Dutch DPA draft guidelines on the right to explanation in ADM – Key takeaways

Background and scope

The draft guidelines set out the Dutch DPA’s views on how organisations should meet the GDPR transparency requirements where fully automated decisions produce legal or similarly significant effects on individuals (e.g., loan applications or car rental approvals). Under Article 22 GDPR, organisations may only use ADM if:

1. it is necessary for the performance of a contract with an individual;
2. it is permitted by law; or
3. the individual has given explicit consent.

One of the required measures organisations must take to protect individuals from the risks associated with ADM, is to provide an explanation of the decision. According to the Dutch DPA, the purpose of the explanation is to enable individuals to check the lawfulness and accuracy of the data processed and exercise their rights to human intervention, express their point of view, and challenge the decision.

General and specific explanations

A central theme in the draft guidelines is the distinction between:

1. General explanations describing the decision-making process in general terms, including all categories of personal data that may be processed and the aggregate weighting of the factors. Organisations should always provide this explanation proactively, usually before a decision is made (e.g., when an individual completes an application form).
2. Specific or personal explanations tailored the individual's concrete decision, including: (i) the personal data used as factors in the decision; (ii) essential elements of the algorithm (e.g., the weighting of factors in the specific decision, the steps taken by the algorithm and intermediate steps such as scores or categorisation); and (iii) information on the relationship between the data processed and the decision. Organisations should make this explanation available upon request, typically in response to an access request.

Useful information about the underlying logic

The draft guidelines further detail what the Dutch DPA considers "useful information about the underlying logic” of an automated decision. The Dutch DPA emphasises that the term ‘logic’ should be interpreted broadly, referring not only to mathematical logic, but primarily to the relationship between the data processed and the ultimate decision. The explanation should cover the objective pursued by the algorithm, the procedures it follows, which variables are considered (and how much), and the data used.

For more complex models, the Dutch DPA discusses explanation techniques such as showing the weighting of factors (e.g., that "the amount of the loan requested and the income play an important role in this decision") and comparative explanations answering the question: "How would the data have to change in order to get a different outcome?" However, the Dutch DPA cautions that organisations may need to supplement such techniques with additional information.

Understandability

The draft guidelines require that explanations are “concise, transparent and comprehensible”. The Dutch DPA notes that technical transparency does not always result in an understandable explanation and recommends a layered approach, where the individual first receives a concise overview and can click through to further detail.

The first layer should draw attention to the individual’s rights and the first part of personal data processed (e.g., information about ADM, what the decision is, the importance and consequences thereof, the individual’s rights, and which personal data are most relevant to the decision). The second layer should include a personal explanation of the algorithmic decision (e.g., additional techniques and personal information used).

The Dutch DPA cites an Amsterdam court ruling that wording such as “may,” “could,” and “possibly” are unclear and should therefore be avoided.

Limitations: trade secrets and gaming the system

The draft guidelines acknowledge that organisations may in some cases need to limit explanations to protect trade secrets or prevent gaming the system but emphasise that such interests are not grounds for not giving an explanation to an individual at all. In both cases, a general concern is not sufficient, there must be genuinely protected rights at stake, and the organisation must be concrete about this. Where limitations apply, the organisation must find a way to reconcile the interests, for example, by explaining what the algorithm does even if the algorithm itself cannot be disclosed and must inform the individual that the explanation is limited and why.

Governance and explainability-by-design

The Dutch DPA emphasises that organisations must consider explainability from the design stage and recommends a three-phase approach for explainability-by-design:

1. Choices of explanation techniques: Choose which explanation techniques are needed for the model used and determine how these are integrated into processes.
2. Strategy for explaining: Formulate a strategy that explains how employees can make the explanation clear and simple, with the understanding of the individual as central.
3. Evaluation: Evaluate the process regularly, including by asking for feedback from stakeholders.

The draft guidelines also note that organisations should consider transparency when performing a Data Protection Impact Assessment (“DPIA”), which is likely required for ADM. This may include asking individuals for their opinion before the DPIA is finalised.

What companies should do now

Although the guidelines are still in draft, they provide a clear indication of how the Dutch DPA is likely to interpret and enforce the GDPR’s transparency and explanation requirements for ADM. Companies using ADM should expect closer scrutiny of both what they explain and how explanations are delivered, particularly in response to data subject requests.

Companies should therefore already assess whether their current ADM governance, documentation and explanations would stand up against the Dutch DPA’s expectations and identify where operational or legal uncertainties remain.

The consultation, through which organizations can submit comments until May 26, 2026, offers a strategic opportunity to seek clarification on feasibility issues, especially for complex or proprietary models.

In practical terms, companies should consider these following steps now:

• Engage with the consultation, particularly where ADM plays a material role in business operations.
• Identify and assess ADM use cases subject to Article 22 GDPR, including fully automated eligibility, scoring, or screening decisions.
• Review transparency practices to ensure both general (proactive) and specific (on request) explanations can be provided at the level of detail described in the draft guidelines.
• Test explainability and wording to ensure explanations are concrete, personalised and understandable, avoiding vague or speculative language.
• Embed explainability into governance and design, including model selection, DPIAs, staff guidance, and documentation.
• Evaluate reliance on trade secrets or gaming concerns, ensuring any limitations on explanations are specific, well reasoned, and proportionate.

Authored by Joke Bodewits, Julian Flamant, and July Baltus.