EU AI Act vs GDPR: Key Differences and Overlaps

AI Comply HQ Team | 15 min read

People keep asking us to pick one. GDPR or the EU AI Act, which one applies? The honest answer is both, at the same time, the moment your AI system touches personal data inside the European Union. These are two separate laws with two different jobs, and they overlap more than most teams expect. Miss where they meet and you end up with two problems: gaps a regulator can walk straight through, and the same work done twice because nobody mapped the two regimes against each other.

So we wrote this to do exactly that. A clear side-by-side of where the two laws agree, where they split, and how to build one compliance approach that answers both.

Scope: What Each Regulation Covers

The two laws police different things. They start to overlap the moment an AI system processes personal data, and that overlap is where most of the confusion lives.

GDPR Scope

The GDPR applies to the processing of personal data by controllers and processors established in the EU, or by organisations outside the EU that offer goods or services to, or monitor the behaviour of, individuals within the EU. What triggers it is the activity, processing personal data, not the technology you use to do it.

EU AI Act Scope

The EU AI Act applies to providers, deployers, importers, and distributors of AI systems placed on the market or put into service within the EU. Here the trigger flips: it is the technology (AI systems) that pulls you in, not the type of data being processed. The AI Act applies whether or not personal data is involved, and it covers AI systems that process only non-personal data too.

Where They Overlap

The overlap shows up the instant an AI system processes personal data. Take a credit scoring algorithm that evaluates loan applications using individuals' financial histories. It answers to the GDPR (because it processes personal data) and to the EU AI Act (because evaluating the creditworthiness of natural persons is listed as high-risk in Annex III, point 5(b)). Neither law covers the whole picture on its own. You apply both.

Same ideas, different vocabulary. The two laws name related roles and concepts with their own terms, and that mismatch trips up compliance teams more often than you would think.

Concept | GDPR term | EU AI Act term
Entity responsible for the system | Data controller | Provider / Deployer
Entity acting on instructions | Data processor | No direct equivalent (AI Act roles follow what you do with the system, not whose instructions you act on)
Affected individual | Data subject | No specific term; the Act refers to "natural persons" or "affected persons"
Regulatory authority | Data Protection Authority (DPA) | National competent authority (market surveillance and notifying authorities) / AI Office
Impact assessment | Data Protection Impact Assessment (DPIA, Article 35) | Fundamental Rights Impact Assessment (FRIA, Article 27) / Conformity assessment (Article 43)

Get these mappings straight early. One team, your compliance or legal function, usually has to fulfil obligations under both frameworks at once, and lining up the vocabulary keeps people from talking past each other.

Automated Decision-Making: The Core Intersection

This is where the two laws sit closest together: automated decisions and how they land on real people. If you only learn one overlap, learn this one.

GDPR Article 22

GDPR Article 22 gives individuals the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning them or similarly significantly affects them. Exceptions apply where the decision is necessary for a contract, authorized by law, or based on explicit consent.

Where automated decisions are permitted, the controller must implement suitable safeguards, including the right to obtain human intervention, to express a point of view, and to contest the decision.

EU AI Act Transparency and Human Oversight

The EU AI Act's transparency obligations (Article 13) and human oversight requirements (Article 14) for high-risk AI systems complement and extend GDPR Article 22. Under the AI Act:

  • Deployers of Annex III high-risk systems that make, or help make, decisions about natural persons must inform those persons that they are subject to the use of the system (Article 26(11)).
  • High-risk AI systems must be designed so that the people assigned to oversee them can interpret the output and, in any particular situation, decide not to use the system or to disregard, override or reverse its output (Article 14).
  • Providers must design high-risk systems, and ship instructions for use, so that deployers can interpret the output and use it appropriately (Article 13). That is what puts deployers in a position to explain an outcome to the people it affects.
  • A person subject to a decision taken on the basis of an Annex III high-risk system, where that decision produces legal effects or similarly significantly affects them, can demand from the deployer a clear and meaningful explanation of the system's role in the decision (Article 86).

So if you run AI for automated decision-making, you have to clear both bars: GDPR Article 22's safeguards and the AI Act's transparency and oversight requirements. Clearing one does not clear the other. Handing people GDPR-compliant information about your automated decision-making logic (under Articles 13 and 14 of the GDPR, which happen to share their numbers with the AI Act's transparency and oversight articles but are unrelated) does not, on its own, fulfil the AI Act's more detailed obligations for high-risk systems.

Data Governance: Parallel but Distinct Requirements

Both laws demand data governance. They just come at it from opposite ends.

GDPR Data Governance

The GDPR's data governance framework centres on the principles of lawfulness, fairness, transparency, purpose limitation, data minimisation, accuracy, storage limitation, integrity and confidentiality, and accountability (Article 5). These principles govern how personal data is collected, stored, processed, and deleted.

EU AI Act Data Governance (Article 10)

The AI Act's data governance requirements under Article 10 focus specifically on the quality and representativeness of training, validation, and testing data for high-risk AI systems. Key requirements include:

  • Training, validation and testing data must be relevant, sufficiently representative, and, to the best extent possible, free of errors and complete in view of the intended purpose.
  • Appropriate data governance measures must address design choices, data collection and origin, data preparation, the formulation of assumptions, prior assessments of data availability and suitability, examination of possible biases, and the identification of data gaps.
  • Where special categories of personal data (as defined in GDPR Article 9) are strictly necessary for bias detection and correction, Article 10(5) lets providers process them exceptionally, subject to strict conditions and safeguards.

Read that last bullet again, because it is doing a lot of quiet work. The AI Act flat out acknowledges that catching and fixing bias in an AI system may mean processing sensitive personal data, such as data revealing racial or ethnic origin, and it gives you a legal framework to do it. Under the GDPR on its own, processing that kind of data is off the table unless one of the Article 9(2) exceptions applies. The AI Act adds a basis of its own, but only on its terms: the bias work cannot be done effectively with other data such as synthetic or anonymised data; the special category data is subject to technical limits on re-use and to security and privacy-preserving measures such as pseudonymisation; access is strictly controlled and documented; the data is not transmitted to or accessed by other parties; it is deleted once the bias is corrected or the retention period ends; and your records of processing state why the processing was strictly necessary. None of this gets you off the hook for the GDPR: you still have to meet its conditions for special category data, safeguards included.

Impact Assessments: DPIAs vs FRIAs

Both laws ask for an impact assessment. Different purpose, different scope, and you cannot assume one covers for the other.

Data Protection Impact Assessments (DPIAs)

Under GDPR Article 35, a DPIA is required when data processing is likely to result in a high risk to the rights and freedoms of individuals. DPIAs focus specifically on data protection risks and must include:

  • A systematic description of the processing operations and their purposes.
  • An assessment of the necessity and proportionality of the processing.
  • An assessment of risks to the rights and freedoms of data subjects.
  • Measures to address those risks.

Fundamental Rights Impact Assessments (FRIAs)

The EU AI Act (Article 27) requires certain deployers of high-risk AI systems to conduct a fundamental rights impact assessment before putting the system into use: deployers that are bodies governed by public law or private entities providing public services, and deployers of the Annex III systems used to assess creditworthiness or to price life and health insurance (points 5(b) and 5(c)). FRIAs have a broader scope than DPIAs, covering not just data protection but all fundamental rights that may be affected, including:

  • The right to non-discrimination.
  • The right to an effective remedy.
  • Freedom of expression.
  • The right to human dignity.
  • The right to fair working conditions.
  • Consumer protection rights.

If you deploy a high-risk AI system that processes personal data, you are most likely on the hook for both a DPIA and a FRIA. You can fold them into one process, and we recommend it; Article 27(4) of the AI Act says as much, providing that where a DPIA already covers a FRIA obligation, the FRIA complements that DPIA rather than repeating it. But each set of requirements still has to be answered in full. A DPIA that ignores non-discrimination risks beyond data protection will not satisfy FRIA requirements, and a FRIA that skips the GDPR's data protection principles will not satisfy DPIA requirements.

Want a step-by-step way to run these assessments? Our EU AI Act risk assessment guide walks through the methodology in detail.

Enforcement: Different Bodies, Coordinated Action

Different regulators enforce each law. The two regimes know it, and they are built to coordinate when a case touches both.

GDPR Enforcement

GDPR enforcement runs through national Data Protection Authorities (DPAs), coordinated by the European Data Protection Board (EDPB). DPAs carry real teeth, including the power to impose administrative fines of up to 20 million EUR or 4% of worldwide annual turnover.

EU AI Act Enforcement

The EU AI Act establishes a multi-layered enforcement structure:

  • The AI Office (within the European Commission) is responsible for supervising general-purpose AI model obligations and coordinating enforcement at the EU level.
  • National competent authorities (designated by each Member State) are responsible for supervising the application of the Act at the national level. Under Article 70 each Member State designates at least one notifying authority and at least one market surveillance authority.
  • Market surveillance authorities are the national competent authorities that police AI systems placed on the market or put into service.

In many Member States, the DPA may also be designated as a national competent authority for the AI Act, or the two bodies may operate independently but coordinate on cases involving both data protection and AI regulation. For some Annex III systems (law enforcement, migration and border control, justice and democratic processes) Article 74(8) goes further and directs Member States to designate the DPA, or another authority bound by the same independence conditions, as the market surveillance authority.

Coordination Challenges

When an AI system breaks both the GDPR and the AI Act, more than one regulator can claim jurisdiction. A biased credit scoring AI system, for example, could set off:

  • A GDPR investigation by the DPA (for unfair processing of personal data).
  • An AI Act investigation by the national competent authority (for non-compliance with high-risk system requirements).
  • Sector-specific enforcement by a financial regulator.

Plan for multi-agency investigations, and make sure your compliance documentation tells the same story across every framework. Inconsistencies between files are exactly what a coordinated probe is looking for.

Penalties: A Side-by-Side Comparison

Both laws hit hard in the wallet. The ceilings are not the same: at the top two tiers the AI Act's sit higher, while its lowest tier sits below the GDPR's.

Violation type | GDPR maximum fine | EU AI Act maximum fine
Most serious violations (GDPR Art. 83(5); AI Act prohibited practices, Art. 99(3)) | 20 million EUR or 4% of worldwide annual turnover | 35 million EUR or 7% of worldwide annual turnover
Significant violations (GDPR Art. 83(4); AI Act operator and notified body obligations, Art. 99(4)) | 10 million EUR or 2% of turnover | 15 million EUR or 3% of turnover
Incorrect, incomplete or misleading information to authorities (AI Act Art. 99(5)) | 10 million EUR or 2% of turnover | 7.5 million EUR or 1% of turnover

In each case the higher of the two figures applies; for SMEs and start-ups the AI Act applies the lower of the two (Article 99(6)).

Here is the part that stings: these penalties can land concurrently. One AI system failure can draw fines under both the GDPR and the AI Act, plus whatever sector-specific penalty applies on top. There is one guardrail, and it is softer than a cap. When an AI Act authority sets a fine, Article 99(7) requires it to take into account fines already imposed on the same operator by other authorities for infringements of other Union or national law arising from the same activity or omission, which covers a GDPR fine for the same conduct. That tempers stacked fines for the same facts. It does not erase the risk of heavy cumulative penalties for different pieces of non-compliance.

We break the AI Act's penalty framework down in full in our guide on EU AI Act fines and enforcement.

Building a Unified Compliance Framework

Running two separate compliance programmes, one for the GDPR and one for the EU AI Act, is how you end up paying twice and still leaving gaps. Build one framework that answers both. Here is how we structure it.

Step 1: Unified AI and Data Inventory

Keep one register that maps every AI system you run, the personal data each one touches, and the obligations that attach under both the GDPR and the AI Act. That register should pin down:

  • The legal basis for processing personal data (GDPR).
  • The risk classification of each AI system (AI Act).
  • The roles and responsibilities under both frameworks (controller/processor under GDPR; provider/deployer under AI Act).

Step 2: Integrated Impact Assessments

Build one impact assessment template that covers DPIA and FRIA requirements together. You skip the duplicated effort and still catch every risk that matters. The assessment should weigh:

  • Data protection risks (GDPR).
  • Fundamental rights risks beyond data protection (AI Act).
  • Technical risks related to accuracy, robustness, and cybersecurity (AI Act).

Step 3: Harmonised Documentation

Line up your technical documentation requirements under the AI Act with your records of processing activities (ROPA) under the GDPR. The formats differ, sure, but a lot of the underlying information is the same: descriptions of data sources, processing purposes, security measures, and risk mitigation strategies.

Step 4: Coordinated Governance

Give AI compliance a clear owner, and put it inside the data protection governance structure you already have. Your Data Protection Officer (DPO) and your AI compliance function should be in close contact, trading information and handling anything that crosses both laws. In a smaller organisation, that is often the same person or team wearing both hats.

Step 5: Joint Training Programmes

Run AI literacy training (required under AI Act Article 4) and data protection awareness training (required under GDPR accountability obligations) as one coordinated programme, not two disconnected slide decks. Anyone who touches an AI system that processes personal data has to know what they owe under both frameworks.

The Role of Data Protection in AI Training Data

One question lands in our inbox more than almost any other: what is the legal basis for using personal data to train AI models? Under the GDPR, every bit of personal data processing needs a lawful basis (Article 6). For AI training data, the bases teams lean on most are:

  • Legitimate interest (Article 6(1)(f)): Often used for training models on datasets that include personal data, subject to a balancing test against the rights of data subjects.
  • Consent (Article 6(1)(a)): Sometimes used but presents practical challenges for large-scale AI training due to the difficulty of obtaining informed, specific consent for broad model training purposes.
  • Contract performance (Article 6(1)(b)): May apply where the AI training is necessary to provide a service contracted by the data subject.

The AI Act does not override or replace the GDPR's requirements for training data. You need a valid GDPR legal basis for any personal data that goes into AI training, on top of meeting the AI Act's data governance requirements under Article 10. Two laws, both in force, neither one cancelling the other.

Joint Controller Scenarios in AI Value Chains

AI systems rarely live with one party. The value chain stretches across model providers, platform operators, application developers, and the end-user organisations running it all. Under the GDPR, when two or more controllers jointly decide the purposes and means of processing, they are joint controllers, and they must put an arrangement in place under Article 26 of the GDPR.

Here is where it gets thorny. The AI Act's provider-and-deployer split does not map cleanly onto the GDPR's controller/processor framework. A GPAI model provider and a downstream deployer can each exercise real control over how personal data is processed, which can create a joint controllership scenario under the GDPR even when they hold distinct roles under the AI Act.

So look hard at your own AI value chain. Work out whether joint controllership applies, and if it does, get the GDPR arrangements in place right alongside your AI Act compliance measures.

Where This Leaves You

The GDPR and the EU AI Act are two halves of the same job. Together they cover the full picture for AI systems that process personal data. Apart, neither one is enough. Treat them as separate silos and you pay twice for half the protection.

The approach that actually works builds on the GDPR processes you already run, your DPIAs, data governance measures, and accountability documentation, then stretches them to cover what the AI Act adds: risk management, transparency, human oversight, and protection of fundamental rights. One framework, two laws answered.

For the full requirement list in one place, our EU AI Act Compliance Checklist lays it all out. And if you are weighing the tools that can carry an integrated GDPR and AI Act programme for you, we put them head to head in our comparison of the best EU AI Act compliance tools.


Update: Where the Digital Omnibus Stands (June 12, 2026)

A quick note before you act on any date in this article. The Digital Omnibus is a simplification package the European Commission proposed on November 19, 2025. It would amend several EU digital laws at once, and for the AI Act it proposes two big changes: the high-risk obligations would apply later (December 2, 2027 for the stand-alone high-risk systems listed in Annex III, and August 2, 2028 for high-risk AI embedded in regulated products), and a number of requirements would be simplified along the way.

Here is the part that matters: none of this is law yet. The European Parliament and the Council reached a provisional agreement on May 7, 2026, and formal adoption is expected, but until the final text is adopted and published, nothing changes. The dates and obligations described in this article are the ones in force today. And the rules that already apply, like the prohibited practices and the AI literacy duty, stay exactly where they are no matter what happens to the Omnibus.

We are watching this closely. The moment the Omnibus is adopted, amended, or rejected, we will update this article to reflect the new EU AI compliance dates. Check back, or run the free 90-second risk check to see your obligations under the rules as they stand right now.
