GDPR + EU AI Act Applicability Wizard

A branching questionnaire that runs a client-side rules engine over your answers and returns a tailored obligation report — Article 22, DPIA, AI Act risk tier and Article 50/52 transparency duties, transfer flags, and DSAR-for-model-output exposure — each with a severity and a primary-source citation.

Answer in order. Later questions appear or disappear based on earlier answers (forward chaining). Nothing you enter leaves your browser. Reviewed 2026-05-17.

No data stored. Not legal advice.

Every answer is evaluated in your browser by a client-side rules engine. Nothing is sent to any server, no analytics run on this page, and no answers are persisted unless you copy the shareable link. This wizard maps your situation to obligations and primary sources to help you scope a review — it is not a substitute for advice from a qualified data-protection lawyer.

Are any of the people whose personal data your AI system processes in the EU/EEA (users, employees, or third parties named in inputs)?

Yes — EU/EEA data subjects are in scope No — no EU/EEA data subjects at all Not sure

Is your organisation established in the EU/EEA, or do you offer goods/services to (or monitor the behaviour of) people in the EU/EEA?

Established in the EU/EEA Not established, but I target / monitor EU/EEA people Neither

Does the system process personal data at all (anything that identifies or relates to an identifiable person — names, emails, IPs, behaviour, free-text that can mention people)?

Yes No — only synthetic / fully anonymised data

What is your role for this AI system under the AI Act?

Deployer — I use a model/system someone else built Provider of a general-purpose AI model (I train/release a foundation model) Provider of an AI system (I build & place a system on the market) Both deployer and provider

What does the LLM/AI actually do in your workflow? (select all that apply)

Hiring / CV screening / candidate ranking Credit scoring / lending decisions Insurance underwriting / pricing Content moderation / account action Customer support / eligibility checks Marketing personalisation / recommendations User-facing chatbot or voice agent Generates synthetic media (text/image/audio/video) Emotion recognition or biometric categorisation

Does the AI output decide, score, rank, accept, reject, or price something that affects a person (not just an internal draft nobody acts on)?

Yes — legal effect or similarly significant (eligibility, money, employment, access) Yes, but low-stakes / user can trivially get a different outcome No — output has no operational effect on anyone

Is there a human in the loop before that decision takes effect?

No human — the system acts automatically A human signs off, but reviews dozens/hour and rarely overturns A human reviews, but sees only the verdict, not the underlying data A human sees output + underlying data, has time and authority to overturn, override rate is non-trivial

If the decision is solely automated with significant effect, which Article 22(2) exception do you rely on?

Necessary for entering/performing a contract Authorised by EU/Member-State law Explicit consent of the data subject None / not sure

If a person contests an automated decision, is there an appeal route that does NOT run back through the same model, with a human who can overturn it?

Yes — documented, model-independent appeal channel No / not formalised

Do you train or fine-tune a model on user/customer data?

Yes — user data goes into training/fine-tuning No — inference only, provider contractually does not train on our inputs Not sure what the provider does with inputs

Can the model's outputs contain information about identifiable real people (names, claims, profiles), e.g. RAG over people-data or free-text about individuals?

Yes — outputs can describe / profile real people No — outputs never reference identifiable people

Does the processing involve special-category data (health, biometric, political, religious, sexual orientation, etc.) or data of children?

Yes — special-category data Yes — data of children / vulnerable people Both special-category and children/vulnerable Neither

Is personal data sent to a model provider or sub-processor outside the EEA (e.g. a US-headquartered LLM API)?

Yes — outside the EEA, provider NOT DPF-certified / unknown Yes — outside the EEA, but provider is DPF-certified No — EU-region inference endpoint only Not sure where inference runs

For that cross-border transfer, what lawful transfer mechanism is executed?

SCCs with a TIA and supplementary measures SCCs signed, but no TIA / no supplementary measures Relying on EU–US Data Privacy Framework adequacy None / not sure

Do you have, and monitor changes to, the provider's sub-processor list (infra regions, CDN, tooling vendors)?

Yes — list obtained, change notifications subscribed No / not tracked

If a data subject filed a DSAR / erasure request, could you identify and act on their personal data inside prompts, logs, retrieval stores, and any fine-tuned weights?

Yes — we can locate and delete across all of those Partly — prompts/logs yes, but not retrieval store or fine-tunes No real capability today

Related tools in this network

Other interactive tools across the network that pair well with this one.