AI Sigil Logo
Contact Us
Back to all insights
A magnifying glass

Sections

AI Act and GDPR: Examining the Tensions and Synergies

EU’s AI Act versus GDPR: Overlaps and Contradictions

The AI Act and the GDPR (General Data Protection Regulation) are two significant regulatory frameworks established by the European Union, each addressing critical aspects of technology and data privacy. This study explores the overlaps and contradictions between these two regulations, particularly in the context of artificial intelligence and personal data.

Introduction

As the landscape of artificial intelligence evolves, the need for robust regulations becomes increasingly apparent. The AI Act aims to ensure that AI systems are safe and trustworthy, while the GDPR focuses on protecting individuals’ personal data. The question arises: do these regulations complement each other, or do they present inherent contradictions?

Scope of the Regulations

The AI Act is comprehensive, applying to any actor using AI systems within the jurisdiction of EU law, regardless of their country of residence. Similar to the GDPR, the AI Act is a regulation, meaning that EU member states must implement it with minimal modifications. It also has relevance for the European Economic Area (EEA), necessitating its incorporation into national legislation, just as the GDPR has been.

Overlapping Principles

Both the AI Act and GDPR aim to secure the fundamental rights and freedoms of individuals as outlined in the Charter of Fundamental Rights of The European Union. They address personal data processing, with the GDPR focusing on protecting individuals’ privacy and the AI Act targeting the potential harmful effects of AI systems.

However, overlaps arise when AI systems process personal data, necessitating compliance with both regulations. This intersection highlights the importance of understanding user needs and the implications of AI systems on data subjects.

Roles and Responsibilities

In the GDPR, the central entity is the data subject, and entities that control or process personal data are classified as controllers and processors, respectively. The AI Act, on the other hand, categorizes involved parties as providers and deployers of AI systems. This distinction leads to potential overlaps, especially when AI systems process personal data, requiring compliance with both regulations.

Documentation and Assessment Requirements

Under the GDPR, a Data Protection Impact Assessment (DPIA) is mandatory when processing personal data that poses risks to individuals’ rights. In the AI Act, a Fundamental Rights Impact Assessment (FRIA) is required for high-risk AI systems. In many cases, the DPIA and FRIA may be similar, with the AI Act allowing for the FRIA to complement the DPIA.

Transparency Obligations

Transparency is a key issue in both regulations. The GDPR mandates that data subjects be informed about the purpose of data processing and their rights regarding access and rectification. The AI Act expands these obligations, requiring providers and deployers of AI systems to offer clear information about the AI systems’ design and use. This includes details on the system’s capabilities, limitations, and potential risks.

Challenges with Personal Data Processing

The GDPR always applies when personal data is processed. If an AI model is trained using personal data, a legal basis for processing is required. However, the practice of web scraping—a common method for gathering training data for AI systems—often involves collecting personal data without proper consent. This raises significant compliance issues under the GDPR.

Principles at Risk

The principles of purpose limitation and data minimization outlined in the GDPR come under scrutiny when applied to AI systems. Scraping personal data without a specified purpose challenges these principles. Additionally, the right to be forgotten becomes problematic, as it is difficult for individuals to ensure their data is removed from AI systems once it has been scraped.

Conclusion

The AI Act and GDPR are both crucial in regulating AI technologies and protecting personal data. However, the inherent contradictions and overlaps between the two regulations necessitate careful consideration and compliance strategies from organizations operating within the EU/EEA. As AI technology continues to advance, ongoing dialogue and regulatory adaptations will be essential to ensure that both innovation and individual rights are adequately protected.

More Insights

A safety helmet worn by drone operators

Revolutionizing Drone Regulations: The EU AI Act Explained

December 17, 2025 AI,AI Regulation,Drone Technology,Regulatory Framework
The EU AI Act represents a significant regulatory framework that aims to address the challenges posed by artificial intelligence technologies in various sectors, including the burgeoning field of...
Read More
A safety helmet worn by drone operators

Revolutionizing Drone Regulations: The EU AI Act Explained

December 1, 2025 AI,AI Regulation,Drone Technology,Regulatory Framework
The EU AI Act represents a significant regulatory framework that aims to address the challenges posed by artificial intelligence technologies in various sectors, including the burgeoning field of...
Read More
A light bulb to convey innovation and the bright potential of responsible AI solutions.

Embracing Responsible AI to Mitigate Legal Risks

November 29, 2025 AI,AI Ethics,AI Governance,AI Regulation
Businesses must prioritize responsible AI as a frontline defense against legal, financial, and reputational risks, particularly in understanding data lineage. Ignoring these responsibilities could...
Read More
A traffic light to illustrate the need for clear guidelines and regulations in managing AI technologies.

AI Governance: Addressing the Shadow IT Challenge

November 29, 2025 AI,AI Governance,AI Regulation Awareness,Regulatory Compliance
AI tools are rapidly transforming workplace operations, but much of their adoption is happening without proper oversight, leading to the rise of shadow AI as a security concern. Organizations need to...
Read More
A roadmap illustrating the journey companies must take to align with AI regulations.

EU Delays AI Act Implementation to 2027 Amid Industry Pressure

November 29, 2025 AI,AI Regulation,EU Compliance,Regulatory Compliance
The EU plans to delay the enforcement of high-risk duties in the AI Act until late 2027, allowing companies more time to comply with the regulations. However, this move has drawn criticism from rights...
Read More
A semiconductor chip

White House Challenges GAIN AI Act Amid Nvidia Export Controversy

November 29, 2025 AI,AI Regulation,Artificial Intelligence Governance,Technology Policy
The White House is pushing back against the bipartisan GAIN AI Act, which aims to prioritize U.S. companies in acquiring advanced AI chips. This resistance reflects a strategic decision to maintain...
Read More
Compliance checklist

Experts Warn of EU AI Act’s Impact on Medtech Innovation

November 29, 2025 AI,EU Compliance,Medtech Innovation,Regulatory Compliance
Experts at the 2025 European Digital Technology and Software conference expressed concerns that the EU AI Act could hinder the launch of new medtech products in the European market. They emphasized...
Read More
A tree

Ethical AI: Transforming Compliance into Innovation

November 29, 2025 AI,AI Ethics,Ethical AI
Enterprises are racing to innovate with artificial intelligence, often without the proper compliance measures in place. By embedding privacy and ethics into the development lifecycle, organizations...
Read More
A warning sign

AI Hiring Compliance Risks Uncovered

November 29, 2025 AI,AI Compliance,AI Regulation,Regulatory Compliance
Artificial intelligence is reshaping recruitment, with the percentage of HR leaders using generative AI increasing from 19% to 61% between 2023 and 2025. However, this efficiency comes with legal...
Read More