Two laws, two jobs. GDPR governs how you handle personal data. The EU AI Act governs how you build and deploy AI systems by risk level. If you run AI on personal data, both apply, and they do not cancel each other out.
Key takeaways
- GDPR governs personal data: lawful basis, data subject rights, security, and transfers.
- The EU AI Act governs AI systems by risk tier, whether or not personal data is involved.
- The two overlap on DPIAs and AI risk assessments, transparency duties, and automated decision-making.
- Many companies that run AI on personal data must comply with both, and should run them as a single program.
What each law covers
GDPR is about personal data: lawful basis, data subject rights, security, transfers, and accountability. It applies whenever you process the personal data of people in the EU.
The EU AI Act is about AI systems: it sorts them into prohibited, high-risk, limited-risk, and minimal-risk tiers, and attaches duties to each tier. It applies to providers and deployers of AI in the EU market, whether or not personal data is involved.
Where they overlap
- A DPIA under GDPR Article 35 and a risk assessment under the AI Act often cover the same system. You can build them to reuse evidence.
- Transparency duties exist in both: GDPR notice obligations and AI Act Article 50 disclosure for synthetic and interactive systems.
- Automated decision-making sits in both: GDPR Article 22 and the AI Act’s high-risk rules for systems that make significant decisions.
Where they differ
- GDPR is triggered by personal data. The AI Act is triggered by the AI system and its risk tier, even with no personal data.
- GDPR rights belong to individuals. AI Act duties sit with providers and deployers.
- The roles differ. A Data Protection Officer is a GDPR role. AI governance is a separate function; the same person or firm can hold both, but they are not the same job.
Key dates for the AI Act
- 1 August 2024: the Regulation entered into force.
- 2 August 2025: General Purpose AI model obligations apply.
- 2 August 2026: transparency duties and other provisions apply. Synthetic content labeling has a grace period to 2 December 2026, and a new prohibition on AI-generated non-consensual intimate imagery and CSAM takes effect on 2 December 2026.
- 2 December 2027: high-risk obligations for standalone Annex III systems apply.
- 2 August 2028: high-risk obligations for AI embedded in regulated products (Annex I) apply.
The high-risk deferrals come from the Digital Omnibus on AI, agreed in May 2026, and take legal effect on formal publication, expected before 2 August 2026.
GDPR and the EU AI Act side by side
| Aspect | GDPR | EU AI Act |
|---|---|---|
| What it governs | Personal data | AI systems by risk |
| Trigger | Processing personal data of people in the EU | Placing or using an AI system on the EU market |
| Who holds the duty | Controllers and processors | Providers and deployers |
| Core document | Records and DPIA | Technical documentation and risk assessment |
| Lead role | Data Protection Officer | AI governance function |
| Transparency | Privacy notices | Article 50 content disclosure |
How to run both together
Treat them as one program, not two. Inventory your AI systems and your personal-data processing in the same exercise. Reuse assessment evidence across the DPIA and the AI risk assessment. Decide early who owns the AI governance function and how it reports alongside the DPO.
For a deeper treatment of where the two overlap and differ, see GDPR and the EU AI Act.
Engage Compliance scopes both obligations together and runs them as a single program.