
EU AI Act and GDPR: How Do the Two Regulations Relate?

Updated: June 2026 — full revision to Validai quality standard

Introduction: Two Frameworks, One Compliance Reality

For Dutch organisations deploying AI systems that process personal data — which is the vast majority of AI systems — the EU AI Act and the GDPR create overlapping obligations. Understanding where they align, where they conflict, and where one framework is stricter than the other is essential for efficient, integrated compliance.

Where Do They Align?

Data Quality

GDPR Art. 5.1(d) requires data accuracy and GDPR Art. 5.1(c) requires data minimisation. EU AI Act Art. 26.4 requires deployers to ensure input data quality, completeness, and relevance. These obligations are complementary and can be satisfied by a single, integrated data quality programme.

Impact Assessments

GDPR Art. 35 requires DPIAs for high-risk processing. EU AI Act Art. 26.9 requires deployers to integrate AI-specific elements into those DPIAs. EU AI Act Art. 27 (for public sector) requires FRIAs that substantially overlap with DPIA content. Best practice: conduct a single combined DPIA/FRIA that satisfies all three requirements simultaneously.

Transparency

GDPR Arts. 13–14 require transparency about data processing. EU AI Act Art. 26.7 requires transparency about AI decision-making. These should be addressed in a unified privacy/AI disclosure framework — typically in your privacy notice and any point-of-interaction disclosures.

Individual Rights

GDPR Art. 22 provides rights related to automated decision-making. EU AI Act human oversight requirements create structural safeguards that support GDPR Art. 22 compliance. An organisation with robust EU AI Act human oversight arrangements is well-positioned to satisfy Art. 22 obligations.

Where They Differ

Scope

GDPR applies to all processing of personal data. The EU AI Act applies specifically to AI systems, and its obligations attach only to some of them, depending on their risk classification. An AI system that processes no personal data is outside GDPR scope but may still be subject to EU AI Act obligations.

Accountability

GDPR accountability sits with the data controller/processor. EU AI Act accountability for high-risk AI sits with the provider and deployer — which may not correspond to the GDPR controller/processor split. Verify that your GDPR data processing agreements with AI vendors also cover EU AI Act compliance commitments.

Incident Reporting

GDPR Art. 33 requires breach notification to the supervisory authority within 72 hours. EU AI Act Art. 73 requires serious incident reporting "without undue delay" (interpreted as approximately 15 business days for most incidents). AI incidents involving personal data may trigger both obligations simultaneously — with different timelines and reporting requirements.

Practical Integration

  • Extend your GDPR Article 30 register of processing activities to include AI system classification data
  • Update data processing agreements with AI vendors to include EU AI Act compliance obligations
  • Conduct integrated DPIA/FRIA assessments for all high-risk AI systems processing personal data
  • Establish a unified incident response process that covers both GDPR and EU AI Act reporting obligations
  • Ensure your DPO is involved in AI governance from the outset

Compliance Checklist

  1. Have you identified all AI systems that process personal data?
  2. Are GDPR DPIAs and EU AI Act FRIAs/DPIAs integrated for relevant systems?
  3. Do your data processing agreements with AI vendors cover EU AI Act obligations?
  4. Is your Art. 30 processing register updated to reflect AI system data?
  5. Is your incident response process integrated for both GDPR and EU AI Act reporting?
  6. Is the DPO involved in AI governance and classification decisions?