Kostenloses Tool

DPIA-+-FRIA-Generator

Führen Sie eine Datenschutz-Folgenabschätzung nach GDPR Article 35 und die Grundrechte-Folgenabschätzung nach EU AI Act Article 27 in einem Durchgang durch, mit einem gemeinsamen Risikoregister, und exportieren Sie ein einziges kombiniertes Nachweispaket. Vollständig in Ihrem Browser.

Wann benötigen Sie eine DPIA für KI? Lesen Sie den Leitfaden zur DPIA für KI-Systeme.

Completeness: 0%

Organisation (controller / deployer)

Assessor (name / role)

Section 1

GDPR Article 35(7)(a)

DPIA — Systematic Description of the Processing

Describe the processing operations and their purposes, including any legitimate interest pursued. This is the data-protection view of the same system the FRIA assesses for fundamental-rights impact.

Controller and DPO

Purposes of the processing

Categories of personal data

Flag any special-category (Art 9) or criminal-offence (Art 10) data.

Categories of data subjects

Retention and recipients

Section 2

GDPR Article 35(7)(b)

DPIA — Necessity & Proportionality

Assess the necessity and proportionality of the processing in relation to the purposes, the lawful basis, and the safeguards. Address automated decision-making under Article 22.

Lawful basis (Article 6) and conditions

Necessity and data minimisation

Automated decision-making (Article 22)

State whether decisions are solely automated with legal/similar effect, and the Art 22(3) safeguards.

Section 3

GDPR Article 35(7)(d)

DPIA — Measures to Address the Risks

Record the measures envisaged to address the risks, the safeguards and security measures, and any DPO advice or prior consultation with the supervisory authority (Article 36).

Safeguards and security measures

DPO advice and outcome

Review date

Section 4

Article 27(1)(a)

System Description & Intended Purpose

Describe the deployer's processes in which the high-risk AI system will be used, in line with the intended purpose defined by the provider.

AI system name and version

Provider and contact

Intended purpose (as defined by the provider)

Use the purpose stated in the provider instructions for use.

Deployer process where the system is used

Operational context and environment

Section 5

Article 27(1)(b)

Duration & Frequency of Use

Describe the period of time within which, and the frequency with which, the high-risk AI system is intended to be used.

Planned deployment start date

Expected duration

Frequency of use

Volume of decisions

Geographic scope

Section 6

Article 27(1)(c)

Categories of Affected Persons

Identify the categories of natural persons and groups likely to be affected by use of the system in the specific context.

Persons subject to AI-driven decisions

Third parties indirectly affected

Vulnerable groups requiring special attention

e.g. children, elderly, persons with disabilities, minorities, non-native speakers, low digital literacy.

Section 7

Article 27(1)(d)

Specific Risks to Fundamental Rights

Identify the specific risks of harm likely to impact the affected persons, taking into account the information provided by the provider under Article 13. Record each risk in the register below.

Fundamental rights potentially at risk

Provider information relied on (Article 13)

Risk register

No risks recorded yet. Add a row for each right or interest at risk, or load the worked example above.

Section 8

Article 27(1)(e)

Human Oversight Measures

Describe how human oversight will be implemented, in accordance with the instructions for use.

Designated oversight roles

Intervention capabilities

Qualifications and training

Section 9

Article 27(1)(f)

Measures if Risks Materialise: Governance & Complaints

Describe the measures to be taken if the identified risks materialise, including internal governance arrangements and complaint mechanisms.

Technical measures

Organizational measures

Complaint and redress mechanisms

Notification to the market surveillance authority

Article 27(3): notify the authority of the FRIA results, using the AI Office template once available.

Export one combined DPIA + FRIA evidence pack. Everything stays in your browser — nothing is uploaded.

DPIA und FRIA, aufeinander abgestimmt

Die DPIA-Elemente aus Article 35(7) und die FRIA-Elemente aus Article 27(1) in einem Ablauf – keine doppelte Arbeit über die beiden Regelwerke hinweg.

Ein kombinierter Nachweis

Ein gemeinsames Risikoregister und ein einziger Export, damit Ihre Nachweise zu Datenschutz und Grundrechten konsistent bleiben.

Datenschutz von Grund auf

Alles bleibt in Ihrem Browser. Nichts, was Sie eingeben, wird hochgeladen, und Ihre kombinierte Bewertung wird direkt nach Markdown oder JSON exportiert.

Haftungsausschluss: Dieses Tool hilft Ihnen, eine kombinierte DPIA und FRIA auf Grundlage von GDPR Article 35 und EU AI Act Article 27 zu entwerfen. Es stellt keine Rechtsberatung dar. Bestätigen Sie Ihre Pflichten mit qualifizierten Rechtsberatern, die mit Ihrem Anwendungsfall vertraut sind.