Transparency rules in2 Aug 2026
Help center / Operational duties

When you need a DPIA

High-risk AI usually touches personal data, and that can require a data protection impact assessment under the GDPR. This is a GDPR duty the AI Act points you toward.

Updated May 2026

What the duty is

A data protection impact assessment is a structured look at how a system processes personal data and the risks that creates for people, with the safeguards you will put in place. It comes from GDPR Article 35, and the provider's system information helps you complete it.

When it applies

This is conditional. It applies when a system processes personal data and is likely to carry a high risk to people's rights, which covers most high-risk AI uses. Whether a DPIA is required in your case is a judgment for you and your data protection adviser.

Marking it done

Carry out the DPIA where it is needed, then mark the duty done on your roadmap. The related AI Act duty on input data is the Data Governance Procedure.

Veillo is compliance tooling, not a law firm. Even counsel-reviewed content is general reference, not legal advice on your specific situation.

Was this helpful?

Still need help?

Get in touch and a human will answer, or book a short walkthrough.

A note on cookies

We use strictly necessary cookies to run the site and keep it secure. With your OK, we also use privacy-respecting, EU-hosted analytics to see how Veillo is used. No advertising, no third-party trackers. Read our cookie policy.