Fundamental Rights, the EU AI Act & EU GDPR

We explain just what those 'fundamental rights' are in the EU AI Act and EU GDPR, including for the EU AI Act's Fundamental Rights Impact Assessment.

Fundamental rights

That term is littered throughout the EU AI Act and the EU GDPR, from their very first recitals, and the EU AI Act has added a new, key acronym for compliance practitioners: the FRIA, or the Fundamental Rights Impact Assessment.

So what are these ‘fundamental rights’?

 

Definition

Frustratingly, neither the EU AI Act (180 Recitals, 113 Articles and 13 Annexes) nor the GDPR (173 Recitals and 99 Articles) expressly defines ‘fundamental rights’.

While their recitals point us to EU Treaties and the Charter of Fundamental Rights of the European Union (which everyone just calls ‘the Charter’), it would have been good to have a definition such as ‘fundamental rights means the rights set out in the Charter’. No such luck.

Happily, however, the EU has a page on Fundamental rights in the European Union, with a ‘Legal instruments’ section confirming:

Your fundamental rights are protected in the EU at:

  • national level – by EU countries’ constitutional systems
  • EU level – by the EU Charter of Fundamental Rights.

Next, how comprehensive is the Charter?

 

The Charter

As the EU’s Agency for Fundamental Rights states:


The Charter of Fundamental Rights is the European Union’s bill of human rights. Its 50 articles bring together the rights and freedoms belonging to everyone in the EU.

The FRA’s website has the text of the Charter in an easily digestible format, along with case law and publications; it’s a great resource.

The EU, on its EU Justice site, helpfully confirms:

The Charter:

  • brings together all the rights (personal, civic, political, economic, social) enjoyed by people within the EU, in a single text
  • codifies them as a series of fundamental rights [and]
  • contains more recent rights, such as data protection and good administration.

So the EU itself states that the Convention brings together all the rights enjoyed by people within the EU into a single text, which makes life easier for practitioners – with the caveat that you always need to be aware of other rights (if any) provided under any Member State or other legislation or case law specific to your industry and use case. It goes without saying this is an EU Treaty, not to be confused with the ECHR (more on that below).

 

The Fundamental Rights

The Charter sets out the fundamental rights in 50 Articles gathered into 6 groups or ‘Titles’, with 4 more Articles in the 7th Title dealing with scope, interpretation, effect etc.

  • We’ve summarised the Titles and rights below. We’ve also put the whole English text of the Charter in a blog post for convenience, so you can run through the full list of rights in the Charter whenever you need to.
  • The EU has created an EU mobile app with the Charter, case law and relevant publications.
  • Note that Articles often contain more than one right, and often contain other relevant text.

Title 1: Dignity

Articles 1 to 5
Includes rights to human dignity and life, and the prohibition of torture and slavery, etc.

Title 2: Freedoms

Articles 6 to 19
Includes rights to liberty, respect for private and family life, protection of personal data, right to marry, freedoms of thought, conscience, religion, association, to engage in work, conduct a business, right to asylum etc.

Title 3: Equality

Articles 20 to 26
Includes equality before the law and between men and women, non-discrimination, rights of the child and the elderly and integration of persons with disabilities etc.

Title 4: Solidarity

Articles 27 to 38
Includes workers’ rights, prohibition of child labour, social security, health care, environmental protection, consumer protection, etc.

Title 5: Citizens’ Rights

Articles 39 to 46
Includes the right to vote and to stand as a candidate, to good administration, access to documents, freedom of movement and of residence etc.

Title 6: Justice

Articles 47 to 50
Includes the right to an effective remedy, a fair trial, presumption of innocence and right of defence etc.

Title 7: General Provisions Governing the Interpretation and Application of the Charter

Articles 51 to 54
Contains rules on the field of application, scope and interpretation of rights and principles etc.

 

Rights called out by the EU AI Act

It’s interesting (well, we think it’s interesting!) to see what rights are expressly referred to in the EU AI Act, not least as examples of the fundamental rights you should consider first and foremost when you carry out a Fundamental Rights Impact Assessment.

In its first Recital, the Act refers to democracy, the rule of law and environmental protection:

The purpose of this Regulation is to improve the functioning of the internal market by laying down a uniform legal framework in particular for the development, the placing on the market, the putting into service and the use of artificial intelligence systems … while ensuring a high level of protection of health, safety, fundamental rights as enshrined in the Charter of Fundamental Rights of the European Union (the ‘Charter’), including democracy, the rule of law and environmental protection ….

Other Recitals and Articles in the EU AI Act call out the following fundamental rights, or impacts on them (using the Act’s wording, which tracks but isn’t always identical to the Convention’s Articles, though it’s clear what they refer to):

  • The right to privacy, data protection, respect for private and family life, protection of personal data
  • The right to non-discrimination
  • The rights of the child, noting that children ‘have specific rights as enshrined in Article 24 of the Charter and in the United Nations Convention on the Rights of the Child, further developed in the UNCRC General Comment No 25 as regards the digital environment, both of which require consideration of the children’s vulnerabilities and provision of such protection and care as necessary for their well-being’
  • The right to dignity
  • The right to freedom of expression and information
  • The right to freedom of assembly and of association
  • The right to freedom of the arts and sciences
  • The right to education
  • The right to consumer protection
  • Workers’ rights
  • The rights of persons with disabilities
  • The right to gender equality
  • Intellectual property rights
  • The right to an effective remedy or redress
  • The right to liberty, a fair trial, the right of defence, the presumption of innocence
  • The right to good administration
  • The right to a high level of environmental protection
  • The right to access to and enjoyment of certain essential private and public services and benefits necessary for people to fully participate in society or to improve one’s standard of living
  • The right to social protection
  • Access to financial resources or essential services such as housing, electricity, and telecommunication services
  • Accountability
  • The right to international protection
  • The principle of non-refoulement, or to deny safe and effective legal avenues into the territory of the Union, including the right to international protection
  • The right to vote

 

Rights called out by EU GDPR

GDPR’s Recitals 1 and 4 confirm it’s not just about Privacy:

(1) The protection of natural persons in relation to the processing of personal data is a fundamental right. Article 8(1) of the Charter of Fundamental Rights of the European Union (the ‘Charter’) and Article 16(1) of the Treaty on the Functioning of the European Union (TFEU) provide that everyone has the right to the protection of personal data concerning him or her.

(4) … The right to the protection of personal data is not an absolute right … This Regulation respects all fundamental rights and observes the freedoms and principles recognised in the Charter as enshrined in the Treaties, in particular the respect for private and family life, home and communications, the protection of personal data, freedom of thought, conscience and religion, freedom of expression and information, freedom to conduct a business, the right to an effective remedy and to a fair trial, and cultural, religious and linguistic diversity.

As well as the broad and specific references to rights in Recital 4, the EU GDPR relies throughout on a catch-all reference to the fundamental rights and freedoms of data subjects, which is one of the most commonly used terms in GDPR. This reflects the foundational nature of the right to protection of personal data and the dangers when that right is not protected. As GDPR’s Recital 3 states:

[GDPR] is intended to contribute to the accomplishment of an area of freedom, security and justice and of an economic union, to economic and social progress, to the strengthening and the convergence of the economies within the internal market, and to the well-being of natural persons.

Of course, GDPR grants express rights to data subjects, such as:

  • the right to complain,
  • the right to compensation,
  • the right to mandate certain others to represent you in a claim, and
  • the extensive data subject rights such as access, erasure and objection (all of which you can nicely manage in Keepabl).

 

EU Treaties

GDPR’s Recitals refer to Art 16 and Art 114 of the Treaty on the Functioning of the European Union (TFEU).

  • Art 16 TFEU is essentially the same as Art 8 of the Convention, on the protection of personal data.
  • Art 114 TFEU is quite short, certainly not a long list of rights we can use to check against and, as far as we’re concerned here, it says that certain rights are to be protected when working on the establishment and functioning of the internal market, including the right to free movement, the rights of employed persons, and a high level of protection concerning health, safety, environmental protection and consumer protection.

The TFEU is one of the EU’s two foundational treaties (the other is the Treaty on European Union (TEU) which isn’t relevant here). You’ll see that the TFEU also has many Articles setting out fundamental rights such as equality, anti-discrimination and the right to vote. It sits alongside the Convention but, as we saw above, the EU itself notes that the Convention codifies such rights into a single document.

 

The Convention = a Treaty

While it is called a Convention, it became legally binding, with the same effect as an EU Treaty, when the Treaty of Lisbon came into force on 1 December 2009 (FRA).

Art 6(1) of the TFEU states:

The Union recognises the rights, freedoms and principles set out in the Charter of Fundamental Rights of the European Union of 7 December 2000, as adapted at Strasbourg, on 12 December 2007, which shall have the same legal value as the Treaties.

 

The ECHR

Art 6(2) of TFEU states that the EU ‘shall accede to The European Convention for the Protection of Human Rights and Fundamental Freedoms’ or the ECHR.

Despite its name, the ECHR is not an EU ‘thing’. For example, it’s been signed and ratified by the UK, Turkey and Russia.

  • ‘The European Convention on Human Rights (ECHR) is an international treaty launched by the Council of Europe in 1950 to help protect people’s human rights and fundamental freedoms.’
  • ‘The Council of Europe is not part of the European Union (EU). It is a separate international organisation, created in 1949, which promotes human rights, democracy and the rule of law.’

The ECHR ‘was opened for signature in Rome on 4 November 1950 and came into force on 3 September 1953’, brought into being in the aftermath of World War II and certainly predating the EU. ‘It was the first instrument to give effect to certain of the rights stated in the Universal Declaration of Human Rights and make them binding.’

All EEA Member States have signed the ECHR. As at 24 October 2025, the EU has not, though it’s expected to, and it’s obligated to under Art 6(2) of the TFEU.

 

Help for your FRIA

We hope this has been helpful in understanding what fundamental rights are for the EU GDPR and the EU AI Act, in particular the FRIA, the Fundamental Rights Impact Assessment required under Art 27. Now you know where to look for them, and how to think about them.

You should consider all the fundamental rights when you do your FRIA, but don’t worry: there aren’t that many, and you’ll be able to quickly write off rights that aren’t impacted and zero in on the rights that are most relevant to your use.

 

Assessments in Keepabl

While the AI Office is mandated under the EU AI Act to ‘develop a template for a questionnaire, including through an automated tool, to facilitate deployers in complying with their obligations under this [Art 27] in a simplified manner’, they’ve not done so at the time of writing, and you’ll want to draft yours outside that system until you’re happy.

You can build ANY assessment in Keepabl and it’s super simple and usable, as Gamma Communications found in creating its DPIA:

We created our DPIA template in Keepabl and our Users couldn’t believe how easy the template builder was to use. You can tell every bit of Keepabl is created with the end user’s experience in mind.

See how Keepabl can help you with DPIAs, FRIAs and many more – book your demo now! 

 

 

