Data Protection | 2026-03-28 | 6 min read | LuxPerfIT Insight

Data protection and AI: navigating the GDPR-AI Act intersection

Most AI systems process personal data at some stage — whether in training, operation, or output generation. This makes the intersection of the GDPR and the EU AI Act one of the most practically important compliance considerations for European organizations.

Two frameworks, not one

The EU AI Act and the GDPR are distinct legal instruments with different objectives, different enforcement mechanisms, and different territorial scopes: the GDPR is enforced by national data protection authorities, the AI Act primarily by national market surveillance authorities (with the Commission's AI Office for general-purpose models). They apply in parallel, not as alternatives. An AI system that complies with the EU AI Act is not automatically compliant with the GDPR, and vice versa.

The GDPR governs the processing of personal data. Any AI system that involves personal data — in its inputs, outputs, training data, or operational logs — triggers GDPR obligations in addition to any AI Act obligations.

Where the frameworks converge

Despite being distinct, the two frameworks converge in important areas:

Data governance. The EU AI Act (Article 10) requires high-risk AI systems to have data governance practices covering training, validation, and testing data, including relevance, sufficient representativeness, and examination for possible biases. This intersects directly with the GDPR principles of data minimisation, purpose limitation, and accuracy. Note the tension in practice: representativeness may argue for collecting more attributes, while minimisation argues for fewer, so the justification for each attribute retained should be documented.

Transparency. Both frameworks require transparency: the GDPR towards data subjects (Articles 13 and 14, including meaningful information about the logic of automated decision-making), the AI Act towards deployers of high-risk systems (Article 13) and towards natural persons interacting with or affected by certain AI systems (Article 50). For AI systems that make or inform decisions about individuals, transparency obligations under both frameworks need to be addressed together rather than in separate notices.

Automated decision-making. Article 22 of the GDPR restricts decisions based solely on automated processing, including profiling, that produce legal effects or similarly significantly affect individuals, and requires safeguards such as the right to obtain human intervention and to contest the decision. The EU AI Act's human oversight requirements for high-risk systems (Article 14) operate alongside, not instead of, Article 22. A human reviewer who merely rubber-stamps the system's output satisfies neither framework; organizations need to assess both and to evidence that oversight is meaningful.

Documentation. The GDPR requires Records of Processing Activities (ROPAs, Article 30); the AI Act requires technical documentation for high-risk systems (Article 11 and Annex IV). These are not the same document, but they share overlapping content, such as purposes, data categories and retention, and should be designed with cross-referencing in mind so that a change to one is reflected in the other.

Data subject rights. GDPR rights (access, rectification, erasure, objection) apply to personal data processed in AI systems just as to any other processing, and the right to erasure is not waived because data has been used to train a model. AI systems therefore need to be designed so that responding to data subject requests is operationally feasible: knowing which training records, prompts, outputs and logs relate to a given individual, and being able to act on them within the statutory deadlines.

Special categories of data

AI systems that process health data, biometric data, genetic data, or other special category data trigger additional GDPR restrictions under Article 9, which requires a specific legal basis beyond Article 6. This is particularly relevant in healthcare AI, HR analytics, and security applications such as biometric identification. The combination of special category processing and high-risk AI classification under the Act creates a heightened compliance burden. Note also that Article 10(5) of the AI Act permits processing of special category data for bias detection and correction only where strictly necessary and subject to safeguards; it does not create a general licence to collect such data.

Practical approach

The most effective approach is to treat GDPR and AI Act compliance as an integrated exercise rather than two separate workstreams. Data protection impact assessments (DPIAs, GDPR Article 35), which will normally be required for high-risk AI processing, should be coordinated with the AI Act's risk management system (Article 9), its technical documentation, and, where a deployer is subject to it, the fundamental rights impact assessment under Article 27. Data governance policies should address both frameworks simultaneously.

Organizations with a Data Protection Officer should ensure the DPO is involved in AI governance planning from the outset.

Tags: GDPR, EU AI Act, data protection, Article 22, compliance

Informational content only. Not legal advice.