---
title: "Custom AI for the DPO"
description: "A Data Protection Officer reviewing an AI system asks four questions: does it trigger Article 35 DPIA, what is the lawful basis under GDPR, where does it sit under the EU AI Act, and can the system su"
url: https://impetora.com/for/dpo
role: "Data Protection Officer"
audience: "Data Protection Officer"
trace_spine: "Trust"
author: Impetora
---

# Custom AI for the DPO

> Audience: Data Protection Officer. TRACE spine: Trust.

A Data Protection Officer reviewing an AI system asks four questions: does it trigger an Article 35 DPIA, what is the lawful basis under GDPR, where does it sit under the EU AI Act, and can the system support a data-subject rights request without forensic archaeology. Impetora designs every build to answer those four questions in writing before launch. GDPR Article 35 makes a DPIA mandatory for systematic large-scale or sensitive processing. Article 22 protects data subjects from solely-automated decisions with legal effects. AI Act Article 10 sets data and data-governance obligations for high-risk systems.

## What DPOs actually care about

### DPIA scope and trigger

AI systems involving systematic large-scale processing, special-category data, or automated decisions almost always trigger Article 35.

### Lawful basis

Consent, contract, legitimate interest, legal obligation, vital interests, or public task. Documented per processing activity.

### Data minimisation and purpose limitation

Only the fields needed, retention bounded, purpose locked. Built in, not retrofitted.

### Sub-processor register

Every party touching personal data is on the register, with category, residency, legal basis, and SCC position where relevant.

### Data-subject rights

Access, rectification, erasure, portability, objection, Article 22. Each supportable through the system.

### Cross-border transfer posture

Where personal data leaves the EEA, transfer impact assessments, SCCs, and adequacy decisions are in place.

## TRACE pillar focus

For DPOs, the spine is **Trust**. See https://impetora.com/methodology for the full TRACE framework.

## Use cases

### Customer support automation

Resolution drafts and escalation routing with documented lawful basis, full audit trail, clear rights-request path.

### Decision support

AI-augmented underwriting, claims, eligibility decisions designed around Article 22 safeguards.

### Internal knowledge AI

Grounded employee Q&A with permission-scoped retrieval avoiding unnecessary personal-data exposure.

### Document processing

Extraction with citation chain. Personal data processed only where the workflow requires it, retention bounded, purpose locked.

## What DPOs need from a partner, and what we ship

### DPIA template and pack

Drafted DPIA covering processing description, necessity and proportionality, risks, mitigations, residual risk.

### ROPA entries

Records of Processing Activities entries: controller, processor, categories of data subjects, categories of data, recipients, retention.

### Sub-processor register

Current list of third parties touching personal data, with category, residency, legal basis, transfer mechanism, and notification terms.

### Automated-decision exception flow

Article 22 human-review surface, contestation path, EDPB-aligned design pattern. Documented and exposed in the audit log.

### Data-minimisation evidence

Documented mapping of fields ingested, retention period, and purpose. Anything outside the envelope requires a written exception.

### Rights-request playbook

Documented procedure for SAR, rectification, erasure, portability, and objection. Tested with a sample request before launch.

## DPO questions, answered

### Will this trigger an Article 35 DPIA?

Almost always, yes. AI systems with systematic large-scale processing, special-category data, profiling, or automated decisions trigger Article 35 by default. We assume a DPIA is in scope and draft the pack in Discovery.

### How do you support data-subject rights requests?

The audit log captures every interaction involving personal data. Erasure supports targeted deletion by data-subject identifier. Rectification re-runs against the corrected upstream record. Article 22 contestation exposes the human-review surface as a first-class workflow.

### What is your sub-processor list?

Published at impetora.com/sub-processors and updated when changed. Per engagement, you receive an engagement-specific register at DPA signing covering data category, residency, legal basis, and transfer mechanism. You are notified under contract when the list changes.

### How do you handle cross-border data transfers?

EU regions by default. EU-resident inference where the provider supports it. Where data leaves the EEA: SCCs, a transfer impact assessment under Schrems II logic, and documented supplementary measures. Adequacy is used where available (UK, Switzerland, others).

### How do you align with AI Act Article 10?

Article 10 requires training, validation, and testing datasets to be relevant, representative, free of errors, and complete to the extent possible. Where we fine-tune or build retrieval pipelines on your data, we maintain documentation of provenance, processing operations, assumptions, availability, and known limitations. Where we use foundation models, we rely on the provider's documented Article 10 posture and capture it in the regulator-pack.

## Contact

Email: info@ainora.lt
Discovery: https://impetora.com/for/dpo#discovery-call
