Understanding the Interplay Between the EU AI Act and GDPR

Artificial intelligence has rapidly become a defining topic within the legal profession. As a result, the EU AI Act is now at the forefront of many compliance discussions. Yet another major regulatory framework, the General Data Protection Regulation (GDPR), continues to play a crucial role, even several years after it became applicable in 2018. With GDPR compliance now relatively well-established across organizations, the emergence of the AI Act raises an important question: how do these two frameworks interact? While they serve different primary purposes, there is significant overlap, both conceptually and operationally.

Av. Ege ULUKAYA, LL.M.

2/12/2025 · 4 min read

Shared Foundations and Structural Similarities

One of the most notable aspects of the AI Act is how strongly it reflects the regulatory logic of the GDPR. Both frameworks are built on core principles such as transparency, accuracy, and security. In addition, each adopts a risk-based approach, requiring organizations to assess and mitigate potential harms proportionate to the level of risk involved.

In practical terms, the connection between the two regulations is inevitable. AI systems are frequently trained on large datasets, many of which contain personal data. This means that, in most cases, AI-related activities will fall within the scope of GDPR, triggering obligations around lawful processing, data minimization, and appropriate safeguards.

The AI Act reinforces this link explicitly. For instance, providers of high-risk AI systems must issue a declaration of conformity that includes confirmation of GDPR compliance where personal data is involved. Moreover, in several EU Member States, supervisory authorities responsible for data protection may also oversee AI Act enforcement, further aligning the two regimes.

Transparency Requirements: Parallel but Distinct

Transparency plays a central role in both legal frameworks, although the scope differs.

Under the GDPR, organizations must provide individuals with clear and accessible information about how their personal data is processed. This includes details such as the purpose of processing, legal grounds, data recipients, retention periods, and available rights.

The AI Act introduces additional transparency obligations tailored to AI systems. For example, users must be informed when they are interacting with AI, unless this is already obvious. Furthermore, deployers of high-risk AI systems must receive detailed instructions to ensure proper and compliant use.

While both frameworks aim to empower individuals through information, the AI Act extends this principle beyond data processing to the broader impact of AI-driven decision-making.

Risk Management: Different Entry Points, Shared Logic

Although both the GDPR and the AI Act rely on a risk-based approach, they differ in how and when risk is assessed.

The GDPR requires organizations to continuously evaluate risks associated with personal data processing and to implement proportionate technical and organizational safeguards. This allows for a degree of flexibility in balancing risks against legitimate interests.

In contrast, the AI Act introduces a more structured classification system. AI systems are categorized into different risk levels, including prohibited (unacceptable), high-risk, and lower-risk categories. High-risk systems are subject to extensive and predefined compliance requirements, particularly in areas such as risk management, testing, and monitoring.

Additionally, specific obligations apply to general-purpose AI models, especially those that may pose systemic risks.

Accountability and Documentation Obligations

Accountability is a cornerstone of both frameworks, requiring organizations to demonstrate, not merely claim, compliance.

Under the GDPR, this involves maintaining documentation such as records of processing activities and conducting Data Protection Impact Assessments (DPIAs) where necessary. Contractual arrangements between controllers and processors are also a key requirement.

The AI Act builds on this concept by introducing more detailed documentation obligations, particularly for high-risk systems. Organizations must document design decisions, development processes, and system performance in a way that allows regulators to assess compliance.

In addition, contractual arrangements must reflect the specific roles defined under the AI Act, such as provider and deployer, ensuring that responsibilities are clearly allocated across the AI value chain.

Risk Assessments: DPIA and Fundamental Rights Impact Assessment

Both frameworks require structured risk assessments, though with slightly different focuses.

The GDPR mandates DPIAs in situations where data processing is likely to result in high risks to individuals’ rights and freedoms. These assessments evaluate the necessity and proportionality of processing, as well as associated risks.

The AI Act complements this requirement by introducing a Fundamental Rights Impact Assessment (FRIA) for certain high-risk AI systems. Importantly, there is an effort to align these processes. Where a DPIA already addresses relevant risks, it can serve as a foundation for the FRIA, reducing duplication and supporting efficiency.

Processing of Sensitive Data

The treatment of sensitive personal data represents another important intersection.

The GDPR generally prohibits the processing of special categories of personal data unless specific exceptions apply. The AI Act, however, allows limited use of such data in narrowly defined circumstances, such as detecting and correcting bias in high-risk AI systems.

Even in these cases, organizations must still meet the strict conditions set out under the GDPR, meaning that compliance with both frameworks is required simultaneously.

Automated Decision-Making and Human Oversight

Both regulations address the risks associated with automated decision-making, though the AI Act adopts a more prescriptive approach.

The GDPR provides individuals with the right not to be subject to decisions based solely on automated processing where those decisions have significant effects. It also guarantees the right to request human intervention.

The AI Act goes further by requiring high-risk systems to be designed with built-in mechanisms for human oversight. This includes ensuring that qualified personnel can monitor system outputs, intervene where necessary, and even halt system operation if risks arise.

Additionally, the AI Act strengthens transparency by granting individuals, in certain cases, a right to receive explanations regarding decisions influenced by AI systems.

Incident Reporting Obligations

Both frameworks impose obligations to report incidents, though the nature and timelines differ.

Under the GDPR, organizations must report personal data breaches to supervisory authorities within 72 hours, where feasible, and in some cases notify affected individuals.

The AI Act introduces a separate reporting regime for serious incidents involving AI systems. Depending on the severity, reporting deadlines may range from a few days to up to two weeks, with stricter timelines applying in cases involving critical infrastructure or loss of life.

This dual reporting structure requires organizations to carefully coordinate their incident response processes.

Managing Dual Compliance in Practice

While there is clear overlap between the GDPR and the AI Act, compliance with one does not automatically ensure compliance with the other. Instead, organizations should view GDPR processes as a foundation that can be expanded to meet AI Act requirements.

Key practical steps include:

  • Aligning AI Act roles (such as provider and deployer) with GDPR roles (controller and processor)

  • Ensuring transparency information is accurate, accessible, and regularly updated

  • Applying robust safeguards to training data containing personal information

  • Maintaining comprehensive documentation across the AI lifecycle

  • Coordinating DPIAs and fundamental rights assessments to avoid duplication

  • Verifying legal grounds for processing sensitive data under both frameworks

  • Differentiating between human intervention (GDPR) and ongoing human oversight (AI Act)

  • Establishing clear internal timelines for incident reporting under both regimes

  • Identifying relevant supervisory authorities and understanding their respective roles

Conclusion

The relationship between the GDPR and the AI Act reflects a broader evolution in EU regulation: from data protection toward a more holistic governance of digital technologies. While the GDPR focuses on personal data, the AI Act expands the regulatory lens to encompass the broader societal risks of AI systems.

For organizations, the challenge lies not only in complying with both frameworks but in integrating them into a coherent governance strategy. Legal professionals play a critical role in this process, ensuring that compliance efforts are aligned, efficient, and adaptable to future regulatory developments.