Progress 0 / 22 questions answered

GDPR AI Requirements Checklist

Assess your AI system's GDPR compliance. 22 questions, 5 categories.

Legal Basis & Transparency

Legal basis and information obligations according to GDPR Art. 6, 13-14

Do you have an appropriate legal basis (GDPR Art. 6) for processing personal data used by AI models?

A legal basis according to GDPR Art. 6 is required for all personal data processing (e.g., consent, contract, legal obligation, legitimate interest).

No documented legal basis Partial legal basis (some data only) Full legal basis documented for all data

Do you inform data subjects that an AI system processes their data?

GDPR Art. 13-14: Data subjects must be informed about automated decision-making and the logic involved in AI operations.

No information provided General information provided Detailed, understandable information about AI logic

Does your privacy policy contain AI-specific information (purpose, logic, consequences)?

The privacy policy must include the purpose of AI application, its logic, and expected effects on data subjects.

No AI-specific section Mentioned but incomplete Detailed AI chapter with all requirements

Does your AI process only the strictly necessary personal data (data minimization)?

GDPR Art. 5(1)(c): Only the minimum amount of data necessary to achieve the purpose may be processed.

No data minimization performed Partially applied Full data minimization with regular audits

Data Subject Rights in AI

Ensuring data subject rights according to GDPR Art. 15-22 in AI context

Can data subjects access their personal data processed by AI?

Data subjects have the right to know what data the AI processes, with what logic, and what consequences.

No access provided Manual retrieval upon request Automated self-service access

Is data rectification and erasure ensured in the AI system?

GDPR Art. 16-17: Data subjects can request rectification or erasure, which must also apply in the AI model.

Cannot modify/delete Possible but complex and slow Automated process, takes effect immediately

Can data subjects object to AI-based automated decision-making?

GDPR Art. 22: Data subjects have the right to object to decisions based solely on automated processing.

No objection possible Objection possible but not in all cases Full right to object with human review

Can data subjects export their AI-processed/generated data in machine-readable format?

GDPR Art. 20: Data portability - data must be provided in a structured, machine-readable format.

No export option Upon request in PDF format Automated export in JSON/CSV format

Automated Decision Making & Profiling

Automated decision-making rules according to GDPR Art. 22

Are there fully automated decisions (without human intervention) that have legal or similarly significant effects on data subjects?

GDPR Art. 22 prohibits fully automated decision-making except in special cases (consent, contract, legal provision).

Yes, without human review Yes, but rarely and with limited impact No, or always with human review

Can humans review and change AI decisions?

GDPR Art. 22(3): The right to human intervention must be ensured in automated decisions.

No human review Only in exceptional cases All critical decisions reviewed by humans

Is the logic and parameters used in profiling transparent to data subjects?

Data subjects must be informed about profiling logic and applied categories (e.g., age group, interest categories).

No transparency General description available Detailed, understandable explanation personalized

Does the AI process special categories of personal data (racial/ethnic origin, political opinions, religion, health, sexual orientation, etc.)?

GDPR Art. 9: Processing special categories is generally prohibited, permitted only under special conditions.

Yes, without special protection Yes, with enhanced protection Does not process sensitive data

Data Protection & Security

Technical and organizational measures according to GDPR Art. 25, 32, 35

Was the AI system developed according to Privacy by Design and Privacy by Default principles?

GDPR Art. 25: Data protection must be built into the AI system's design and must operate at the highest level by default.

Not considered Partially implemented Fully integrated into development process

Was a Data Protection Impact Assessment (DPIA) conducted for the AI system?

GDPR Art. 35: DPIA is mandatory if processing likely results in high risk (automated decisions, large-scale processing, sensitive data).

No DPIA conducted Simplified risk assessment Comprehensive DPIA documented

Are personal data processed by AI adequately protected (encryption, access control)?

GDPR Art. 32: Controllers must implement appropriate technical and organizational measures to protect data.

No special protection Basic security (access restriction) Multi-layer protection (encryption, access control, auditing)

Is there a process for identifying and handling AI-related data breaches?

GDPR Art. 33-34: Data breaches must be reported to the supervisory authority within 72 hours and data subjects must be informed.

No breach handling process Process exists but not tested Documented, tested process with 72h notification

Are there GDPR-compliant contracts with processors involved in AI development/operation?

GDPR Art. 28: Written contracts with processors must include the subject, duration, and obligations of processing.

No appropriate contracts Contract exists but incomplete Full contract according to GDPR Art. 28

Accountability & Documentation

Accountability and record-keeping obligations according to GDPR Art. 5, 24, 30

Are AI processing activities documented in the record of processing activities?

GDPR Art. 30: Controllers must maintain records of processing activities (purpose, categories, time limits, recipients, security measures).

No record kept Exists but incomplete Complete, regularly updated record

Is there a designated Data Protection Officer (DPO) overseeing AI data processing?

GDPR Art. 37-39: DPO designation is mandatory for large-scale, regular, systematic monitoring or processing of sensitive data.

No DPO DPO exists but no AI-specific responsibility DPO actively oversees AI data processing

Does the AI system transfer personal data outside the EU (third country)?

GDPR Art. 44-50: Data may be transferred to third countries only with adequate safeguards (adequacy decision, SCC, BCR).

Yes, without adequate safeguards Yes, but with Standard Contractual Clauses (SCC) No transfer, or only to countries with adequacy decision

Is the AI model regularly audited from a data protection perspective?

Regular reviews are necessary for accountability to ensure AI compliance.

No audit Occasional internal review Regular (min. 1x/year) independent audit

Are there defined and enforced data retention periods for data processed by AI?

GDPR Art. 5(1)(e): Data must be kept only as long as necessary, then deleted.

No retention policy, unlimited storage Policy exists but not automated Automated deletion after retention period

Your AI Security Assessment

/100

📧 Get your results via email

We will send you the complete report with all answers and recommendations

I accept the Terms of Use.

Want a deeper analysis?

Our experts can help with a detailed AI Red Team audit

Schedule Free Consultation →

Is your AI system 100% GDPR compliant? T

ake our 3-Minute GDPR & AI Checklist! Using AI creates serious data privacy risks (e.g., profiling, automated decision-making). This quick audit helps you assess your compliance with GDPR’s AI-specific requirements, from data minimization to data subject rights.

Complete it in just 3 minutes and avoid heavy fines! We’ll email you the instant evaluation.