AI Sigil Logo
Contact Us
Back to all insights
A pair of interconnected gears to illustrate the relationship between regulation and technology.

Sections

Harmonizing the GDPR and AI Act: Challenges and Opportunities

The GDPR and the AI Act: A Harmonized Yet Complex Regulatory Landscape

The European Union has recently introduced the AI Act, poised to become the cornerstone of AI governance across the EU. This groundbreaking regulation is designed to address the risks AI systems pose to health, safety, and fundamental rights, complementing the protections already established by the General Data Protection Regulation (GDPR). Together, these frameworks create a robust regulatory structure aimed at fostering innovation while safeguarding fundamental rights. But how do these two frameworks intersect, and where might they clash?

Different Goals, Shared Principles

The GDPR focuses on protecting individuals’ rights by regulating the processing of personal data. It emphasizes principles such as lawfulness, transparency, and accountability, ensuring data is processed fairly and securely.

In contrast, the AI Act is a product safety regulation, addressing the technical risks associated with AI systems. It establishes rules to ensure these systems are trustworthy, reliable, and aligned with ethical principles. Despite these distinct objectives, both frameworks share a commitment to the principles of transparency and accountability, particularly in high-risk applications. For example:

  • Under GDPR, organizations must inform individuals about data processing (Articles 13 and 15) and demonstrate compliance (Article 5 para. 2).
  • Similarly, the AI Act requires providers of high-risk AI systems to provide clear, transparent instructions (Article 13) and maintain detailed technical documentation (Article 11).

The GDPR and the AI Act are complementary, not hierarchical, meaning neither supersedes the other. Article 2 para. 7 of the AI Act ensures that it is without prejudice to existing Union legislation on data protection, explicitly referencing the GDPR. However, their application depends on the specific context:

The GDPR remains the overarching law for the processing of personal data in the EU. Any AI system that processes personal data must comply with the GDPR’s requirements. This means that principles like transparency, accountability, data minimization, and lawful processing must always be observed.

The AI Act is a specialized framework adding specific rules for AI systems, including those that process personal data. It does not replace the GDPR but builds upon its principles, focusing on AI-specific risks like transparency, human oversight, and robustness.

A Shared Territorial Scope: Extending Beyond EU Borders

Both the GDPR and AI Act adopt an extraterritorial approach. Non-EU entities must comply with these regulations if their services or systems are offered within the EU. The AI Act governs AI systems used or made available in the EU. This alignment ensures global compliance for any organization operating in these jurisdictions.

Roles and Responsibilities: Providers, Deployers, Controllers, and Processors

A notable distinction between the two frameworks is the terminology used to define roles. The GDPR classifies entities as controllers (those who determine the purpose and means of processing) and processors (those who process data on behalf of controllers). The AI Act introduces providers (entities developing AI systems) and deployers (entities integrating these systems into operations).

These roles often overlap. For instance, a company deploying an AI-powered recruitment tool might act as a deployer under the AI Act and a controller under the GDPR, requiring compliance with both frameworks simultaneously. Organizations involved in processing personal data while developing or utilizing an AI system must evaluate their responsibilities under both the GDPR and the EU AI Act.

Potential Conflicts Between the GDPR and the AI Act

Some conflict areas between the two regulations are likely to arise:

Automated Decision-Making and Human Oversight

While GDPR’s Article 22 focuses on protecting individuals from solely automated decisions that produce legal or significant effects, the AI Act provides broader protections by requiring human oversight for all high-risk AI systems, regardless of whether decisions are fully automated. This ensures safeguards are embedded throughout the design, deployment, and use of high-risk AI systems, creating a more comprehensive framework. The AI Act also mandates accountability mechanisms for providers and deployers, addressing risks at every stage of an AI system’s lifecycle. This relationship reflects a positive conflict, as the AI Act extends and reinforces GDPR protections. However, there may be some ambiguity regarding what level of oversight qualifies as “solely automated” under GDPR, potentially leading to uncertainties about how to harmonize compliance with both frameworks effectively.

Sensitive Data Processing

The AI Act allows sensitive data processing to correct biases (Article 10 AI Act), a provision that conflicts with GDPR’s stringent restrictions on such processing (Article 9 GDPR). Under the AI Act, organizations may only process special category data for debiasing as far as is “strictly necessary.” This means organizations must constantly check whether they still need the data for debiasing.

In Article 10, the AI Act states the exception only applies when organizations cannot use other data, such as anonymous or synthetic data. The act follows the definition of personal data in the GDPR: anonymous data are not considered personal data, and as such, the ban under Article 9 GDPR does not apply anyway. Synthetic data are a type of fake data that represent the same, or a similar, distribution of individuals but can no longer be linked to the individuals.

This requires organizations to demonstrate that no alternative data, such as anonymous or synthetic data, can achieve the same purpose. However, this can be subject to interpretation, potentially leading to uncertainty in its application alongside GDPR exceptions.

High-risk Classifications

Under Article 35 GDPR, data controllers must conduct a Data Protection Impact Assessment (DPIA) when processing personal data poses a high risk to individuals’ rights. The AI Act requires providers to assess whether their AI systems are high-risk. The conflict arises because:

  • A provider may determine an AI system is not high-risk under the AI Act.
  • A deployer might still need to conduct a DPIA under GDPR if the system processes personal data in a way that risks individuals’ rights.

This means the same AI system could face different classifications and risk management requirements under the two laws, depending on its specific use.

Synergies Between DPIAs and FRIAs

Both frameworks require assessments to identify and mitigate risks:

  • The GDPR mandates Data Protection Impact Assessments (DPIAs) for high-risk data processing.
  • The AI Act requires Fundamental Rights Impact Assessments (FRIAs) for high-risk AI systems, as well as conformity assessments to ensure compliance with technical and ethical standards.

By aligning these assessments, organizations can create a cohesive process, minimizing duplication while ensuring compliance with both frameworks.

Preparing for the Future

The AI Act will roll out in stages, after its publication on 12 July 2024, and its entering into force in August 2024, the next key milestones include:

  • 2 February 2025: Prohibitions on unacceptable-risk AI systems effect. Article 4 requires providers and operators of AI systems to take steps to build AI competence among their employees and authorized users.
  • 2 August 2025: Rules for general-purpose AI models apply, and Member States must designate National Competent Authorities (NCAs).
  • 2 August 2026: Full application of rules for high-risk AI systems. Member States must also implement at least one AI regulatory sandbox.

To navigate this complex regulatory environment, organizations should:

  • Map Roles and Responsibilities: Identify how your organization’s activities align with GDPR and AI Act roles, such as controller, processor, provider, or deployer.
  • Develop Unified Compliance Processes: Integrate GDPR and AI Act requirements, particularly for impact assessments and documentation for compliance.
  • Train Employees: Train employees in the compliant use of AI tools to mitigate risks.
  • Engage Regulators Early: Open dialogue with Data Protection Authorities (DPAs) and NCAs can clarify ambiguities and facilitate smoother compliance.
  • Keep an Eye on Emerging Standards: Engage with harmonized standards to stay ahead of compliance requirements and the AI Board and Office.

More Insights

A safety helmet worn by drone operators

Revolutionizing Drone Regulations: The EU AI Act Explained

December 17, 2025 AI,AI Regulation,Drone Technology,Regulatory Framework
The EU AI Act represents a significant regulatory framework that aims to address the challenges posed by artificial intelligence technologies in various sectors, including the burgeoning field of...
Read More
A safety helmet worn by drone operators

Revolutionizing Drone Regulations: The EU AI Act Explained

December 1, 2025 AI,AI Regulation,Drone Technology,Regulatory Framework
The EU AI Act represents a significant regulatory framework that aims to address the challenges posed by artificial intelligence technologies in various sectors, including the burgeoning field of...
Read More
A light bulb to convey innovation and the bright potential of responsible AI solutions.

Embracing Responsible AI to Mitigate Legal Risks

November 29, 2025 AI,AI Ethics,AI Governance,AI Regulation
Businesses must prioritize responsible AI as a frontline defense against legal, financial, and reputational risks, particularly in understanding data lineage. Ignoring these responsibilities could...
Read More
A traffic light to illustrate the need for clear guidelines and regulations in managing AI technologies.

AI Governance: Addressing the Shadow IT Challenge

November 29, 2025 AI,AI Governance,AI Regulation Awareness,Regulatory Compliance
AI tools are rapidly transforming workplace operations, but much of their adoption is happening without proper oversight, leading to the rise of shadow AI as a security concern. Organizations need to...
Read More
A roadmap illustrating the journey companies must take to align with AI regulations.

EU Delays AI Act Implementation to 2027 Amid Industry Pressure

November 29, 2025 AI,AI Regulation,EU Compliance,Regulatory Compliance
The EU plans to delay the enforcement of high-risk duties in the AI Act until late 2027, allowing companies more time to comply with the regulations. However, this move has drawn criticism from rights...
Read More
A semiconductor chip

White House Challenges GAIN AI Act Amid Nvidia Export Controversy

November 29, 2025 AI,AI Regulation,Artificial Intelligence Governance,Technology Policy
The White House is pushing back against the bipartisan GAIN AI Act, which aims to prioritize U.S. companies in acquiring advanced AI chips. This resistance reflects a strategic decision to maintain...
Read More
Compliance checklist

Experts Warn of EU AI Act’s Impact on Medtech Innovation

November 29, 2025 AI,EU Compliance,Medtech Innovation,Regulatory Compliance
Experts at the 2025 European Digital Technology and Software conference expressed concerns that the EU AI Act could hinder the launch of new medtech products in the European market. They emphasized...
Read More
A tree

Ethical AI: Transforming Compliance into Innovation

November 29, 2025 AI,AI Ethics,Ethical AI
Enterprises are racing to innovate with artificial intelligence, often without the proper compliance measures in place. By embedding privacy and ethics into the development lifecycle, organizations...
Read More
A warning sign

AI Hiring Compliance Risks Uncovered

November 29, 2025 AI,AI Compliance,AI Regulation,Regulatory Compliance
Artificial intelligence is reshaping recruitment, with the percentage of HR leaders using generative AI increasing from 19% to 61% between 2023 and 2025. However, this efficiency comes with legal...
Read More