GDPR Articles 13, 14, 15, and 22, together with AI Act Article 86, give affected people different routes to understand and contest automated or AI-assisted decisions — but they cover different decisions, and the gap between them is where a deployer’s real obligation lives.
No consequential automated decision in Europe answers to a single regime, and the clearest illustration is what an affected person can demand in order to understand and contest one — a cluster of duties that now sits across two regimes, in two different shapes. For any deployer running a system that decides something consequential about a person, knowing where these rights overlap and where they diverge is operational, not academic: it determines what you must actually be able to tell someone who asks why a machine said no.