The GDPR does require algorithmic decisions to be non-final. However it provides no mechanism beyond allowing the company to just claim they manually reviewed the case and came to the same conclusion as the algorithm. The purpose of that requirement is really more to limit the effect of automated decisions by insurance companies and such.