GDPR · Art. 35

A DPIA that knows the AI system it governs.

EAB’s DPIA workflow is initiated directly from the processing activity record and draws on the AI system profile — risk classification, data governance documentation, and human oversight provisions are pre-loaded, not re-entered.

The assessment is structured, AI-assisted, and produces a sealed record linked to the processing activity and the AI system. The DPIA is not a form exercise — it is a governed workflow with a defensible output.

Art. 35 DPIA Workflow
  • Initiated from the VVT entry — context pre-loaded
  • AI-assisted risk identification & measure definition
  • DPO consultation step — structured & attributed
  • Residual risk assessment before approval
  • Sealed DPIA record linked to AI system & processing activity

The DPIA problem

“A DPIA conducted without context from the AI system it governs is not a DPIA. It is a form — and forms are what supervisory authorities look past.”

EAB Design Principle · Contextual Governance

The workflow

From VVT entry to sealed DPIA — one connected record.

The DPIA workflow in EAB begins from the processing activity record (VVT entry), not from a blank form. When a processing activity is identified as high-risk under Art. 35 criteria, EAB prompts initiation of a DPIA. The AI system linked to the processing activity is identified, and the relevant profile data — risk classification, training data governance, human oversight provisions, and the actor role — is pre-loaded into the assessment context.

Risk identification is AI-assisted: EAB identifies potential risks based on the system profile, processing purpose, and data categories involved. The assessor reviews, confirms, modifies, or adds risks — the AI suggestion is a starting point, not the final assessment. Each risk is documented with likelihood, severity, and affected rights categories.

DPO consultation is a structured step in the workflow, not a note field. The DPO reviews the draft assessment, provides a structured opinion, and the consultation is attributed and timestamped. The final DPIA record — including residual risk assessment and approval — is sealed and linked to both the processing activity and the AI system record. Both the GDPR and AI Act perspectives on the same system are in one place.

DPIA Record Contains
  • Context: Processing activity & AI system link
  • Risks: Identified risks — AI-assisted, reviewer-confirmed
  • Measures: Risk measures — defined, assigned, evidenced
  • DPO: Consultation record — opinion & attribution
  • Residual: Residual risk assessment before approval
  • Approval: Sealed record — supervisor identity & UTC

DPIA capabilities

Six DPIA workflow capabilities.

Part of the GDPR add-on module — available for Professional and Enterprise.

Art. 35(1)

High-Risk Processing Detection

EAB evaluates whether a processing activity requires a DPIA based on Art. 35 criteria — systematic evaluation, large-scale special category data, public monitoring. The obligation is triggered automatically, not identified manually.

AI-Assisted

AI-Assisted Risk Identification

Based on the processing activity, data categories, and linked AI system profile, EAB proposes an initial risk set. The assessor reviews and confirms — the proposal is a structured starting point, not an automated conclusion.

Integration

AI Act Context Pre-Loaded

The AI system's risk classification, data governance documentation, and human oversight provisions from the EU AI Act record are available in the DPIA context. The assessor does not re-enter information that already exists in the platform — and the connection between GDPR and AI Act obligations is explicit in the sealed record.

Art. 35(2)

DPO Consultation

The DPO consultation is a structured workflow step — not a free-text note. The DPO reviews the draft assessment, records their opinion, and the consultation is attributed and timestamped in the DPIA record. Prior consultation with the supervisory authority is flagged where Art. 36 applies.

Measures

Risk Measure Definition & Evidence

Each identified risk receives one or more defined measures. Measures are assigned to a responsible role, given a status, and evidenced. The residual risk after measures is assessed before the DPIA can be approved.

Record

Sealed DPIA Record

On approval, the DPIA is sealed — linked to the processing activity, the AI system, the supervisor who approved it, and the date. The record is immutable. Updates trigger a new version — the previous assessment remains in the history.

GDPR Module · Art. 35

DPIA as governance — not as paperwork.

Available as part of the GDPR add-on module for Professional and Enterprise. Connected to the same AI system record as the EU AI Act module.

EU-hosted · Anchored to CELEX 32024R1689
