AI Act vs GDPR: how they overlap and where they don't
Both regimes apply to most modern AI products. They share some obligations, conflict on a few, and ignore each other on most. A practical map for builders.
If you're shipping AI in the EU and your system processes personal data — which most do — you operate under two regimes simultaneously: the GDPR (Regulation 2016/679) and the AI Act (Regulation 2024/1689). Most teams understand each one in isolation. Far fewer have a clear picture of where they overlap, where they don't, and where you have to do extra work to satisfy both.
This article is the map.
The headline difference
GDPR is about personal data. It applies if and only if you process personal data. The "what" can be anything: a relational database, a CSV file, an LLM prompt history.
The AI Act is about AI systems and models. It applies if you place an AI system on the EU market or its output is used in the Union. The "what" can be data-free in principle (Annex III still applies even if the system somehow operated on no personal data — though in practice almost all of them do).
You can be in scope of GDPR without the AI Act (a CRM that doesn't use AI). You can be in scope of the AI Act without GDPR (an AI safety component in an industrial machine processing only sensor telemetry). Most modern AI products are in scope of both.
Where the regimes overlap
1. Data governance for training data
- GDPR Article 5(1) sets the principles: lawfulness, fairness, transparency, purpose limitation, data minimisation, accuracy, storage limitation, integrity, accountability.
- AI Act Article 10 requires high-risk AI systems to have appropriate data governance and management practices for training, validation, and testing datasets — examination of biases (Art. 10(2)(f)), identification of data gaps (Art. 10(2)(g)), and so on.
These two regimes ask similar questions about your training data, but from different angles. GDPR asks: "do you have a lawful basis to process this person's data?" The AI Act asks: "is your dataset representative, free of bias, and documented?"
A well-built data governance policy answers both at once. The AI Act Article 10 obligations are *narrower in scope* (only high-risk systems) but *broader in content* (they cover non-personal data too — synthetic data, scraped technical corpora, sensor logs).
2. Impact assessments
Both regimes require an impact assessment, but they are different documents.
- GDPR Article 35: Data Protection Impact Assessment (DPIA), required when processing is likely to result in a high risk to data subjects' rights and freedoms. Always required for systematic monitoring, large-scale processing of special-category data, or automated decision-making with legal effects.
- AI Act Article 27: Fundamental Rights Impact Assessment (FRIA), required from deployers of high-risk AI systems in specific cases — public bodies, providers of essential public services, and certain private deployers (banking, insurance) when using Annex III(5) systems.
The DPIA focuses on data subjects and personal data. The FRIA focuses on the affected persons' fundamental rights — which is broader (privacy, but also non-discrimination, freedom of expression, dignity, etc.).
In practice, if you're a deployer of a high-risk system that processes personal data, you'll typically run one combined assessment that satisfies both.
3. Information rights and transparency
- GDPR Articles 13–15: data subjects must be told what data is collected and how it's used, and have access rights to their own data.
- AI Act Article 50: end-users must be told they're interacting with AI (chatbot), that content is synthetic (deepfake, generated media), or that they're being subject to emotion recognition / biometric categorisation.
- AI Act Article 26(11): deployers of high-risk Annex III systems must inform affected persons that they are subject to a high-risk AI system.
GDPR transparency is *about the data*. AI Act transparency is *about the AI*. You need both notices, and they typically live in the same privacy/transparency surface but say different things.
4. Logging and accountability
- GDPR Article 5(2) + Article 24: accountability — you must be able to demonstrate compliance.
- AI Act Article 12: high-risk systems must enable automatic logging of events relevant to risk assessment and post-market monitoring.
Article 12 logs are *about the AI's behaviour*: input/output/timestamp/decision provenance/model version. GDPR logs are *about the data lifecycle*: who accessed what, who deleted what, who consented to what.
The two log streams should be designed together. You'll typically end up with a single event-log infrastructure carrying both kinds of records, segregated by retention policy.
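One way to lay out such a shared log, added here as an illustration rather than code from the article: two record kinds in one store, each carrying its own retention class, with the AI stream holding only a keyed pseudonym of the person so an access request can still be answered. The retention figures, field names and sample values are constructed assumptions.

```python
"""Shared event log: AI Act Art. 12 and GDPR lifecycle records, one store (constructed)."""
from dataclasses import dataclass
from datetime import datetime, timedelta
import hashlib

# Assumed retention per stream, in days: placeholders, not legal figures.
RETENTION_DAYS = {"ai_behaviour": 365, "data_lifecycle": 180}

@dataclass
class LogEvent:
    stream: str  # "ai_behaviour" (Art. 12) or "data_lifecycle" (GDPR)
    ts: datetime
    fields: dict

    @property
    def expires_at(self) -> datetime:
        return self.ts + timedelta(days=RETENTION_DAYS[self.stream])

def subject_ref(subject_id: str, key: bytes) -> str:
    """Keyed pseudonym: the AI stream references a person without holding the ID."""
    return hashlib.sha256(key + subject_id.encode()).hexdigest()[:16]

def ai_event(ts, model_version, subject_id, inputs_sha256, decision, key):
    # Art. 12-style record: what the model did, under which version, on which input.
    return LogEvent("ai_behaviour", ts, {
        "model_version": model_version, "inputs_sha256": inputs_sha256,
        "decision": decision, "subject_ref": subject_ref(subject_id, key)})

def data_event(ts, actor, action, subject_id):
    # GDPR accountability record: who accessed, deleted or consented.
    return LogEvent("data_lifecycle", ts,
                    {"actor": actor, "action": action, "subject_id": subject_id})

def purge_due(log, now):
    """Each stream ages out on its own schedule inside the shared log."""
    return ([e for e in log if e.expires_at > now],
            [e for e in log if e.expires_at <= now])

def decisions_about(log, subject_id, key):
    """Serve an access request by recomputing the pseudonym (needs the key)."""
    ref = subject_ref(subject_id, key)
    return [e for e in log if e.stream == "ai_behaviour"
            and e.fields["subject_ref"] == ref]

def demo():
    # Constructed sample: one CV-screening decision plus one HR data access.
    key, t0 = b"constructed-demo-key", datetime(2025, 1, 1)
    log = [ai_event(t0, "cv-screener-1.4", "user-42", "ab12", "reject", key),
           data_event(t0, "hr-analyst", "access", "user-42")]
    keep, purge = purge_due(log, t0 + timedelta(days=200))
    return {"kept": [e.stream for e in keep], "purged": [e.stream for e in purge],
            "decisions_for_42": len(decisions_about(log, "user-42", key))}
```

At day 200 the GDPR access record has aged out while the Article 12 decision record is still retained, and the decision can still be located for the data subject because the pseudonym is recomputable with the key.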
Where the regimes diverge
Risk model
GDPR is risk-based but the risk is to *data subjects*. The AI Act is risk-tiered and the risk is to *anyone* — health, safety, fundamental rights, broad social outcomes.
A system can be GDPR-low-risk (you process only an email and a name) but AI Act-high-risk (it's a CV-screening tool). Annex III(4) doesn't care that the data footprint is small.
Enforcement
- GDPR is enforced by 27 national Data Protection Authorities, with the EDPB coordinating. Italy's authority is the *Garante per la protezione dei dati personali*.
- The AI Act is enforced by the AI Office (within the Commission) for GPAI obligations, and by national market surveillance authorities for AI systems. In Italy, this is being structured around AGID and the Garante depending on the use case.
The two enforcement tracks can both pursue the same incident from different angles. A serious AI incident (Art. 73 AI Act) involving personal data is also a personal data breach (Art. 33 GDPR), and you owe both notifications.
Penalties
- GDPR: up to €20M or 4% of global annual turnover.
- AI Act Article 99: up to €35M or 7% of global annual turnover for prohibited-practice violations; €15M or 3% for high-risk obligation breaches; €7.5M or 1% for misleading information to authorities.
The AI Act's prohibited-practice fine is the largest in EU regulatory law to date.
Lawful basis
GDPR requires a lawful basis (Article 6) for *every* processing operation. The AI Act doesn't introduce a new lawful basis — it inherits GDPR's. So if you're training an AI on personal data, you still need consent, contract, legal obligation, or legitimate interests under GDPR.
Special categories
GDPR Article 9 prohibits processing special-category data (health, biometrics, race, political opinions, …) absent specific exceptions. The AI Act's Article 5(1)(g) prohibits *biometric categorisation* that infers these same attributes. The two regimes converge on the conclusion: don't infer sensitive attributes from biometrics. They reach it through different doors.
Compliance overlap zones — where extra work pays off
Three areas where doing the work for one regime gets you most of the work for the other:
1. Data governance documentation
Write your AI Act Article 10 data governance policy in a form that explicitly references your GDPR Article 30 record of processing. One document covers both.
2. Combined impact assessment
If your system requires both a DPIA and a FRIA, run them together. The combined document is harder to write but easier to keep current.
3. Unified transparency surface
Your privacy policy (GDPR), your AI transparency notice (Article 50), and your high-risk-deployer notice (Article 26(11)) should live in the same place — usually a "Privacy and AI" page linked from every product surface. One canonical location reduces the chance of one regime saying something the other contradicts.
What to do if you're starting now
- Map your processing in a GDPR Article 30 record of processing activities (ROPA). If you don't have one, this is the first thing.
- Run the AI Act tier classification. The [free quiz](/quiz) does this in three minutes.
- Cross-reference. For each high-risk AI system, confirm there's a corresponding GDPR processing record. For each GDPR record involving AI, confirm you've classified the system under the AI Act.
- Build one transparency surface. Don't have separate "privacy" and "AI" notices that contradict each other.
- Run a combined DPIA/FRIA where both are required.
The full €299 assessment generates a draft data governance policy aligned with both Article 10 of the AI Act and the relevant GDPR principles, plus a combined-impact-assessment outline you can use as a starting point.
*Documentation tool, not legal advice. Both regimes have national variation; have qualified counsel review.*