AI Regulatory Intelligence, by YRproject


DPIA for HR AI: when is it mandatory and how do you combine it with the FRIA?

Adopted 2026-06-22 · ≈ 2 min read · Dirk Baaijen

A DPIA (Art. 35 GDPR) is mandatory for large-scale, systematic monitoring and for high-risk AI in HR. This article explains what it must contain and how to combine the DPIA with the FRIA (fundamental rights assessment, Art. 27 AI Act) into one process. It closes with a practical step plan.

Short answer: A data protection impact assessment (DPIA) is mandatory under Article 35 GDPR as soon as an HR AI application is likely to result in a high risk to the people concerned, which is almost always the case for large-scale or systematic monitoring and for high-risk AI. For those same applications the AI Act requires a fundamental rights assessment (FRIA) under Article 27. Do not run them separately but as one combined process: they overlap heavily and together produce a single well-founded file.

When is a DPIA mandatory?

Article 35 GDPR requires a DPIA for processing "likely to result in a high risk". In HR that threshold is reached quickly, in particular for:

  • Systematic and extensive evaluation of personal aspects, including profiling, on which decisions are based.
  • Large-scale processing of special categories of data.
  • Systematic monitoring of employees.

An AI system that scores performance, predicts behaviour or controls access almost always meets at least one of these criteria.

What must it contain?

The DPIA contains at least: a systematic description of the processing and its purposes; an assessment of necessity and proportionality; an assessment of the risks to the rights and freedoms of data subjects; and the measures envisaged to address those risks. If a high residual risk remains, prior consultation of the supervisory authority follows (Art. 36).

The interplay with the FRIA

For high-risk AI, Article 27 of the AI Act requires certain deployers, including public bodies and providers of essential services, to carry out a fundamental rights impact assessment (FRIA) before putting the system into use. Its scope is wider than data protection alone: it covers non-discrimination, human dignity and other fundamental rights. The AI Act expressly states that where a DPIA has already been done, the FRIA builds on it. The content of the assessment itself is covered in FRIA: fundamental rights assessment under Article 27.

One combined process

Because the DPIA and FRIA describe the same application, the same risks and largely the same measures, it is inefficient and confusing to produce two separate documents. Run one assessment that covers both legal requirements: the GDPR layer (data protection) and the AI Act layer (fundamental rights more broadly). Align this with the other high-risk obligations so the assessment fits the wider compliance picture.

Practical step plan

  1. Determine the need: is this large-scale/systematic monitoring or high-risk AI? If so, a DPIA is mandatory and possibly a FRIA too.
  2. Describe the processing: data, purposes, AI logic, data subjects, retention periods.
  3. Test necessity and proportionality: is there a less intrusive alternative?
  4. Assess the risks to privacy and to broader fundamental rights (discrimination, autonomy).
  5. Set measures: human oversight, bias checks, transparency, data minimisation.
  6. Secure the GDPR basis and transparency towards employees; see GDPR and employee data in AI.
  7. Consult the supervisory authority where a residual high risk remains, and repeat the assessment on changes.

One well-combined DPIA/FRIA process is not a paper duty but the place where you get the real risks of HR AI on the table, before the system goes into production.

Sources

  1. https://eur-lex.europa.eu/eli/reg/2016/679/oj
    Regulation (EU) 2016/679 (GDPR): Art. 35 (data protection impact assessment) and Art. 36 (prior consultation).
  2. https://eur-lex.europa.eu/eli/reg/2024/1689/oj
    Regulation (EU) 2024/1689 (AI Act): Art. 27 (fundamental rights impact assessment, FRIA).
