Two frameworks, one AI system
Any AI system that processes personal data about EU residents must comply with the GDPR and, where applicable, with the EU AI Act. These are not alternative frameworks; they are cumulative obligations that apply simultaneously and must both be satisfied. Organisations that have structured their AI governance around one framework without considering the other face significant compliance gaps.
The relationship between the GDPR and the EU AI Act is one of complementarity with tension. They share common concerns (transparency, individual rights, accountability) but approach those concerns from different regulatory perspectives, using different concepts and creating different obligations. Understanding where they align, where they stack into cumulative obligations, and where they pull in genuinely different directions is essential for organisations designing AI governance frameworks for EU-facing AI systems.
Automated decision-making: Article 22 GDPR
GDPR Article 22 gives individuals the right not to be subject to a decision based solely on automated processing, including profiling, that produces legal effects concerning them or similarly significantly affects them. The right applies where automated processing alone determines an outcome affecting the individual, without meaningful human involvement in the decision.
The "solely automated" threshold is interpreted by data protection authorities in ways that narrow what counts as meaningful human involvement. A human who rubber-stamps an AI recommendation without genuinely reviewing it does not constitute meaningful human involvement. The reviewer must have the authority and competence to change the decision, must be able to understand the AI's logic and access the relevant information, and must actually make an independent decision rather than confirm what the AI produced.
Where Article 22 applies, organisations must either rely on one of its limited exceptions (explicit consent, necessity for entering into or performing a contract, or authorisation by EU or member state law, each accompanied by suitable safeguards such as the right to obtain human intervention and to contest the decision), or ensure that automated processing is not the sole basis for consequential decisions. The EU AI Act's human oversight requirements for high-risk AI systems (Article 14) are designed so that, for the most consequential AI decisions, Article 22's requirements can be met, but only if the oversight is genuine rather than nominal.
Transparency: overlapping disclosure obligations
Both GDPR and the EU AI Act require transparency about AI processing, but they do so through different mechanisms with different scope.
GDPR Articles 13 and 14 require organisations to disclose information about automated decision-making, including the existence of automated decision-making within the meaning of Article 22, meaningful information about the logic involved, and the significance and envisaged consequences for the individual, at the point of data collection or, where data is obtained from other sources, within the time limits Article 14 sets. Article 15 gives individuals a corresponding right of access to the same information. This is a transparency obligation triggered by the processing itself, wherever personal data is processed by automated means that produce legal or similarly significant effects.
The EU AI Act requires providers of high-risk AI systems to design them so that deployers have sufficient information to understand and use the system correctly (Article 13), and requires deployers of high-risk AI systems to inform individuals that they are subject to decisions made with the help of such a system (Article 26). For systems generating synthetic content, Article 50 requires that outputs be marked as artificially generated in a machine-readable way and that deepfakes be disclosed as such.
Organisations using high-risk AI systems to process personal data must satisfy both disclosure regimes. GDPR disclosures at the point of data collection must cover the AI processing; EU AI Act disclosures must inform individuals when consequential decisions are being made using high-risk AI. These are distinct obligations requiring distinct processes, and a single privacy notice written for one regime will not automatically discharge the other.
Data minimisation versus model performance
GDPR's data minimisation principle (Article 5(1)(c)) requires that personal data be adequate, relevant, and limited to what is necessary for the purposes for which it is processed. This principle is in direct tension with AI model development, where the working assumption is that more data produces better models.
Training an AI model for credit risk assessment on a large, feature-rich dataset, including variables that turn out not to be predictive, is standard machine learning practice. From a GDPR perspective, feeding personal data into training without a specific, justified purpose for each category of data may breach the data minimisation principle, particularly if the legal basis for collection was a purpose that did not encompass AI training.
Governance must address this tension explicitly. Before assembling training datasets from personal data, organisations must assess: whether they have a valid legal basis for using the data for AI training; whether the training use is compatible with the purpose for which the data was collected; what data minimisation measures can be applied, such as restricting the training set to an allow-list of justified features; and whether anonymisation or pseudonymisation techniques can reduce personal data processing while preserving sufficient model performance. Pseudonymised data remains personal data under the GDPR, so pseudonymisation reduces risk and supports minimisation but does not take the processing outside the Regulation.
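The following is an added example, not code from the original page or from any regulator, of what the minimisation and pseudonymisation step described above looks like in practice: a feature allow-list strips everything the model has no justified use for, direct identifiers are replaced with a keyed HMAC pseudonym whose key is held separately from the training set (the "additional information kept separately" that GDPR Article 4(5) requires), and a check confirms no unlisted field leaked through. The sample records, field names, and key are constructed for illustration.

```python
import hashlib
import hmac
from typing import Dict, Iterable, List, Set

# Constructed sample records, as they might sit in an operational customer store.
# Names, emails and values are illustrative only.
RAW_RECORDS = [
    {"customer_id": "C-1001", "name": "Alice Example", "email": "alice@example.org",
     "age": 41, "income": 52000, "late_payments": 0, "postcode": "SW1A 1AA"},
    {"customer_id": "C-1002", "name": "Bob Example", "email": "bob@example.org",
     "age": 29, "income": 31000, "late_payments": 2, "postcode": "EH1 1YZ"},
]

# Allow-list of features the model is justified in using (hypothetical choice).
# Anything not listed is dropped before the record leaves the operational store,
# rather than being copied "in case it turns out to be predictive".
MODEL_FEATURES = ("age", "income", "late_payments")

# Field in the training set that carries the pseudonym instead of the raw identifier.
SUBJECT_FIELD = "subject"


def pseudonym(identifier: str, key: bytes) -> str:
    """Keyed HMAC-SHA256 pseudonym of a direct identifier.

    An unkeyed hash would be reversible by enumerating guessable customer IDs;
    with a key, re-identification requires the key, which must be stored
    separately from the training data and never shipped with the model.
    """
    return hmac.new(key, identifier.encode("utf-8"), hashlib.sha256).hexdigest()


def minimise_record(record: Dict, key: bytes) -> Dict:
    """Replace the direct identifier with a pseudonym and keep only allow-listed features."""
    out = {SUBJECT_FIELD: pseudonym(record["customer_id"], key)}
    for feature in MODEL_FEATURES:
        out[feature] = record[feature]
    return out


def build_training_set(records: Iterable[Dict], key: bytes) -> List[Dict]:
    """Produce the minimised, pseudonymised training set from operational records."""
    return [minimise_record(r, key) for r in records]


def leaked_fields(training_set: Iterable[Dict]) -> Set[str]:
    """Governance check: any field in the training set that is not on the allow-list.

    Returns an empty set when the dataset contains only the pseudonym and the
    approved features; a non-empty set means a direct identifier or an
    unjustified attribute slipped into training data.
    """
    permitted = set(MODEL_FEATURES) | {SUBJECT_FIELD}
    return {field for row in training_set for field in row} - permitted


if __name__ == "__main__":
    # Illustrative key only; in practice this comes from a separately controlled secret store.
    demo_key = b"constructed-demo-key-held-by-a-different-team"
    training = build_training_set(RAW_RECORDS, demo_key)
    for row in training:
        print(row)
    print("unexpected fields:", leaked_fields(training) or "none")
```

The same key must be used across every extraction run for the same model, otherwise one individual gets different pseudonyms in different batches and the training rows cannot be joined; rotating the key therefore means rebuilding the training set, not just re-keying a lookup table.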
Purpose limitation and training data
GDPR's purpose limitation principle (Article 5(1)(b)) requires that personal data collected for one purpose not be reused for a materially different purpose without a new legal basis or a compatibility assessment under Article 6(4). Using customer transaction data collected under a contract for service delivery to train a fraud detection model for a different product is not automatically lawful; it requires an assessment of whether the training use is compatible with the original collection purpose.
Organisations that have assembled AI training datasets from personal data collected for operational purposes without conducting this compatibility assessment face a fundamental compliance risk: their AI models may be built on unlawfully processed training data. Remediation may require retraining models on lawfully assembled data, a significant undertaking that governance frameworks should prevent by requiring a documented legal basis and compatibility assessment before any training data is assembled.