EU AI Act for Data Protection Officers
GDPR and the EU AI Act overlap precisely where AI meets personal data. As DPO you must ensure AI systems are documented in GDPR terms, DPIAs are carried out, and subprocessors are listed transparently. SimpleAct gives you the structural foundation to do that.
Typical challenges for DPOs
- AI systems appear in the processing register – but without a risk classification under the EU AI Act
- Who introduced which AI tool? Shadow AI is almost uncontrollable without a central inventory
- DPIA under Art. 35 GDPR for automated decisions – the factual basis (purpose, data types, risk class, human oversight) is missing
- Customers and clients ask whether all subprocessors are contractually covered
- The supervisory authority asks – and the DPO has no current, defensible overview
What this looks like in practice
The data protection authority asks whether a DPIA was conducted for the AI-assisted applicant tracking system. Without SimpleAct: three departments need to be queried individually about whether the system is high-risk, who the provider is, and what data is processed. With SimpleAct: the system is in the inventory, risk class is documented, subprocessors are listed – the DPIA data basis is ready.
What SimpleAct delivers for DPOs
Central AI inventory as data foundation
All AI systems in the organisation captured – with purpose, data types, processing location, and responsible parties. The foundation for DPIAs and the processing register.
Subprocessors made transparent
SimpleAct names its own subprocessors: Hetzner (Germany), Supabase (EU region Frankfurt), Stripe, and Brevo. A DPA under Art. 28 GDPR is in place. No third-country transfer takes place without safeguards.
Automated decisions documented
High-risk AI under the EU AI Act often intersects with Art. 22 GDPR, which restricts decisions based solely on automated processing that produce legal or similarly significant effects for a person. Whether meaningful human oversight exists therefore decides whether Art. 22 applies at all, so SimpleAct records it per system; a DPIA has to justify exactly that point.
Append-only audit log
Every change to an AI system record is timestamped and cannot be deleted or edited afterwards, so who changed what, and when, can be reconstructed for regulatory enquiries and for GDPR data subject requests.
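To make the audit-log property concrete, here is an added Python example. It is not SimpleAct's code and not a description of its implementation: it shows one defensible way to build an append-only log of changes to inventory records, in which each entry carries a timestamp, the actor, the system it concerns, and the SHA-256 of the previous entry, together with a verify routine that reports a deleted, modified or reordered entry. The hash chain, the field names, the function names and the sample entries for the applicant tracking system are all assumptions constructed for this example.

```python
"""Append-only, tamper-evident audit log for an AI-system inventory.

Added example; not SimpleAct's code. The hash chain is one possible
design for "timestamped and non-deletable", assumed here for illustration.
"""
import copy
import hashlib
import json
from datetime import datetime, timezone

GENESIS = "0" * 64  # prev-hash recorded in the very first entry


def _digest(body: dict) -> str:
    # Canonical JSON (sorted keys, no whitespace) so the hash does not
    # depend on key order or formatting.
    raw = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(raw).hexdigest()


class AuditLog:
    """In-memory append-only log of changes to AI-system inventory records."""

    def __init__(self):
        self._entries = []

    def append(self, actor: str, system_id: str, change: dict, when=None) -> str:
        """Record one change; returns the new entry's hash (the new head)."""
        ts = (when or datetime.now(timezone.utc)).isoformat()
        prev = self._entries[-1]["hash"] if self._entries else GENESIS
        body = {
            "seq": len(self._entries),   # position in the chain
            "ts": ts,                    # when the change was made
            "actor": actor,              # who made it
            "system_id": system_id,      # which inventory record
            "change": change,            # what changed
            "prev": prev,                # hash of the previous entry
        }
        entry = dict(body, hash=_digest(body))
        self._entries.append(entry)
        return entry["hash"]

    def head(self) -> str:
        """Hash of the last entry; keep a copy outside the system."""
        return self._entries[-1]["hash"] if self._entries else GENESIS

    def entries(self) -> list:
        # Deep copies: a caller can inspect but never mutate the log itself.
        return copy.deepcopy(self._entries)


def verify(entries: list, expected_head=None) -> tuple:
    """Return (True, None) or (False, reason) for a list of entries."""
    prev = GENESIS
    for i, e in enumerate(entries):
        body = {k: v for k, v in e.items() if k != "hash"}
        if body.get("seq") != i or body.get("prev") != prev:
            return False, f"entry {i}: chain break (entry removed or reordered)"
        if _digest(body) != e.get("hash"):
            return False, f"entry {i}: hash mismatch (entry modified)"
        prev = e["hash"]
    # Without an external reference, a log cut off at the end still verifies;
    # the externally stored head hash closes that gap.
    if expected_head is not None and prev != expected_head:
        return False, "head mismatch (log truncated or replaced)"
    return True, None


def history(entries: list, system_id: str) -> list:
    """Chronological field changes for one system: the DPIA data basis."""
    return [(e["ts"], e["actor"], e["change"]) for e in entries if e["system_id"] == system_id]


def build_sample_log() -> AuditLog:
    """Constructed sample for the applicant tracking system; not real data."""
    log = AuditLog()
    t = datetime(2025, 3, 3, 9, 0, tzinfo=timezone.utc)
    log.append("hr-lead", "ats-screening",
               {"field": "purpose", "new": "applicant pre-screening"}, when=t)
    log.append("hr-lead", "ats-screening",
               {"field": "data_types", "new": ["CV text", "contact data"]},
               when=t.replace(minute=5))
    log.append("dpo", "ats-screening",
               {"field": "risk_class", "new": "high-risk"}, when=t.replace(hour=10))
    log.append("dpo", "ats-screening",
               {"field": "human_oversight", "new": "recruiter reviews every automated rejection"},
               when=t.replace(hour=10, minute=15))
    return log


if __name__ == "__main__":
    log = build_sample_log()
    print(verify(log.entries(), expected_head=log.head()))
    for row in history(log.entries(), "ats-screening"):
        print(row)
```

Two practitioner caveats the page leaves open. A hash chain by itself proves nothing about entries cut off the end of the log, which is why verify also takes a head hash that the DPO keeps outside the system (for example in a periodic export). And "non-deletable" has to hold at the storage layer as well: the application role should have no UPDATE or DELETE privilege on the log table, or the log should go to write-once storage; application code that merely chooses not to delete is not evidence a supervisory authority can rely on.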
What you get as DPO
- Structured data basis for DPIA under Art. 35 GDPR
- Inventory of all AI systems including purpose and data types
- Subprocessor transparency with DPA documentation
- Evidence of human oversight for automated decisions (Art. 22 GDPR)
- Append-only audit log – timestamped, non-deletable
- EU hosting documented – no third-country transfer without safeguards
Frequently asked questions from DPOs
Does every AI system require a DPIA?
Not automatically. Art. 35 GDPR requires a DPIA where processing is likely to result in a high risk to individuals, and Art. 35(3)(a) names systematic evaluation of personal aspects based on automated processing, including profiling, with legal or similarly significant effects as one such case. The EU AI Act (Art. 26(9)) in turn points deployers of high-risk AI systems to the provider's instructions for use when carrying out that DPIA. So for high-risk AI that processes personal data a DPIA is frequently required, and SimpleAct provides the structured data for it.
Where is customer data stored?
Application layer at Hetzner Nuremberg (Germany), database at Supabase EU region Frankfurt. Hosting and database stay in the EU; no third-country transfer takes place without safeguards.
Is SimpleAct itself GDPR-compliant?
Yes. DPA under Art. 28 GDPR is in place. Processing register, subprocessor list, and security whitepaper are available.
What is the difference between the EU AI Act and GDPR for AI?
GDPR governs the processing of personal data, whoever or whatever performs it, AI included. The EU AI Act additionally governs risk classification, documentation, and governance of AI systems, regardless of whether personal data is involved. For high-risk AI that processes personal data both sets of requirements apply cumulatively.
Who counts as a deployer under the EU AI Act?
Under Art. 3(4) of the EU AI Act a deployer is any organisation (or natural person, authority, agency or other body) that uses an AI system under its own authority, except for use in the course of a personal, non-professional activity. Whether the organisation developed the system is irrelevant; buying in a third-party AI tool makes you its deployer. SimpleAct helps document these roles and responsibilities per system.
AI inventory and GDPR foundation in one
Create transparency across all AI systems – as the data basis for DPIAs, the processing register, and AI Act compliance.
Get started