EU AI Act and GDPR: how do the two regulations relate?

Updated: June 2026

Introduction: two frameworks, one compliance reality

For Dutch organisations deploying AI systems that process personal data, which is the vast majority of AI systems, the EU AI Act and the GDPR create overlapping obligations. Understanding where they align, where they conflict, and where one framework is stricter than the other is essential for efficient, integrated compliance.

Where do they align?

Data quality

GDPR Art. 5.1(d) requires data accuracy and GDPR Art. 5.1(c) requires data minimisationdata minimisationProcessing only data that is adequate, relevant and necessary — in ML, implemented through pseudonymisation, feature selection, synthetic data and privacy-enhancing techniques.Open full entry →. EU AI Act Art. 26.4 requires deployers to ensure input data quality, completeness, and relevance. These obligations are complementary and can be satisfied by a single, integrated data quality programme.

Impact assessments

GDPR Art. 35 requires DPIAs for high-risk processing. EU AI Act Art. 26.9 requires deployers to integrate AI-specific elements into those DPIAs. EU AI Act Art. 27 (for public sector) requires FRIAs that substantially overlap with DPIADPIAData Protection Impact Assessment — required before likely-high-risk processing (systematic profiling with significant effects, large-scale special categories, public monitoring); AI development triggers it constantly.Open full entry → content. Best practice: conduct a single combined DPIA/FRIAFRIAFundamental Rights Impact Assessment — required of public bodies and certain private deployers before using some high-risk AI systems under the EU AI Act.Open full entry → that satisfies all three requirements simultaneously.

Transparency

GDPR Arts. 13–14 require transparencytransparencyOpenness about the fact that AI is used and how it operates in general: disclosures, documentation, notices. Pairs with explainability, which addresses individual outcomes.Open full entry → about data processing. EU AI Act Art. 26.7 requires transparency about AI decision-making. These should be addressed in a unified privacy/AI disclosure framework, typically in your privacy notice and any point-of-interaction disclosures.

Individual rights

GDPR Art. 22 provides rights related to automated decision-makingautomated decision-makingDecisions based solely on automated processing with legal or similarly significant effects — restricted by GDPR Article 22 to three exception grounds, with human-intervention safeguards.Open full entry →. EU AI Act human oversighthuman oversightDesigned-in human ability to monitor, intervene in, override or shut down an AI system — meaningful only when the human has authority, information and time to act.Open full entry → requirements create structural safeguards that support GDPR Art. 22 compliance. An organisation with robust EU AI Act human oversight arrangements is well-positioned to satisfy Art. 22 obligations.

Where they differ

Scope

GDPR applies to all processing of personal data. The EU AI Act applies specifically to AI systems, and only to some of them (classified by risk). An AI systemAI systemA machine-based system that, for explicit or implicit objectives, infers from input how to generate outputs — predictions, content, recommendations or decisions — that can influence physical or virtual environments. The OECD-style definition followed by the EU AI Act.Open full entry → that processes no personal data is outside GDPR scope but may still be subject to EU AI Act obligations.

Accountability

GDPR accountabilityaccountabilityThe principle that a named human or organization answers for an AI system's outcomes, through ownership, documentation, audit trails and redress — never the system itself.Open full entry → sits with the data controller/processor. EU AI Act accountability for high-risk AI sits with the providerproviderThe actor who develops an AI system (or has it developed) and places it on the market or into service under its own name — carrying manufacturer-style duties: design controls, documentation, conformity.Open full entry → and deployerdeployerAn organization using an AI system under its own authority in its activities — carrying operator duties: use per instructions, oversight, input relevance, monitoring, notices.Open full entry →, which may not correspond to the GDPR controller/processor split. Verify that your GDPR data processing agreements with AI vendors also cover EU AI Act compliance commitments.

Incident reporting

GDPR Art. 33 requires breach notification to the supervisory authority within 72 hours. EU AI Act Art. 73 requires serious incidentserious incidentAn AI incident causing (or nearly causing) death, serious harm to health, property, fundamental rights or infrastructure — triggering regulatory reporting duties for high-risk systems.Open full entry → reporting "without undue delay" (interpreted as approximately 15 business days for most incidents). AI incidents involving personal data may trigger both obligations simultaneously, with different timelines and reporting requirements.

Practical integration

• Extend your GDPR Article 30 register of processing activities to include AI system classification data
• Update data processing agreements with AI vendors to include EU AI Act compliance obligations
• Conduct integrated DPIA/FRIA assessments for all high-risk AI systems processing personal data
• Establish a unified incident response process that covers both GDPR and EU AI Act reporting obligations
• Ensure your DPO is involved in AI governance from the outset

Compliance checklist

1. Have you identified all AI systems that process personal data?
2. Are GDPR DPIAs and EU AI Act FRIAs/DPIAs integrated for relevant systems?
3. Do your data processing agreements with AI vendors cover EU AI Act obligations?
4. Is your Art. 30 processing register updated to reflect AI system data?
5. Is your incident response process integrated for both GDPR and EU AI Act reporting?
6. Is the DPO involved in AI governance and classification decisions?