Artificial intelligence is transforming every industry — but it's also creating a compliance minefield. The EU AI Act became fully applicable in 2025, and it operates alongside GDPR, not as a replacement. If your AI system processes personal data of EU residents, you must comply with both frameworks simultaneously.
This guide covers the practical intersection of GDPR and the EU AI Act — what you need to do, what to document, and how to avoid the pitfalls that have already triggered enforcement actions.
Where GDPR and the EU AI Act Overlap
The EU AI Act regulates AI systems based on risk level (unacceptable, high, limited, minimal). GDPR regulates any processing of personal data. When your AI system uses personal data — and most do — both apply.
| Requirement | GDPR | EU AI Act |
|---|---|---|
| Transparency | Art. 13-14: inform data subjects | Art. 52: disclose AI interaction |
| Risk assessment | Art. 35: DPIA for high-risk processing | Art. 9: risk management system |
| Human oversight | Art. 22: right not to be subject to automated decisions | Art. 14: human oversight measures |
| Data quality | Art. 5(1)(d): accuracy principle | Art. 10: training data governance |
| Documentation | Art. 30: records of processing | Art. 11: technical documentation |
| Accountability | Art. 5(2): demonstrate compliance | Art. 17: quality management system |
1. Determine Your Lawful Basis for AI Data Processing
Every use of personal data in AI requires a lawful basis under GDPR Article 6. The most common bases for AI are:
- Consent (Art. 6(1)(a)): The data subject explicitly agrees. Hard to use for training data at scale because consent must be specific, informed, and freely given.
- Legitimate interest (Art. 6(1)(f)): Most common for AI. Requires a documented Legitimate Interest Assessment (LIA) balancing your interest against the data subject's rights.
- Contract performance (Art. 6(1)(b)): If the AI is necessary to provide a service the user requested (e.g., a recommendation engine they actively use).
Critical: "Publicly available data" does not create a lawful basis. The Italian DPA fined Clearview AI €20 million for scraping public images without a legal basis. You must still justify your processing regardless of data source.
2. Conduct a DPIA for AI Systems
GDPR Article 35 requires a Data Protection Impact Assessment when processing is likely to result in high risk. AI systems almost always qualify because they involve:
- Systematic and extensive evaluation of personal aspects (profiling)
- Large-scale processing of personal data
- Innovative use of technology
- Automated decision-making with legal or significant effects
Your AI DPIA should document:
- The purpose and necessity of processing
- Training data sources and how personal data was collected
- Model architecture and how it processes data
- Output types and potential impact on individuals
- Bias testing results and mitigation measures
- Data retention policies for training and inference data
- Supplementary measures (anonymization, differential privacy, access controls)
3. Address Automated Decision-Making (Article 22)
GDPR Article 22 gives individuals the right not to be subject to decisions based solely on automated processing that produce legal or similarly significant effects. This directly impacts AI-driven:
- Credit scoring and loan approvals
- Automated hiring or CV screening
- Insurance risk assessment
- Content moderation affecting user access
- Pricing algorithms based on personal characteristics
To comply with Article 22:
- Implement meaningful human review for high-impact decisions
- Provide the right to contest automated decisions
- Explain the logic involved — not the full algorithm, but the key factors
- Allow users to obtain human intervention
- Document your human-in-the-loop processes
4. Ensure AI Transparency Obligations
Both GDPR and the EU AI Act require transparency. Under GDPR Articles 13-14, you must inform users about automated processing. Under EU AI Act Article 52, you must disclose when users are interacting with AI.
Your AI privacy policy disclosures must include:
- The existence of automated decision-making and profiling
- Meaningful information about the logic involved
- The significance and envisaged consequences for the data subject
- The categories of personal data used as input
- Whether third-party AI APIs process user data (OpenAI, Google, Anthropic)
5. Implement Training Data Governance
The EU AI Act Article 10 requires training data to be relevant, representative, free of errors, and complete. GDPR adds requirements around purpose limitation and data minimization.
- Document the provenance of all training datasets
- Assess and mitigate biases in training data
- Implement data quality checks before and during training
- Honor data subject rights for data used in training (erasure, rectification)
- Consider privacy-enhancing technologies like differential privacy for training
6. EU AI Act Risk Classification for Websites
Most website AI features fall into the limited or minimal risk categories. Here's how common AI features are classified:
| AI Feature | Risk Level | Key Obligation |
|---|---|---|
| AI chatbot (customer service) | Limited | Disclose AI interaction to users |
| Product recommendations | Minimal | Transparency in privacy policy |
| AI-generated content | Limited | Label as AI-generated |
| Automated hiring/CV screening | High | Full compliance framework required |
| Credit scoring | High | Full compliance framework required |
| Emotion recognition | Prohibited* | Banned in workplace/education |
| Social scoring | Unacceptable | Prohibited entirely |
7. Practical Compliance Checklist
- Identify all AI systems processing personal data
- Document the lawful basis for each (with LIA if using legitimate interest)
- Conduct a DPIA for each AI system
- Classify each AI system under the EU AI Act risk framework
- Update your privacy policy with AI-specific disclosures
- Implement human oversight for automated decisions
- Create a process for data subjects to contest AI decisions
- Document training data provenance and quality measures
- Implement bias testing and monitoring
- Review and update quarterly as models and regulations evolve
Next Steps
Start by auditing your website for AI-driven processing. PrivacyChecker detects AI chatbots, third-party AI scripts, automated personalization, and AI crawlers accessing your content. Run a free scan to see what AI-related compliance issues your site may have.