EU AI Act vs GDPR: How the Two Regulations Interact in Practice
Running an AI tool that touches personal data means two regulators are watching, not one. Here is exactly how the EU AI Act and GDPR overlap, where they diverge, and how to cut your compliance workload in half.
Two rulebooks, one AI system
The EU AI Act vs GDPR question is not academic. If your company uses an AI tool that processes employee data, customer profiles, or automated decisions, both regulations apply at the same time, right now. The GDPR has been enforceable since 2018. The AI Act entered into force on 1 August 2024, with its first hard obligations already live and the full deployer framework applying from 2 August 2026. You cannot pick one and ignore the other.
Understanding where they overlap, and where they diverge, is the fastest way to avoid duplicating work or, worse, assuming one regulation covers what only the other addresses.
What each regulation actually governs
The GDPR governs how personal data is collected, stored, shared, and used. It applies whenever you process information that can identify a natural person. The legal basis sits in Article 6 GDPR, and special-category data triggers the stricter requirements of Article 9.
The AI Act governs AI systems themselves: how they are designed, tested, documented, and deployed. It applies regardless of whether personal data is involved. A pricing algorithm that never touches names still falls under the Act if it meets the definition of an AI system under Article 3. A recruitment screening tool that ranks CVs is almost certainly a high-risk AI system under Annex III, which triggers a full set of deployer obligations.
The short version: GDPR protects people's data. The AI Act protects people from AI. Most real-world deployments require both.
Where the obligations genuinely overlap
Lawful basis and purpose limitation. Under GDPR, you need a lawful basis before processing personal data. Under the AI Act, you must use an AI system only for its intended purpose as defined by the provider. If you use a candidate-screening tool for employee performance monitoring, you are likely breaching both: GDPR's purpose limitation principle and the AI Act's requirement in Article 26 that deployers stick to the instructions of use.
Transparency and information obligations. GDPR Articles 13 and 14 require you to tell data subjects how their data is used. AI Act Article 50 requires disclosure when people interact with AI systems, particularly those generating synthetic content or making consequential decisions. In practice, your privacy notice and your AI transparency statement need to align. They often do not.
Automated decision-making. GDPR Article 22 gives individuals the right not to be subject to solely automated decisions that produce legal or similarly significant effects. The AI Act classifies many of these same systems as high-risk under Annex III, requiring human oversight, logging, and technical robustness. Complying with one does not automatically satisfy the other. You need a human review process that is real, documented, and traceable.
Data subject rights vs. AI Act rights. GDPR grants rights to access, rectification, erasure, and objection. The AI Act grants a separate right in Article 86 to a meaningful explanation of decisions made by high-risk AI systems. Both rights can be triggered by the same person about the same decision. You need a single workflow that can respond to both.
The DPIA and FRIA: two assessments, one shortcut
This is where compliance workload stacks up fast. The GDPR requires a Data Protection Impact Assessment (DPIA) under Article 35 when processing is likely to result in high risk to individuals. The AI Act requires a Fundamental Rights Impact Assessment (FRIA) under Article 27 when deployers use high-risk AI systems in contexts that affect the public.
They sound similar because they are similar. Both require you to map the system, identify affected people, assess risks, and document mitigations. The FRIA is broader: it explicitly requires you to consider impacts on groups protected under the EU Charter of Fundamental Rights, including non-discrimination, dignity, and access to justice.
Here is the practical shortcut. Article 27(4) of the AI Act states explicitly that deployers may use an existing DPIA to partially fulfil the FRIA requirement, provided it adequately covers the relevant fundamental rights risks. This is not a loophole. It is a designed efficiency for organisations that have already invested in rigorous DPIAs.
To use it, your DPIA must already:
- Identify affected individuals beyond just data subjects (e.g., third parties affected by a decision)
- Assess risks to rights beyond data protection, including non-discrimination
- Document human oversight mechanisms
- Reference the specific AI system and its intended use case
If your current DPIAs are narrow, data-centric documents that stop at "risk to personal data", they will not carry over. You will need to expand them. But the expansion is far less work than starting a FRIA from scratch.
Three high-stakes scenarios for SMEs
HR and recruitment AI. CV screening tools, psychometric AI, and interview analysis software all land in Annex III as high-risk systems. You have GDPR obligations (lawful basis, explicit consent or legitimate interest for special-category data, Article 22 safeguards) and AI Act obligations (Article 26 deployer duties, human oversight, FRIA under Article 27). The Dutch Autoriteit Persoonsgegevens has already investigated algorithmic decision-making in HR contexts, and it will hold enforcement powers under both regimes once national market surveillance authorities are designated.
Credit and financial risk scoring. Any AI system that evaluates creditworthiness is Annex III high-risk. GDPR Article 22 applies to automated credit decisions. The AI Act adds technical documentation, logging, and accuracy requirements. Fines for AI Act violations run up to €15 million or 3% of global annual turnover under Article 99; GDPR fines reach €20 million or 4% of global turnover. These are not additive in most cases, but regulators from both sides can investigate the same incident.
Customer profiling and personalisation. Profiling under GDPR requires transparency and, for sensitive categories, explicit consent. AI Act rules on prohibited practices under Article 5 ban subliminal manipulation and exploitation of vulnerabilities. If your personalisation engine targets people based on emotional state or economic hardship, you may be in prohibited-practice territory regardless of whether you have a lawful basis under GDPR.
Building a unified compliance approach
The most efficient path for an SME is a single AI inventory that flags both GDPR and AI Act triggers simultaneously. For each AI system in use, record:
- Does it process personal data? (GDPR trigger)
- Does it meet the AI system definition under Article 3? (AI Act trigger)
- Is it Annex III high-risk? (escalated AI Act obligations)
- Does it make automated decisions with legal effect? (GDPR Article 22 + AI Act Article 26)
- Is a DPIA already in place that can be expanded into a FRIA?
This five-question triage takes under an hour per system. It tells you immediately where you have gaps and where existing documentation can be repurposed.
Document your AI literacy training under Article 4 at the same time as you update staff data protection training. One training cycle, two obligations ticked.
The regulations are designed to coexist. The EU Commission's guidance on the AI Act confirms that the AI Act does not replace sector-specific legislation including GDPR; it layers on top. Treat them as a system, not as competing checklists.
Your next practical step
Start with the inventory. List every AI tool your organisation uses, apply the five questions above to each one, and identify which need a DPIA expansion into a FRIA. That single exercise will surface your highest-risk exposure points and show you exactly where the Article 27(4) shortcut applies.
If you want a structured starting point, run the free 2-minute compliance check at comply.khairos.ai. It maps your current AI tools against both the GDPR and AI Act frameworks and tells you where your gaps are before a regulator does.