EU AI Act vs GDPR: how they differ and where they overlap
The GDPR is EU data-protection law governing how personal data is processed. The EU AI Act is a product-safety-style law governing AI systems by risk tier. They overlap where AI processes personal data — for example, automated decisions with legal or similarly significant effects fall under GDPR Article 22, while the same system may be classified 'high-risk' under the AI Act. You often have to satisfy both.
What the GDPR governs
The GDPR governs the processing of personal data of individuals in the EU: lawful bases, data-subject rights, accountability, security, and — via Article 22 — limits and safeguards on solely automated decisions that have legal or similarly significant effects. It also requires Data Protection Impact Assessments for high-risk processing.
It is technology-neutral: it applies whenever personal data is processed, whether by AI or anything else.
What the EU AI Act governs
The EU AI Act regulates AI systems themselves, by risk tier — prohibited, high-risk, limited-risk (transparency), and minimal-risk. High-risk systems carry obligations around risk management, data governance, documentation, human oversight, transparency, and robustness (see our EU AI Act readiness explainer).
It applies to providers and deployers of AI systems, and its obligations attach to the system and its use, not only to personal data.
Where they overlap
When an AI system processes personal data — common in credit, hiring, and healthcare — both laws apply. A single system might require a GDPR lawful basis and DPIA and Article 22 safeguards, and simultaneously meet the AI Act's high-risk obligations.
The practical implication: map each AI use case against both regimes together, so your data-protection and AI-governance work reinforce rather than duplicate each other.
EU AI Act vs GDPR at a glance
| EU AI Act | GDPR | |
|---|---|---|
| Governs | AI systems | Processing of personal data |
| Approach | Risk tiers + product-style obligations | Rights + accountability |
| Triggered by | Placing on market / using an AI system | Processing personal data |
| Key overlap | High-risk AI obligations | Automated decisions (Art. 22), DPIAs |
| Both apply when | The AI system processes personal data | The AI system processes personal data |
Frequently asked questions
Does the EU AI Act replace GDPR?
No. They are separate and complementary. The AI Act regulates AI systems; the GDPR regulates personal data. Where AI processes personal data, both apply.
If I comply with GDPR, am I covered for the AI Act?
No. GDPR compliance addresses data protection but not the AI Act's system-level obligations (risk management, documentation, human oversight) for high-risk AI.
What does Article 22 have to do with AI?
GDPR Article 22 restricts solely automated decisions with legal or similarly significant effects and requires safeguards — directly relevant to many AI decisioning systems that also fall under the AI Act.
This article is general information, not legal or compliance advice. Verify specifics against the current text of each framework and your own counsel.