Hael
FRAMEWORK

GDPR

Europe's data-protection law as it bites on AI: Article 22 on automated decisions, Article 35 DPIAs, and the data-governance duties that apply to training and inference.

Coverage updated 2 min ago
Coverage · GDPR
Framework coverage
86%
Coverage
Art. 22, Art. 35, Arts. 5/6
Obligations mapped
+4% wk
5
Files on record
Live · synced 2 min ago · 7-day trend
Recent activity
Annex IV v4 · Approved
FRIA v2 · Approved
Monitoring plan v1 · Draft
THE OBLIGATION

The AI obligations were in GDPR before “AI governance” had a name.

AI that makes decisions about people triggers GDPR directly: Article 22 governs solely-automated decisions with legal or similarly significant effects, and Article 35 requires a Data Protection Impact Assessment for high-risk processing — which most consequential AI is.

The lawful-basis, data-minimisation and transparency duties in Articles 5 and 6 apply to the data used to train and run models. These are live obligations with regulators already enforcing them.

At a glance
Applies to: Anyone processing EU residents' personal data with AI
Your likely role: Controller and/or processor
Key deadline: In force
Penalty exposure: Up to 4% of global annual turnover or €20m
ARTEFACTS

The files this framework actually requires.

GDPR names the assessments and safeguards. Hael generates the DPIA and the Article 22 safeguards record from the system's real configuration.

Files · Evidence pack
PDF · Data Protection Impact Assessment — Art. 35 · v3 · updated 2 min ago · Approved
PDF · Article 22 Safeguards Record · v2 · updated 14 May · Approved
PDF · Lawful Basis & ROPA Entry · v2 · updated 11 May · Approved
PDF · Data Minimisation Record · v1 · updated 04 May · Draft
PDF · Transparency Notice · v1 · updated 02 May · Approved

GRC tools tell you these are missing. Hael generates them — from each system's real configuration.

THE DIFFERENCE

A checklist tells you what's missing. Hael puts it on record.

A checklist flags a missing DPIA. Hael generates it — from the system's actual data flows.

Typical GRC tool
Data Protection Impact Assessment — Art. 35 · upload required
Article 22 Safeguards Record · upload required
Lawful Basis & ROPA Entry · upload required
Data Minimisation Record · upload required
Transparency Notice · upload required

Tracks the gap. You still author every document.

Hael
Data Protection Impact Assessment — Art. 35 · v3 · Generated 2 min ago
Article 22 Safeguards Record · v2 · Generated · Approved
Lawful Basis & ROPA Entry · v2 · Generated · Approved
Data Minimisation Record · v1 · Generated · Draft
Transparency Notice · v1 · Generated · Approved

Generated from each system's real configuration, versioned, and kept current as it changes.

HOW HAEL WORKS

Discover, classify, produce — for GDPR.

01 DISCOVER

Find the systems in GDPR scope, including embedded third-party AI.

Inventory · 14 systems
Credit scoring engine · high
HR screening bot · high
Salesforce Einstein · limited
02 CLASSIFY

Assess each against GDPR's risk tiers and obligations.

Risk tier
Prohib. · High · Limited · Min.
Role: Provider · Art. 9 · 11 · 14
03 PRODUCE

Generate the GDPR records, versioned and current.

Generated files
Annex IV v4 · Approved
FRIA v2 · Approved
Monitoring v1 · Draft
COVERAGE

Every obligation, mapped to the control that satisfies it.

Rows are the framework's clauses.

Columns are the controls and files that satisfy them.

Cells update as the underlying configuration changes.

Coverage Map · Obligation → Control
4 obligations · 4 controls · 86% covered
Columns (controls): DPIA · Art. 22 Record · ROPA · Transparency
Rows (obligations): Art. 22 Automated decisions · Art. 35 DPIA · Art. 5 Principles · Art. 6 Lawful basis
Art. 22 Automated decisions · DPIA · v3 · sealed
MAPPING

Clause by clause.

Obligation | What it requires | Hael control / file | Status
Art. 22 | Safeguards for solely-automated decisions | Article 22 Safeguards Record | Approved
Art. 35 | DPIA for high-risk processing | Data Protection Impact Assessment | Approved
Art. 5 | Principles incl. minimisation | Data Minimisation Record | Draft
Art. 6 | Lawful basis for processing | Lawful Basis & ROPA Entry | Approved
REUSE

Author once. Satisfy many.

The DPIA and data-governance records GDPR requires overlap heavily with the EU AI Act's data-governance article and ISO 42001's data controls. One data-governance record, several regimes satisfied.

→ shared evidence: EU AI Act · ISO/IEC 42001 · DORA
Trust & Security
SOC 2 Type II · ISO/IEC 27001 · EU & US data residency · SSO / SCIM · Encryption in transit & at rest · Audit logging

On record before the regulator asks, not reconstructed after a complaint.

Hael generates the DPIA, Article 22 safeguards and data-governance records from each system's real configuration.