EU AI Act Compliance

DPIA vs FRIA EU AI Act: Do You Need Both, and When?

If your company uses AI that touches personal data, you may need both a GDPR Data Protection Impact Assessment and an EU AI Act Fundamental Rights Impact Assessment. Here's exactly when each applies and how to avoid doing double the paperwork.

· 6 min read · By

EU-law graduate (Maastricht University) · MSc International Tax Law (AI & technology). Builds AI systems and advises SMEs on EU AI Act compliance.

Two Assessments, One System, Real Confusion

The dpia vs fria eu ai act question is one of the most common ones HR Directors and Compliance Officers ask us. It is easy to see why. You deploy an AI tool for recruitment screening or employee performance monitoring. Someone flags that you need a DPIA under GDPR. Someone else says you also need a Fundamental Rights Impact Assessment under the EU AI Act. You wonder if these are the same document with different names, or two entirely separate exercises. They are neither. They overlap significantly, but they are not identical, and in some cases you genuinely need both.

This post gives you a clear side-by-side view, explains the legal basis for each, and shows you how to build one hybrid document that satisfies both obligations without doubling your workload.


What Is a DPIA and When Is It Required?

A Data Protection Impact Assessment is required under Article 35 of the GDPR whenever processing is likely to result in a high risk to the rights and freedoms of natural persons. Automated processing, systematic evaluation of individuals, and large-scale processing of sensitive data all trigger this obligation.

In practice, if you use AI to screen CVs, score employee performance, or analyse communication patterns, a DPIA is almost certainly mandatory. Your Data Protection Authority, such as the Dutch Autoriteit Persoonsgegevens or the Belgian APD/GBA, can and does audit for these. The AP published its enforcement priorities for 2024 and 2025 with explicit focus on AI and automated decision-making.

The DPIA asks: what are the risks to personal data, and how do you mitigate them? It looks at data flows, retention periods, lawful basis, data subject rights, and proportionality. It is privacy-centric.


What Is an FRIA and When Is It Required?

A Fundamental Rights Impact Assessment is a newer obligation introduced by the EU AI Act. Article 27 of the AI Act requires deployers of high-risk AI systems to carry out an FRIA before putting those systems into use.

Not every deployer. Article 27(4) specifies that public authorities must conduct the FRIA, and that certain private deployers operating high-risk AI in areas like employment, education, or access to essential services are also required to complete one. If you are a private employer using high-risk AI listed in Annex III of the AI Act for purposes like recruitment, task allocation, or performance monitoring, Article 27 applies to you.

The FRIA asks: what are the risks to fundamental rights broadly, including non-discrimination, dignity, and fairness? It is wider than the DPIA. It covers risks to people who may not even be data subjects in the traditional sense.

The deadline matters. High-risk AI systems already deployed before 2 August 2026 must be brought into compliance by that date. New high-risk systems must comply from the moment of deployment.


Side-by-Side: DPIA vs FRIA

DPIA (GDPR Art 35) FRIA (AI Act Art 27)
Legal basis GDPR 2016/679 EU AI Act 2024/1689
Triggered by High-risk data processing High-risk AI system (Annex III)
Focus Data protection, privacy Fundamental rights broadly
Who assesses Data Controller Deployer
DPO involvement Mandatory where DPO exists Recommended
When required Before processing begins Before deployment
Supervisory body Data Protection Authority National market surveillance authority
Reuse allowed N/A Yes, under Art 27(4)

The key insight: the DPIA and FRIA share significant common ground but are not substitutes for each other. You will often need both, and the AI Act explicitly acknowledges this.


The Article 27(4) Overlap Provision

This is the good news. Article 27(4) of the AI Act states directly that where a deployer has already carried out a DPIA under Article 35 of the GDPR, the FRIA shall be conducted in conjunction with that DPIA. You are not starting from scratch.

Specifically, you can reuse the following elements from your DPIA in the FRIA:

  • Description of the AI system and its purpose (identical in both)
  • Categories of individuals affected (data subjects map to rights-holders)
  • Data flows and processing logic (DPIA detail feeds FRIA system description)
  • Risk identification methodology (same structured approach)
  • Mitigation measures already identified (data minimisation, access controls, human oversight)

What the FRIA adds that the DPIA does not cover:

  • Assessment of non-discrimination and equality risks beyond personal data
  • Risks to freedom of expression, assembly, or access to justice
  • Impact on vulnerable groups who may not be direct users or data subjects
  • Alignment with the AI Act's transparency and human oversight requirements under Article 26

In short, your DPIA is a strong foundation. The FRIA builds one additional floor on top of it.


When You Definitely Need Both

You need a standalone DPIA and a separate (or integrated) FRIA when all of the following are true:

  1. Your AI system processes personal data at scale or in a sensitive category.
  2. The system is listed in Annex III of the AI Act as high-risk (employment, education, essential services, law enforcement, etc.).
  3. You are the deployer, not just a user of a third-party tool where all data stays with the vendor.

Common scenarios in SMEs:

  • Recruitment AI that scores candidates based on CVs or video interviews. High-risk under Annex III, para 4(a). Personal data involved. Both assessments required.
  • Performance monitoring software that tracks output, keystrokes, or communication sentiment. Annex III, para 4(b). Both required.
  • Credit or loan eligibility tools used by financial services SMEs. Annex III, para 5(b). Both required.

If your AI system does not involve personal data in any meaningful way, or if it is not classified as high-risk under Annex III, you may only need the DPIA (or neither). But for most SMEs in HR, finance, or healthcare, the overlap is real.


A Practical Hybrid Template Approach

The most efficient approach is a single combined document with clearly labelled sections. Structure it like this:

Section 1: System description (shared by both DPIA and FRIA) Name the AI system, its provider, its purpose, the categories of people it affects, and how decisions are made or supported.

Section 2: Data protection assessment (DPIA core, GDPR Art 35) Lawful basis, data minimisation, retention, data subject rights, security measures, DPO consultation.

Section 3: Fundamental rights assessment (FRIA core, AI Act Art 27) Rights at risk beyond privacy. Discrimination analysis. Impact on dignity, equality, access. Human oversight mechanisms under Art 26. Transparency measures under Article 50.

Section 4: Risk register and mitigations (shared) A single risk register referencing both frameworks. Each risk flagged by which instrument requires it to be addressed.

Section 5: Review schedule Both the DPIA and FRIA should be reviewed when the system changes materially, at least annually.

This format satisfies the Article 27(4) requirement to conduct the FRIA in conjunction with the DPIA. It also gives your DPA and market surveillance authority a single coherent document if they audit you.


One Action to Take This Week

Pull up the list of AI systems your company currently uses. For each one, answer two questions: does it process personal data, and is it in Annex III of the AI Act? If yes to both, you need a combined DPIA/FRIA before 2 August 2026 at the latest. Start the system inventory now, before the calendar fills up.

For a free 2-minute check on whether your AI tools require an FRIA, a DPIA, or both, use the compliance tool at comply.khairos.ai. It asks five plain-language questions and gives you a clear answer with no jargon.

Need help getting compliant?

The free 2-minute compliance check shows you exactly where your gaps are. No email gate to see your score.

Start the free check →