GDPR regulates personal data wherever it is processed; the EU AI Act regulates AI systems as products, with or without personal data. Most AI projects involving people must comply with both at once: GDPR for lawful data use and the AI Act for system classification, transparency, and oversight. Fines under the two regimes can apply in parallel.
EU AI Act vs GDPR: How the Two Laws Overlap and Differ
What Is the Difference Between the EU AI Act and GDPR
The two regulations answer different questions. The General Data Protection Regulation, applicable since 2018, asks: is this processing of personal data lawful, fair, and transparent toward the individuals concerned? The AI Act, Regulation (EU) 2024/1689, asks: is this AI system safe, trustworthy, and appropriately controlled for its purpose? GDPR follows the data; the AI Act follows the system. An AI model optimising machine maintenance with purely technical sensor data sits under the AI Act alone. A paper HR file involves GDPR alone. A CV-screening algorithm sits squarely under both: the candidate data engages GDPR, the system and its employment purpose engage the AI Act's high-risk regime. Neither law yields to the other; the AI Act states explicitly that it applies without prejudice to EU data protection law.
Side-by-Side Comparison
| Aspect | GDPR | EU AI Act |
|---|---|---|
| Object of regulation | Processing of personal data | AI systems and general-purpose AI models |
| Key roles | Controller, processor | Provider, deployer, importer, distributor |
| Approach | Principles applied to all processing | Risk tiers with obligations by category |
| Core tools | Lawful basis, transparency, rights, DPIA | Classification, conformity assessment, FRIA, registration, human oversight |
| Top fines | 20 million euros or 4 percent of worldwide turnover | 35 million euros or 7 percent for prohibited practices |
| Regulators | Data protection authorities | Market surveillance authorities and the AI Office |
| Applies since | May 2018 | Staged, February 2025 to August 2027 |
Where the Two Laws Meet in Practice
Almost any business AI that touches people creates a joint compliance surface. Training data: building or fine-tuning a model on customer or employee data requires a GDPR lawful basis, purpose compatibility analysis, and minimisation, while the AI Act adds data governance duties for high-risk systems, quality, relevance, and bias examination of training, validation, and testing sets. Operation: each prediction about a person is processing under GDPR and system output under the AI Act. Transparency: GDPR requires informing people about processing and automated decision-making; the AI Act layers on disclosure that one is interacting with AI, marking of synthetic content, and, for high-risk workplace systems, informing workers before use. Security: GDPR demands appropriate technical measures for the data; the AI Act demands accuracy, robustness, and cybersecurity of the system itself. Teams that map these pairs once can collect evidence that serves both files simultaneously.
Automated Decisions: Article 22 Meets the High-Risk Regime
GDPR's Article 22 gives individuals the right not to be subject to decisions based solely on automated processing with legal or similarly significant effects, subject to exceptions requiring safeguards including human intervention. The AI Act approaches the same scene from the system side: high-risk classification for employment, credit, education, and essential services, mandatory human oversight designed into the system, deployer duties to assign competent overseers, and a right for affected persons to obtain a clear and meaningful explanation of the role of a high-risk system in decisions affecting them. The combined effect is practical: a lender or employer running automated decisions needs a GDPR basis and safeguards for the decision, and AI Act controls for the system making it. Designing the human review step once, with real authority and documented competence, satisfies the core of both regimes; designing it as a rubber stamp satisfies neither.
DPIA and FRIA: Two Assessments, One Workflow
GDPR requires a data protection impact assessment where processing is likely to result in high risk to individuals, which captures most substantial AI deployments on personal data. The AI Act requires certain deployers of high-risk systems, public bodies, private operators providing public services, and deployers using high-risk AI for credit scoring or life and health insurance pricing, to conduct a fundamental rights impact assessment before first use, covering the deployment context, categories of affected persons, specific risks, oversight measures, and complaint channels. The Act explicitly anticipates the overlap: where a DPIA already covers elements, the FRIA complements rather than repeats it. The efficient pattern is one combined assessment template with a data protection section and a fundamental rights section, owned jointly by the privacy function and the AI system owner, updated when either the processing or the system materially changes.
Where the Laws Genuinely Diverge
Three divergences prevent full merger of the programmes. Scope: the AI Act covers systems processing no personal data at all, industrial, infrastructure, and scientific AI, where GDPR is silent; GDPR covers vast non-AI processing the AI Act ignores. Philosophy: GDPR is rights-based and largely self-executed by controllers, while the AI Act is product-safety law, with conformity assessment, CE marking, registration databases, and market surveillance imported from product regulation. Documentation style: GDPR records explain processing purposes and bases; AI Act technical documentation describes architecture, training, metrics, and risk management to an engineering standard. Organisations should expect the AI Act file to feel closer to product compliance than to privacy work, and staff the effort accordingly, pairing the privacy office with engineering rather than asking either to carry the Act alone.
Running One Combined Programme
Duplicated governance is the main avoidable cost in this space. A workable combined design has five elements. A single inventory listing systems, the personal data they process, GDPR bases, and AI Act classifications side by side. One intake process for new tools and use cases that triggers both analyses together. A combined impact assessment template as above. Vendor management that asks one questionnaire covering processor terms under GDPR and provider documentation under the AI Act, instructions for use, logging, incident notification. And one incident pathway, because a malfunctioning AI system that harms individuals will often be simultaneously a GDPR breach candidate, with its 72-hour notification clock, and an AI Act serious incident, with its 15-day provider reporting duty for high-risk systems. Companies that wired these together report that the AI Act added a manageable increment to mature GDPR operations, while companies running parallel silos pay roughly double for a worse outcome.
A Worked Example: One Recruitment Tool, Two Files
Consider a mid-sized employer that licenses a CV-screening tool from a software vendor. Under GDPR, the employer is the controller: it needs a lawful basis for processing candidate data, candidate-facing information about the processing and any automated decision-making, an Article 22 analysis if decisions are made solely by the machine, a data protection impact assessment, a processor contract with the vendor, and defined retention periods. Under the AI Act, the same tool is high-risk because employment screening sits in Annex III, the vendor is the provider, and the employer is the deployer: it must use the system according to the instructions for use, assign trained human oversight with real authority to intervene, ensure the input data under its control is relevant for the intended purpose, keep the automatically generated logs for at least six months, inform workers and their representatives before use, and be ready to explain the system's role in a decision to an affected candidate. Written out side by side, roughly half the evidence serves both files: the vendor's instructions for use feed the DPIA's description of the processing, the oversight design doubles as the Article 22 human-intervention safeguard, and one well-drafted notice to candidates can carry both laws' transparency content.
Penalty Structures Side by Side
| Feature | GDPR | EU AI Act |
|---|---|---|
| Top ceiling | 20 million euros or 4 percent of worldwide turnover, whichever is higher | 35 million euros or 7 percent, whichever is higher, for prohibited practices |
| Second level | 10 million euros or 2 percent | 15 million euros or 3 percent for most operator obligations |
| Third level | None | 7.5 million euros or 1 percent for misleading information to authorities |
| SME treatment | Discretionary, through proportionality factors | Structural: each fine capped at the lower of the fixed sum or the percentage |
| Who decides | Data protection authorities | Market surveillance authorities; the Commission for GPAI model providers |
One incident can engage both columns at once, because the laws protect different interests: a flawed automated decision can be unlawful processing under GDPR and a breach of high-risk duties under the AI Act, sanctioned by two different regulators. This is why incident response should notify the privacy team and the AI system owner simultaneously rather than sequentially.
Different Clocks: Why Timing Trips Teams Up
GDPR has applied in full since May 25, 2018; there is no transition left, and data protection authorities enforce with mature case practice. The AI Act is staged: prohibitions and AI literacy since February 2, 2025, general-purpose AI model duties since August 2, 2025, the broad high-risk and transparency wave from August 2, 2026, and rules for AI embedded in Annex I regulated products from August 2, 2027. Two planning consequences follow. First, never park a GDPR gap on an AI Act timeline; the data protection exposure is current regardless of when the related AI Act duty matures. Second, use the established GDPR machinery as the carrier: adding AI Act fields to an existing records-of-processing inventory and an existing DPIA template is far faster than building parallel structures from zero.
Frequently Confused Pairs
Four pairs cause most cross-regime mistakes. Controller and provider are not the same role: the controller decides why and how personal data is processed, while the provider develops and markets the system, and your vendor can be your GDPR processor while being the AI Act provider, with you as both controller and deployer. A personal data breach and a serious incident run on different clocks: the controller notifies a breach to the data protection authority within 72 hours, while the provider of a high-risk system reports a serious incident to the market surveillance authority as a rule within 15 days, so one event can start two different countdowns owned by two different companies. The DPIA and the FRIA are siblings, not twins: one centres on personal data and data subjects, the other on the deployment context and the fundamental rights of affected persons. And GDPR transparency is not AI Act transparency: telling people how their data is used does not by itself tell them they are talking to a machine or that content is synthetic.
A Ten-Minute Joint Health Check
Five questions reveal whether the two programmes are wired together. Does one inventory show, per system, the GDPR lawful basis next to the AI Act risk class? Does new-tool intake trigger both assessments from a single form? Can the privacy office name the AI Act role, provider or deployer, for the five most important systems? Would an incident tonight reach both the 72-hour and the 15-day owners before morning? And has anyone checked that vendor contracts cover both processor terms and the AI Act information duties? Each no is a seam where cost doubles and evidence falls between two stools; each yes is a sign the organisation is running one programme, which is the only economical way to live under both laws.
Check your AI compliance readiness — free.
Take the Readiness Check 3 minutes · 10 questions · no signup requiredThis article is for informational purposes only and does not constitute legal advice. Regulatory requirements change frequently — verify current rules with official sources. Built by Sawai Gyoseishoshi Office, Hiroshima, Japan.