EU AI Act vs GDPR
The EU AI Act and GDPR are the two binding EU regulations most relevant to AI programs. They do not replace each other — they apply in parallel. Almost every AI system that processes personal data is subject to both at the same time.
This page compares the two and shows how to run one integrated compliance program.
Quick decision
- AI use involves processing of personal data that is likely to result in a high risk under GDPR Art 35 → conduct a Data Protection Impact Assessment (DPIA).
- Deploying an Art 27-covered high-risk AI system (you fall within one of the deployer categories listed in Art 27(1) of the EU AI Act) → conduct a Fundamental Rights Impact Assessment (FRIA).
- Both triggers fire → coordinate the two assessments. They are distinct legal instruments under different regimes; one does not substitute for the other.
- AI system placed on the market, put into service, or used in the Union → EU AI Act applies by territorial / use criteria (Art 2).
- GDPR territorial scope (Art 3) applies when the controller or processor is established in the Union, or a non-EU controller/processor processes personal data of data subjects in the Union in the context of offering goods or services to them or monitoring their behaviour in the Union, or processing is by an EU Member State by virtue of public international law. Do not shorthand to "EU residents" or "personal data of individuals in the Union" — Art 3 is more nuanced.
TL;DR
- EU AI Act is a binding EU regulation governing AI systems placed on the market, put into service, or used in the Union — a product regulation.
- GDPR is a binding EU regulation governing the processing of personal data of individuals in the Union — a data-protection regulation.
- The two operate in parallel and do not substitute for one another. An AI system that processes personal data is almost always subject to both, with overlapping but legally distinct duties.
- Different role systems: provider / deployer / importer / distributor under the AI Act, controller / processor under GDPR. One organisation can hold multiple roles across both regimes for the same AI system.
- Consequence: treat the two as one integrated compliance program with controls that satisfy both regimes — but do not assume GDPR compliance produces EU AI Act compliance, or vice versa.
AI Omnibus notice
The Digital Omnibus on AI reached a provisional political agreement on 7 May 2026 (pending formal adoption). Once formally adopted, it would amend several EU AI Act provisions referenced below. This page reflects the currently binding EU AI Act; agreed changes are summarised on the EU AI Act landing page.
Side-by-side comparison
| Dimension | EU AI Act | GDPR |
|---|---|---|
| Publisher | European Parliament and Council | European Parliament and Council |
| In force | 2024, phased through 2026–2027 | 2018 |
| Type | Product regulation | Data-protection regulation |
| Regulated subject | AI systems and general-purpose AI models | Personal data processing |
| Primary roles | Provider, Deployer, Importer, Distributor | Controller, Processor |
| Risk logic | risk-tiered (prohibited / high-risk / limited-risk / minimal) | risk-based, case-by-case (Art. 35 DPIA) |
| Scope | AI placed on or used in the EU market (Art 2; extraterritorial) | Art 3 — EU-established controller/processor, or non-EU processing tied to offering goods/services to or monitoring behaviour of data subjects in the Union, plus public-international-law cases |
| Conformity | conformity assessment + CE marking for high-risk | none (accountability principle) |
| Mandatory documentation | technical documentation (Annex IV), QMS, PMM | records of processing (Art. 30), DPIA when required |
| Human oversight | Art. 14 (mandatory for high-risk) | Art. 22 (rights around automated decisions) |
| Transparency to users | Art. 13, Art. 50 | Art. 13–14 |
| Enforcement authority | national AI authorities + AI Office (GPAI) | national Data Protection Authorities + EDPB |
| Max fines | up to €35M or 7% of global annual turnover | up to €20M or 4% of global annual turnover |
How EU AI Act and GDPR map onto each other
Several requirements overlap. When you design controls, treat these as one control that satisfies both regimes — it's the fastest way to avoid duplicating effort. The legal triggers and remedies remain separate; the operational implementation can be shared.
| Topic | EU AI Act | GDPR | One-control pattern |
|---|---|---|---|
| Data governance / data quality | Art. 10 | Art. 5 (accuracy, minimisation) | data lineage + quality metrics per AI system |
| Transparency — to deployers and to natural persons | Art. 13 (information to deployers); Art. 50 (transparency to natural persons interacting with AI); Art. 26(11) / Art. 86 also relevant | Art. 13–14 (information to data subjects) | model card + deployer documentation + privacy notice linked from the UI |
| Human oversight (high-risk AI) / solely automated significant decisions (data-subject right) | Art. 14 (provider design obligation enabling oversight) | Art. 22 (data-subject right against solely automated significant decisions) | oversight policy with role gates and escalation — see clarification under "Where they overlap" |
| Record-keeping | Art. 12 (logs) | Art. 30 (records of processing) | AI-system register + processing record |
| Risk / impact assessment | Art. 9 (risk mgmt), Art. 27 (FRIA) | Art. 35 (DPIA) | integrated assessment that covers both |
| Incident / breach notification | Art. 73 (serious incidents) | Art. 33–34 (data breaches) | single incident register, dual notification workflow |
| Security | Art. 15 | Art. 32 | ISMS (e.g., ISO 27001) linked to the AI system |
When to choose which
For most AI programs both regulations apply at the same time. The practical question is which one your team's current work sits closest to, so that the right obligations get attention first.
Where EU AI Act is your dominant focus
- You are a provider placing a high-risk AI system or a GPAI model on the EU market.
- You are running an AI Act conformity assessment or readying for CE marking.
- You are scoping AI literacy training under Art 4.
Where GDPR is your dominant focus
- You are setting lawful basis for processing personal data in or for an AI system.
- You are handling data-subject rights (access, erasure, objection) on AI-system outputs.
- You are running international transfers of training or operational data outside the EU.
When you need both in lockstep
- High-risk AI systems that process personal data (most enterprise use cases).
- Automated decision-making — overlapping but legally distinct duties under Art 22 GDPR and Art 14 EU AI Act (see below).
- Serious-incident handling — separate notification regimes that must be coordinated.
Where they overlap
The EU AI Act and GDPR overlap most clearly on risk and impact assessment, transparency, record-keeping, human oversight of automated decisions, incident reporting, and security. The overlap is operational, not legal substitution — an integrated program can satisfy both with one control set, but each regime keeps its own legal triggers, remedies, and enforcement authority.
Where EU AI Act goes beyond GDPR
The EU AI Act imposes duties that have no direct GDPR equivalent:
- AI system classification — is it prohibited, high-risk, limited-risk, or minimal-risk?
- Conformity assessment and CE marking for high-risk AI systems, with notified-body involvement only where the applicable Art 43 conformity-assessment route requires it.
- Quality management system (Art 17) specifically for AI system providers.
- Post-market monitoring system (Art 72) — a continuous provider duty after deployment.
- General-purpose AI (GPAI) model regime under Arts 51–56 — Art 53 covers the direct provider duties (documentation, training-data summary, copyright policy), Art 55 covers the additional obligations for GPAI models with systemic risk, and Art 56 covers codes of practice.
- AI literacy (Art 4) for staff involved in operating AI systems.
Where GDPR goes beyond the EU AI Act
GDPR imposes duties that have no direct EU AI Act equivalent:
- Lawful basis for processing (Art 6) — the EU AI Act assumes a lawful basis already exists.
- Purpose limitation and data minimisation (Art 5) — applies even when the AI system itself is minimal-risk.
- Rights of data subjects — access, erasure, rectification, portability, restriction, objection.
- International transfers (Chapter V) — SCCs, adequacy decisions, supplementary measures.
Why GDPR Art 22 ≠ EU AI Act Art 14
The mapping table above pairs Art 22 with Art 14. They address adjacent but legally distinct concerns and do not substitute for one another:
- GDPR Art 22 is a data-subject right concerning solely automated decisions, including profiling, producing legal or similarly significant effects, addressed to controllers.
- EU AI Act Art 14 is a high-risk-AI provider design obligation to enable effective human oversight, with corresponding deployer operation duties elsewhere (e.g., Art 26).
Different regimes, different triggers, different remedies. Complying with one does not extinguish the other.
Roles: EU AI Act vs GDPR
The two role systems do not line up one-to-one, and the mapping matters when you assign responsibility.
| EU AI Act role | Typical GDPR role | Notes |
|---|---|---|
| Provider (develops or places on market) | Usually Controller, sometimes Processor | providers decide the purpose of the AI system |
| Deployer (uses AI under their authority) | Usually Controller | deployers determine purpose of processing in the deployment |
| Importer / Distributor | Usually Processor or no role | GDPR role depends on actual handling of personal data |
A single organization can hold multiple roles across both regulations for the same AI system.
What this looks like in Modulos
Most enterprises build a single evidence pipeline that satisfies both regulations. In Modulos this is implemented as one integrated control set tagged to both regimes.
1. Inventory: one register of AI systems and processing activities, linked to each other.
2. Classify: EU AI Act risk tier plus GDPR risk (whether a DPIA is needed).
3. Assess: integrated FRIA plus DPIA for high-risk AI that processes personal data.
4. Control: one control set satisfying both regimes (see the overlap table above).
5. Evidence: a single evidence store, with each item tagged to both regulations.
6. Monitor: post-market monitoring (EU AI Act) plus records and data-subject-request handling (GDPR).
Disclaimer
This page is for general informational purposes and does not constitute legal advice. Consult qualified legal counsel for specific EU AI Act and GDPR questions.