Annex I: Auditing AI tools
Home » AI » Step by step » Annex I: Auditing AI tools
[1]According to the Spanish Data Protection Agency, audits should cover a large list of items, namely:

  • The existence or not of personal data, profiling or automatic decisions on data subjects without human intervention.
  • The effectiveness of anonymization and pseudonymization methods.
  • The existence and legitimacy of the processing of special categories of data, in particular the inferred information.
  • The legal basis for the processing and the identification of responsibilities.
  • In particular, where the legal basis is the legitimate interest, assessment of the balance between the various interests and the impacts on rights and freedoms of the data subjects in the light of the guarantees adopted.
  • The information and the effectiveness of the transparency mechanisms implemented.
  • The application of the principle of proactive accountability and risk management for the rights and freedoms of the data subjects and in particular, whether the obligation or need for the execution of the DPIAs and, if so, their results.
  • The application of data protection measures by design and by default, such as:
    • the analysis of the need of the quantity and extension of personal data processing in the different stages of the AI developmen;t
    • the analysis of the accuracy, reliability, quality and biases of the data used or captured for the development or operation of the AI component, as well as the data cleansing methods used;
    • the monitoring and implementation of testing and validation processes concerning the precision, accuracy, convergence, consistency, predictability and any another metric of the goodness of the algorithms used, profiled and the inferences made. In addition, checking that these parameters meet the processing requirements.
  • The adequacy of security measures to avoid risks to privacy.
  • The training and education of the staff of the controller linked to the development or implementation of the IAI component, where appropriate, in the latter case with particular attention to the correct interpretation of the inferences.
  • The need and, where appropriate, the capacity of the DPO.
  • The incorporation of mechanisms to ensure attention to the rights of data subjects, in particular the ex officio deletion of personal data, with special attention to the rights of minors.
  • The compliance with the limitations on automatic decisions without human intervention, the evaluation, where appropriate, of the quality of human intervention and the monitoring mechanisms adopted. In particular, when the legal basis is the explicit consent, identification of the guarantees adopted to determine whether the consent is free.
  • The application of the guarantees established in Chapter V of the GPRS in the case of international data transfers.




1AEPD (2020) Adecuación al RGPD de tratamientos que incorporan Inteligencia Artificial. Una introducción. Agencia Espanola Proteccion Datos, Madrid, p. 45-47. Available at: (accessed 3 June 2020).


Skip to content