AI Act vs GDPR: Differences, Overlap Areas and Implications for Your Organisation

24 February 2026

In brief

  • Distinct objects: GDPR regulates what is done with personal data; the AI Act regulates what AI systems do — the same system can fall under both simultaneously
  • Different scopes: GDPR is triggered whenever personal data is processed; the AI Act applies whenever an AI system is placed on the EU market or used within it, regardless of whether personal data is involved
  • 3 major overlap areas: biometrics, automated decision-making and profiling trigger both regulations simultaneously, with cumulative requirements
  • Non-overlapping roles: data controller (GDPR) and provider/deployer (AI Act) are independent categories — the same organisation may hold multiple roles at once
  • Cumulative penalties: a non-compliant AI system can be fined under GDPR (up to 4% of global turnover) and the AI Act (up to 7% of global turnover) independently
  • DPIA and AI Act assessment: two distinct processes, but real synergies to leverage in order to reduce the documentation burden

Since the GDPR entered into force in May 2018, European organisations have structured their practices around the protection of personal data. With the AI Act (EU Regulation 2024/1689), a new regulatory framework is being phased in from 2025 to 2026. But it does not replace the GDPR — it layers on top of it. Understanding where one ends, where the other begins and, above all, where they converge is now a baseline competency for any organisation that develops, deploys or uses artificial intelligence systems in Europe.

Two regulations, two fundamentally different objects

Confusion between the GDPR and the AI Act is understandable: both texts originate from European institutions, both adopt a logic of protecting individuals, and both impose significant obligations on organisations. But their regulatory objects are distinct.

The GDPR governs the processing of personal data. It is triggered whenever information that can identify a natural person is collected, stored, processed or transmitted — whether or not artificial intelligence is involved in the chain. A paper form, a CRM database or an Excel file containing names and email addresses falls under the GDPR.

The AI Act governs artificial intelligence systems themselves — their design, market placement, deployment and use within the European Union. It applies to any AI system present on the European market, regardless of whether it processes personal data. A predictive maintenance algorithm analysing anonymised sensor data, or a machine vision quality control system, remains fully subject to the AI Act if it falls within a high-risk category — even if the GDPR has no reason to apply.

The formula is simple: GDPR regulates what is done with data; the AI Act regulates what AI systems do. Both can apply simultaneously — and often do — but neither replaces the other.

The main structural differences

Personal and territorial scope

The GDPR applies to any organisation — public or private, established in the EU or not — that processes personal data of EU residents (extraterritoriality principle, Article 3). The AI Act applies to any organisation that places an AI system on the EU market or uses it within the EU, regardless of its location. A US company selling an AI software product in Europe will be subject to the AI Act. If that same software processes personal data of EU residents, it will also be subject to the GDPR — on a cumulative basis.

Roles and responsibilities

The GDPR distinguishes the data controller (who determines the purposes and means of processing) from the data processor (who processes on behalf of the controller). The AI Act distinguishes the provider (who develops and places the AI system on the market) from the deployer (who uses it in a professional context).

These categories do not automatically overlap. A deployer under the AI Act may be a data controller under the GDPR, or merely a data processor — depending on the data flows and decisions about purposes. The same organisation may also hold multiple roles: a company that develops an AI system and uses it internally is simultaneously a provider and deployer under the AI Act, and likely a data controller under the GDPR.

Nature of obligations

GDPR obligations are data-centric: lawfulness of processing (Article 6), minimisation, purpose limitation, data subject rights (access, rectification, erasure, portability), DPO appointment where required, 72-hour breach notification. AI Act obligations are system-centric: risk classification, risk management (Article 9), technical documentation (Annex IV), transparency (Article 50), human oversight (Article 14), robustness and cybersecurity (Article 15), CE marking and EU database registration for high-risk systems.

Supervisory authorities

GDPR compliance is supervised by national data protection authorities — in France, the CNIL; in Germany, federal and Länder authorities; in Spain, the AEPD. AI Act compliance will fall under AI supervisory authorities to be designated by each Member State, separate from data protection authorities. These two authorities can act independently, on different legal bases, and may open simultaneous proceedings.

Penalty regime

The GDPR provides for fines of up to €20 million or 4% of global annual turnover for the most serious violations. The AI Act provides for up to €35 million or 7% of global turnover for prohibited practices, €15 million or 3% for non-compliant high-risk systems, and €7.5 million or 1% for incorrect information. These penalties are cumulative: a single non-compliant AI system can be sanctioned under both regulations independently.

Overlap areas: when both apply simultaneously

While the regulatory objects of the two frameworks are distinct, many AI systems process personal data — and therefore fall under both texts at the same time. Here are the main overlap areas to be aware of.

Biometric recognition

A facial recognition system processes biometric data, which constitutes sensitive data under the GDPR (Article 9), the processing of which is in principle prohibited except under specific exceptions. That same system is a high-risk AI system under the AI Act (Annex III, point 1 — biometric identification). Both regulations apply cumulatively, with their own respective requirements: a specific legal basis and mandatory DPIA on the GDPR side; complete technical documentation, CE marking and human oversight on the AI Act side. The AI Act also prohibits real-time remote biometric identification in publicly accessible spaces for law enforcement purposes, with limited exceptions (Article 5).

Automated decision-making

Article 22 of the GDPR governs decisions based solely on automated processing that produce significant effects on individuals — credit refusals, candidate selection, insurance pricing. It grants data subjects the right to human intervention, the right to an explanation and the right to contest the decision. Article 14 of the AI Act reinforces these requirements for high-risk systems by mandating systematic human oversight enabling understanding, monitoring and, if necessary, neutralisation of the system. Both frameworks must be satisfied jointly — which requires designing systems that genuinely allow human intervention, not merely on paper.

Profiling and personalisation

AI systems used for behavioural profiling, content personalisation or individual scoring trigger both GDPR profiling rules (Articles 4 and 22) and, depending on their potential impact on individuals, AI Act obligations regarding transparency (Article 50 — disclosure of automated interactions) or risk management. Creditworthiness assessment systems and systems for evaluating natural persons are explicitly listed in Annex III as high-risk AI systems.

Impact assessments: a natural bridge between the two frameworks

The GDPR requires a Data Protection Impact Assessment (DPIA) for processing likely to result in a high risk to the rights and freedoms of individuals (Article 35). The AI Act requires a conformity assessment for high-risk systems — including technical documentation (Annex IV), a risk management system (Article 9) and, for public sector deployers, a fundamental rights impact assessment (Article 27).

These processes are distinct in form and purpose, but address related issues. Conducting them in a coordinated manner — with the same stakeholders, on the same timeline — allows organisations to identify synergies, pool documentation and avoid contradictions between the two assessments. Some organisations are beginning to develop cross-compliance GDPR/AI Act templates for this purpose.

Controller-processor contracts in AI contexts

When an organisation uses an AI provider that processes personal data on its behalf, the GDPR requires the conclusion of a data processing agreement (Article 28) defining the processor's obligations. The AI Act in turn imposes obligations on the deployer regarding system control. These two contractual dimensions must be coherent — an AI provider cannot commit to human oversight in its AI Act contract while disclaiming responsibility for data processing in its GDPR data processing agreement.

Developing or deploying an AI system and want to identify your cross-cutting AI Act / GDPR obligations? The free AiActo diagnostic assesses your risk level and compliance priorities in under 3 minutes.

Complementarity to organise, not to endure

Far from being redundant, the AI Act and GDPR fit together coherently within the European regulatory architecture. The GDPR laid the foundations for a data protection culture in Europe. The AI Act extends that logic to AI systems themselves, adding layers of requirements specific to their nature — robustness, explainability, human oversight, risk classification — that the GDPR did not and was not designed to cover.

For organisations subject to both texts, three structuring principles enable an efficient approach to dual compliance.

  1. Map data processing and AI systems jointly — For each AI system, determine whether it processes personal data, under what role (controller, processor), and what AI Act classification applies. This cross-mapping is the starting point for any coherent compliance strategy
  2. Coordinate impact assessments — When a DPIA is required by GDPR and a conformity assessment by the AI Act, running both processes in parallel with the same stakeholders makes it possible to identify overlaps, pool documentation and obtain consistent evaluations
  3. Align governance — The DPO (Data Protection Officer, if required) and the AI compliance officer cannot operate in silos. AI system design decisions have simultaneous GDPR and AI Act implications — governance must reflect this reality

Tools like the AiActo documentation module help structure this approach by integrating the requirements of both regulations into a unified compliance logic.

Frequently asked questions

If I am already GDPR-compliant, am I automatically compliant with the AI Act?

No. GDPR compliance does not cover AI Act-specific obligations: risk classification, technical documentation (Annex IV), risk management (Article 9), CE marking, human oversight (Article 14), robustness (Article 15). The two compliance frameworks are independent. Some processes can be pooled — particularly impact assessments — but there is no shortcut: both texts must be addressed separately.

Does the AI Act only apply if my AI system processes personal data?

No. The AI Act applies to any AI system placed on the EU market or used within it, whether or not it processes personal data. A machine vision quality control system that identifies no individuals remains subject to the AI Act if it falls within a high-risk category. Processing of personal data triggers the GDPR — not the AI Act.

Which authorities can fine me, and for what?

The national data protection authority (such as the ICO in the UK, CNIL in France, or AEPD in Spain) can sanction GDPR violations — up to €20 million or 4% of global annual turnover. The AI supervisory authority can sanction AI Act violations — up to €35 million or 7% of turnover for prohibited practices, up to €15 million or 3% for non-compliant high-risk systems. These penalties are independent and can apply simultaneously to the same system.

Does a GDPR DPIA replace the AI Act conformity assessment?

No. These are two distinct processes with different purposes and content. A DPIA (Article 35 GDPR) evaluates the risks to the rights and freedoms of individuals from data processing. The AI Act conformity assessment covers design, technical documentation and robustness of the AI system. They can, however, be conducted in a coordinated manner to identify synergies and pool parts of the documentation.

Should my DPO be involved in AI Act compliance?

There is no legal obligation to this effect in the AI Act, which does not provide for a DPO-equivalent role. However, whenever an AI system processes personal data, the DPO has a legitimate role to play on the GDPR implications — and the need for consistency between the two compliance frameworks justifies close coordination. Some organisations are beginning to create "AI Compliance Officer" roles that work alongside the DPO.

How should I handle cross-cutting contractual obligations with an AI provider?

Contracts with an AI provider processing personal data must simultaneously meet the requirements of Article 28 GDPR (data processing agreement) and the AI Act provisions applicable to deployers. In particular, verify the coherence between human oversight obligations stipulated under the AI Act and the liability clauses in the GDPR DPA — contradictions between the two documents create areas of legal risk.

The AI Act and GDPR form a coherent European regulatory framework, joint mastery of which is now unavoidable for any organisation that develops or uses AI. Understanding where one ends and the other begins — and above all where they converge — is the starting point for a genuinely effective compliance strategy. The complete AI Act timeline on AiActo helps you plan your priorities around the regulation's key dates.
