Side-by-side comparison
The table below covers the most important structural differences between GDPR and the EU AI Act. Read it first, then see the overlap analysis below.
| Dimension | GDPR | EU AI Act |
|---|---|---|
| Regulates | Personal data processing | AI systems and GPAI models |
| Who's regulated | Any data controller or processor handling EU residents' data | Providers, deployers, importers, and distributors of AI that reaches EU persons |
| Key obligation | Lawful basis for processing + data subject rights (access, erasure, portability, objection) | Risk classification + conformity assessments + transparency obligations + technical documentation |
| Fines | Up to €20M or 4% of global annual turnover, whichever is higher | Up to €35M or 7% (prohibited AI); €15M or 3% (other violations); €7.5M or 1.5% (false information) |
| Enforced by | National Data Protection Authorities (CNIL in France, ICO in UK, BfDI in Germany, etc.) | EU AI Office (for GPAI) + National Market Surveillance Authorities (for AI systems) |
| Applies outside EU | Yes, if processing personal data of EU residents | Yes, if AI system is placed on EU market or output affects EU persons |
| Effective date | May 25, 2018 | Aug 2, 2026 for general obligations (prohibited practices from Feb 2, 2025; GPAI from Aug 2, 2025) |
| Risk tiers | None — GDPR applies uniformly to all personal data processing | Four tiers: prohibited, high-risk (Annex III), limited-risk (Art. 50 transparency), minimal-risk |
Where GDPR and EU AI Act overlap
Both laws were designed with AI in mind, and several areas require attention under both simultaneously:
- Automated decision-making: GDPR Article 22 gives data subjects the right not to be subject to decisions based solely on automated processing that produce legal or significant effects. The EU AI Act's Annex III high-risk category for employment decisions and access to essential services covers substantially the same ground but adds technical documentation and conformity assessment obligations on top of GDPR's data subject rights.
- Biometric data: GDPR classifies biometric data as "special category" personal data requiring explicit consent or another Article 9 condition. The EU AI Act prohibits real-time remote biometric identification in public spaces (with narrow exceptions) and treats biometric categorization systems as high-risk. Both laws apply simultaneously to systems that process biometric data.
- Profiling: GDPR Article 4(4) defines profiling as automated processing of personal data to evaluate personal aspects (behavior, preferences, location, health, economic situation). The EU AI Act's Annex III covers AI systems used to evaluate creditworthiness, make employment decisions, and allocate essential services, which typically involves profiling. Addressing one law's profiling requirements without the other's leaves gaps.
- Data minimization in AI training: GDPR's data minimization principle limits the personal data you can use to what's necessary for a specified purpose. The EU AI Act requires documentation of training data provenance for GPAI models and high-risk systems. The two requirements push in the same direction but require separate documentation.
- Impact assessments: GDPR requires Data Protection Impact Assessments (DPIAs) for high-risk processing activities. The EU AI Act requires Fundamental Rights Impact Assessments (FRIAs) for deployers of certain high-risk AI systems in the public sector and some private operators. For many AI deployments, you'll need both.
Where they differ
Understanding the structural differences prevents the most common compliance mistakes:
- Subject matter: GDPR is about data, specifically personal data and how it's processed. The EU AI Act is about AI systems and their outputs, regardless of whether they process personal data. A purely synthetic-data AI model with no personal data may have no GDPR obligations but still face EU AI Act obligations if it interacts with EU persons or makes consequential decisions about them.
- Accountability split: GDPR accountability sits with the data controller, the entity that determines the purposes and means of processing. The EU AI Act splits obligations between providers (who develop the AI system) and deployers (who use it in a specific context). A company that fine-tunes a third-party model and deploys it for customer decisions is both a provider and a deployer under the Act. Under GDPR, it's simply the data controller.
- Fine structure: GDPR has two fine tiers (4% and 2%). The EU AI Act has three (7%, 3%, and 1.5%), with higher maximums for the most serious violations. The 7% maximum for prohibited AI exceeds GDPR's highest tier.
- Risk classification: GDPR treats most personal data processing under a single framework with additional rules for special category data. The EU AI Act has four distinct tiers where the compliance burden varies dramatically: prohibited systems must cease immediately, high-risk systems need full conformity assessments, limited-risk systems need transparency disclosures, and minimal-risk systems have no mandatory obligations.
Practical implications: running compliance for both
If you're subject to both laws (which most AI companies in or serving the EU are), you'll need to build programs that address them together, not as separate silos:
- AI system registry: Build one registry that feeds both your EU AI Act inventory (risk classification, technical documentation) and your GDPR DPIA process (processing activities, lawful basis, data subject rights). Two separate spreadsheets lead to gaps and contradictions.
- Combined impact assessments: Update your DPIA template to incorporate EU AI Act fundamental rights impact assessment elements. For high-risk AI deployments that process personal data, you'll need to satisfy both processes.
- Training data governance: The EU AI Act requires documentation of training data provenance for GPAI models and high-risk systems. GDPR requires lawful basis for any personal data used in training. Your data governance framework needs to track both: what data was used, under what lawful basis, and what opt-outs you honor.
- Transparency stacking: GDPR requires a privacy notice explaining what data you process and why. The EU AI Act requires transparency disclosures for AI interactions (chatbots, voice agents, generated content). These are separate obligations with separate delivery mechanisms. Your chatbot needs both the AI Act disclosure before the conversation and the GDPR privacy notice available on request.
Common mistakes when handling both laws together
- Treating them as the same law. GDPR and the EU AI Act have different scopes, different accountability structures, different enforcement authorities, and different fine regimes. A privacy lawyer who knows GDPR inside out is not automatically qualified to advise on EU AI Act compliance, and vice versa.
- Assuming GDPR consent covers AI Act transparency. Getting consent to process personal data under GDPR doesn't satisfy Article 50 of the EU AI Act. The AI Act's transparency obligation is about informing users they're interacting with AI, before the interaction starts, regardless of whether personal data is involved.
- Ignoring the EU AI Act because you're already GDPR-compliant. GDPR compliance gives you a head start on documentation, impact assessments, and data governance practices. It doesn't cover risk classification, conformity assessments, technical documentation under Annex XI, or GPAI provider obligations. You need both.