Free Tool

DPIA + FRIA Generator

Run a GDPR Article 35 Data Protection Impact Assessment and the EU AI Act Article 27 Fundamental Rights Impact Assessment in one pass, with a shared risk register, and export a single combined evidence pack. Entirely in your browser.

When do you need a DPIA for AI? Read the DPIA for AI systems guide.

Completeness: 0%

Organisation (controller / deployer)

Assessor (name / role)

Section 1

GDPR Article 35(7)(a)

DPIA — Systematic Description of the Processing

Describe the processing operations and their purposes, including any legitimate interest pursued. This is the data-protection view of the same system the FRIA assesses for fundamental-rights impact.

Controller and DPO

Purposes of the processing

Categories of personal data

Flag any special-category (Art 9) or criminal-offence (Art 10) data.

Categories of data subjects

Retention and recipients

Section 2

GDPR Article 35(7)(b)

DPIA — Necessity & Proportionality

Assess the necessity and proportionality of the processing in relation to the purposes, the lawful basis, and the safeguards. Address automated decision-making under Article 22.

Lawful basis (Article 6) and conditions

Necessity and data minimisation

Automated decision-making (Article 22)

State whether decisions are solely automated with legal/similar effect, and the Art 22(3) safeguards.

Section 3

GDPR Article 35(7)(d)

DPIA — Measures to Address the Risks

Record the measures envisaged to address the risks, the safeguards and security measures, and any DPO advice or prior consultation with the supervisory authority (Article 36).

Safeguards and security measures

DPO advice and outcome

Review date

Section 4

Article 27(1)(a)

System Description & Intended Purpose

Describe the deployer's processes in which the high-risk AI system will be used, in line with the intended purpose defined by the provider.

AI system name and version

Provider and contact

Intended purpose (as defined by the provider)

Use the purpose stated in the provider instructions for use.

Deployer process where the system is used

Operational context and environment

Section 5

Article 27(1)(b)

Duration & Frequency of Use

Describe the period of time within which, and the frequency with which, the high-risk AI system is intended to be used.

Planned deployment start date

Expected duration

Frequency of use

Volume of decisions

Geographic scope

Section 6

Article 27(1)(c)

Categories of Affected Persons

Identify the categories of natural persons and groups likely to be affected by use of the system in the specific context.

Persons subject to AI-driven decisions

Third parties indirectly affected

Vulnerable groups requiring special attention

e.g. children, elderly, persons with disabilities, minorities, non-native speakers, low digital literacy.

Section 7

Article 27(1)(d)

Specific Risks to Fundamental Rights

Identify the specific risks of harm likely to impact the affected persons, taking into account the information provided by the provider under Article 13. Record each risk in the register below.

Fundamental rights potentially at risk

Provider information relied on (Article 13)

Risk register

No risks recorded yet. Add a row for each right or interest at risk, or load the worked example above.

Section 8

Article 27(1)(e)

Human Oversight Measures

Describe how human oversight will be implemented, in accordance with the instructions for use.

Designated oversight roles

Intervention capabilities

Qualifications and training

Section 9

Article 27(1)(f)

Measures if Risks Materialise: Governance & Complaints

Describe the measures to be taken if the identified risks materialise, including internal governance arrangements and complaint mechanisms.

Technical measures

Organizational measures

Complaint and redress mechanisms

Notification to the market surveillance authority

Article 27(3): notify the authority of the FRIA results, using the AI Office template once available.

Export one combined DPIA + FRIA evidence pack. Everything stays in your browser — nothing is uploaded.

DPIA and FRIA, Aligned

The Article 35(7) DPIA elements and the Article 27(1) FRIA elements in one flow — no duplicate work across the two regimes.

One Combined Record

A shared risk register and a single export, so your data-protection and fundamental-rights evidence stay consistent.

Private by Design

Everything stays in your browser. Nothing you type is uploaded, and your combined assessment exports straight to Markdown or JSON.

Disclaimer: This tool helps you draft a combined DPIA and FRIA based on GDPR Article 35 and EU AI Act Article 27. It is not legal advice. Confirm your obligations with qualified counsel familiar with your use case.