
EU Regulation — AI Governance vs Data Protection

EU AI Act (Regulation 2024/1689) vs GDPR (Regulation 2016/679)

GDPR is the EU's data protection law — it governs how organisations collect, process, and store personal data. The AI Act is a risk-governance law — it governs how AI systems are designed, deployed, and monitored based on their potential to harm health, safety, or fundamental rights. They coexist and frequently overlap: an AI system that processes personal data is subject to both regimes simultaneously, with different obligations, different supervisory authorities, and different documentation requirements.

Disclosure: EuroComply is the operator of this page. The comparison below is our reading of the published texts of both regulations. We encourage readers to verify directly against the Official Journal.


Why this comparison matters

The EU AI Act and GDPR are the two most consequential EU regulations for any organisation that processes data using algorithmic or machine learning systems. They are often discussed as alternatives or successors to each other; they are neither. They are concurrent, overlapping frameworks, each enforced by different authorities, each with its own documentation architecture, and each capable of issuing independent fines for the same underlying system.

GDPR governs what happens to personal data: why it is collected (lawful basis under Article 6), how long it is kept, how it is secured, how data subject rights are managed, and whether automated decisions affecting individuals are subject to meaningful human oversight (Article 22). GDPR is technology-neutral: it applies the same whether your organisation uses spreadsheets or neural networks. What matters is that personal data is involved.

The AI Act is technology-specific and risk-based. It does not care whether personal data is involved; it cares whether the AI system carries risk to fundamental rights, health, safety, or critical infrastructure. A high-risk AI system that processes no personal data at all (e.g. an AI system controlling industrial safety equipment) is still fully subject to the AI Act. Conversely, a traditional database query that processes personal data is entirely outside the AI Act's scope.

The overlap zone is the most operationally demanding: AI systems that both qualify as high-risk under the AI Act and process personal data. An example is an AI hiring tool: it is likely high-risk under Annex III point 4 (employment, workers management) and it processes personal data (CVs, application data), triggering GDPR Article 35 DPIA obligations. For this system, the compliance team must maintain a ROPA entry (GDPR Article 30), complete a DPIA (GDPR Article 35), produce an Annex IV technical documentation file (AI Act), register in the EU AI database (AI Act Article 60), and set up human oversight procedures (AI Act Article 26 + GDPR Article 22). These are parallel, non-substitutable obligations.

The practical consequence for compliance teams: a GDPR audit alone is not AI Act compliance, and an AI Act conformity assessment alone is not GDPR compliance. GDPR's data protection by design principle (Article 25) and the AI Act's accuracy, robustness, and data governance requirements (Article 10) overlap significantly in their technical controls, but they diverge enough in documentation format and supervisory audience that managing them separately generates both duplication and gaps. The cleanest approach is to build a single AI system inventory that feeds both the ROPA and the Annex IV technical file, with the DPIA and the AI Act conformity assessment cross-referenced from a shared risk record.

Feature comparison

  • Scope: EU AI Act (Regulation 2024/1689) — Artificial intelligence systems placed on or used in the EU market; GDPR (Regulation 2016/679) — Processing of personal data by organisations in or targeting the EU
  • Legal basis: EU AI Act (Regulation 2024/1689) — Regulation (EU) 2024/1689, risk-based harmonisation of AI rules; GDPR (Regulation 2016/679) — Regulation (EU) 2016/679, fundamental right to data protection (Article 8 EU Charter)
  • Applies to: EU AI Act (Regulation 2024/1689) — Providers, deployers, importers, and distributors of AI systems; GDPR (Regulation 2016/679) — Controllers and processors of personal data
  • Deadline: EU AI Act (Regulation 2024/1689) — Phased: Feb 2025 (Art. 4/5) · Aug 2025 (GPAI) · Aug 2026 (high-risk) · Aug 2027 (Annex I); GDPR (Regulation 2016/679) — In force since 25 May 2018, obligations apply immediately
  • Max fine: EU AI Act (Regulation 2024/1689) — €35 million or 7% of global turnover (prohibited practices); GDPR (Regulation 2016/679) — €20 million or 4% of global turnover
  • DPA involvement: EU AI Act (Regulation 2024/1689) — Secondary: DPAs consult on AI systems processing personal data, while the primary enforcer is the national market surveillance authority; GDPR (Regulation 2016/679) — Primary: national Data Protection Authorities (DPAs) supervise and enforce
  • Data mapping requirement: EU AI Act (Regulation 2024/1689) — No equivalent, but Annex IV technical documentation is required for high-risk systems; GDPR (Regulation 2016/679) — Yes: Article 30 Records of Processing Activities (ROPA)
  • AI inventory requirement: EU AI Act (Regulation 2024/1689) — Yes: Article 60 EU database for high-risk AI, with an internal inventory strongly implied for deployers; GDPR (Regulation 2016/679) — No, but AI systems processing personal data must be captured in the ROPA
  • Article references: EU AI Act (Regulation 2024/1689) — Art. 4 (literacy) · Art. 5 (prohibited) · Art. 6 + Annex III (high-risk) · Art. 26 (deployer duties) · Annex IV (technical docs); GDPR (Regulation 2016/679) — Art. 5 (principles) · Art. 6 (lawful basis) · Art. 25 (data protection by design) · Art. 30 (ROPA) · Art. 35 (DPIA)

Source: EUR-Lex Official Journal.

Verdict by use case

SaaS using AI for hiring decisions

Both GDPR and AI Act apply in full. The AI system is high-risk under AI Act Annex III (employment and workers management) — requiring Annex IV technical documentation, EU database registration, and human oversight by August 2026. Simultaneously, the processing of applicant personal data triggers GDPR Article 35 DPIA requirements and Article 22 automated-decision rights. Run a combined DPIA and AI Act conformity assessment. Neither satisfies the other.

SME using ChatGPT for customer support

GDPR applies immediately: the SME is a controller, OpenAI is a processor, and an Article 28 data processing agreement plus an Article 30 ROPA entry are required. The AI Act risk is minimal for a general-purpose chatbot used in customer support that makes no consequential decisions about individuals: transparency obligations under Article 50 (disclose that the system is AI-driven) apply, but the full high-risk regime does not. Start with the Article 28 processing agreement and the AI disclosure notice; AI Act compliance is lightweight at this tier.

Financial services using ML for credit scoring

High exposure under both. Credit scoring AI is high-risk under AI Act Annex III point 5b (access to financial services). GDPR Article 22 limits fully automated credit decisions — meaningful human review is required. The firm needs: ROPA (GDPR Art. 30), DPIA (GDPR Art. 35), Annex IV technical file (AI Act), EU database registration (AI Act Art. 60), human oversight protocol (AI Act Art. 26 + GDPR Art. 22), and likely notification to the competent financial regulator (EBA guidance). Budget significant legal and technical resource before the August 2026 deadline.

Migration considerations

Organisations typically approach GDPR and AI Act compliance sequentially: GDPR first (in force since 2018), AI Act second (high-risk system obligations from August 2026). This is understandable chronologically but creates a rework problem: GDPR records were built without the AI Act's documentation requirements in mind, and AI Act implementation projects often start from scratch rather than extending the GDPR record.

The more efficient path is convergence: treat each AI system that processes personal data as a shared object in a single compliance record. Start from the ROPA entry (GDPR Art. 30), then extend it with the AI Act Annex IV fields: intended purpose, risk classification, data governance measures, accuracy metrics, human oversight arrangements, and technical documentation version. This way, a DPA audit request (GDPR) and a market surveillance authority inspection (AI Act) can be answered from the same source file. Where a DPIA is required under GDPR Article 35, structure it to double as the AI Act's fundamental rights impact assessment, since the substantive questions overlap considerably.

The key discipline: maintain one AI inventory with separate compliance layers, rather than two siloed record sets that reference each other imprecisely.
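As an added example (not EuroComply's tooling), the following Python sketch models the single shared record described above and derives each regime's obligation set from the record's attributes, so that a gap report for a DPA request and for a market surveillance inspection comes from one object. The field names, the rule thresholds and the three constructed sample records are assumptions; the obligation labels follow the article references cited on this page.

```python
from dataclasses import dataclass, field
from typing import Optional

# Obligation labels follow the article references cited on the page.
ROPA, DPIA = "GDPR Art. 30 ROPA entry", "GDPR Art. 35 DPIA"
DPA28, ART22 = "GDPR Art. 28 processor agreement", "GDPR Art. 22 human review"
ANNEX_IV, ART60 = "AI Act Annex IV technical file", "AI Act Art. 60 EU database registration"
ART26, ART50 = "AI Act Art. 26 human oversight", "AI Act Art. 50 AI disclosure"

@dataclass
class AISystemRecord:
    """One shared record per AI system; the GDPR and AI Act layers live on the same object."""
    name: str
    processes_personal_data: bool
    annex_iii_category: Optional[str] = None  # e.g. "employment", "credit"; None = not high-risk
    automated_decisions: bool = False         # solely automated decisions with legal/similar effect
    third_party_processor: bool = False       # e.g. an external model API acting as processor
    interacts_with_people: bool = False       # chatbot-style interaction with individuals
    artefacts: set = field(default_factory=set)  # documentation already on file (assumed field)

def required_obligations(rec: AISystemRecord) -> set:
    """Derive the parallel, non-substitutable obligations from the record's attributes."""
    obligations = set()
    high_risk = rec.annex_iii_category is not None
    if rec.processes_personal_data:                 # GDPR layer
        obligations.add(ROPA)
        if rec.third_party_processor:
            obligations.add(DPA28)
        if high_risk or rec.automated_decisions:    # assumed DPIA trigger rule
            obligations.add(DPIA)
        if rec.automated_decisions:
            obligations.add(ART22)
    if high_risk:                                   # AI Act high-risk layer
        obligations |= {ANNEX_IV, ART60, ART26}
    if rec.interacts_with_people:                   # AI Act transparency layer
        obligations.add(ART50)
    return obligations

def compliance_gaps(rec: AISystemRecord) -> set:
    """Obligations required by the record but not yet evidenced by an artefact on file."""
    return required_obligations(rec) - rec.artefacts

# Constructed sample records mirroring the page's three use cases (values are assumptions).
HIRING = AISystemRecord("cv-screening", True, "employment", automated_decisions=True,
                        artefacts={ROPA, DPIA})   # GDPR layer done, AI Act layer still missing
SUPPORT_BOT = AISystemRecord("support-chat", True, third_party_processor=True,
                             interacts_with_people=True)
CREDIT = AISystemRecord("credit-scoring", True, "credit", automated_decisions=True)

if __name__ == "__main__":
    for rec in (HIRING, SUPPORT_BOT, CREDIT):
        print(rec.name, sorted(compliance_gaps(rec)))
```

Running the block shows that a record with a finished GDPR layer still reports every AI Act obligation as open, which is the "a GDPR audit alone is not AI Act compliance" point in executable form.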

Where does EuroComply fit?

For organisations subject to both regulations, managing GDPR and AI Act obligations in separate tools creates a documentation gap: your ROPA may not capture the AI system details required by Annex IV, and your AI Act technical file may not reference the GDPR lawful basis or DPIA. EuroComply tracks GDPR records and AI Act documentation simultaneously in one workspace — the AI X-Ray tool classifies each system under the AI Act risk tiers while linking it to the corresponding ROPA entry and DPIA. A single source of truth reduces duplication and makes cross-authority requests faster to answer.

For informational purposes only. Pricing and feature details drift — verify on each vendor's site. Not legal, procurement, or financial advice.
