GovCompass

Art. 26.9 EU AI Act: DPIA Obligation for High-Risk AI

Updated: June 2026 — full revision to Validai quality standard

Introduction: Two Frameworks, One Impact Assessment

Art. 26.9 creates an explicit link between the EU AI Act and the GDPR: "Deployers who are subject to obligations regarding data protection impact assessments under Regulation (EU) 2016/679 shall integrate the information relevant to the high-risk AI system into such impact assessment."

This provision does not create a new standalone obligation — it extends the existing GDPR Art. 35 DPIA framework to encompass the AI-specific elements required by the EU AI Act. For organisations already conducting DPIAs for AI-related processing, this means expanding the scope of those assessments.

When Is a DPIA Required?

Under GDPR Art. 35, a DPIA is required when processing is likely to result in "high risk" to individuals' rights and freedoms. The EDPB has identified specific types of processing that always require a DPIA, including:

  • Systematic and extensive profiling with significant effects
  • Large-scale processing of special categories of data
  • Systematic monitoring of publicly accessible areas

High-risk AI systems under the EU AI Act will frequently trigger DPIA obligations under one or more of these criteria. A CV screening AI (Annex III, point 4) involves systematic profiling with significant effects on employment. A credit scoring system involves profiling with significant financial effects.

What to Include in the Integrated DPIA

An AI Act-integrated DPIA should cover, in addition to the standard GDPR elements:

  • AI system classification: Risk class and classification rationale (Art. 6)
  • Technical characteristics: System architecture, training data provenance, performance metrics
  • Oversight arrangements: How human oversight is implemented (Art. 26.2)
  • Bias risk assessment: Analysis of potential demographic disparities in AI outputs
  • Input data quality measures: Data quality controls (Art. 26.4)
  • Retention of AI logs: Log retention policy (Art. 26.6)
  • Fundamental rights impact: For systems also requiring a FRIA under Art. 27, the analyses may be combined

Relationship with the FRIA

For public sector deployers of high-risk AI, Art. 27 also requires a Fundamental Rights Impact Assessment (FRIA). The DPIA and FRIA overlap significantly. Best practice is to conduct a combined DPIA/FRIA that satisfies both requirements simultaneously, with clearly labelled sections for each framework.

Compliance Checklist

  1. Have you identified all high-risk AI systems that also process personal data (triggering GDPR jurisdiction)?
  2. Has a DPIA been conducted for each such system?
  3. Does the DPIA include the EU AI Act-specific elements listed above?
  4. Has the DPO been consulted in the DPIA process?
  5. Is the DPIA reviewed and updated when the AI system or its use case changes?
  6. Is the DPIA documented and accessible for supervisory review?

Legal references

Art. 26