Most organizations treat GDPR as a cookie-banner problem settled years ago. It is the oldest law on the books that directly governs automated decisions about people, and in 2026 it is one of the most active. This unit maps the Article 22 exposure, the SCHUFA ruling, the 2026 enforcement action, and the records that turn the risk into a defensible position.