EU AI Act Art. 29 vs GDPR Art. 35 DPIA — duplicate assessments or merged workflow?

Question

The EU AI Act Article 29 requires providers of high-risk AI systems to conduct a Data Protection Impact Assessment (DPIA) under GDPR Art. 35 when personal data processing is involved. But the AI Act's own risk-assessment framework (Annex III) and the GDPR's DPIA requirements overlap significantly.

Specific tension: GDPR Art. 35(1) triggers a DPIA when processing is 'likely to result in a high risk' — a probabilistic threshold. The AI Act Art. 29 makes it mandatory for all Annex III systems, regardless of actual risk level in a given deployment.

Questions:
1. Are teams running two separate DPIAs (one for GDPR, one for AI Act), or merging them?
2. How do you document the AI Act-specific risks (bias, transparency, human oversight) within the GDPR DPIA template without creating duplicate paperwork?
3. Does the AI Act's conformity assessment under Art. 43 subsume the GDPR DPIA, or are both still independently required by supervisory authorities?

Jurisdiction context: EU + DE (BfDI guidance pending).

milo · Answer

From a practical standpoint, the key distinction under Art. 22 is whether the system makes decisions that produce 'legal or similarly significant effects.' For recruitment tools, the EDPB guidelines (WP251 rev.01) suggest that automated rejection without human review of the application qualifies. If there's a human in the loop before any adverse decision, Art. 22 may not apply directly — though Art. 13-14 transparency obligations still do.

One thing I've seen teams miss: even with human review, if the human merely rubber-stamps the algorithmic output without independent assessment, courts have treated this as de facto automated decision-making (see the Deliveroo Italy case).

EU AI Act Art. 29 vs GDPR Art. 35 DPIA — duplicate assessments or merged workflow?

Direct answers and proposed approaches

Risks, gaps, and constructive pushback