DPIA Template for AI Systems – GDPR and EU AI Act Compliance

AIPIA
Ensuring GDPR & EU AI Act Compliance

This DPIA template is designed to assess and document how an AI system processes personal data in a lawful, fair, and transparent manner. It identifies potential privacy risks across the entire data lifecycle — from collection and training to inference and retention — and defines mitigation strategies to ensure compliance with GDPR and the EU AI Act. Through this assessment, organizations can demonstrate accountability, strengthen data governance, and ensure the protection of individuals’ rights and freedoms.

1. General information

1.1. What is the processing operation subject to the assessment?

Provide a concise overview: its name, purpose(s), expected benefits, and usage context.

1.2. What are the responsibilities related to the processing?

Describe the roles and responsibilities of the stakeholders.

1.3. What reference frameworks apply?

Indicate here which reference frameworks apply to the processing. These frameworks serve as normative standards and help guide the completion of the assessment.

1.4. Does the processing rely on an artificial intelligence algorithm or an automated decision-making process?
1.5. If yes, specify the type of algorithm used (e.g. supervised learning, generative, etc.) and the purpose of the AI use (e.g. sorting, scoring, prediction, generation, etc.).

2. Description

2.1. What data are being processed?

List the data collected and processed, specifying their retention periods, recipients, and persons with access.

2.2. How does the data lifecycle unfold? (functional description)

Describe the data lifecycle here. You may attach a flow diagram as an appendix to your response.

2.3. What are the data storage media?

Detail the data storage media here — for example, the application or software used to process the data.

3. Proportionality and necessity of data

3.1. Are the purposes of the processing determined, explicit, and legitimate?

Explain how the purposes of the processing are determined, explicit, and legitimate.

3.2. What is the legal basis that makes your processing lawful?

Specify the legal basis associated with your processing — for example, consent, legal obligation, or legitimate interest.

3.3. Are the data collected adequate, relevant, and limited to what is necessary for the purposes for which they are processed (data minimization)?

Explain how each data item is necessary to achieve the purposes of the processing.

3.4. Are the data accurate and kept up to date?

Describe the measures implemented to ensure data quality.

3.5. What are the data retention periods?

Explain how the planned retention period for each data item is necessary to fulfill the purposes of the processing.

3.6. How do you assess the measures implemented?
3.7. Why is the use of AI justified in relation to the purpose pursued?
3.8. Have less intrusive alternatives been considered (e.g. non-AI, manual processing)?
3.9. If yes, which ones?

4. Protective measures for rights

4.1. How are data subjects informed about the processing? (transparency)

Indicate here the methods used to inform data subjects (data charter, forms, etc.) and the content of the information provided.

4.2. If applicable, how is the consent of data subjects obtained?

Indicate here the methods used to collect consent.

4.3. How can data subjects exercise their right of access and right to data portability?

Indicate here the procedures for exercising these rights.

4.4. How can data subjects exercise their right to rectification and right to erasure (right to be forgotten)?

Indicate here the procedures for exercising these rights.

4.5. How can data subjects exercise their right to restriction and right to object?

Indicate here the procedures for exercising these rights.

4.6. Are the obligations of processors clearly defined and contractually established?

A data processing agreement must be concluded with each processor, specifying all elements required under Article 28 of the GDPR.

4.7. In case of data transfers outside the European Union, are the data protected in an equivalent manner?

Specify the country of transfer and the transfer mechanism used.

4.8. How do you assess the measures implemented?
4.9. Are individuals explicitly informed about the use of AI?
4.10. Is human intervention guaranteed?
4.11. Does the system enable the exercise of the right to an explanation regarding the algorithmic logic?

5. Lawfulness of data processing

5.1. What could be the main impacts on data subjects if the risk materialized?
5.2. What are the main threats that could lead to the occurrence of the risk?
5.3. What are the sources of risk that could be at its origin?
5.4. What existing measures contribute to addressing the risk?
5.5. How do you assess the severity of the risk, particularly in light of potential impacts and initial measures?
5.6. How do you assess the likelihood of the risk, particularly in view of threats, sources of risk, and initial measures?

6. Security of personal data

6.1. What could be the main impacts on data subjects if the risk materialized?
6.2. What are the main threats that could lead to the occurrence of the risk?
6.3. What are the sources of risk that could be at its origin?
6.4. What existing measures contribute to addressing the risk?
6.5. How do you assess the severity of the risk, particularly in light of potential impacts and initial measures?
6.6. How do you assess the likelihood of the risk, particularly in view of threats, sources of risk, and initial measures?

7. Data subjects’ rights

7.1. What could be the main impacts on data subjects if the risk materialized?
7.2. What are the main threats that could lead to the occurrence of the risk?
7.3. What are the sources of risk that could be at its origin?
7.4. What existing measures contribute to addressing the risk?
7.5. How do you assess the severity of the risk, particularly in light of potential impacts and initial measures?
7.6. How do you assess the likelihood of the risk, particularly in view of threats, sources of risk, and initial measures?

8. Quality and lawfulness of training data

8.1. What could be the main impacts on data subjects if the risk materialized?
8.2. What are the main threats that could lead to the occurrence of the risk?
8.3. What are the sources of risk that could be at its origin?
8.4. What existing measures contribute to addressing the risk?
8.5. How do you assess the severity of the risk, particularly in light of potential impacts and initial measures?
8.6. How do you assess the likelihood of the risk, particularly in view of threats, sources of risk, and initial measures?

9. Unlawful and unsecured transfer of personal data

9.1. What could be the main impacts on data subjects if the risk materialized?
9.2. What are the main threats that could lead to the occurrence of the risk?
9.3. What are the sources of risk that could be at its origin?
9.4. What existing measures contribute to addressing the risk?
9.5. How do you assess the severity of the risk, particularly in light of potential impacts and initial measures?
9.6. How do you assess the likelihood of the risk, particularly in view of threats, sources of risk, and initial measures?

10. Mitigation measures: lawfulness of processing

10.1. Security measure: definition and limitation of purposes

As both provider and deployer, it is important to verify that:

10.2. Security measure: unlimited data retention

As both provider and deployer, it is important to verify that:

10.3. Security measure: violation of the data minimization principle

As both provider and deployer, it is important to verify that:

10.4. Provide details on the action plan you intend to implement
10.5. How do you assess the severity of the risk, particularly in light of potential impacts and envisaged measures?
10.6. How do you assess the likelihood of the risk, particularly in view of threats, sources of risk, and envisaged measures?

11. Mitigation measures: security of personal data

11.1. Recommended mitigation measures for the risk: insufficient data protection

As both provider and deployer, it is important to verify that:

11.2. Provide details on the action plan you intend to implement
11.3. How do you assess the severity of the risk, particularly in light of potential impacts and envisaged measures?
11.4. How do you assess the likelihood of the risk, particularly in view of threats, sources of risk, and envisaged measures?

12. Mitigation measures: data subjects’ rights

12.1. Security measure: absence of human intervention

As both provider and deployer, it is important to verify that:

12.2. Security measure: no human intervention for significant processing

As both provider and deployer, it is important to verify that:

12.3. Security measure: refusal to grant data subjects their rights

As both provider and deployer, it is important to verify that:

12.4. Provide details on the action plan you intend to implement
12.5. How do you assess the severity of the risk, particularly in light of potential impacts and envisaged measures?
12.6. How do you assess the likelihood of the risk, particularly in view of threats, sources of risk, and envisaged measures?

13. Mitigation measures: quality and lawfulness of training data

13.1. Security measure: incorrect classification of training data

As both provider and deployer, it is important to verify that:

13.2. Security measure: unlawful processing of training data

As both provider and deployer, it is important to verify that:

13.3. Security measure: unlawful processing of sensitive or criminal data

As both provider and deployer, it is important to verify that:

13.4. Provide details on the action plan you intend to implement
13.5. How do you assess the severity of the risk, particularly in light of potential impacts and envisaged measures?
13.6. How do you assess the likelihood of the risk, particularly in view of threats, sources of risk, and envisaged measures?

14. Mitigation measures: unlawful and unsecured data transfer

14.1. Security measure: unlawful transfer of personal data

As both provider and deployer, it is important to verify that:

14.2. Provide details on the action plan you intend to implement
14.3. How do you assess the severity of the risk, particularly in light of potential impacts and envisaged measures?
14.4. How do you assess the likelihood of the risk, particularly in view of threats, sources of risk, and envisaged measures?

15. Opinion of data subjects

15.1. Have you received the opinion of data subjects or their representatives?
15.2. Indicate the opinion here

16. Opinion of the DPO

16.1. Have you obtained the DPO’s opinion?
16.2. Indicate the opinion here

17. Validation

17.1. The validation by the data controller is formalized.
17.2. Attach the signed analysis

The assessment must be signed by the data controller. In this case, it will be the organization’s legal representative or their authorized delegate.

Created at: 10/07/2025

Updated on: 10/07/2025

License: Creative Commons CC-BY-NC (Attribution / Non-commercial)

Author: Jérôme de Mercey
