AI GDPR compliance checklist

In an era of rapid AI development, more and more organisations deploy systems based on AI models to improve operational efficiency and automate key processes. However, AI deployment raises significant legal challenges, particularly under the GDPR and the EU Artificial Intelligence Act.

To support organisations in this process, we created a comprehensive tool to assess quickly and effectively whether deployed AI systems comply with applicable rules. Our AI Checklist is a practical, intuitive solution that guides you step by step through key legal and technical aspects, enabling informed and lawful use of artificial intelligence.

Checklist structure

The checklist is divided into six sections covering the most important issues related to GDPR and AI. Before you proceed to the checklist, you can complete the metadata section the tool. It will help you document the key information about that tool.

General issues

The first section covers general issues such as legal basis, processing purposes, and categories of data subjects and data. This helps you inventory this important information. It can also support a data protection impact assessment (DPIA).

Relationship with the supplier

The second section concerns the relationship with the supplier that provides the tool. It mainly addresses re-use of data by the supplier, e.g. training its models on data relating to your customers, employees, etc.

Automated decisions

Using AI may lead to decisions based solely on automated processing or profiling within the meaning of Article 22 GDPR. The control questions and explanations help you assess whether the outcome of the AI system will amount to an automated decision.

Data quality

The "Data quality" section relates primarily to the principle of accuracy of personal data, but is also relevant to the principle of lawfulness and fairness.

Security

The "Security" section focuses on the safe use of the tool by employees in your organisation.

Accountability

The checklist ends with a section on accountability. Your organisation should not only comply, but also be able to demonstrate compliance. Helpful measures include data protection impact assessments, maintaining a record of processing activities, and internal policies.

Why is it worth ensuring AI compliance with the law?

Avoiding the risk of significant GDPR fines — infringements related to personal data processing in AI can result in penalties of up to tens of millions of euros.
Reducing legal and reputational risk — using artificial intelligence without adequate safeguards can undermine customer and business partner trust.
Preparing for the EU Artificial Intelligence Act — new EU rules will impose additional obligations on organisations deploying AI, so it is worth preparing now.

What does our tool offer?

A quick review of key compliance aspects — from legal bases to security and relationships with AI suppliers.
AI tool metadata — document essential information about the system being deployed to support audits and reporting.
A checklist divided into six key sections — covering legal bases, data security, profiling, automated decision-making, and relationships with AI suppliers.

Who is this tool for?

Organisations deploying ready-made AI solutions such as content generation tools, chatbots, data analytics systems, or decision-support tools.
Data protection and compliance specialists who need to verify that deployed AI solutions are compliant.
Managers and IT teams looking for effective tools to assess AI risk and compliance.

Check AI compliance with the GDPR

Metadata

Organisation

Details of person completing the checklist

Contact

Date and version number

Changes/notes

Tool name

Main function of the tool

Website

Documentation

Data processing agreement

Tool supplier

Type of supplier

Type of AI

AI model

Supplier's DPO

General requirements

Required

What legal bases may apply?

Are data subjects informed about data processing using AI?

What role does our organisation play?

For what purpose is the tool used?

What categories of data will be processed in the tool?

What categories of persons will be covered by this tool?

If special category data is processed, which exception may apply?

Relationship with the supplier

Required

Can the supplier use our data to train models?

Does the supplier have access to data entered by the organisation?

Can the supplier use data for other purposes?

Has a data processing agreement been concluded?

Does the supplier provide adequate guarantees of GDPR compliance?

Does a transfer of personal data take place?

Decision-making

Required

Does automated decision-making or profiling take place?

Is it possible to provide meaningful information about the logic involved in automated decision-making, as well as the significance and envisaged consequences of such processing for the data subject?

Human involvement. Is human intervention ensured in the case of automated decision-making?

Human involvement. Does the data subject have the right to express their own position and contest an automated decision?

Other appropriate measures.

Data quality

Required

How does the organisation ensure data accuracy?

How does the organisation ensure data minimisation?

How long is data retained?

Security

Required

Has a risk analysis been carried out?

Are separate administrator and user accounts in place?

Is login secured with an appropriate password and multi-factor authentication?

Does the administrator have control over users' use of the tool?

Are there logs documenting how the tool is used?

Accountability

Required

Has a DPIA been carried out?

Have processing activities been included in the record of processing activities?

Has the DPO's involvement been taken into account?

Are there internal AI policies?

Compliance checklist
AI & GDPR

30/06/2026

Document generated using the tool available at odo24.pl

1. Metadata

Organisation

No answer provided

Details of person completing the checklist

No answer provided

Contact

No answer provided

Date and version number

No answer provided

Changes/notes

No answer provided

Tool name

No answer provided

Main function of the tool

No answer provided

Website

No answer provided

Documentation

No answer provided

Data processing agreement

No answer provided

Tool supplier

No answer provided

Type of supplier

No answer provided

Type of AI

No answer provided

AI model

No answer provided

Supplier's DPO

No answer provided

2. General requirements

What legal bases may apply?

No answer provided

Are data subjects informed about data processing using AI?

No answer provided

What role does our organisation play?

No answer provided

For what purpose is the tool used?

No answer provided

What categories of data will be processed in the tool?

No answer provided

What categories of persons will be covered by this tool?

No answer provided

If special category data is processed, which exception may apply?

No answer provided

3. Relationship with the supplier

Can the supplier use our data to train models?

No answer provided

Does the supplier have access to data entered by the organisation?

No answer provided

Can the supplier use data for other purposes?

No answer provided

Has a data processing agreement been concluded?

No answer provided

Does the supplier provide adequate guarantees of GDPR compliance?

No answer provided

Does a transfer of personal data take place?

No answer provided

4. Decision-making

Does automated decision-making or profiling take place?

No answer provided

Is it possible to provide meaningful information about the logic involved in automated decision-making, as well as the significance and envisaged consequences of such processing for the data subject?

No answer provided

Human involvement. Is human intervention ensured in the case of automated decision-making?

No answer provided

Human involvement. Does the data subject have the right to express their own position and contest an automated decision?

No answer provided

Other appropriate measures.

No answer provided

5. Data quality

How does the organisation ensure data accuracy?

No answer provided

How does the organisation ensure data minimisation?

No answer provided

How long is data retained?

No answer provided

6. Security

Has a risk analysis been carried out?

No answer provided

Are separate administrator and user accounts in place?

No answer provided

Is login secured with an appropriate password and multi-factor authentication?

No answer provided

Does the administrator have control over users' use of the tool?

No answer provided

Are there logs documenting how the tool is used?

No answer provided

7. Accountability

Has a DPIA been carried out?

No answer provided

Have processing activities been included in the record of processing activities?

No answer provided

Has the DPO's involvement been taken into account?

No answer provided

Are there internal AI policies?

No answer provided

odo24.pl — AI GDPR compliance checklist

Disclaimer

The checklist is designed for organisations that want to use ready-made tools, mainly generative artificial intelligence. It does not cover situations in which the organisation:

Deploys its own tool
Develops and trains an AI model
Fine-tunes an AI model

The checklist concerns compliance with the GDPR. It does not cover the EU Artificial Intelligence Act or the requirements referred to therein.

Each processing operation is an individual case and may require additional assessments not covered by this checklist.
This is a supplementary and educational tool; the explanations provided do not constitute legal advice.
The checklist must not be used as the sole basis for decision-making by any entity or person using it at their own risk.

ODO 24 sp. z o.o. shall not be liable to any entity or person for any consequences arising from direct or indirect use of the checklist, in particular for damages including an obligation to pay compensation or compensation, administrative penalties, loss of benefits or other negative other negative consequences.