GDPR and the EU AI Act: how the two laws work together
GDPR, AI Act, Compliance
You set up your GDPR documentation. Then a customer questionnaire arrives asking about your AI Act compliance status. And you wonder: are these the same thing? Do I need two separate projects?
The short answer: they are two separate laws, but for many Dutch SMBs they overlap in practice. If you use AI tools that process personal data, you have obligations under both.
This article explains where that overlap lies, where the laws actually diverge, and what to do concretely when one system falls under both.
What GDPR covers, and what the AI Act covers
GDPR (General Data Protection Regulation) is about personal data. The law governs who may collect data, for what purpose, on what lawful basis, and for how long. GDPR applies to every organisation that processes personal data of people in the EU, regardless of company size.
The EU AI Act is about AI systems. The law governs the development, placing on the market, and use of AI, categorised by risk level. The AI Act applies to organisations that use AI systems (deployers) and to organisations that develop them (providers). The higher the risk of the system, the stricter the obligations.
The two laws start from different angles. GDPR protects people by setting rules on what you may do with their data. The AI Act protects people by setting rules on how AI may make decisions about them.
When do AI systems fall under both laws at the same time?
An AI tool that processes personal data automatically falls under GDPR. At the same time, as an AI system, it falls under the AI Act. The two laws then apply simultaneously.
This is true for a large proportion of the AI tools that SMBs use. Recognisable examples:
A CV screening tool that automatically assesses job applicants. AI Act: most likely high-risk (employment selection). GDPR: may process special categories if the tool learns from demographic data, and touches Article 22 (automated decision-making).
A CRM with lead scoring that gives customers a score based on behaviour. AI Act: probably minimal risk, depending on how the score is used. GDPR: processes customer behavioural data and falls under profiling.
An email tool that predicts the optimal send time. AI Act: minimal risk. GDPR: processes email addresses and behavioural data, but the AI functionality probably does not touch Article 22.
A credit assessment tool for financial decisions. AI Act: high-risk. GDPR: processes financial personal data, directly touches Article 22.
The combination requiring the most attention: high-risk AI that processes personal data and makes automated decisions with consequences for people.
Where do the two laws overlap?
The practical overlap sits at three points.
Documentation. GDPR requires a record of processing activities (RoPA): an overview of all processing activities involving personal data. The AI Act requires an AI register: an overview of all AI systems, with risk class, AI type, and information on human oversight. For an AI system that processes personal data, you need both. They share fields such as purpose, responsible person, and data types involved, but they are not copies of each other.
Human oversight. Article 22 GDPR requires that automated decision-making with legal effects can be challenged and that human intervention is possible. The AI Act requires that for high-risk systems, human oversight is structurally built in. This translates to the same practical requirement: someone in your organisation must be able to review, assess, and if necessary reverse the AI decision.
Transparency toward data subjects. GDPR obliges you to inform data subjects about how their data is used, including when AI is involved. The AI Act obliges deployers of high-risk AI to inform data subjects that they are dealing with an AI system. These transparency obligations touch each other but are not identical.
Where do they complement each other without overlapping?
The AI Act also has scope outside GDPR. An AI system that works exclusively with anonymised data falls outside GDPR but may still be high-risk under the AI Act, for example if it automatically makes medical diagnoses based on scan results without personal identification.
GDPR also has scope outside the AI Act. A simple form on a website that collects personal data without any AI functionality falls fully under GDPR, but the AI Act does not apply.
What to do when one system falls under both laws
The most common mistake is treating both laws as separate projects. That leads to duplicated effort and gaps: you have a processing register but no AI register, or the other way around.
The starting point is always the same: an AI inventory. Know which systems your organisation uses. For each system, ask two questions:
- Does this system process personal data? If yes: GDPR applies. Determine the lawful basis, retention period, and data subject rights. Add it to your processing register.
- What is the risk class under the AI Act? If minimal risk: few additional obligations. If high-risk: technical documentation, human oversight, and registration in the AI register are required.
From the inventory, you build two registers that complement each other. The guide to building an AI inventory is the logical first step.
Common mistakes when managing both obligations at once
Assumption: if you are GDPR-compliant, you are also covered for the AI Act. That is not correct. The AI Act imposes separate requirements for technical documentation, risk classification, and human oversight that GDPR does not address.
Assumption: the AI Act only applies to tech companies that develop AI. Not accurate. As a deployer of an AI system, you have obligations even if you purchase the tool from a vendor. This is especially true for high-risk systems.
Assumption: one register is enough. No. The processing register and the AI register have different fields, different purposes, and are assessed by different supervisory authorities.
Practical steps
Step 1: Build an AI inventory. Which AI tools does your organisation use? Ask team members to include what they use themselves.
Step 2: Check per tool whether personal data is processed. If yes: add the processing activity to your processing register. Determine the lawful basis and retention period.
Step 3: Determine the risk class per AI system under the AI Act. Read our article on determining your AI Act risk class for guidance.
Step 4: Record high-risk systems in your AI register with the required documentation on human oversight, purpose, and risk measures.
Step 5: Check whether a system falls under Article 22 GDPR (automated decision-making with legal effects). If yes: add the additional documentation described in our article on automated decision-making documentation.
Does your AI tool fall under GDPR, the AI Act, or both? ComplianceHive combines the processing register and the AI systems register in one platform. You record AI systems that process personal data once, in both registers at the same time. Try free for 30 days.
This article is general information and not legal advice. Consult a qualified lawyer or privacy specialist for an assessment specific to your situation.