All insights

EU AI Act vs GDPR: how they differ and where they overlap

The GDPR is EU data-protection law governing how personal data is processed. The EU AI Act is a product-safety-style law governing AI systems by risk tier. They overlap where AI processes personal data — for example, automated decisions with legal or similarly significant effects fall under GDPR Article 22, while the same system may be classified 'high-risk' under the AI Act. You often have to satisfy both.

What the GDPR governs

The GDPR governs the processing of personal data of individuals in the EU: lawful bases, data-subject rights, accountability, security, and — via Article 22 — limits and safeguards on solely automated decisions that have legal or similarly significant effects. It also requires Data Protection Impact Assessments for high-risk processing.

It is technology-neutral: it applies whenever personal data is processed, whether by AI or anything else.

What the EU AI Act governs

The EU AI Act regulates AI systems themselves, by risk tier — prohibited, high-risk, limited-risk (transparency), and minimal-risk. High-risk systems carry obligations around risk management, data governance, documentation, human oversight, transparency, and robustness (see our EU AI Act readiness explainer).

It applies to providers and deployers of AI systems, and its obligations attach to the system and its use, not only to personal data.

Where they overlap

When an AI system processes personal data — common in credit, hiring, and healthcare — both laws apply. A single system might require a GDPR lawful basis and DPIA and Article 22 safeguards, and simultaneously meet the AI Act's high-risk obligations.

The practical implication: map each AI use case against both regimes together, so your data-protection and AI-governance work reinforce rather than duplicate each other.

EU AI Act vs GDPR at a glance

EU AI ActGDPR
GovernsAI systemsProcessing of personal data
ApproachRisk tiers + product-style obligationsRights + accountability
Triggered byPlacing on market / using an AI systemProcessing personal data
Key overlapHigh-risk AI obligationsAutomated decisions (Art. 22), DPIAs
Both apply whenThe AI system processes personal dataThe AI system processes personal data

Frequently asked questions

Does the EU AI Act replace GDPR?

No. They are separate and complementary. The AI Act regulates AI systems; the GDPR regulates personal data. Where AI processes personal data, both apply.

If I comply with GDPR, am I covered for the AI Act?

No. GDPR compliance addresses data protection but not the AI Act's system-level obligations (risk management, documentation, human oversight) for high-risk AI.

What does Article 22 have to do with AI?

GDPR Article 22 restricts solely automated decisions with legal or similarly significant effects and requires safeguards — directly relevant to many AI decisioning systems that also fall under the AI Act.

This article is general information, not legal or compliance advice. Verify specifics against the current text of each framework and your own counsel.