Free Compliance Template
EU AI Act DPIA Template
A Data Protection Impact Assessment is required under Article 26(9) of the EU AI Act for high-risk AI systems. Generate one tailored to your specific AI use case — free, in under a minute.
What is a DPIA under the EU AI Act?
A Data Protection Impact Assessment (DPIA) evaluates how your AI system processes personal data and what risks it poses to individuals' rights. Under the EU AI Act, deployers of high-risk AI systems must conduct a DPIA before putting the system into use.
This isn't just a GDPR DPIA with "AI" added — the EU AI Act requires you to assess risks specific to AI systems: bias, transparency, human oversight, and the quality of training data your provider uses.
A complete EU AI Act DPIA covers:
1. System description — what AI system, provider, model, and purpose
2. Data processing scope — what personal data is processed, data subjects, retention
3. Necessity and proportionality — why AI is needed and whether it's proportionate
4. Risk assessment — bias, discrimination, transparency, accuracy, fundamental rights
5. Mitigation measures — human oversight, monitoring, data quality controls
6. Consultation — DPO sign-off, supervisory authority notification if needed
Who needs an EU AI Act DPIA?
Under Article 26(9), deployers of high-risk AI systems must perform a DPIA. You're a deployer if you use an AI system under your own authority — even if someone else built it.
Common high-risk use cases that require a DPIA:
- Hiring and recruitment screening (Annex III, 4)
- Credit scoring and financial assessments (Annex III, 5)
- Medical diagnosis or triage (Annex III, 5)
- Education scoring and student assessment (Annex III, 3)
- Insurance pricing and claims (Annex III, 5)
Not sure if your use case is high-risk? Use the decision tree or scan your AI stack to find out.
Generate your DPIA in under a minute
Scan your AI stack, and we'll generate a DPIA tailored to your specific AI services, use cases, and risk level. Free, no credit card required.
EU AI Act DPIA vs. GDPR DPIA — what's different?
If you already have a GDPR DPIA, you're partway there. But the EU AI Act adds AI-specific requirements that a standard GDPR assessment doesn't cover.
| Aspect | GDPR DPIA | EU AI Act DPIA |
|---|---|---|
| Focus | Personal data processing | AI system risks + personal data |
| Bias assessment | Not required | Required for high-risk systems |
| Human oversight | Not required | Must document oversight measures |
| Training data | Not assessed | Must assess data quality & representativeness |
| Provider docs | Not required | Must reference provider documentation (Art. 13) |
| Fundamental rights | Broad privacy rights | Specific AI rights impact (Art. 27) |
Already GDPR compliant? The GDPR-to-AI-Act bridge guide shows how to extend your existing work.
What happens without a DPIA?
Deployers who fail to conduct a DPIA for high-risk AI systems face fines of up to €15 million or 3% of worldwide annual turnover — whichever is higher. Beyond fines, operating a high-risk AI system without a proper impact assessment can lead to:
- Suspension of the AI system by market surveillance authorities
- Liability claims from individuals affected by the AI system
- Reputational damage and loss of customer trust
This template provides general guidance based on the EU AI Act text (Regulation 2024/1689). It is not legal advice. Consult a qualified legal professional for formal compliance guidance specific to your situation.