AI Governance

EU AI Act vs GDPR: Key Differences and How They Interact

Standarity Editorial Team·AI Governance & Data Protection Practitioners
··9 min read

The core difference in the EU AI Act vs GDPR debate is one of subject matter: the GDPR (Regulation (EU) 2016/679) is a data-protection law that governs how organisations process personal data, while the EU AI Act (Regulation (EU) 2024/1689) is a product-safety-style regulation that governs AI systems by the risk they pose. The GDPR asks whether you may use someone’s personal data and on what terms; the AI Act asks whether an AI system is safe and trustworthy enough to be placed on the EU market or put into service. Neither replaces the other. When an AI system processes personal data — which most do — both apply at the same time, and organisations building or deploying AI in the EU have to satisfy the two regimes together.

We wrote this guide for teams who already have GDPR programmes and now face AI-specific obligations, or who are standing both up at once. Below we set out what each law governs, where they overlap, how the penalties and regulators differ, and a practical way to comply with both without duplicating work. For a deeper walk-through of AI Act obligations on their own, see our eu-ai-act-compliance-guide, and for the data-protection foundation, our how-to-implement-gdpr guide.

What the GDPR governs

The GDPR regulates the processing of personal data — any information relating to an identified or identifiable natural person. Its focus is the individual whose data is being used, not the technology using it. Whether you process data with a spreadsheet or a large language model, the same obligations bite: you need a lawful basis for processing (Article 6), you must respect the data subject rights of access, rectification, erasure, objection and portability, you must apply data-protection-by-design and by default, and higher-risk processing requires a Data Protection Impact Assessment under Article 35. Many organisations must also appoint a Data Protection Officer.

One GDPR provision matters enormously for AI. Article 22 gives individuals the right not to be subject to a decision based solely on automated processing, including profiling, that produces legal or similarly significant effects — subject to limited exceptions, and with safeguards such as the right to human intervention and to contest the outcome. Any AI system that scores loan applicants, screens CVs or triages benefits claims runs straight into Article 22, entirely independently of the AI Act.

What the EU AI Act governs

The EU AI Act regulates AI systems themselves, using a risk-based, product-safety model rather than a data-centric one. It classifies systems into tiers and attaches obligations to each tier, and it places duties on defined economic operators — principally providers (those who develop an AI system or place it on the market) and deployers (those who use it under their own authority). The four risk levels are:

  • Prohibited: practices banned outright, such as untargeted scraping of facial images to build recognition databases and certain social-scoring or manipulative systems.
  • High-risk: systems used in areas like recruitment, credit, education, critical infrastructure and law enforcement, subject to the heaviest obligations — risk management, data governance, technical documentation, logging, human oversight and conformity assessment.
  • Limited-risk: systems with transparency duties, for example telling people they are interacting with a chatbot or labelling AI-generated content and deepfakes.
  • Minimal-risk: the large majority of AI applications, such as spam filters, which carry no specific obligations under the Act.

The Act also sets rules for general-purpose AI models. Its obligations phase in over time rather than landing all at once, so the exact duties that apply depend on your role and the calendar. If you are building an internal AI capability, our what-is-an-ai-management-system article explains how a management system helps you operationalise these duties across products.

EU AI Act vs GDPR: the key differences

The two laws share the EU’s protective, rights-focused DNA, but they are structured very differently. The clearest contrasts:

  • Object of regulation: the GDPR regulates personal data processing; the AI Act regulates AI systems as products, whether or not they touch personal data.
  • Trigger: the GDPR applies whenever personal data is processed; the AI Act applies based on an AI system’s risk classification and your role as provider or deployer.
  • Structure: the GDPR is principles-and-rights based; the AI Act is risk-tiered and product-safety based, with conformity assessment and market surveillance.
  • Who is regulated: GDPR duties fall on controllers and processors; AI Act duties fall on providers, deployers, importers and distributors.
  • Core instrument: the GDPR relies on lawful basis and the DPIA; the AI Act relies on risk classification, technical documentation and, for some deployers, a fundamental-rights impact assessment.
  • Penalties: the two regimes have separate, and different, maximum fines (see below).

Where the EU AI Act and GDPR overlap

The overlap appears the moment an AI system processes personal data, which is the norm for recruitment, credit-scoring, biometric and profiling systems. Here the two laws stack, and two areas cause the most confusion.

The first is the assessment question: DPIA vs FRIA. Under GDPR Article 35 you carry out a Data Protection Impact Assessment when processing is likely to result in a high risk to individuals’ rights and freedoms; it focuses on data-protection risk. The AI Act adds a separate instrument in Article 27 — the Fundamental Rights Impact Assessment (FRIA) — which certain deployers of high-risk systems, notably public bodies and private entities providing public services, must perform before first use. The FRIA is broader than the DPIA: it looks at the processes the system is used in, the categories of people affected, the specific risks of harm, human-oversight measures and governance and complaint arrangements, and its results are notified to the market surveillance authority. The two assessments are complementary, and the Act allows a FRIA to build on an existing DPIA rather than repeat it, so a well-run DPIA is the natural foundation. Our iso-42005-ai-impact-assessment guide shows how a single structured impact-assessment method can serve both.

Both instruments are legally distinct. A DPIA under GDPR Article 35 does not discharge the FRIA obligation under AI Act Article 27, and vice versa — but Article 27 expressly lets deployers reuse relevant work already done for a DPIA, so the smart move is one integrated assessment that produces the evidence each regulator expects (Regulation (EU) 2024/1689, Article 27; Regulation (EU) 2016/679, Article 35).

The second overlap is automated decision-making. GDPR Article 22 governs the individual’s right regarding solely-automated decisions with significant effects, while the AI Act classifies many of the same systems — credit, hiring, benefits — as high-risk and imposes human-oversight, transparency and documentation duties on them. In practice a single system can be a high-risk AI system under the Act and a source of Article 22 rights under the GDPR simultaneously, so your human-in-the-loop design has to satisfy both at once.

Penalties and regulators

The two laws are enforced by different authorities under different penalty ceilings. The GDPR is enforced by national data protection authorities (supervisory authorities), coordinated through the European Data Protection Board, with fines of up to €20 million or 4% of total worldwide annual turnover, whichever is higher, for the most serious infringements (and up to €10 million or 2% for lesser ones). The AI Act is enforced by national market surveillance authorities, supported at EU level by the European AI Office and the AI Board. Its penalties are steeper at the top: up to €35 million or 7% of worldwide annual turnover for prohibited practices, up to €15 million or 3% for breaches of most other obligations, and up to €7.5 million or 1% for supplying incorrect information to authorities (with lower, capped amounts for SMEs and start-ups).

The regimes are cumulative, not alternative. A single non-compliant AI deployment that mishandles personal data could face action from a data protection authority under the GDPR and from a market surveillance authority under the AI Act — two investigations, two penalty regimes, potentially two fines (Regulation (EU) 2024/1689, Article 99; Regulation (EU) 2016/679, Article 83).

How to comply with both

Because the laws overlap rather than conflict, the efficient path is one governance workflow that produces evidence for both regulators. A practical sequence:

  • Inventory your AI systems and the personal data they process, capturing your role — controller or processor under GDPR, provider or deployer under the AI Act — for each one.
  • Classify each system’s AI Act risk tier and confirm its GDPR lawful basis; a system can be minimal-risk under the Act yet still need a solid lawful basis.
  • Run one integrated impact assessment that satisfies both DPIA (Article 35) and, where required, FRIA (Article 27), reusing shared analysis instead of duplicating it.
  • Design human oversight and contestability so the same controls answer GDPR Article 22 and the AI Act’s high-risk oversight duties.
  • Meet transparency duties on both sides: GDPR privacy information for data subjects, plus AI Act disclosure that people are dealing with, or seeing content from, an AI system.
  • Keep records — technical documentation, logs, assessments and decisions — that market surveillance authorities and data protection authorities can both inspect.
  • Govern it continuously with a management system so classifications, assessments and controls stay current as models and uses change.

The organisations that handle this best stop treating AI and privacy as separate compliance silos and run them as one accountable programme. A recognised management-system standard is the connective tissue: ISO/IEC 42001 for AI management sits naturally alongside your existing GDPR controls, giving you a single audit trail across both laws. Get the inventory, classification and integrated assessment right, and the EU AI Act vs GDPR question stops being a source of duplicated effort and becomes one coherent workflow.

Frequently Asked Questions

Is the EU AI Act the same as the GDPR?

No. The GDPR (Regulation (EU) 2016/679) is a data-protection law governing how personal data is processed, while the EU AI Act (Regulation (EU) 2024/1689) is a product-safety-style law governing AI systems by risk tier. They are separate regulations that apply together whenever an AI system processes personal data.

Does the EU AI Act replace the GDPR?

No. The AI Act does not replace or override the GDPR. The two operate in parallel: the GDPR continues to govern personal data processing, and the AI Act adds obligations on AI systems on top. An AI project that uses personal data must comply with both at the same time.

What is the difference between a DPIA and a FRIA?

A DPIA (GDPR Article 35) assesses risks to individuals from high-risk personal-data processing. A FRIA (AI Act Article 27) is a broader fundamental-rights impact assessment that certain deployers of high-risk AI systems must perform before first use, covering affected groups, specific harms, human oversight and governance. Article 27 lets a FRIA build on an existing DPIA, but neither discharges the other.

How does GDPR Article 22 relate to the AI Act?

GDPR Article 22 gives individuals rights against solely-automated decisions with significant effects, including safeguards like human intervention. The AI Act separately classifies many such systems — credit, hiring, benefits — as high-risk and imposes oversight, transparency and documentation duties. A single system can trigger both, so its human-in-the-loop design must satisfy Article 22 and the AI Act together.

What are the penalties under the EU AI Act versus the GDPR?

The GDPR allows fines up to €20 million or 4% of worldwide annual turnover, whichever is higher. The AI Act goes higher for the worst breaches: up to €35 million or 7% of turnover for prohibited practices, up to €15 million or 3% for most other obligations, and up to €7.5 million or 1% for incorrect information. The two regimes are cumulative and enforced by different authorities.

Who enforces the EU AI Act and the GDPR?

The GDPR is enforced by national data protection (supervisory) authorities, coordinated by the European Data Protection Board. The AI Act is enforced by national market surveillance authorities, supported at EU level by the European AI Office and the AI Board. A single non-compliant AI deployment can therefore face action from both.

Explore Courses on Udemy

Intermediate

Implement GenAI Governance Step by Step

Intermediate

ISO/IEC 42001: Artificial Intelligence Management System

Intermediate

Implement GDPR Step by Step with Templates