Comparison · Updated 2026

EU AI Act vs GDPR

The EU AI Act governs AI systems — how they are classified, documented, and deployed — while GDPR governs personal data — how it is collected, processed, and protected. They are complementary, not competing: any AI product that processes personal data must comply with both at the same time. This page compares their scope, deadlines, penalties, and obligations side by side so you know exactly which rules apply to your business.

At a glance

| Dimension | EU AI Act | GDPR |
|---|---|---|
| What it governs | AI systems — how they are built, classified, and deployed | Personal data — how it is collected, processed, and stored |
| Regulation | Regulation (EU) 2024/1689 | Regulation (EU) 2016/679 |
| In force since | 1 August 2024 (high-risk obligations from 2 August 2026) | 25 May 2018 |
| Maximum fine | €35M or 7% of global annual turnover | €20M or 4% of global annual turnover |
| Core mechanism | Risk tiers — unacceptable, high, limited, minimal | Seven principles + eight data-subject rights |
| Key document | Annex IV technical documentation + conformity assessment | Records of Processing Activities (RoPA) + DPIA |
| Extraterritorial | Yes — applies if AI output is used in the EU | Yes — applies if EU residents’ data is processed |
| Who is liable | Providers, deployers, importers, distributors | Data controllers and data processors |

How they overlap

Most real-world AI products sit inside both regimes. A hiring-screening model, for example, is a high-risk AI system under Annex III of the EU AI Act and processes candidates' personal data under GDPR. In practice this means you run the obligations in parallel:

  1. Classify the system (AI Act). Determine its risk tier — unacceptable, high, limited, or minimal — to know which obligations apply.
  2. Establish a lawful basis (GDPR). Identify the lawful basis for processing the personal data the system consumes or produces.
  3. Assess impact (both). Run a GDPR DPIA for data risks and, where required, a Fundamental Rights Impact Assessment for AI Act risks — sharing evidence between them.
  4. Document and oversee (both). Maintain RoPA and a privacy notice for GDPR, plus Annex IV technical documentation, human oversight, and logging for the AI Act.
  5. Stay audit-ready (both). Keep evidence current as systems and data flows change, ready for either supervisory authority.

Which applies to you?

  • You process personal data but use no AI: GDPR only.
  • You deploy AI that touches no personal data (rare — e.g. an industrial control model): EU AI Act only.
  • You deploy AI that processes personal data (the common case): both the EU AI Act and GDPR.

Not sure where you land? Use the free GeraCompliance classifier to qualify your AI Act risk tier and GDPR obligations in minutes.

FAQ

What is the difference between the EU AI Act and GDPR?
GDPR (Regulation (EU) 2016/679) governs how organisations process personal data — lawful basis, data-subject rights, breach notification, and DPO/DPIA duties. The EU AI Act (Regulation (EU) 2024/1689) governs how AI systems are built and deployed — risk classification, conformity assessment, technical documentation, and transparency. GDPR is about the data; the AI Act is about the system that uses it.
Do I need to comply with both the EU AI Act and GDPR?
Usually yes. If your AI system processes personal data — which most do — GDPR applies to the data and the EU AI Act applies to the system. The two regulations are complementary, not alternatives. A high-risk AI system handling personal data must satisfy GDPR (lawful basis, DPIA, data-subject rights) and the AI Act (risk management, conformity, human oversight) at the same time.
Which has bigger fines, the EU AI Act or GDPR?
The EU AI Act has the higher ceiling. Its most serious tier — deploying a prohibited AI practice — reaches up to €35 million or 7% of global annual turnover. GDPR's top tier reaches up to €20 million or 4% of global annual turnover. Both apply the higher of the fixed amount or the percentage.
When did each regulation take effect?
GDPR has been enforceable since 25 May 2018. The EU AI Act entered into force on 1 August 2024 and is phased in: prohibitions and GPAI rules applied from August 2025, and the main high-risk obligations apply from 2 August 2026.
Does a GDPR DPIA cover my EU AI Act obligations?
No. A GDPR Data Protection Impact Assessment (Article 35) covers risks to personal data, while the EU AI Act may require a separate Fundamental Rights Impact Assessment plus a risk management system, technical documentation, and conformity assessment. They overlap but do not replace each other. GeraCompliance maps both so you complete each once and reuse the shared evidence.

Comply with both in one place

GeraCompliance covers GDPR and the EU AI Act in a single dashboard — classify once, document once, stay audit-ready.