DPIA Summary
This is a plain-English summary of the Data Protection Impact Assessment (DPIA) we maintain for Echo — what Echo processes, the risks we assess, and how we mitigate them. The full DPIA, a fundamental-rights impact assessment and a Data Processing Agreement (DPA) are available to customers on request. This summary is not legal advice.
What Echo processes
Echo scores an individual’s decisions and behaviours inside realistic scenarios, measured against that person’s own baseline. It does not measure personality, identity or protected characteristics, and it does not rank people against colleagues.
How outputs may be used
By default Echo is a development tool. Where a client organisation chooses to enable it, Echo’s outputs may also inform people decisions — such as hiring, promotion or readiness — as one input to a decision made by a person. Enabling this is the client’s choice, not the individual’s.
Risks we assess
- Impact on individuals where scores inform employment-related decisions.
- Fairness and bias across groups.
- Transparency — whether people understand how they are assessed.
- Data minimisation and purpose limitation.
- Security and access.
How we mitigate them
- Human oversight. No decision with legal or similarly significant effects is ever based solely on automated processing (Article 22 GDPR; EU AI Act requirements for employment AI). A competent person with authority to reach a different outcome makes the final call.
- Individual rights. A person can ask for the logic to be explained, put their point of view, and contest a result and have it reconsidered by a person.
- Purpose & visibility set by the client. The client organisation defines the purpose and configures who can see scores (the individual, their manager, HR or a coach), and informs affected individuals where the law requires.
- Bias & validation. We apply bias and validation checks and review them over time.
- Records & data protection. We keep activity logs; data is minimised, encrypted in transit, access is role-based and least-privilege, and retention follows the customer agreement.
Roles & responsibilities
Who does what, in one view — this split applies to Echo deployments. For this marketing website itself, BioQuant IQ GmbH is the controller (see the Privacy Policy). Responsibilities are set out in full in the DPA.
| Role | Who | Responsibility |
|---|---|---|
| Provider (EU AI Act) · Processor (GDPR) | BioQuant IQ GmbH | Builds and operates Echo; processes personal data only on documented instructions; maintains the DPIA, bias & validation checks, security and activity logs. |
| Deployer (EU AI Act) · Controller (GDPR) | The client organisation | Decides purposes; configures competencies, score visibility and retention; informs affected individuals; owns every people decision. |
| Human reviewer | Named people on the client side | Scores inform development conversations; a competent person with authority to reach a different outcome makes any decision with legal or similarly significant effect. |
| Individual | The professional using Echo | Sees their own scores; can ask for the logic to be explained, put their point of view, and contest a result (GDPR/FADP rights). |
| Sub-processors | Hosting & AI infrastructure | Engaged under data-processing agreements; list available on request via the Privacy Policy contact. |
Ask us
For the full DPIA, a fundamental-rights impact assessment, the DPA or a sub-processor list, contact letustalk@bioquantiq.ch.