# EU AI Act vs GDPR: where they overlap and where they don't

About a third of the SaaS founders I talk to assume the EU AI Act is "the GDPR for AI." That assumption is wrong in a specific way that causes real money to be wasted. The two regulations cover different things. They overlap in exactly three places. Knowing the difference saves you from doing the same compliance work twice and from missing the gaps where each regulation has its own teeth.

This post is the map the Disclos team uses when scoping audits for SaaS that are already GDPR-compliant.

## What each regulation actually regulates

GDPR (Regulation (EU) 2016/679) regulates the processing of personal data. Its unit is the data subject. Its question is: are you handling someone's personal data lawfully, transparently, securely, and with respect for their rights?

EU AI Act (Regulation (EU) 2024/1689) regulates AI systems placed on the EU market or whose output is used in the EU. Its unit is the AI system. Its question is: is this AI system safe, transparent, properly classified, and operated with appropriate human oversight?

You can have an AI system that processes no personal data and is fully covered by the AI Act and untouched by the GDPR (think: an AI that designs bridges from CAD files). You can have personal data processing with no AI at all that is fully covered by the GDPR and untouched by the AI Act (think: your CRM with manual data entry).

Most SaaS lives in the middle, where both apply.

## Where the two overlap

There are three real overlaps. Get these right and you have covered most of the joint surface.

Overlap 1: automated decision-making about individuals.

GDPR Article 22 gives the data subject the right not to be subject to a decision based solely on automated processing that produces legal or similarly significant effects. You need a legal basis, you need to inform the person, you usually need to offer human intervention.

EU AI Act Annex III(5) (creditworthiness, public benefits, healthcare access) makes most of those same decisions high-risk AI systems. So an automated credit decision is BOTH a GDPR Article 22 decision AND an Annex III high-risk AI system. You owe both sets of obligations. The GDPR transparency notice does not satisfy the AI Act conformity assessment, and vice versa.

Overlap 2: biometric data.

GDPR Article 9 treats biometric data used for unique identification as special-category data. You need explicit consent in most B2C cases, or another Article 9 legal basis.

EU AI Act Article 5(1)(g) prohibits biometric categorisation based on race, political opinion, religion, sexual orientation, and similar categories. Article 50(3) requires disclosure of any emotion recognition or biometric categorisation system. Annex III(1) makes most biometric identification high-risk.

So a face recognition system in your SaaS is regulated under BOTH. GDPR governs the data. AI Act governs the system. You need explicit consent (GDPR), AND a disclosure (AI Act Article 50), AND likely a conformity assessment (AI Act Annex III).

Overlap 3: documentation.

The GDPR requires records of processing under Article 30. The AI Act requires a technical file under Article 11 (for high-risk systems) and a fundamental rights impact assessment under Article 27 (for high-risk systems deployed by public bodies or in specific contexts).

These are different documents with overlapping content. You can save time by sharing the underlying analysis, but you still have to produce each document separately. A DPIA is not a technical file. A technical file is not a DPIA.

## Where they explicitly do not overlap

The AI Act covers safety. The GDPR does not.

If your AI system has an accuracy problem, a robustness problem, or a cybersecurity problem that does not involve personal data, the GDPR has nothing to say about it. The AI Act does. Article 15 requires accuracy, robustness, and cybersecurity for high-risk systems. Article 13 requires transparency about the system's intended purpose and limitations.

The GDPR covers data minimisation. The AI Act mostly does not.

If your AI system is processing more personal data than it needs to, that is a GDPR violation under Article 5(1)(c). The AI Act has data governance obligations under Article 10 for high-risk systems, but they are about quality and bias, not minimisation.

The AI Act covers human oversight as a system requirement. The GDPR covers human review as a data subject right.

Article 14 of the AI Act requires that high-risk systems be designed for effective human oversight by the deployer. This is a system-level obligation. GDPR Article 22 gives the data subject the right to request human intervention. Different obligations, different parties, different triggers.

## The compounding penalty problem

If you violate both regulations with the same action (say, an automated decision in a high-risk area that also misuses personal data), you can face penalties under both. GDPR caps at 20 million euros or 4 percent of global turnover. AI Act high-risk violations cap at 15 million or 3 percent. In a worst case, the same action exposes you to up to 7 percent of turnover in stacked penalties.

National authorities are also separate. Your data protection authority enforces the GDPR. Your AI Act national competent authority enforces the AI Act. In some Member States these are the same office. In most, they are different. So you may end up explaining the same incident to two regulators in parallel.

## What the Disclos team does in joint scope

When we run a 5-day audit for a SaaS that is already GDPR-compliant, we do four things differently:

1. We map the AI Act obligations against the existing GDPR documentation and flag the overlaps so you do not redo work.
2. We highlight the three overlap zones above and confirm both regulations are satisfied.
3. We note the GDPR-only and AI-Act-only gaps that GDPR compliance alone has not closed.
4. We hand back a single compliance file that is keyed to both regulations, so your DPO and your AI lead can both use it.

If you want to do this yourself, the open-source checklist on GitHub walks through the AI Act portion. Combine it with whatever GDPR documentation you already have. The overlaps are predictable once you know where to look.

The summary: GDPR and AI Act are siblings, not the same regulation. SaaS teams that treat them as one make twice the mess.

Last updated: 2026-06-04