AI Act Data Quality and Management Procedure — Template

This procedure implements the data and data-governance requirements of Article 10 of Regulation (EU) 2024/1689 (the 'AI Act') for [aiSystemName] — a high-risk AI system within the meaning of Article 6. Intended purpose: [aiSystemPurpose]. The procedure is owned jointly by the AI Officer [aiOfficer] and the Data Steward [dataSteward], with input from the Data Protection Officer [dpoName] where personal data is processed. It enters into force on 2026-04-26 and is reviewed on or before [reviewDate] or upon any material change to the data inputs of the system.

Training, validation and testing data sets are subject to data-governance and management practices appropriate for the intended purpose of [aiSystemName], covering at minimum: relevant design choices; data collection processes and the origin of data, in the case of personal data the original purpose of the data collection; relevant data-preparation processing operations such as annotation, labelling, cleaning, updating, enrichment and aggregation; the formulation of assumptions, in particular with respect to the information that the data is supposed to measure and represent; an assessment of the availability, quantity and suitability of the data sets needed; examination in view of possible biases that are likely to affect the health and safety of natural persons, have a negative impact on fundamental rights, or lead to discrimination prohibited by Union law; appropriate measures to detect, prevent and mitigate possible biases; identification of relevant data gaps or shortcomings, and how those gaps and shortcomings can be addressed.

All data sources used to train, validate and test [aiSystemName] are documented with their origin, licensing or contractual basis, date range and any limitations on intended use. Where data is collected from data subjects, the GDPR lawful basis is recorded; where data is licensed from third parties, the licence terms and any restrictions on derivative use, redistribution or model training are recorded. Where data is obtained from publicly available web sources, technical and legal compliance with rights reservations expressed under Article 4(3) of Directive (EU) 2019/790 is documented. The data sources and their volumes are referenced from the AI System Inventory entry for [aiSystemName].

Training, validation and testing data sets are relevant, sufficiently representative, and to the best extent possible free of errors and complete in view of the intended purpose. They have the appropriate statistical properties, including, where applicable, as regards the persons or groups of persons in relation to whom the high-risk AI system is intended to be used. These characteristics of the data sets may be met at the level of individual data sets or at the level of a combination thereof. The data sets take into account, to the extent required by the intended purpose, the characteristics or elements that are particular to the specific geographical, contextual, behavioural or functional setting within which the high-risk AI system is intended to be used.

Bias evaluation is performed across protected groups under Union non-discrimination law and contextually relevant subgroups identified during the design phase. Evaluation covers selection bias, representation bias, measurement bias, aggregation bias and deployment bias, with quantitative metrics appropriate to the prediction task (demographic parity, equalised odds, calibration, false-positive/false-negative rate parity, etc.). Mitigation measures may include re-sampling, re-weighting, augmentation, fairness-aware training objectives, post-processing, or restriction of intended purpose. The selection of metrics and mitigations, and the residual disparities accepted, are documented and referenced from the technical documentation under Article 11.

Where strictly necessary for the purposes of ensuring bias detection and correction in relation to high-risk AI systems, providers of such systems may exceptionally process special categories of personal data referred to in Article 9(1) of the GDPR, subject to appropriate safeguards for the fundamental rights and freedoms of natural persons. Article 10(5) of the AI Act requires, in addition to the safeguards in the applicable Union law, that processing of other data, including synthetic or anonymised data, is not sufficient; technical limitations on the re-use of the personal data and use of state-of-the-art security and privacy-preserving measures (such as pseudonymisation) are applied; the special-category personal data are not transmitted, transferred or otherwise accessed by other parties; the special-category personal data are deleted once the bias has been corrected or the personal data has reached the end of its retention period; and records of processing activities under the GDPR include the reasons why processing was strictly necessary.

All data-governance steps, decisions and outcomes are recorded in the technical documentation file maintained for [aiSystemName] under Article 11 + Annex IV of the AI Act. The documentation includes: data-source inventories; preparation pipelines and code references; bias-evaluation reports with metrics and outcomes; mitigations applied and residual disparities; the rationale for any Article 10(5) special-category processing; data-retention and deletion policy; and links to the GDPR records of processing activities and any data-protection impact assessments. The file is held available for the supervisory authority [supervisoryAuthority] for ten (10) years after the system is placed on the market or put into service.

This procedure is reviewed at least annually, after every retraining of the model, after any material change to data sources or to the intended purpose, and after any incident or post-market monitoring finding that points to a data-quality issue. The Data Steward [dataSteward] reports the outcome of the review to the AI Officer [aiOfficer] and to the AI Ethics Review Board, and updates this procedure and the technical documentation accordingly. Where review identifies a material non-conformity, the corrective-action obligations of Article 79 apply and the supervisory authority [supervisoryAuthority] is notified through the post-market monitoring channel.