complaints to:
7.3 Legal Rights: You have right to lodge complaint + seek judicial remedy per GDPR Art. 77-79
8. GOVERNING LAW
Law: GDPR 2016/679 (EU) | EU AI Act 2024/1689 (if applicable) | German BGB
CRITICAL TRANSPARENCY REQUIREMENTS: Must disclose: (1) that algorithmic decision-making used, (2) logic/purpose of algorithm, (3) consequences of decision, (4) human review option available, (5) bias testing conducted, (6) user rights (access/object/appeal). Mandatory human review option if decision has significant consequences. Explainability required (top factors, not code). Protected characteristics must not be used. Monitoring + incident reporting required. Non-compliance = GDPR fines up to EUR 20M or 4% revenue.
Company: [Company Name] | Effective Date: [Date] | Last Updated: [Date]