# EU AI Act vs GDPR
The EU AI Act and GDPR are the two binding EU regulations most relevant to AI programs. They do not replace each other — they apply in parallel. Almost every AI system that processes personal data is subject to both at the same time.
This page compares the two and shows how to run one integrated compliance program.
## TL;DR
- GDPR regulates the processing of personal data — the data.
- EU AI Act regulates AI systems placed on or used in the EU market — the product.
- Most AI systems that process personal data are subject to both.
## AI Omnibus notice
The Digital Omnibus on AI (proposed 19 November 2025, subject to trilogue) would amend several EU AI Act provisions referenced below. This page reflects the currently binding EU AI Act; expected changes are summarised on the EU AI Act landing page.
## Side-by-side comparison
| Dimension | EU AI Act | GDPR |
|---|---|---|
| Publisher | European Parliament and Council | European Parliament and Council |
| In force | 2024, phased through 2026–2027 | 2018 |
| Type | Product regulation | Data-protection regulation |
| Regulated subject | AI systems and general-purpose AI models | Personal data processing |
| Primary roles | Provider, Deployer, Importer, Distributor | Controller, Processor |
| Risk logic | risk-tiered (prohibited / high-risk / limited-risk / minimal) | risk-based, case-by-case (Art. 35 DPIA) |
| Scope | AI placed on or used in the EU market (extraterritorial) | processing of EU residents' personal data (extraterritorial) |
| Conformity | conformity assessment + CE marking for high-risk | none (accountability principle) |
| Mandatory documentation | technical documentation (Annex IV), QMS, PMM | records of processing (Art. 30), DPIA when required |
| Human oversight | Art. 14 (mandatory for high-risk) | Art. 22 (rights around automated decisions) |
| Transparency to users | Art. 13, Art. 50 | Art. 13–14 |
| Enforcement authority | national AI authorities + AI Office (GPAI) | national Data Protection Authorities + EDPB |
| Max fines | up to €35M or 7% of global annual turnover | up to €20M or 4% of global annual turnover |
## Where EU AI Act and GDPR overlap
Several requirements overlap. When you design controls, treat these as one control that satisfies both — it's the fastest way to avoid duplicating effort.
| Topic | EU AI Act | GDPR | One-control pattern |
|---|---|---|---|
| Data governance / data quality | Art. 10 | Art. 5 (accuracy, minimisation) | data lineage + quality metrics per AI system |
| Transparency to affected persons | Art. 13, 50 | Art. 13–14 | model card + privacy notice linked from the UI |
| Human oversight / automated decisions | Art. 14 | Art. 22 | oversight policy with role gates and escalation |
| Record-keeping | Art. 12 (logs) | Art. 30 (records of processing) | AI-system register + processing record |
| Risk / impact assessment | Art. 9 (risk mgmt), Art. 27 (FRIA) | Art. 35 (DPIA) | integrated assessment that covers both |
| Incident / breach notification | Art. 73 (serious incidents) | Art. 33–34 (data breaches) | single incident register, dual notification workflow |
| Security | Art. 15 | Art. 32 | ISMS (e.g., ISO 27001) linked to the AI system |
## Where EU AI Act goes beyond GDPR
The EU AI Act imposes duties that have no GDPR equivalent:
- AI system classification — is it prohibited, high-risk, limited-risk, or minimal-risk?
- Conformity assessment and CE marking for high-risk systems.
- Quality management system (Art. 17) specifically for AI providers.
- Post-market monitoring (Art. 72) — a continuous duty after deployment.
- General-purpose AI (GPAI) model duties — documentation, copyright policy, systemic-risk obligations.
- AI literacy (Art. 4) for staff involved in operating AI systems.
## Where GDPR goes beyond the EU AI Act
- Lawful basis for processing (Art. 6) — the EU AI Act assumes a lawful basis already exists.
- Purpose limitation and data minimisation (Art. 5) — applies even when the AI system itself is minimal-risk.
- Rights of data subjects — access, erasure, rectification, portability, object.
- International transfers (Chapter V) — SCCs, adequacy decisions, TIA.
## Roles: EU AI Act vs GDPR
The two role systems do not line up one-to-one, and the mapping matters when you assign responsibility.
| EU AI Act role | Typical GDPR role | Notes |
|---|---|---|
| Provider (develops or places on market) | Usually Controller, sometimes Processor | providers decide the purpose of the AI system |
| Deployer (uses AI under their authority) | Usually Controller | deployers determine purpose of processing in the deployment |
| Importer / Distributor | Usually Processor or no role | GDPR role depends on actual handling of personal data |
A single organization can hold multiple roles across both regulations for the same AI system.
## Running one integrated compliance program
Most enterprises build a single evidence pipeline that satisfies both regulations.
1. Inventory: one register of AI systems and processing activities, linked to each other.
2. Classify: EU AI Act risk tier plus GDPR risk (whether a DPIA is needed).
3. Assess: integrated FRIA + DPIA for high-risk AI that processes personal data.
4. Control: one control set satisfying both regulations (see the overlap table above).
5. Evidence: a single evidence store, with each item tagged to both regulations.
6. Monitor: post-market monitoring (EU AI Act) plus records and DSR handling (GDPR).
## Related pages

- EU AI Act guide: risk tiers, high-risk obligations, conformity, post-market monitoring
- GDPR guide: principles, roles, DPIAs, and personal-data obligations
- AI governance frameworks comparison: side-by-side across EU AI Act, ISO 42001, NIST AI RMF, OWASP, GDPR, NIS2, DORA
- How to comply with the EU AI Act: step-by-step path to EU AI Act readiness
## Disclaimer
This page is for general informational purposes and does not constitute legal advice. Consult qualified legal counsel for specific EU AI Act and GDPR questions.