GovCompass
Knowledge base

Art. 26.9 EU AI Act: DPIA obligation for high-risk AI

By Michel Venniker · Aligned with the consolidated EU AI Act, including the 2026 Omnibus amendments.

Art. 26.9 links the EU AI Act to the GDPR: where a data protection impact assessment (DPIA) is required under GDPR Art. 35, deployers of high-risk AI must use the information from the provider's documentation to support that assessment.

Updated: June 2026

Introduction: two frameworks, one impact assessment

Art. 26.9 creates an explicit link between the EU AI Act and the GDPR: "Deployers who are subject to obligations regarding data protection impact assessments under Regulation (EU) 2016/679 shall integrate the information relevant to the high-risk AI system into such impact assessment." In the consolidated text this is framed as a duty to use the information the provider supplies under Art. 13 (the instructions for use) when carrying out the DPIA, and the same duty applies to impact assessments under Art. 27 of the Law Enforcement Directive (Directive (EU) 2016/680).

This provision does not create a new standalone obligation; it extends the existing GDPR Art. 35 DPIA framework to cover the AI-specific elements the EU AI Act requires. For organisations already conducting DPIAs for AI-related processing, this means widening the scope of those assessments rather than starting a second one.

When is a DPIA required?

Under GDPR Art. 35(1), a DPIA is required when processing is likely to result in a high risk to individuals' rights and freedoms. Art. 35(3) itself names three kinds of processing for which a DPIA is always required, and the EDPB-endorsed WP29 guidelines add further criteria, two or more of which will generally trigger the obligation:

  • Systematic and extensive profiling with significant effects
  • Large-scale processing of special categories of data
  • Systematic monitoring of publicly accessible areas

High-risk AI systems under the EU AI Act will frequently trigger DPIA obligations under one or more of these criteria. A CV screening AI (Annex III, point 4) involves systematic profiling with significant effects on employment. A credit scoring system (Annex III, point 5(b)) involves profiling with significant financial effects.

What to include in the integrated DPIA

An AI Act-integrated DPIA should cover, in addition to the standard GDPR elements:

  • AI system classification: Risk class and classification rationale (Art. 6)
  • Technical characteristics: System architecture, training data provenance, performance metrics
  • Oversight arrangements: How human oversight is implemented, and which competent, trained persons it is assigned to (Art. 26.2)
  • Bias risk assessment: Analysis of potential demographic disparities in AI outputs
  • Input data quality measures: Data quality controls (Art. 26.4)
  • Retention of AI logs: Log retention policy (Art. 26.6)
  • Fundamental rights impact: For systems also requiring a FRIA under Art. 27, the analyses may be combined

Relationship with the FRIA

Art. 27 also requires a Fundamental Rights Impact Assessment (FRIA) from deployers that are bodies governed by public law or private entities providing public services, and from deployers of the credit-scoring and life and health insurance systems listed in Annex III, point 5(b) and (c). The DPIA and FRIA overlap significantly, and Art. 27(4) anticipates this: where any FRIA obligation is already met through a DPIA, the FRIA complements that assessment. Best practice is therefore a combined DPIA/FRIA that satisfies both requirements simultaneously, with clearly labelled sections for each framework.

Compliance checklist

  1. Have you identified all high-risk AI systems that also process personal data (bringing the processing within the GDPR)?
  2. Has a DPIA been conducted for each such system?
  3. Does the DPIA include the EU AI Act-specific elements listed above?
  4. Has the DPO been consulted during the DPIA, as GDPR Art. 35(2) requires where one is designated?
  5. Is the DPIA reviewed and updated when the AI system or its use case changes?
  6. Is the DPIA documented and accessible for supervisory review?

Legal references: Art. 26

More on Accountability

Art. 10 EU AI Act: data and data governance for high-risk AI

Reference

Art. 10 requires that the training, validation, and testing data for high-risk AI systems meets quality criteria: relevant, sufficiently representative, and as free of errors and complete as possible for the intended purpose. It also requires documented data governance practices covering collection, preparation, bias examination, and gap mitigation, and it permits the limited processing of special-category data where strictly necessary to detect and correct bias, under safeguards.

Art. 12 EU AI Act: record-keeping and logging for high-risk AI

Reference

Art. 12 requires high-risk AI systems to technically allow for the automatic recording of events (logs) over their lifetime. The logging must enable traceability of the system's functioning at a level appropriate to its intended purpose, support post-market monitoring, and help identify situations that may lead to risk or substantial modification. It is a design obligation on the provider that makes the system auditable by construction.

Art. 19 EU AI Act: keeping the automatically generated logs

Reference

Art. 19 requires providers of high-risk AI systems to keep the logs that the system automatically generates (under Art. 12) for as long as they control them, for a period appropriate to the intended purpose and at least six months unless other law requires longer. It is the retention counterpart to the Art. 12 logging capability, and it works alongside the deployer retention duty in Art. 26.6.

Art. 26.1 EU AI Act: following provider instructions as a deployer

Reference

Art. 26.1 requires deployers to use high-risk AI systems in accordance with the provider's instructions for use. This means using the system only for its intended purpose, within its specified technical configuration, and by qualified users, and documenting that compliance. A deployer that changes the system's intended purpose or substantially modifies it becomes a provider under Art. 25(1), with the provider obligations that entails.

More on Privacy

Art. 26.4 EU AI Act: input data quality for deployers

Reference

Art. 26.4 requires deployers of high-risk AI to ensure that input data is relevant and sufficiently representative for the system's intended purpose. The deployer is responsible for data quality in operation, even though the provider sets the specifications under Art. 10.

Control-level compliance: the EU AI Act as an instrumented system

Analysis

Control-level compliance means satisfying the EU AI Act through engineered, evidenced controls rather than policy documents. The technical articles translate directly into system controls: immutable logs (Art. 12, 19), a kill switch (Art. 14(4)(e)), data masking before the model (Art. 10), configurable block policies (Art. 26), risk scoring and incident reporting within deadline (Art. 9, 73), and workspace isolation with role-based access (Art. 14, 26). Compliance at this level is an instrumented system, not a policy as PDF.

EU AI Act and GDPR: how do the two regulations relate?

Guide

The EU AI Act and the GDPR create overlapping but distinct obligations for AI systems that process personal data. They align on data quality, impact assessments, transparency, and individual rights, but differ in scope, accountability roles, and incident-reporting timelines, so the efficient approach is integrated compliance, such as a combined DPIA/FRIA.