GDPR & EU AI Act Compliance
Veylant IA includes a built-in compliance module for GDPR Article 30 record-keeping, EU
AI Act risk classification, DPIA generation, and GDPR subject rights management. It is
designed to serve as the primary compliance tool for enterprise AI deployments.
GDPR Article 30 — Record of Processing Activities
Article 30 requires organizations to maintain a written record of all data processing
activities. For AI systems, this means documenting every use case where personal data may
be processed — including through third-party LLM providers.
Required ROPA Fields
| Field | GDPR Requirement | Example |
| --- | --- | --- |
| use_case_name | Name of the processing activity | Supplier contract analysis |
| purpose | Art. 5(1)(b) — purpose limitation | Automatic identification of risks in contracts |
| legal_basis | Art. 6 — lawfulness of processing | legitimate_interest |
| data_categories | Art. 30(1)(c) — categories of data subjects and data | ["name", "financial"] |
| retention_period | Art. 5(1)(e) — storage limitation | 3 years |
| security_measures | Art. 32 — security of processing | AES-256-GCM, PII anonymisation, audit logs |
| controller_name | Art. 30(1)(a) — controller identity | Acme Corp — dpo@acme.com |
| processors | Art. 30(1)(d) — recipients of data | ["Anthropic via Veylant IA proxy"] |
Legal Bases (Art. 6 GDPR)
consent — User has given explicit consent (Art. 6(1)(a))
contract — Processing necessary for a contract (Art. 6(1)(b))
legal_obligation — Required by law (Art. 6(1)(c))
vital_interests — Protecting someone's life (Art. 6(1)(d))
public_task — Public interest or official authority (Art. 6(1)(e))
legitimate_interest — Legitimate interests of the controller (Art. 6(1)(f))
EU AI Act Risk Classification
The EU AI Act (full enforcement from August 2026) classifies AI systems into four risk
categories. Veylant IA automates the classification via a 5-question questionnaire
(q1–q5), scoring each true answer as +1.
Forbidden (forbidden), score 5: deployment is prohibited. Examples: social scoring of individuals, real-time biometric surveillance in public spaces, AI that exploits vulnerable groups.
High risk (high), score 3–4: a conformity assessment is mandatory before deployment and a DPIA is required. Examples: AI in recruitment, credit scoring, educational grading, critical infrastructure.
Limited risk (limited), score 1–2: transparency obligations apply; users must be informed that they are interacting with an AI system. Examples: chatbots, recommender systems, automated customer service.
Minimal risk (minimal), score 0: minimal risk; a voluntary code of conduct is recommended. Examples: spam filters, AI-assisted search, content recommendation.
Data Protection Impact Assessment (DPIA)
A DPIA is mandatory under GDPR Art. 35 for high-risk processing activities. High-risk AI
systems under the AI Act (risk_level: "high") also trigger DPIA requirements.
Veylant IA generates a DPIA template PDF from any processing entry.
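As an added example (not Veylant IA's own code), the following TypeScript applies the 5-question scoring and the DPIA trigger described above and checks a processing entry for the eight ROPA fields listed earlier; only the risk_level code high appears in this guide, so forbidden, limited and minimal are assumed names, and the sample record is constructed.

```typescript
// Added example, not Veylant IA's own code. Of the four risk_level codes only
// "high" appears in the guide; "forbidden", "limited" and "minimal" are assumed names.
type LegalBasis = "consent" | "contract" | "legal_obligation"
  | "vital_interests" | "public_task" | "legitimate_interest";
const LEGAL_BASES = new Set<string>(["consent", "contract", "legal_obligation",
  "vital_interests", "public_task", "legitimate_interest"]);
type RiskLevel = "forbidden" | "high" | "limited" | "minimal";

interface RopaEntry {            // the eight Article 30 fields from the table above
  use_case_name: string; purpose: string; legal_basis: LegalBasis;
  data_categories: string[]; retention_period: string;
  security_measures: string; controller_name: string; processors: string[];
}
const TEXT_FIELDS = ["use_case_name", "purpose", "retention_period",
  "security_measures", "controller_name"] as const;

// Returns the defects found; an empty list means the record is complete.
function validateRopa(e: Partial<RopaEntry>): string[] {
  const problems: string[] = [];
  for (const f of TEXT_FIELDS) if (!e[f]?.trim()) problems.push(`${f} missing`);
  if (!e.legal_basis || !LEGAL_BASES.has(e.legal_basis)) problems.push("legal_basis is not an Art. 6 basis");
  if (!e.data_categories?.length) problems.push("data_categories empty");
  if (!e.processors?.length) problems.push("processors empty");
  return problems;
}

// q1..q5: each true answer scores +1; 5 = forbidden, 3-4 = high, 1-2 = limited, 0 = minimal.
function classifyRisk(answers: readonly boolean[]): RiskLevel {
  if (answers.length !== 5) throw new Error("questionnaire needs exactly q1..q5");
  const score = answers.filter(Boolean).length;
  return score === 5 ? "forbidden" : score >= 3 ? "high" : score >= 1 ? "limited" : "minimal";
}

// Deployment gate: forbidden systems are blocked outright; everything else needs a
// complete ROPA record, and high-risk systems additionally need a DPIA (Art. 35).
function deploymentDecision(entry: Partial<RopaEntry>, answers: readonly boolean[]): string {
  const level = classifyRisk(answers);
  if (level === "forbidden") return "blocked";
  const defects = validateRopa(entry);
  if (defects.length > 0) return `ropa_incomplete: ${defects.join("; ")}`;
  return level === "high" ? "dpia_required" : "allowed";
}
// Constructed sample record mirroring the example column of the ROPA table.
const SAMPLE_ENTRY: RopaEntry = {
  use_case_name: "Supplier contract analysis", purpose: "Automatic identification of risks in contracts",
  legal_basis: "legitimate_interest", data_categories: ["name", "financial"], retention_period: "3 years",
  security_measures: "AES-256-GCM, PII anonymisation, audit logs",
  controller_name: "Acme Corp (dpo@acme.com)", processors: ["Anthropic via Veylant IA proxy"],
};
```

A record that fails the gate should be fixed in the ROPA module before the DPIA template is generated, since the DPIA is built from that entry.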
Compliance Reports
All reports are available as PDF (default) or JSON (?format=json):
All accesses to compliance reports and audit logs are themselves logged. This satisfies
data protection authority requirements for meta-logging of sensitive data access.
PDF headers display the organisation name from server.tenant_name in config.yaml. Set this to your legal entity name before generating official compliance documents.
GDPR Subject Rights Workflow
Veylant IA provides endpoints for responding to GDPR Art. 15 (access) and Art. 17
(erasure) requests. Implement the following workflow for data subject requests:
Next Steps
See the Admin — Compliance API for full endpoint documentation with request/response schemas, or navigate to Dashboard → Compliance to use the visual interface.