Records of processing activities, DPIA workflows, profiles of technical and organisational measures (TOMs), and vendor governance, connected to the AI systems they govern rather than filed separately in a tool nobody checks before the audit.
When an AI system processes personal data, the GDPR and EU AI Act obligations overlap. EAB connects them in one record instead of requiring two separate compliance workflows to produce the same answer.
“A DPIA conducted without context from the AI system it governs is not a DPIA. It is a form.”
The GDPR module covers the operational obligations that most organisations manage in a spreadsheet, a standalone DMS, or a dedicated GRC tool, disconnected from the AI systems that actually process the personal data in question. EAB structures these obligations as governed workflows: each processing activity has a record, each processing activity likely to result in a high risk has a DPIA, and each vendor relationship has a documented contractual basis.
When you conduct a DPIA inside EAB, it has direct access to the AI system context: the risk classification result, the actor role, the training data characterisation, and the technical documentation. The assessment reflects the system as it actually operates — not a description someone wrote independently in a form tool.
At audit time, your GDPR and EU AI Act documentation share one record. An auditor who needs to verify both the GDPR Art. 35 DPIA and the EU AI Act Art. 9 risk management system for the same AI system does not need to reconcile two separate tools. The connection is already in the record.
Each capability is connected to the shared system inventory, evidence layer, and audit trail.
Structured VVT entries (Verzeichnis von Verarbeitungstätigkeiten, the Art. 30 record of processing activities) for every processing activity: purpose, legal basis, data categories, recipients, retention period, and the AI systems involved. Not a spreadsheet. A governed record with version history.
AI-assisted data protection impact assessments, initiated directly from the VVT entry. Risk identification, measure definition, DPO consultation, and approval are structured steps, each attributed to the person who performed it. Context from the linked AI system is pre-loaded.
When a processing activity involves an AI system, the GDPR record links to the EU AI Act record. Risk classification, actor role, technical documentation, and evidence are shared — not duplicated. One system, one record, both frameworks.
Technical and organisational measures (Art. 32) documented per processing activity: encryption, access control, pseudonymisation, incident procedures. Each measure is evidenced and linked to the obligation it satisfies.
Processor relationships documented with contractual basis, sub-processor chains, and review state. AVV status (Auftragsverarbeitungsvertrag, the Art. 28 data processing agreement) is tracked per vendor and linked to the processing activities that depend on it.
Legal basis per processing activity under Art. 6 (consent, legitimate interest, contract, legal obligation, and the other Art. 6(1) grounds), documented with justification and linked to the relevant VVT entry. Non-applicability is stated explicitly, not left blank.
Most organisations manage GDPR in one system and AI governance in another. When an auditor or supervisory authority asks about a specific AI system that processes personal data, the answer requires pulling from both — reconciling records that were never designed to connect.
In EAB, the connection is structural. The same AI system that is classified under the EU AI Act is the system that anchors the VVT entry, the DPIA, and the TOM profile. The risk management record under EU AI Act Art. 9 and the DPIA under GDPR Art. 35 are not two separate documents to reconcile; they are two views of the same governed record.
When the auditor arrives, you do not need to produce a GDPR folder and an AI Act folder and explain how they relate. EAB produces one record that contains both — with every decision attributed, every evidence item attached, and every connection explicit.
Available as an add-on for Professional and Enterprise. Shares one system inventory, one evidence layer, and one audit trail with the EU AI Act module.
EU-hosted · Anchored to CELEX 32024R1689 (Regulation (EU) 2024/1689, the EU AI Act)
Tell us about your organization and what you’re looking to address. We’ll follow up with the relevant information.