Herramienta gratuita

Generador de DPIA + FRIA

Ejecuta una evaluación de impacto relativa a la protección de datos del Article 35 del GDPR y la evaluación de impacto sobre los derechos fundamentales del Article 27 del EU AI Act en una sola pasada, con un registro de riesgos compartido, y exporta un único paquete de evidencia combinado. Todo en tu navegador.

¿Cuándo necesitas una DPIA para IA? Lee la guía de DPIA para sistemas de IA.

Completeness: 0%

Organisation (controller / deployer)

Assessor (name / role)

Section 1

GDPR Article 35(7)(a)

DPIA — Systematic Description of the Processing

Describe the processing operations and their purposes, including any legitimate interest pursued. This is the data-protection view of the same system the FRIA assesses for fundamental-rights impact.

Controller and DPO

Purposes of the processing

Categories of personal data

Flag any special-category (Art 9) or criminal-offence (Art 10) data.

Categories of data subjects

Retention and recipients

Section 2

GDPR Article 35(7)(b)

DPIA — Necessity & Proportionality

Assess the necessity and proportionality of the processing in relation to the purposes, the lawful basis, and the safeguards. Address automated decision-making under Article 22.

Lawful basis (Article 6) and conditions

Necessity and data minimisation

Automated decision-making (Article 22)

State whether decisions are solely automated with legal/similar effect, and the Art 22(3) safeguards.

Section 3

GDPR Article 35(7)(d)

DPIA — Measures to Address the Risks

Record the measures envisaged to address the risks, the safeguards and security measures, and any DPO advice or prior consultation with the supervisory authority (Article 36).

Safeguards and security measures

DPO advice and outcome

Review date

Section 4

Article 27(1)(a)

System Description & Intended Purpose

Describe the deployer's processes in which the high-risk AI system will be used, in line with the intended purpose defined by the provider.

AI system name and version

Provider and contact

Intended purpose (as defined by the provider)

Use the purpose stated in the provider instructions for use.

Deployer process where the system is used

Operational context and environment

Section 5

Article 27(1)(b)

Duration & Frequency of Use

Describe the period of time within which, and the frequency with which, the high-risk AI system is intended to be used.

Planned deployment start date

Expected duration

Frequency of use

Volume of decisions

Geographic scope

Section 6

Article 27(1)(c)

Categories of Affected Persons

Identify the categories of natural persons and groups likely to be affected by use of the system in the specific context.

Persons subject to AI-driven decisions

Third parties indirectly affected

Vulnerable groups requiring special attention

e.g. children, elderly, persons with disabilities, minorities, non-native speakers, low digital literacy.

Section 7

Article 27(1)(d)

Specific Risks to Fundamental Rights

Identify the specific risks of harm likely to impact the affected persons, taking into account the information provided by the provider under Article 13. Record each risk in the register below.

Fundamental rights potentially at risk

Provider information relied on (Article 13)

Risk register

No risks recorded yet. Add a row for each right or interest at risk, or load the worked example above.

Section 8

Article 27(1)(e)

Human Oversight Measures

Describe how human oversight will be implemented, in accordance with the instructions for use.

Designated oversight roles

Intervention capabilities

Qualifications and training

Section 9

Article 27(1)(f)

Measures if Risks Materialise: Governance & Complaints

Describe the measures to be taken if the identified risks materialise, including internal governance arrangements and complaint mechanisms.

Technical measures

Organizational measures

Complaint and redress mechanisms

Notification to the market surveillance authority

Article 27(3): notify the authority of the FRIA results, using the AI Office template once available.

Export one combined DPIA + FRIA evidence pack. Everything stays in your browser — nothing is uploaded.

DPIA y FRIA, alineadas

Los elementos de la DPIA del Article 35(7) y los elementos de la FRIA del Article 27(1) en un único flujo: sin trabajo duplicado entre los dos regímenes.

Un único registro combinado

Un registro de riesgos compartido y una sola exportación, para que tu evidencia de protección de datos y de derechos fundamentales se mantenga coherente.

Privado por diseño

Todo permanece en tu navegador. Nada de lo que escribes se sube, y tu evaluación combinada se exporta directamente a Markdown o JSON.

Aviso legal: Esta herramienta te ayuda a redactar una DPIA y una FRIA combinadas basadas en el Article 35 del GDPR y el Article 27 del EU AI Act. No constituye asesoramiento jurídico. Confirma tus obligaciones con asesores cualificados familiarizados con tu caso de uso.