EDPB AI Audit Checklist

Practical checklist for preparing an AI-related data protection audit by supervisory authorities – structured by GDPR principles, transparency, data subject rights and security requirements.

11 February 2026 · 4 min read

Tags: EDPB, AI Audit, GDPR, Supervisory Authority, Compliance, Self-Assessment

Overview

The European Data Protection Board (EDPB) coordinates the application of the GDPR across the EU and issues guidelines for data protection supervisory authorities. In the field of artificial intelligence, structured audits are becoming increasingly important.

Organisations should therefore not wait until a supervisory authority inquiry arrives before addressing audit questions. An internal AI audit checklist helps to identify regulatory weaknesses early.

This article provides a systematic self-assessment along key audit areas:

  • Legal basis
  • Purpose limitation and data minimisation
  • Transparency
  • Data subject rights
  • Security
  • Accountability

Legal Basis

Audit questions:

  1. Is a specific legal basis (Art. 6 GDPR) defined for each AI-related processing activity, i.e. separately for training, fine-tuning and inference?
  2. Is the legal basis documented?
  3. For special categories of personal data, has an exception under Art. 9(2) GDPR been identified and documented?
  4. Where Art. 6(1)(f) GDPR (legitimate interests) is relied on, has the balancing test been carried out and documented?

Typical Audit Focus

Unclear or blanket legal bases are among the most common points of criticism.

Purpose Limitation and Data Minimisation

Audit questions:

  1. Are the training purpose and the purpose of use clearly documented?
  2. Was only the data necessary for that purpose collected?
  3. Has any change of purpose (compatibility assessment under Art. 6(4) GDPR) been assessed and documented?
  4. Are retention periods defined for training data, prompts, logs and model outputs?

AI-specific review:

  • Is personal data collected for one purpose (e.g. service delivery) being reused for model improvement or retraining?
  • Has this purpose been communicated transparently to data subjects?

Transparency and Information Obligations

Audit questions:

  1. Does the privacy notice (Art. 13/14 GDPR) include AI-specific information?
  2. Is meaningful information about the logic involved in automated decisions provided in an understandable manner (Art. 13(2)(f), 14(2)(g) GDPR)?
  3. Are third-country transfers disclosed?
  4. Are retention periods and recipients (including AI service providers) clearly identified?

Comprehensibility

Supervisory authorities assess not only completeness but also comprehensibility.

Automated Decisions (Art. 22 GDPR)

Audit questions:

  1. Is a decision based solely on automated processing, including profiling, being made?
  2. Does the decision produce legal effects or similarly significantly affect the data subject?
  3. Can data subjects obtain human intervention, express their point of view and contest the decision (Art. 22(3) GDPR)?
  4. Has a DPIA been carried out?

Typical use cases:

  • Credit scoring
  • Recruiting AI
  • Performance assessment

Data Protection Impact Assessment (DPIA)

Audit questions:

  1. Has a DPIA screening (threshold check under Art. 35 GDPR) been carried out?
  2. Was a DPIA conducted where the processing is likely to result in a high risk?
  3. Is the risk analysis documented?
  4. Have the identified safeguards been implemented, and is the residual risk recorded?

Security and Technical Measures

Audit questions:

  1. Are access restrictions implemented (least privilege, role-based access to training data, model artefacts and inference endpoints)?
  2. Is training data stored in encrypted form, at rest and in transit?
  3. Are API accesses secured (authentication, authorisation, rate limiting, key rotation)?
  4. Are logging and monitoring processes in place, including for access to training data and for model inputs and outputs?
  5. Are sub-processors contractually secured (data processing agreements under Art. 28 GDPR)?

Cloud Risks

Unaudited sub-processor chains are a frequent audit point for AI services.

Third-Country Transfers

Audit questions:

  1. Is personal data processed outside the EU/EEA, including via API calls to external AI providers?
  2. For US recipients, does a certification under the EU-US Data Privacy Framework (DPF) exist?
  3. Otherwise, have Standard Contractual Clauses (SCCs) been concluded?
  4. Has a Transfer Impact Assessment (TIA) been carried out and documented?

Data Subject Rights

Audit questions:

  1. Can access requests (Art. 15 GDPR) be answered efficiently, including for data held in prompts, logs and training sets?
  2. Is erasure technically possible across all storage locations?
  3. Can an individual's data be removed from training datasets?
  4. Are processes in place for handling objections (Art. 21 GDPR)?

AI-specific challenge:

  • Individual data traces cannot simply be deleted from a trained model; removing them typically requires retraining without the affected data, so the organisation should be able to state what it can and cannot remove.

Accountability and Documentation

Audit questions:

  1. Is the record of processing activities (Art. 30 GDPR) up to date?
  2. Are AI systems explicitly listed in it?
  3. Are model training runs documented (data sources, dates, model versions)?
  4. Has a responsible person been designated for each AI system?

Interface with the EU AI Act

Although this checklist is primarily GDPR-focused, the following questions should also be addressed:

  1. Has an AI Act risk classification been carried out for each system?
  2. Has any system been identified as high-risk?
  3. Is the required technical documentation available?
  4. Has the need for a fundamental rights impact assessment (Art. 27 AI Act) been reviewed?

Compact Self-Audit Table

Audit Area                         Status (Yes/No)    Action Required?
---------------------------------  -----------------  ----------------
Legal basis documented
DPIA carried out
Transparency complete
Third-country transfers reviewed
Security measures implemented
Data subject rights enforceable

Typical Audit Risks in AI Systems

Risk                                Cause
----------------------------------  ------------------------------------------------
Lack of transparency                Unclear explanation of the logic involved
Unlawful change of purpose          Reuse of data collected for another purpose as training data
Unaudited third-country transfers   Use of external APIs without a transfer assessment
Missing DPIA                        High-risk scoring without a prior assessment
Unclear responsibilities            Lack of governance structure

Governance Recommendation

An internal AI audit checklist should:

  • Be worked through at least annually
  • Be updated whenever systems, models or data sources change
  • Be coordinated across disciplines (legal, data protection, security, engineering)

Early self-assessment significantly reduces the risk of formal findings by a supervisory authority.

Need help implementing?

Work with Creativate AI Studio to design, validate and implement AI systems — technically sound, compliant and production-ready.

Need legal clarity?

For specific legal questions on the AI Act and GDPR, specialized legal advice focusing on AI regulation, data protection and compliance structures is available.

Independent legal advice. No automated legal information. The platform ai-playbook.eu does not provide legal advice.

Next Steps

  1. Carry out an internal AI self-assessment.
  2. Document identified gaps.
  3. Prioritise high-risk areas.
  4. Implement missing safeguards.
  5. Prepare systematically for potential supervisory authority inquiries.
