AI Act & GDPR

Marine Boquien
14 April 2025·4 minutes read time

Does the AI Act replace the obligations imposed by the GDPR?

No, the AI Act (European Regulation on Artificial Intelligence) is very clear on this matter: it does not replace the requirements of the GDPR. In fact, its purpose is to complement the GDPR by setting clear requirements for the design and use of trustworthy AI systems.

In practice, the GDPR applies to all processing of personal data, including:

  • During development: AI providers or developers—under the AI Act—are generally considered data controllers when processing personal data during model training or system design.

  • During deployment: Organizations that deploy or use AI systems involving personal data are also typically data controllers under the GDPR.

While the AI Act introduces its own compliance obligations, meeting them can actually support and streamline your GDPR compliance efforts.

AI Act & GDPR: What Applies to Your Organization?

As the AI Act only applies to AI systems and models, while the GDPR covers all processing of personal data, four typical scenarios are possible:

Scenario 1. Only the AI Act applies
  AI Act applies: Yes
  GDPR applies: No
  Description: Applies to high-risk AI systems that do not involve personal data, either during development or deployment.
  Example: An AI system used to optimize predictive maintenance in an industrial manufacturing plant.

Scenario 2. Only the GDPR applies
  AI Act applies: No
  GDPR applies: Yes
  Description: Applies when personal data is processed, but the AI system is not classified as high-risk under the AI Act.
  Example: A customer service chatbot using personal data, but not considered high-risk AI.

Scenario 3. Both regulations apply
  AI Act applies: Yes
  GDPR applies: Yes
  Description: Applies when a high-risk AI system processes personal data, either during development or use.
  Example: An AI system used for predictive analysis of medical records for healthcare diagnostics.

Scenario 4. Neither regulation applies
  AI Act applies: No
  GDPR applies: No
  Description: Applies when the AI system is low-risk and does not involve any personal data processing.
  Example: An AI tool that generates personalized music in a music composition software.

How does the AI Act influence the GDPR?

The AI Act and the GDPR regulate different aspects and require distinct approaches. However, compliance with the AI Act often facilitates — and even prepares the ground for — GDPR compliance. For instance, an AI system's compliance with the GDPR is included in the EU declaration of conformity required by the AI Act (Annex V).

Moreover, the AI Act addresses certain tensions between its own requirements and those of the GDPR. It extends and adapts some GDPR rules in the following ways:

  • The AI Act replaces specific GDPR provisions regarding the use of real-time remote biometric identification by law enforcement in publicly accessible spaces. It allows such use only under highly exceptional and specific conditions (Article 5).

  • It exceptionally permits the processing of sensitive data (as defined in Article 9 of the GDPR) to detect and correct potential biases, provided it is strictly necessary and subject to appropriate safeguards (Article 10).

  • It allows for the reuse of personal data, including sensitive data, within the framework of “regulatory sandboxes.” These sandboxes are designed to support the development of systems serving a significant public interest (such as improving the healthcare system). They are overseen by a dedicated authority, which must consult with the data protection authorities in advance and verify compliance with various requirements (Article 59).

How to align the requirements of the AI Act and the GDPR?

While the AI Act and the GDPR occasionally overlap in the principles they promote, they often approach them from different regulatory angles.

One notable example is the principle of transparency and the associated documentation obligations, which illustrate how the two frameworks can complement each other rather than conflict.

🔍 Transparency Requirements

Under the GDPR, transparency obligations focus on informing individuals whose personal data is being processed. Organizations must clearly communicate details such as the purpose of processing, identity of the controller, processing methods, data retention periods, and more. These obligations apply both during the development of AI systems and their deployment when personal data is involved.

The AI Act, on the other hand, introduces additional transparency obligations—particularly for general-purpose AI models and systems that interact directly with individuals. These may include requirements to disclose the datasets used for training or to clearly indicate when users are engaging with an AI system.

In this way, both regulations support a shared goal of trustworthy, human-centric AI, each reinforcing the other through complementary compliance requirements.

What are the differences between the AI Act and the GDPR?

Although the AI Act and GDPR share many similarities and complement each other, their objectives and approaches are distinct.

Here is a summary table of the comparison:
