How to explain AI-generated outputs in a DSAR response

From recruitment screening to fraud detection and workforce analytics, AI systems are generating more information about individuals than ever before. 

When someone submits a Data Subject Access RequestA verbal or written request made by a data subject to access their data (in a portable format if requested), be informed about how it is used, to have their data modified if it is incorrect, or to have it deleted. (DSAR), any scores, labels, and predictions made by AI systems about that person may need to be disclosed since they fall within scope of personal dataInformation which relates to an identified or identifiable natural person.. The challenge is not just disclosing the outputs but explaining them in a way that is meaningful and proportionate. 

This blog outlines what organisations need to disclose and how to structure clear, practical explanations when responding to a DSAR. 

• When do AI outputs become personal data? 
• What should be explained to the data subject? 
• How to structure your explanation in practice 
• Practical steps for organisations 
• Frequently asked questions 

When do AI outputs become personal data?

Under the General Data Protection RegulationRegulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation). (GDPR), personal data is any information that relates to an identifiable individual. Many assume this simply means identifiers such as names and addresses, but the definition is much broader. 

Personal data goes beyond information that a data subject has given you directly. It also includes data that has been derived, inferred, or generated by a system. This can include AI-generated outputs, such as a scores, risk ratings, or predictions. For example: 

• A retail business assigning a ‘high return risk’ score to a customer 
• A construction firm categorising employees into ‘high’ or ‘low productivity’ bands 
• A fraud system marking a customer as ‘requires enhanced monitoring’ 

If the information relates to an identifiable person, it is still personal data and should be disclosed as part of a Data SubjectAn individual who can be identified or is identifiable from data. Access Request (DSAR). 

What should be explained to the data subject?

There is no standalone, express ‘right to explanation’ written into the GDPR. However, organisations are required to be transparent about how they use personal data, including data generated by automated systems.  

In practice, this should be addressed both before and after a DSAR is submitted. 

Be transparent from the onset about how automationA process or a system that operates automatically. is used 

People should already know if automated processing is taking place. Your Privacy NoticeA clear, open and honest explanation of how an organisation processes personal data. should clearly explain if you use profiling, scoring, or automated decision-making, and what that means for individuals — particularly where decisions could significantly affect them. 

Learn how to update your Privacy Notice for AI 

Provide meaningful information when asked

If someone submits a Data Subject Access Request (DSAR), you must provide access to any personal data generated about them, including any scores, classifications, or predictions made by AI systems, along with information about the systems. 

Recent case law, including the Schufa decision, confirms that when responding to a DSAR, organisations are not required to reveal trade secrets or detailed mathematical formulas. You do not need to hand over source code, disclose algorithms, reveal the weighting of each factor, or share proprietary models.  

But you can’t disclose an AI output without context. If an automated output has been created about someone, particularly where it influences decisions about them, you need to provide ‘meaningful information’. This should be clear enough for the individual to understand: 

• What information was used about them 
• How that type of information influenced the result 
• What the outcome means in practical terms

The purpose is not to provide a technical breakdown of your system. Rather, it is to ensure individuals can understand what happened and, where relevant, challenge the outcome. 

Organisations operating across the UK and EU should also be aware that the EU AI ActThe EU Artificial Intelligence Act was approved by the EU Council on 21 March 2024. A world-first comprehensive AI law, intended to harmonise rules for the development, deployment, and use of artificial intelligence systems across the EU. and the UK’s Data Use and Access Act (DUAA) 2025 introduce additional governance and transparency requirements for certain AI systems. Whilst these frameworks do not create new access rights beyond the GDPR, they reinforce the importance of being able to interpret and clearly explain AI-generated outputs. 

How to structure your explanation in practice 

When responding to a DSAR involving AI-generated data, the goal is clarity. A simple three-part structure can help ensure your response is both compliant and commercially appropriate. 

1. Describe the types of data used

Explain what categories of information the system considered, such as purchase and return history or attendance and shift records. You do not need to list every data point — a clear explanation of the types of information used is usually sufficient. 

This helps the individual understand what information about them fed into the result. 

2. Provide a high-level explanation of how the system works 

Explain in general terms how the system reaches a type of outcome. This explanation should be broad enough to protect commercial sensitivity, but clear enough to show how the output was produced. 

For example, depending on the AI system used, the following could be sufficient: 

• ‘The system compares your return history with patterns seen across our wider customer base.’ 
• ‘The tool reviews application responses and experience levels to prioritise candidates for manual review.’ 
• ‘The model analyses production data and absence records to identify potential workforce trends.’ 

Other AI systems may require deeper explanations. 

3. Explain what the output represents 

Start by clearly describing what the AI-generated data is, avoiding jargon and using plain language. The individual should immediately understand what the label, score, or classification means. 

For example: 

• ‘You were assigned a “high return risk” score as part of our fraud-prevention processA series of actions or steps taken in order to achieve a particular end..’ 
• ‘Your application was categorised as “requires further review” by our recruitment system.’ 
• ‘Your performance data was used to place you within a productivity band.’ 

Practical steps for organisations

• Map where AI generates personal data
  Understand which systems generate outputs, where those outputs are stored, who can access them, and whether they are used to inform decisions.  
• Pre-draft plain-English explanations
  You should prepare standard, approved explanations in advance to avoid inconsistent responses, overly technical explanations, and last-minute legal reviews. 
• Ensure human oversight is clear
  Where AI outputs influence significant decisions, be clear internally about whether human review takes place and who is responsible for intervention. 
• Align HR, Legal, and IT teams
  DSARs involving AI-generated outputs often cut across departments, so teams should be aligned on how outputs are disclosed before a request is received.
• Stress-test your response process
  Confirm you can confidently locate, retrieve, and explain AI-generated outputs within DSAR timeframes, particularly during high-volume periods such as restructures.  

Frequently asked questions 

Do we have to disclose our algorithm in a DSAR?

No. Data protection lawAny law, statute, declaration, decree, directive, legislative enactment, order, ordinance, regulation, rule or other binding restriction (as amended, consolidated or re-enacted from time to time) that relates to the protection of individuals with regards to the Processing of personal data. does not require organisations to reveal source code, proprietary algorithms, or detailed weightings. However, you must provide meaningful information about how the output was generated and what it means for the individual. 

Are AI-generated score or risk ratings really personal data?

Yes, if they relate to an identifiable individual. Even if the person did not provide the information directly, scores, classifications, and predictions generated about them are likely to be personal data.

What does ‘meaningful information’ mean in practice?

It means explaining, in clear language, what data was used, how the system generally works, and what the outcome represents. The explanation should allow the individual to understand and, where relevant, challenge the result.

Do we only need to explain the AI-generated outputs if the decision was fully automated?

No. Even where a human is involved in the final decision, AI-generated outputs that relate to an individual may still need to be disclosed in a DSAR. Additional safeguardsWhen transferring personal data to a third country, organisations must put in place appropriate safeguards to ensure the protection of personal data. Organisations should ensure that data subjects' rights will be respected and that the data subject has access to redress if they don't, and that the GDPR principles will be adhered to whilst the personal data is in the... apply where decisions are based solely on automated processing and have significant effects.

The DPO Centre has extensive experience supporting organisations with DSAR responses, from routine access requests to complex cases involving automated decision-making and AI-generated outputs. Contact our team today to learn more.  

In case you missed it…

• Using AI for DSAR responses: What every organisation should know
• How to write a clear and compliant Privacy Notice 
• THE DATA CHASE: DSAR compliance under the UK’s new data law