Key takeaways
- GDPR covers what you do with personal data. The EU AI Act covers the risks your AI system creates — regardless of whether personal data is involved.
- If your AI processes personal data AND operates in the EU, both laws apply simultaneously. They do not cancel each other out.
- GDPR compliance gives you documentation habits, DPO relationships, and data governance that transfers — but the AI Act demands a separate risk management system, technical documentation, and human oversight obligations that GDPR does not.
- Article 22 GDPR (automated decisions) gives individuals some AI-related rights today — but the AI Act's high-risk obligations go far beyond it.
What Each Law Actually Governs
The confusion between GDPR and the EU AI Act is understandable — both apply to AI systems in EU contexts, both come from Brussels, and both use the word "risk." But they answer fundamentally different questions.
GDPR — the data question
Governs the processing of personal data of EU residents. The trigger is personal data — if no personal data is involved, GDPR does not apply.
- Lawful basis for processing
- Data subject rights (access, erasure, portability)
- Data minimisation and purpose limitation
- Breach notification (72 hours to DPA)
- Data Protection Impact Assessments (DPIA)
- Cross-border data transfer restrictions
EU AI Act — the risk question
Governs AI systems by the level of risk they create. The trigger is how the system works and what it affects — personal data is not required.
- Risk classification (Prohibited/High/Limited/Minimal)
- Technical documentation and transparency
- AI-specific risk management systems
- Human oversight requirements
- Accuracy and robustness testing
- Fundamental Rights Impact Assessments (FRIA)
The practical result: if your AI system processes personal data about EU residents, you are subject to both laws at the same time. If it processes only anonymised data or no personal data at all, the EU AI Act may still apply — but GDPR will not.
The laws were designed to work alongside each other. Recital 9 of the EU AI Act explicitly acknowledges GDPR and states that the two frameworks are complementary. Where they overlap, both sets of obligations apply — you do not get to choose.
Where They Overlap: The AI Data Intersection
Most commercially significant AI systems do process personal data. CV-screening tools, customer churn models, credit risk systems, personalisation engines, healthcare diagnostics — virtually all of them feed on personal data. In those cases, the two laws interact in several important ways.
DPIA vs FRIA: related but not the same
GDPR Data Protection Impact Assessments (DPIA) are required when processing is "likely to result in a high risk to the rights and freedoms of natural persons." Most high-risk AI systems processing personal data will already trigger a DPIA requirement under GDPR.
EU AI Act Fundamental Rights Impact Assessments (FRIA) are required for deployers of certain high-risk AI systems under Article 27. FRIAs cover effects on fundamental rights including dignity, non-discrimination, privacy, free movement, and effective remedies — going beyond the privacy focus of a DPIA.
Lawful basis and AI training data
Training an AI model on personal data requires a GDPR lawful basis — typically legitimate interest (with a balancing test), consent, or contractual necessity. The EU AI Act adds a parallel requirement: the training data must meet quality criteria, be documented in technical documentation, and any bias or skew that could cause discriminatory outputs must be addressed.
GDPR's data minimisation principle (only process what you need) aligns well with AI Act accuracy requirements — but GDPR does not require you to document or test your model for bias, while the AI Act does for high-risk systems.
Article 22 GDPR vs AI Act human oversight
GDPR Article 22 gives individuals the right not to be subject to decisions based solely on automated processing that have a significant effect — hiring, credit, insurance, and similar. Where Article 22 applies, individuals are entitled to human review, an explanation, and the ability to contest.
The EU AI Act's human oversight requirements for high-risk systems (Articles 14–15) go further: they require that the AI system itself be technically designed to allow meaningful human intervention, with documented procedures and staff trained to act on that oversight. An Article 22 complaint procedure is not the same as building human oversight into the system's design.
Key Differences Side by Side
| Dimension | GDPR | EU AI Act |
|---|---|---|
| Trigger | Processing personal data of EU residents | Placing or using an AI system in the EU market |
| Core question | Is personal data handled lawfully and securely? | Is this AI system safe, transparent, and overseen? |
| Risk assessment | DPIA (when likely high risk to individuals) | FRIA (deployers of certain high-risk AI) |
| Human review rights | Right to request human review of automated decisions | Mandatory design-level human oversight built in |
| Transparency | Privacy notices, purpose explanation | Chatbot disclosure, deepfake labelling, AI-generated content marking |
| Technical requirements | Security measures; no specific AI system design requirements | Technical documentation, accuracy testing, bias analysis, logging |
| Maximum fine | €20M or 4% of global annual turnover | €35M or 7% of global annual turnover (prohibited practices) |
| Enforcement body | National Data Protection Authorities (DPAs) | National market surveillance authorities (+ AI Office for GPAI) |
| Key dates | In force since May 2018 | Prohibited practices: Feb 2025. High-risk / transparency: Aug 2, 2026 |
What GDPR Compliance Gets You — and What It Doesn't
If your organisation has done genuine GDPR compliance work, you have assets that transfer to the EU AI Act:
What carries over
Data processing inventories
Your GDPR Article 30 Record of Processing Activities documents what personal data flows through your AI systems, and it becomes the starting point for EU AI Act technical documentation on training data and inputs.
DPIA methodology and templates
Your team already knows how to run a structured risk assessment. The FRIA under the AI Act follows a similar methodology — document the system, identify affected groups, analyse potential harms, document mitigations.
Governance infrastructure
DPO relationships, legal review processes, and senior accountability for compliance decisions all translate to AI Act governance — you are adding a workstream, not rebuilding from scratch.
Vendor due diligence practices
GDPR data processor agreements have accustomed organisations to asking vendors hard questions. The AI Act deployer obligations require similar scrutiny of AI system providers — what technical documentation do they supply? What instructions for use?
What GDPR compliance does NOT cover
Technical documentation for the AI system itself
The AI Act requires high-risk AI providers to produce Annex IV technical documentation — architecture, training methodology, accuracy metrics, bias testing, performance on benchmarks. GDPR does not require any of this.
Automatic logging of system outputs
High-risk AI systems must generate logs that enable post-hoc review of outputs and the system's operation throughout its lifetime. GDPR has no equivalent requirement.
Conformity assessment and EU database registration
Certain high-risk AI systems must be registered in the EU AI Act public database before deployment. There is no GDPR equivalent. Self-assessment or notified-body assessment may be required depending on the category.
AI system-level risk management
The AI Act requires a living risk management system documented across the AI system's lifecycle — not just at deployment. GDPR's DPIA is a point-in-time assessment; AI Act risk management is continuous.
Transparency obligations beyond privacy notices
Article 50 of the AI Act requires chatbots to disclose they are AI, synthetic media to be watermarked, and emotion recognition systems to notify users. None of this is covered by GDPR's transparency requirements.
Practical Steps for Organisations Already GDPR-Compliant
If you have a functioning GDPR programme, here is how to extend it to cover the EU AI Act without duplicating work:
Extend your processing inventory to include AI system classification
Add a column to your Article 30 register: for each system that uses AI, note whether it might fall under Annex III (high-risk categories). Use the risk classifier tool to check each system.
Run a FRIA alongside any new DPIA for AI-involving processing
For any new AI system that also processes personal data, complete a DPIA and an AI Act FRIA together in one workflow. Separate them conceptually (different templates, different outputs) but do the fieldwork once — same stakeholder interviews, same system review.
Update vendor agreements to cover AI Act obligations
Your GDPR data processing agreements need a parallel AI Act annex for any vendor providing you with a high-risk AI system. Request: technical documentation (Annex IV), instructions for use, EU database registration number (where applicable), and a commitment to notify you of significant changes.
Add AI Act transparency checks to your privacy notice review cycle
When updating your privacy notices for GDPR accuracy, simultaneously audit whether any customer-facing AI (chatbots, recommendation systems, voice assistants) needs the Article 50 AI disclosure added. Both reviews can happen in the same annual governance cycle.
Assign your DPO or privacy lead as AI Act coordinator — provisionally
The AI Act does not require a designated "AI Officer" (unlike GDPR's DPO requirement), but someone needs to own it. Your existing DPO or privacy lead is the natural owner to start — they already have the governance instincts — while you assess whether dedicated AI Act expertise is needed.
Enforcement: Different Bodies, Potentially Simultaneous Investigations
GDPR is enforced by national Data Protection Authorities (DPAs) — the ICO in the UK, CNIL in France, BfDI in Germany, etc. The EU AI Act is enforced by national market surveillance authorities, which in most member states are separate bodies from the DPAs.
For GPAI model providers (companies building large AI models, not just deploying them), the EU AI Office has direct enforcement authority.
This means an AI incident — say, a biased hiring algorithm that disadvantages a protected group — could trigger two simultaneous investigations: your DPA investigating for GDPR breach (potentially discriminatory data use, lack of transparency, inadequate DPIA) and your national market surveillance authority investigating for AI Act breach (high-risk system without conformity assessment, inadequate human oversight). The €35M AI Act fine cap sits above the €20M GDPR cap; both can apply to the same incident. Plan your incident response to coordinate both.
Combined GDPR + AI Act Quick Compliance Checklist
For any AI system processing personal data about EU residents:
Frequently Asked Questions
We are fully GDPR-compliant. Does that mean we are also EU AI Act-compliant?
No. GDPR compliance tells you that your data handling meets EU privacy law — it says nothing about whether your AI systems are safe, transparent, or properly overseen under the AI Act. GDPR compliance is a valuable head start for documentation habits and governance, but the AI Act demands a distinct set of obligations that do not exist in GDPR.
Our AI system does not process any personal data. Does GDPR apply? Does the AI Act apply?
If there is genuinely no personal data (including indirectly identifying data), GDPR does not apply. The EU AI Act may still apply depending on the risk category — an AI system that controls physical safety infrastructure, for example, may be high-risk under Annex III even if it processes no personal data. Run the risk classifier to check.
Our DPA said our DPIA was adequate. Does that cover the AI Act FRIA?
No. DPAs assess GDPR compliance — they have no authority over the EU AI Act. An approved DPIA is useful evidence that you have thought seriously about risks, and the methodology transfers, but the DPA's assessment does not constitute AI Act compliance. The FRIA is a separate document with a different scope.
We are a UK company (post-Brexit UK GDPR). Does the EU AI Act still apply to us?
UK GDPR operates separately from EU GDPR, though they are closely aligned. The EU AI Act applies to any organisation that places AI systems on the EU market or whose AI systems affect EU residents — so a UK company providing services in Germany, France, or elsewhere in the EU is likely in scope for the AI Act regardless of its UK GDPR status.
Which fine is bigger — GDPR or the AI Act?
For the most serious violations, the AI Act imposes higher fines: up to €35M or 7% of global annual turnover for prohibited practices (vs GDPR's €20M or 4% cap). Both can be applied to the same incident by different authorities. For smaller violations the AI Act's lower tiers (€7.5M/1.5% and €15M/3%) are similar to GDPR's lower tier (€10M/2%).
We use a third-party AI tool (such as recruitment software with AI). Who is responsible under each law?
Under GDPR, you are the controller for the personal data you pass to the tool; the vendor is a processor, and you need a valid data processing agreement. Under the AI Act, the vendor is the provider (responsible for technical documentation, conformity, registration) and you are the deployer (responsible for human oversight, FRIA if applicable, and complying with the provider's instructions for use). Both responsibilities are real and simultaneous.