EU AI Act and GDPR: Where the Two Laws Overlap
Teams often treat the EU AI Act as a brand new rulebook that lands on a clean desk. It does not. If your AI system touches personal data, GDPR was already on that desk, and the AI Act stacks on top of it.
That stacking is where most of the confusion lives. The same project can owe a Data Protection Impact Assessment under one law and a Fundamental Rights Impact Assessment under the other, and nobody wants to run two parallel compliance tracks if one mapped program will do.
What is the relationship between the EU AI Act and GDPR?
The EU AI Act and GDPR are two EU regulations that apply together. GDPR (Regulation 2016/679) governs how organizations handle personal data, while the AI Act (Regulation 2024/1689) governs AI systems by risk level. A high-risk AI system that processes personal data must satisfy both, so the AI Act adds duties on top of GDPR rather than replacing them.
In practice this means GDPR keeps doing its job. Lawful basis, data minimization, purpose limitation, and data subject rights all still apply to the personal data an AI system reads or produces. The AI Act then layers on AI-specific duties such as risk management, human oversight, and transparency.
The result is two obligations running in parallel, not one canceling the other. When the two overlap, you satisfy the stricter requirement, because clearing the higher bar clears the lower one too.
Where do the EU AI Act and GDPR overlap?
The overlap is concentrated in a handful of areas, and most of them sit inside any project that uses personal data to train or run a model. The clearest way to see it is side by side.
| Topic | GDPR duty | EU AI Act duty |
|---|---|---|
| Impact assessment | DPIA for high-risk processing (Article 35) | FRIA for certain high-risk deployers (Article 27) |
| Data quality and governance | Accuracy and minimization principles (Article 5) | Data governance for high-risk systems (Article 10) |
| Records | Records of processing activities (Article 30) | Technical documentation and logging |
| Transparency | Inform data subjects (Articles 13 and 14) | Disclose AI interaction and synthetic content (Article 50) |
| International transfers | Chapter V safeguards | No separate transfer regime; GDPR governs the data |
| Incident duty | Personal data breach notification (Articles 33 and 34) | Serious incident reporting for high-risk systems |
The pattern is consistent. GDPR governs the data inside the system, and the AI Act governs the system that acts on the data. The AI and data protection exercise runs a healthcare model through both regimes at once so teams can feel where the duties meet.
DPIA vs FRIA: do you need both?
Often yes. A Data Protection Impact Assessment under GDPR Article 35 looks at the risk a processing activity poses to people’s data rights. A Fundamental Rights Impact Assessment under AI Act Article 27 looks at the broader risk a high-risk AI system poses to fundamental rights, and it applies to public bodies and certain high-risk deployers before first use.
They ask different questions about the same system. A DPIA asks whether the data processing is lawful, proportionate, and protected. A FRIA asks whether the deployed system could harm rights like non-discrimination, dignity, or access to services.
The smart move is to run them as one mapped exercise rather than two disconnected forms. The GDPR data protection impact assessment exercise trains the DPIA half, and the fundamental rights impact assessment exercise trains the FRIA half, so a team sees how one feeds the other instead of duplicating work.
How does AI data governance build on GDPR records of processing?
It builds on the inventory you should already have. GDPR Article 30 requires records of processing activities, a documented map of what personal data you hold, why, and where it flows. AI Act Article 10 then requires high-risk systems to use training and input data that is relevant, representative, and governed for quality.
You cannot govern AI data you have never mapped. A model trained on a dataset nobody documented is a model nobody can audit, which fails both laws in one shot. The records you keep for GDPR become the foundation an AI inventory sits on.
This is why an honest data map pays off twice. The GDPR data mapping and records of processing exercise trains the Article 30 discipline, and the AI data governance exercise extends it to training sets, so the same map serves your privacy office and your AI governance owner.
Do GDPR cross-border transfer rules apply to AI training data?
Yes, and the AI Act does not change them. The AI Act has no separate transfer regime, so when AI training data contains personal data and moves outside the EU, GDPR Chapter V governs the move. That means an adequacy decision, standard contractual clauses, or another valid safeguard.
This catches teams off guard with cloud-hosted models. Sending European personal data to a model endpoint in another region is a transfer, even when the data is “just” being used to fine-tune or run inference. The AI label does not exempt the data from Chapter V.
The fix is to treat AI vendors like any other processor and check where the data actually lands. The GDPR cross-border data transfers exercise walks teams through validating a transfer before personal data leaves the bloc, which is exactly the gap an AI procurement decision tends to miss.
How do breach and AI-incident duties line up?
They sit next to each other and can both fire from a single event. GDPR Articles 33 and 34 require notifying the supervisory authority, and sometimes the affected people, after a personal data breach. The AI Act adds a serious incident reporting duty for high-risk systems, aimed at malfunctions and harms rather than data exposure.
One incident can trigger both clocks. If a high-risk AI system malfunctions and that malfunction also exposes personal data, you may owe a GDPR breach notification and an AI Act incident report on overlapping timelines.
Response teams need to know both duties exist before the incident, not during it. The GDPR security incident response exercise rehearses the breach-notification clock under pressure, and pairing that muscle memory with AI-incident awareness keeps a single event from becoming two missed deadlines.
Can one training program cover both laws?
Yes, and it is the more defensible choice. Because the AI Act and GDPR overlap so heavily, separate privacy and AI tracks teach the same data-handling habits twice while leaving the seams between them untrained. A mapped program teaches the shared core once and then branches into the law-specific duties.
The shared core is data discipline. Knowing what personal data you hold, why you hold it, and how it flows is the prerequisite for a DPIA, a FRIA, a records inventory, and AI data governance alike. Train that once and most of both regulations becomes reachable.
The branches are where each law goes its own way. The privacy and compliance catalogue carries GDPR scenarios next to the EU AI Act course, so a single learning path can cover data subject rights and AI risk controls without sending people through two unrelated curricula.
How RansomLeak trains the AI Act and GDPR overlap
RansomLeak teaches the overlap as connected scenarios rather than two siloed courses. The EU AI Act course and the GDPR course share a data-governance spine, so a learner who understands records of processing already has the footing for AI data governance, and a learner who has run a DPIA can see how a FRIA extends it.
Every module exports as SCORM for the LMS an auditor will inspect, which matters when you need to show that the people operating AI on personal data were actually trained on both regimes. For the regulations end to end, the EU AI Act training guide and the GDPR training guide map each obligation to a specific exercise.
The deeper background lives in two companion posts. Our EU AI Act risk categories guide explains the four-tier model that decides which AI duties apply, and the EU AI Act compliance deadlines guide lays out the staged dates. On the privacy side, a solid GDPR employee training program and the underlying GDPR data protection principles cover the data handling that high-risk AI depends on.
If you want one mapped path across both laws, explore our compliance training programs or book a walkthrough with our team.
Frequently asked questions
Does the EU AI Act replace GDPR?
No. The EU AI Act sits on top of GDPR and adds AI-specific duties such as risk management, human oversight, and transparency. GDPR still governs every piece of personal data your AI system reads or produces, so the two apply at the same time rather than one superseding the other.
What is the difference between a DPIA and a FRIA?
A DPIA under GDPR Article 35 assesses the risk a processing activity poses to people’s data protection rights. A FRIA under AI Act Article 27 assesses the broader risk a high-risk AI system poses to fundamental rights, and it applies to public bodies and certain high-risk deployers before first use. Many high-risk AI projects need both.
Do GDPR rules apply to AI training data?
Yes, whenever the training data includes personal data. Lawful basis, data minimization, and data subject rights all apply to that data, and moving it outside the EU still triggers GDPR Chapter V transfer safeguards. The AI Act adds data governance duties on top but does not switch off GDPR.
Which law takes priority when the EU AI Act and GDPR overlap?
Neither overrides the other. Where their requirements overlap, you satisfy the stricter one, because clearing the higher bar also clears the lower. The AI Act explicitly preserves data protection law, so the safe reading is to treat both sets of duties as live at once.
Can the same incident trigger both a GDPR breach notice and an AI Act report?
Yes. If a high-risk AI system malfunctions and that malfunction also exposes personal data, you may owe a GDPR breach notification under Articles 33 and 34 and a serious incident report under the AI Act. The two duties run on overlapping timelines, so response teams should plan for both before an incident happens.
Do small businesses get any relief under these rules?
GDPR scales some duties to risk and scope, and the AI Act sets penalty caps that take the lower of two values for SMEs. The substantive duties still apply, though. A small company running a high-risk AI system on personal data owes the same core controls as a large one, just with proportionate penalty exposure.
Bottom line
The EU AI Act and GDPR are not competing rulebooks. GDPR governs the personal data, the AI Act governs the system that acts on it, and a high-risk project that touches personal data has to clear both at once.
Treating them as one mapped program is the efficient and defensible path. Build the data map once, branch into DPIA and FRIA, records and AI data governance, breach and incident duties, and train the people who operate AI on both regimes rather than either alone.
If you want scenario-based training that covers the AI Act and GDPR together, explore the privacy and compliance catalogue or talk to our team.