EU AI Act vs GDPR: Key Differences, Overlaps & Compliance
The EU AI Act (Regulation (EU) 2024/1689) and the GDPR (Regulation (EU) 2016/679) are often mentioned in the same breath, and it is easy to assume one replaces or absorbs the other. It does not. They regulate different things — the GDPR governs the processing of personal data, while the AI Act governs AI systems by their level of risk, whether or not personal data is involved.
Most organisations deploying AI will have to comply with both at once. This guide sets out how the two regimes differ, where they overlap, and what that means in practice.
Two regimes, two objects of regulation
The cleanest way to keep them apart is to ask what each law regulates:
- The GDPR regulates the processing of personal data — collection, storage, use and sharing of information about identifiable individuals. It is a data-protection and privacy law.
- The EU AI Act regulates AI systems according to a risk-based framework: prohibited practices (Article 5), high-risk systems (Annex III), limited-risk systems with transparency duties (Article 50), and minimal-risk systems.
An AI system that processes no personal data at all — say, a model predicting machine failure from sensor data — still falls under the AI Act but largely outside the GDPR. Conversely, a simple spreadsheet of customer records engages the GDPR but not the AI Act.
Side-by-side comparison
| Dimension | GDPR | EU AI Act |
|---|---|---|
| Regulation | (EU) 2016/679 | (EU) 2024/1689 |
| Governs | Processing of personal data | AI systems, by risk category |
| Trigger | Personal data is involved | An AI system is placed on the market or used |
| Structure | Principles + lawful bases + rights | Risk tiers with tailored obligations |
| Maximum fine | €20M or 4% of worldwide turnover | Up to €35M or 7% for Article 5 breaches |
| Extraterritorial | Yes | Yes |
Note the fine ceilings differ: see our EU AI Act penalties guide for the full tier breakdown.
Where they overlap
The two regimes intersect wherever an AI system processes personal data — which is common. The main touch-points:
- Automated decision-making. GDPR Article 22 gives individuals rights around solely automated decisions with legal or similarly significant effects. Many such decisions are made by AI systems the Act classifies as high-risk, so both regimes apply to the same use case.
- Transparency. The GDPR requires informing data subjects about processing; the AI Act (Article 50) requires informing people when they interact with AI, when content is AI-generated, or when systems like emotion recognition are used.
- Risk and impact assessments. The GDPR's Data Protection Impact Assessment (DPIA) and the AI Act's risk management — plus the fundamental-rights impact assessment required of certain high-risk deployers — cover related but distinct ground.
- Lawful basis and data governance. High-risk AI training data obligations under the Act sit alongside the GDPR's requirements for a lawful basis and data minimisation.
DPIA vs AI Act risk assessment
These are easy to conflate but serve different purposes:
- A DPIA (GDPR) assesses risks to the rights and freedoms of data subjects arising from a specific processing operation. It is triggered by high-risk processing of personal data.
- The AI Act's risk management system is an ongoing, lifecycle obligation for high-risk AI systems, focused on the safety and performance of the system itself.
- Certain deployers of high-risk systems must also carry out a fundamental-rights impact assessment (FRIA) before deployment.
Where both apply, the assessments can be aligned and evidence reused — but one does not satisfy the other. You cannot file a DPIA and consider your AI Act risk-management duty discharged.
Why many organisations must comply with both
Because most business AI touches personal data, the two regimes stack rather than substitute. A hiring tool that screens CVs, for example:
- Processes personal data → GDPR applies (lawful basis, transparency, Article 22 safeguards, likely a DPIA).
- Is an AI system used for recruitment → AI Act classifies it as high-risk (Annex III), triggering risk management, documentation, human oversight and more.
Missing either exposes the organisation to separate penalty regimes. The two sets of fines are independent — a single system could, in principle, attract enforcement under both laws for different failings.
Practical implications for compliance teams
Treating the two regimes as one joined-up programme is far more efficient than running them in silos:
- Map once, use twice. An inventory of AI systems and the personal data they process feeds both your GDPR records and your AI Act risk classification.
- Align assessments. Design your DPIA and AI Act risk/FRIA processes to share inputs and evidence.
- Coordinate governance. Your DPO and AI governance owner should work from the same system inventory and risk register.
- Mind the deadlines. The AI Act phases in separately from the GDPR — prohibited practices and AI literacy applied from 2 February 2025, with high-risk obligations following on 2 December 2027.
Start by classifying your systems with our complete guide, then run the free risk checker to see which regimes each system engages.
Frequently asked questions
Does the EU AI Act replace the GDPR?
No. They are complementary and apply in parallel. The GDPR governs the processing of personal data; the AI Act governs AI systems by their risk level. An AI system that handles personal data can trigger both regimes at once.
Can an organisation be fined under both the AI Act and the GDPR?
Yes. The two penalty regimes are independent. A single AI system could attract enforcement under the GDPR (for a data-protection failing) and under the AI Act (for a separate breach) at the same time.
Is a GDPR DPIA the same as an AI Act risk assessment?
No. A DPIA assesses risks to individuals from processing personal data, while the AI Act's risk management addresses the AI system's safety and performance across its lifecycle. Some high-risk deployers must also run a fundamental-rights impact assessment. The assessments can be aligned but not substituted.
Does the AI Act apply if no personal data is involved?
Yes. The AI Act regulates AI systems by risk regardless of whether personal data is processed, so a system using only non-personal data can still fall within scope — while sitting largely outside the GDPR.
Free, no sign-up. Deterministic — not a chatbot.