EU AI Act vs GDPR: how the two regimes stack for SaaS
The EU AI Act and GDPR are complementary, not competing. GDPR governs personal data processing; the AI Act governs how AI systems are placed on the market and used. For most SaaS, both apply at the same time, and compliance under one does not satisfy the other. The most common founder misconception is that ISO certifications or GDPR compliance covers AI Act obligations. They do not.
What each regulation covers
GDPR (Regulation 2016/679, in force since May 2018) governs the processing of personal data of EU residents. It applies to controllers and processors regardless of where they are established, as long as the data subjects are EU residents. The AI Act (Regulation 2024/1689, applying primarily from 2 August 2026) governs how AI systems are designed, placed on the market, and deployed in the EU. It applies regardless of whether personal data is processed. An AI system trained only on synthetic data still falls under the AI Act if it operates in the EU.
Where they overlap
The overlap is substantial. AI systems that process personal data are subject to both regulations simultaneously. Specific intersections: GDPR Article 22 (automated decision-making) overlaps with AI Act Article 14 (human oversight) and AI Act Article 50(1) (transparency). GDPR Article 5 (data minimisation, purpose limitation) constrains the training data documentation required under AI Act Article 10. GDPR Article 35 (Data Protection Impact Assessment) for high-risk processing overlaps with AI Act Article 43 conformity assessment.
Where they differ
Key differences: GDPR is rights-based (data subject rights), the AI Act is risk-based (system classification). GDPR penalties cap at €20M or 4% of global turnover; AI Act caps at €35M or 7% for prohibited practices, €15M or 3% for high-risk. GDPR enforcement runs through national DPAs with EDPB coordination; AI Act enforcement uses a mix of national authorities and the European AI Office. GDPR has been in force seven years; AI Act enforcement is just starting.
Which applies when
Both apply to AI systems processing personal data of EU residents. Only the AI Act applies to AI systems that do not process personal data but operate in the EU (e.g., AI for industrial machinery, AI for inventory optimisation). Only GDPR applies to non-AI data processing. For SaaS, the practical pattern is: do the GDPR work first if not already done, then layer AI Act compliance on top. Many SaaS companies find that their existing DPIAs partially satisfy AI Act Article 43 documentation, but rarely fully.
Practical compliance approach
Run a stacked compliance review: identify AI features, classify them under the AI Act (Provider/Deployer, Annex III, Article 5), then check GDPR alignment (lawful basis, DPIA, Article 22 controls). Update the privacy notice to satisfy both Article 50 transparency (AI Act) and Article 13/14 disclosure (GDPR). Update the terms of service to address Article 22 GDPR and Article 50(1) AI Act disclosure. Build incident reporting that satisfies both Article 33 GDPR notification and Article 73 AI Act reporting.
Frequently asked questions
Does GDPR compliance mean I am AI Act compliant?
No - they cover different obligations. GDPR addresses personal data processing; the AI Act addresses how AI systems are designed and deployed. Both apply to most SaaS.
Which has higher penalties?
AI Act for prohibited practices (€35M or 7% of global turnover). GDPR caps at €20M or 4%. High-risk AI Act violations cap at €15M or 3%.
Can a single DPIA cover both?
Partially - a well-structured DPIA can address most of Article 43 AI Act conformity assessment requirements, but additional documentation on Article 10 data governance and Article 14 human oversight is needed.
Do I need a separate AI compliance officer?
Not required by the Act, but recommended for high-risk AI providers. Many organisations expand the DPO role to cover AI Act oversight or appoint a dedicated AI Compliance Officer.
How do enforcement actions interact?
A single incident can trigger both GDPR and AI Act investigations, often by the same national authority. Cumulative penalties are possible. EDPB and the European AI Office are coordinating enforcement guidance for overlap cases.
Last updated: 2026-05-28