
Audit template: Fundamental Rights Impact Assessment (FRIA) Questionnaire

AI

1. Initial Information for the Assessment

1.1. Company name
1.2. Postal address
1.3. Department involved and contact information
1.4. Intended purpose of the AI system
1.5. Name of the AI system
1.6. Evaluation start date
1.7. Evaluation time
1.8. Evaluation end date
1.9. Last update of this FRIA

2. AI System Description

2.1. Is the AI system a high-risk system as identified by Articles 6(2) and 27(1) of the AI Act?
2.2. If yes, explain how it fits the definition.
2.3. Is the AI system intended to be used in the area of Critical Infrastructures (point 2, Annex III)?
2.4. What kind of deployer are you?
2.5. In which specific process will the AI system be used?
2.6. What is the expected timeframe and frequency of the AI system's use?
2.7. Are you satisfied that you are a deployer of the relevant AI system and not a provider?
2.8. If not, explain. Note: for clarity on deployer/provider, see Articles 3(3) and 3(4) of the AI Act and Recital 13.
2.9. Are you satisfied that you are a deployer as identified by Article 27(1) of the AI Act?
2.10. If so, explain.
2.11. Are you, as the deployer of the AI system, established or located in the European Union?
2.12. Has the provider of the AI system submitted the information required under Article 13 of the AI Act?
2.13. If yes, please attach here.
2.14. Has the provider carried out a previous fundamental rights impact assessment?
2.15. If yes, please attach here.
2.16. Will the AI system have an impact on persons located within the Union?
2.17. If so, explain how.
2.18. Are you satisfied that the relevant system meets the definition of an AI system as contained in the official EU AI Office guidance?

3. Affected Individuals and Groups

3.1. Which categories of individuals or groups are likely to be affected by the AI system? Please list.
3.2. Are there any vulnerable or marginalized groups that may be disproportionately impacted?
3.3. If yes, please list them.
3.4. Does the activity involve the processing of large amounts of personal data, including special category data as defined by Article 9 GDPR?
3.5. If so, please outline the categories involved.

4. Fundamental Rights Impact Assessment

4.1. Which specific fundamental right is being assessed in this entry?
4.2. If the right to human dignity is affected, explain how.
4.3. If the right to liberty and security is affected, explain how.
4.4. If the right to respect for private and family life is affected, explain how.
4.5. If the right to protection of personal data is affected, explain how.
4.6. If the right to freedom of expression and information is affected, explain how.
4.7. If the right to non-discrimination is affected, explain how.
4.8. If another fundamental right is affected, please specify which right and how.

5. Risk Identification and Analysis

5.1. What are the specific risks of harm to fundamental rights that your AI system might pose, and what are their likelihood and severity of impact?

Copy & paste this table in your answer box.

Note that the risks should be analysed in relation to the specific trigger of your PIA.

| Risk (source and nature of potential impact) | Likelihood of harm (Remote, Possible or Probable) | Severity of impact (Low, Medium or High) | Overall risk (Low, Medium or High) |
|---|---|---|---|
| | | | |

6. Mitigation Measures

6.1. What technical measures will you implement to mitigate the risks identified for each individual right concerned?

Please address each affected right separately, including the necessary mitigation measures.

6.2. What organisational measures (e.g. policies, procedures) will you put in place to address potential impacts on fundamental rights?
6.3. Is there a way for a human to take control of the system if necessary?
6.4. If yes, please elaborate here.

7. Human Oversight and Training

7.1. Can you demonstrate considered human oversight in any/all systemic/high-risk operations of your AI system?
7.2. If so, please elaborate here.
7.3. How will human oversight be implemented in the operation of the AI system?
7.4. What training will be provided to staff involved in overseeing or operating the AI system?
7.5. Are your compliance/governance staff appropriately trained in AI compliance specifically for your AI systems, and is this demonstrable?
7.6. If so, please elaborate here (compliance/governance staff training).
7.7. Are the operators/developers of your AI systems trained in data protection/ethics?
7.8. If so, please elaborate here (operators/developers training).

8. Transparency and Explainability

8.1. How will you ensure transparency about the use of the AI system to affected individuals?
8.2. What mechanisms will be in place to explain AI-driven decisions to affected individuals? Outline all.
8.3. Is it clear how the AI system makes decisions/recommendations?
8.4. If so, please elaborate here.

9. Governance, Redress and Complaint Handling

9.1. What internal governance arrangements are in place in case risks materialise?
9.2. What procedures will be established for individuals to challenge decisions made / output produced by the AI system?
9.3. How will complaints related to fundamental rights impacts be handled and addressed?

10. Monitoring and Review

10.1. Is this the first version of the FRIA? How often will it be updated?
10.2. What key performance indicators (KPIs) will you use to monitor the AI system's impact on fundamental rights?

11. Stakeholder Consultation

11.1. Have you consulted with representatives of groups likely to be affected by the AI system?
11.2. If so, what feedback did you receive, and how has it been incorporated into your assessment?
11.3. Which relevant internal/external experts did you consult to support completion of the FRIA?

You may, for example, need to consult IT security experts, software developers, IT operations staff, human rights lawyers, and others.

12. Data Protection Impact Assessment (DPIA) Alignment

12.1. Has a Data Protection Impact Assessment under Article 35 GDPR already been completed on the relevant AI system?

If ‘Yes’, Article 27(4) of the AI Act allows you to partly rely on this risk assessment and to complement it with any additional detail that is required for the FRIA.

12.2. If yes, please attach here.
12.3. If yes, how have you ensured alignment between the DPIA and this FRIA?
12.4. Please describe alignment between the DPIA and this FRIA.

13. Documentation, Implementation and Reporting

13.1. How will you document the FRIA process and its outcomes?
13.2. How will you implement the risk measures identified in the FRIA into your project plan?
13.3. Who in your organization will be responsible for reporting the results of the FRIA to the relevant market surveillance authority?
Created on: 02/06/2026

Updated on: 02/06/2026

Licence: Creative Commons CC-BY-NC (Attribution / NonCommercial)

Author: Leïla Sayssa

Number of uses: 4

