EU AI Act + GDPR 2026: When Your AI System Needs Both a DPIA and a Conformity Assessment

Post #1404 in the sota.io EU AI Compliance Series — EU-AI-ACT-GDPR-DUAL-COMPLIANCE-2026 #1/5

August 2, 2026 is the EU AI Act's first major enforcement date for high-risk AI systems. But many SaaS developers are discovering that their AI compliance checklist doesn't start with the AI Act — it starts with an obligation they already have under GDPR: the Data Protection Impact Assessment (DPIA) under Article 35.

Two different laws. Two different assessment processes. One AI system that triggers both.

This guide cuts through the confusion. You'll learn exactly when your AI system requires a GDPR DPIA, when it requires an EU AI Act conformity assessment, and — critically — the six scenarios where you need both and how to run them without duplicating work.

The Two Assessment Regimes

Before mapping the overlap, you need to understand what each assessment is designed to do.

GDPR Article 35: Data Protection Impact Assessment

A DPIA is required when processing "is likely to result in a high risk to the rights and freedoms of natural persons." Under GDPR Article 35(3), three categories always require a DPIA:

1. Systematic and extensive evaluation of personal aspects based on automated processing, including profiling, which produces decisions that significantly affect individuals
2. Large-scale processing of special categories of data (health, ethnicity, religious beliefs, etc.) or data relating to criminal convictions
3. Systematic monitoring of publicly accessible areas on a large scale

The European Data Protection Board (EDPB) has also identified nine criteria that, when met in combination, indicate high processing risk. For AI systems, the most relevant are: automated decision-making with significant effects, systematic monitoring, innovative use of technology, and data processing that prevents individuals from exercising their rights or using a service.

A DPIA must describe the processing, assess necessity and proportionality, identify risks, and document the measures taken to address those risks. Crucially, if residual risk remains high after measures, you must consult your supervisory authority before proceeding.

EU AI Act Conformity Assessment

The EU AI Act (Regulation 2024/1689) requires conformity assessments for high-risk AI systems as defined under Article 6 and Annex III. These assessments verify that a high-risk AI system meets the requirements in Articles 9 through 17 before market placement.

Under Article 43, most high-risk AI systems in Annex III categories (employment, essential services, education, biometrics) can use self-assessment — an internal review against the AI Act's requirements. However, AI systems covered by specific EU harmonisation legislation (medical devices, machinery, aviation safety components) may require third-party conformity assessment bodies (notified bodies).

The conformity assessment documents compliance with:

• Article 9: Risk management system
• Article 10: Data and data governance
• Article 11: Technical documentation
• Article 13: Transparency and provision of information to deployers
• Article 14: Human oversight
• Article 17: Quality management system

The Overlap: Six Scenarios That Trigger Both

Scenario 1: Automated HR Decisions at Scale

What it looks like: An AI system that screens CVs, ranks candidates, and produces shortlists used by hiring managers to determine interview selections.

GDPR trigger: GDPR Article 22(1) prohibits solely automated decisions that produce significant effects on individuals — hiring/rejection decisions clearly qualify. If the system processes personal data at scale, Article 35(3)(a) directly applies.

AI Act trigger: Annex III, point 4(a) explicitly lists "AI systems intended to be used for recruitment or selection of natural persons" as high-risk.

Both required: Yes. The DPIA must document the automated decision-making basis, assess discrimination risks in training data, and ensure candidates have meaningful human review. The AI Act conformity assessment must verify the Art.9 risk management system addresses bias and error rates, and Art.14 human oversight ensures a qualified human can override AI recommendations.

Streamlining opportunity: The bias and discrimination risk analysis in your DPIA directly feeds into your Art.10 data governance documentation for the conformity assessment. Write it once, reference it in both.

Scenario 2: Employee Performance Monitoring and Promotion Decisions

What it looks like: An AI system that monitors employee productivity metrics (keystrokes, application usage, communication patterns) and feeds into performance scores used for promotion or termination decisions.

GDPR trigger: Systematic monitoring of employees' communication and work patterns constitutes large-scale processing with significant effects. EDPB guidelines on employee monitoring make clear this triggers a DPIA requirement.

AI Act trigger: Annex III, point 4(b) covers "AI systems intended to be used to make decisions affecting the conditions of work relationships." Point 4(c) covers task allocation and monitoring.

Both required: Yes. The DPIA must document employee consent or legitimate interest legal basis (noting that meaningful consent is questionable in employment contexts), assess workplace dignity risks, and establish proportionality. The conformity assessment must document Art.13 transparency obligations — employees must be informed that an AI system is being used to evaluate them.

Scenario 3: AI-Powered Credit Scoring or Loan Assessment

What it looks like: A fintech SaaS that uses machine learning to assess creditworthiness, generate risk scores, or recommend loan approval/rejection for financial institutions.

GDPR trigger: Credit decisions are "significant effects" automated decisions under Article 22. If the model uses any inferred categories (illness patterns from spending, ethnicity from names) it may process special category data. Article 35(3)(a) applies.

AI Act trigger: Annex III, point 5(b) covers "AI systems intended to be used to evaluate the creditworthiness of natural persons or establish their credit score."

Both required: Yes. This is one of the highest-risk dual-obligation scenarios. Your DPIA must document the right to explanation under GDPR Article 22(3). Your conformity assessment under Art.9 must include specific risk management measures for discrimination and model drift. DORA obligations may also apply if your customer is a financial institution.

Scenario 4: AI-Assisted Benefits Eligibility Assessment

What it looks like: A government SaaS platform that uses AI to assess applications for social benefits, housing priority, or healthcare entitlements.

GDPR trigger: Public sector processing of personal data for benefit eligibility assessments at scale triggers Article 35(3)(a) — systematic evaluation producing significant effects. Special categories of health data or economic status data are likely involved.

AI Act trigger: Annex III, point 5(c) covers "AI systems intended to be used to assess eligibility of natural persons for public benefit and social services."

Both required: Yes. DPIA must document the legal basis (public task under Article 6(1)(e)) and assess risks to vulnerable populations. Conformity assessment must document Art.14 human oversight in ways that allow case workers to review and override AI recommendations before decisions become final.

Scenario 5: Biometric Identification in SaaS Products

What it looks like: A SaaS platform that offers facial recognition, voice authentication, or fingerprint-based access control as a feature.

GDPR trigger: Biometric data is explicitly a special category under GDPR Article 9(1). Any processing of biometric data for identification purposes at scale requires a DPIA under Article 35(3)(b).

AI Act trigger: Annex III, point 1 covers real-time and post remote biometric identification systems. Note: real-time remote biometric identification is prohibited in public spaces under Article 5 except for narrow law enforcement exceptions.

Both required: Yes. The DPIA must identify the specific GDPR Article 9(2) exception that permits special category processing (typically explicit consent under 9(2)(a) or employment context under 9(2)(b)). The conformity assessment must document the technical safeguards in Art.10 for data quality and representativeness to prevent identification errors.

Scenario 6: AI-Powered Medical Symptom Checking or Health Risk Assessment

What it looks like: A digital health SaaS that uses AI to triage symptoms, estimate disease risk scores, or recommend care pathways for users.

GDPR trigger: Health data is special category data under Article 9. AI systems processing health data at scale for risk assessment trigger Article 35(3)(b) directly.

AI Act trigger: If the system is not a regulated medical device under MDR/IVDR, it may still fall under Annex III, point 5(a) if it makes assessments affecting access to healthcare services. If it qualifies as a medical device, Article 8 of the EU AI Act applies: medical device regulations provide a lex specialis pathway, but AI Act requirements still apply unless explicitly superseded.

Both required: Likely yes, with the medical device pathway potentially allowing integrated compliance documentation.

Unified Dual-Assessment Workflow

Running a DPIA and an AI Act conformity assessment separately creates significant duplication. The following workflow integrates both.

Phase 1: Trigger Assessment (Week 1)

Run the 20-item checklist below to determine which obligations apply. Document your conclusions with evidence.

Phase 2: Data Processing Inventory (Week 1–2)

Serves both: Both assessments require a complete picture of data flows.

Document:

• Categories of personal data processed (Art.10 EU AI Act + GDPR Art.35 DPIA prerequisite)
• Data sources and origin (training data, inference-time data)
• Retention periods and deletion procedures
• Sub-processors and data transfers

For AI systems, add the training/validation/test dataset split and any known demographic representation gaps. This document serves as the foundation for both Art.10 data governance (conformity assessment) and the DPIA data inventory section.

Phase 3: Risk Assessment (Week 2–3)

Primarily serves DPIA, feeds Art.9 risk management.

Map the risks to individuals:

• Error risks (false positives, false negatives and their consequences)
• Discrimination and bias risks (demographic performance disparities)
• Rights violation risks (denial of service, chilling effects on freedom)
• Security risks (data breach consequences)

For each risk: likelihood × severity = risk level. Document mitigations. Check whether residual risk is acceptable.

This risk mapping directly feeds the Art.9 risk management system's risk identification requirement. The mitigations you identify become Art.9 risk management measures.

Phase 4: Technical and Organisational Measures (Week 3–4)

Primarily serves Art.11–17, supplements DPIA.

Document the safeguards:

• Art.9: Risk management procedures, test sets, acceptance criteria
• Art.10: Data validation, bias testing, special category data safeguards
• Art.13: Documentation provided to deployers (accuracy metrics, known limitations)
• Art.14: Human oversight interface — what can the human reviewer see, override, escalate?
• Art.17: Quality management procedures, audit logs, version control

The organisational measures section of your DPIA draws directly from this work.

Phase 5: Consultation Decision (Week 4)

GDPR requirement: If your DPIA concludes residual risk remains high, you must consult your Data Protection Authority (DPA) under GDPR Art.36 before proceeding.

AI Act alignment: If your conformity assessment identifies unmitigable risks that call the system's lawfulness into question, escalation to a supervisory authority may also be required. Some NCAs will expect to see your DPIA as part of market surveillance audits.

Phase 6: Documentation and Sign-Off (Week 4–5)

Produce two documents:

1. DPIA report (GDPR Art.35 record, signed off by DPO where applicable)
2. Technical documentation file (EU AI Act Annex IV, referenced by conformity assessment)

Both documents reference the same underlying evidence: the data inventory, risk assessment, and measure documentation from Phases 2–4.

20-Item Decision Checklist

Work through this checklist before your next AI system launch.

GDPR DPIA Triggers

• Does the system make automated decisions that have legal or similarly significant effects on individuals?
• Does the system process data at scale about identifiable individuals?
• Does the system process special categories of data (health, biometrics, ethnicity, religion, political opinion, sexual orientation)?
• Does the system systematically monitor behaviour in publicly accessible areas?
• Does the system use personal data in a new or innovative way that individuals would not reasonably expect?
• Could the system prevent individuals from exercising their rights or using a service?
• Does the system involve vulnerable data subjects (children, employees, patients)?
• Does the system combine or cross-reference datasets in ways that create more comprehensive profiles than any single dataset?
• Has your DPA published a list of processing operations requiring a DPIA — and does your system appear on it?
• Has your DPO confirmed whether a DPIA is mandatory in writing?

EU AI Act Conformity Assessment Triggers

• Does the system fall into any of the Annex III high-risk categories (biometrics, critical infrastructure, education, employment, essential services, law enforcement, migration, justice)?
• Is the system used in a context where an Annex III use case applies, even if that is not the primary use case?
• Does the system affect the terms or continuation of an employment relationship?
• Does the system affect access to education, credit, benefits, or essential services?
• Is the system or a component of it a medical device under MDR/IVDR (requiring combined compliance pathway)?
• Do you have the Art.9 risk management system in place and documented?
• Do you have Art.11 technical documentation (training data description, architecture, performance metrics) complete?
• Has Art.13 transparency documentation been prepared for deployers?
• Does the system include an Art.14 human oversight mechanism that deployers can activate?
• If deploying rather than developing: have you verified that your provider has completed their conformity assessment and provided you with the Art.13 documentation?

What Happens If You Skip One

If you skip the DPIA: Enforcement by your national DPA. Fines under GDPR can reach €10 million or 2% of global annual turnover for Art.35 violations. More importantly, you cannot proceed with high-risk processing without a valid DPIA — meaning product deployment may need to pause.

If you skip the AI Act conformity assessment: Once the August 2, 2026 enforcement deadline passes, AI systems that are placed on the market or put into service without a conformity assessment violate Article 43. NCAs can order withdrawal from the market, prohibit use, and issue fines under Article 99 reaching €15 million or 3% of global annual turnover.

If you skip both: Both fines stack. You also face reputational risk and potential injunctions from data protection supervisory authorities.

Key Deadlines

Next in This Series

This is the first post in the EU-AI-ACT-GDPR-DUAL-COMPLIANCE-2026 five-part series covering the intersection of EU AI Act and GDPR for SaaS developers:

1. When You Need Both a DPIA and a Conformity Assessment (this post)
2. Art.10 Data Governance + GDPR Art.5: Aligning AI Training Data Requirements
3. Art.13 Transparency + GDPR Privacy Notices: What Deployers Must Tell Users
4. Human Oversight (Art.14) + GDPR Art.22 Right to Explanation: The Developer's Implementation Guide
5. Finale: Complete EU AI Act + GDPR Dual Compliance Toolkit for SaaS Teams

The August 2026 deadline is 64 days away. Start your dual assessment now — the six-week unified workflow above fits before the deadline if you begin this week.

sota.io helps European SaaS developers build on infrastructure that keeps data in the EU. Deploy on Hetzner Germany from €9/mo — no CLOUD Act exposure, no US parent company.