
EU AI Act and GDPR Crosswalk: Obligation Mapping Table

Guide · 23 May 2026 · 13 min read · 2,547 words

Article-by-article mapping: EU AI Act to GDPR. Where Art 27 and Art 35 DPIA combine, where Art 14 and GDPR Art 22 overlap, and where the two diverge.

Two separate regulations, two sets of regulators, two penalty regimes — but one compliance team. When an AI system processes personal data, the EU AI Act (Regulation (EU) 2024/1689) and the GDPR (Regulation (EU) 2016/679) both apply, simultaneously and independently. Neither defers to the other. Market surveillance authorities enforce the AI Act; data protection authorities (DPAs) enforce the GDPR.

This page maps the specific obligation pairs — EU AI Act article to GDPR article — so you can see exactly where the two frameworks touch, where one assessment can satisfy both, and where they genuinely diverge. For the broader conceptual treatment of how the two frameworks intersect, see our GDPR and EU AI Act intersection guide.


The Crosswalk Table

Before reading the pairs: keep the penalty regimes clearly separated. EU AI Act fines under Article 99 reach €35,000,000 or 7% of global turnover (Article 5 prohibitions), €15,000,000 or 3% (most other obligations), and €7,500,000 or 1% (misleading information to authorities). GDPR fines under GDPR Article 83 reach €20,000,000 or 4% (GDPR Article 83(5) — most serious violations) and €10,000,000 or 2% (GDPR Article 83(4) — procedural obligations). These are separate instruments; a single AI incident involving personal data can attract fines under both, from different authorities.

| AI Act obligation | GDPR counterpart | Relationship |
|---|---|---|
| AI Act Article 9 — risk management system | GDPR Article 35 — DPIA | Adjacent; DPIA output feeds the Art 9 risk register |
| AI Act Article 10 — data and data governance | GDPR Article 5 data principles + GDPR Article 9 special categories | Parallel but distinct duties; Art 10(5) mirrors GDPR Art 9 for sensitive data in training |
| AI Act Articles 13 and 50 — transparency | GDPR Articles 13–14 — information obligations + GDPR Article 12 — accessible communication | Strong overlap; a single notice can address both where requirements align |
| AI Act Article 14 — human oversight | GDPR Article 22 — right to human review of solely automated decisions | Rights-based vs. governance-based; one oversight mechanism should satisfy both |
| AI Act Article 27 — FRIA | GDPR Article 35 — DPIA | Art 27(4) explicitly permits the FRIA to build on the DPIA; combined assessment is standard practice |
| AI Act Articles 12, 19, 26 — logging and records | GDPR Article 30 — records of processing activities (RoPA) | Additive; AI Act logs are narrower (technical event logs); GDPR RoPA is broader (all processing) |
| AI Act Article 49 — EU database registration | No direct GDPR equivalent | No GDPR counterpart; a separate, AI-Act-only obligation |

Each pair is unpacked below.


AI Act Article 9 ↔ GDPR Article 35

AI Act Article 9 requires high-risk AI providers to implement a risk management system — documented, iterative, covering foreseeable risks throughout the system's lifecycle.

GDPR Article 35 requires a DPIA before processing "likely to result in a high risk to the rights and freedoms of natural persons." Systematic profiling, special category data at scale, novel technologies, and systematic monitoring all typically trigger it.

Where they connect: Both require a structured pre-deployment risk assessment. The DPIA output feeds directly into the Article 9 risk management file. Run both together; document shared findings once.

Where they diverge: The Article 9 system is an ongoing operational control; the DPIA is a pre-processing assessment reviewed at significant changes. Article 9 focuses on risks from AI outputs; GDPR Article 35 focuses on risks from the personal data processing. An AI system whose outputs contain no personal data could still require both, because personal data may be processed upstream of those outputs.


AI Act Article 10 ↔ GDPR Article 5 + GDPR Article 9

AI Act Article 10 sets data governance requirements for training, validation, and testing datasets: data must be relevant, representative, and — to the greatest extent possible — free from errors. Where special category data is used in training, Article 10(5) permits it only where strictly necessary for bias monitoring with appropriate safeguards.

GDPR Article 5 states the core data principles: lawfulness, fairness, transparency; purpose limitation; data minimisation; accuracy; storage limitation; integrity and confidentiality. GDPR Article 9 prohibits processing of special category data unless an explicit exception applies — a frequent issue in training data containing health, ethnic origin, or other sensitive attributes through proxy variables or scraped web data.

Where they connect: Both flag special category data as requiring heightened treatment. A data governance policy covering bias detection and special category controls satisfies both simultaneously.

Where they diverge: GDPR Article 5 requires a lawful basis under GDPR Article 6 to use personal data in training at all — Article 10 assumes that has been resolved and addresses representativeness and bias on top. Data minimisation (GDPR) can create tension with Article 10's representativeness requirement.


AI Act Articles 13 and 50 ↔ GDPR Articles 12–14

AI Act Article 13 requires high-risk AI systems to be designed to allow deployers to understand how the system functions — deployer-facing documentation to support human oversight. AI Act Article 50 requires, from 2 August 2026, that natural persons be informed when interacting with an AI system, that AI-generated content be marked as such, and that emotion-recognition or biometric-categorisation outputs be disclosed to those affected.

GDPR Articles 13 and 14 require controllers to provide individuals with clear information about how their personal data is processed. GDPR Article 12 requires that information be provided in a concise, intelligible, and easily accessible form.

Where they connect: Any AI system processing personal data and interacting with individuals generates overlapping transparency duties. A chatbot must disclose both that it is an AI system (Article 50) and that it processes personal data (GDPR Articles 13–14). A single, well-drafted user notice handles both.

Where they diverge: GDPR transparency is data-subject-facing and personal-data-specific. AI Act Article 13 is deployer-facing. Article 50 is individual-facing but broader — the disclosure requirement applies even where the AI interaction does not involve personal data.


AI Act Article 14 ↔ GDPR Article 22

AI Act Article 14 requires high-risk AI systems to be designed to allow effective human oversight — persons responsible must have the competence, authority, and tools to monitor operation, recognise anomalies, and intervene, including by overriding or suspending the system.

GDPR Article 22 gives individuals the right not to be subject to decisions based solely on automated processing that produce significant effects — unless the decision is necessary for a contract, authorised by law, or based on explicit consent. Where any exemption applies, the controller must implement safeguards including the right to obtain human review.

Where they connect: Both require that a human be genuinely capable of intervening in consequential AI decisions. An oversight process built to satisfy Article 14 — a trained reviewer with authority and data access to override AI outputs — is also the GDPR Article 22 safeguard.

Where they diverge: GDPR Article 22 is triggered only by solely automated decisions with significant effects. AI Act Article 14 applies to all high-risk AI systems regardless of whether any decision is solely automated. "A human reviewed it" satisfies neither: the GDPR requires meaningful review; Article 14 requires genuinely effective oversight. A rubber-stamp process fails both.


AI Act Article 27 ↔ GDPR Article 35

AI Act Article 27 requires certain deployers to conduct a Fundamental Rights Impact Assessment before deploying a high-risk AI system. The obligation applies to: (a) bodies governed by public law deploying any high-risk AI system; and (b) private deployers of Annex III point 5(b) creditworthiness/credit scoring or point 5(c) life/health insurance systems. Most private-sector deployers do not owe a FRIA.

GDPR Article 35 requires a DPIA before high-risk personal data processing — a structured assessment of the necessity and proportionality of the processing, the risks to data subjects, and the measures to address them.

Where they connect: Both are pre-deployment assessments. Article 27(4) explicitly permits the FRIA to build on a completed DPIA — the clearest do-once-satisfy-many provision in either regulation.

Where they diverge: The DPIA covers data processing risks; the FRIA covers fundamental rights risks more broadly — non-discrimination, access to essential services, fair judicial proceedings. The DPIA may be conducted by the controller (provider or deployer); the FRIA is always the deployer's obligation.


AI Act Articles 12, 19, 26 ↔ GDPR Article 30

AI Act Article 12 requires high-risk AI systems to automatically generate logs of events that may cause or contribute to a risk. Article 19 requires providers to retain those logs for at least six months where they control them. Article 26 imposes the same six-month minimum on deployers.

GDPR Article 30 requires records of processing activities — a high-level governance document covering purposes, data categories, recipients, transfers, retention periods, and security measures.

Where they connect: Every AI system processing personal data should appear in both the Article 30 RoPA and the AI Act log and inventory records.

Where they diverge: AI Act logs are technical event logs — timestamped inputs, outputs, and anomalies — designed for post-incident market surveillance review. The GDPR RoPA is an organisational governance record designed to demonstrate accountability to supervisory authorities. Different in form, audience, and content; neither substitutes for the other.


AI Act Article 49: No GDPR Counterpart

AI Act Article 49 requires providers of high-risk AI systems to register their systems in the EU database (established under Article 71) before placing them on the market. Deployers of systems under specific Annex III categories must also register. For providers claiming the Article 6(3) exemption from the high-risk classification, registration of that assessment is also required.

There is no GDPR equivalent. Article 49 registration cannot be delegated to the DPO's GDPR programme and must be tracked separately. The EU database is publicly searchable, so the absence of a registration that should exist will eventually be visible to regulators, competitors, and the public.


Do-Once-Satisfy-Many: Where One Effort Serves Both Frameworks

| What you build once | AI Act purpose | GDPR purpose |
|---|---|---|
| Pre-deployment risk assessment (FRIA incorporating DPIA) | Article 27 FRIA | GDPR Article 35 DPIA |
| Human oversight process | Article 14 oversight mechanism | GDPR Article 22 safeguard for automated decisions |
| Combined privacy and AI-interaction notice | Article 50 disclosure (from Aug 2026) + Art 13 information for deployers | GDPR Articles 12–14 information obligations |
| Single AI inventory with data-processing fields | Article 9 risk management input + Art 12/19/26 log references | GDPR Article 30 RoPA |

Where the Frameworks Genuinely Diverge

Training data lawful basis. GDPR requires a lawful basis under GDPR Article 6 for using personal data in training — typically legitimate interests, with a Legitimate Interests Assessment. AI Act Article 10 has no equivalent: it assumes the data is lawfully held and addresses representativeness and bias on top. Two separate analyses; neither substitutes for the other.

Erasure rights. GDPR Article 17 gives individuals the right to have personal data erased. For AI training data, this creates technical complexity that the EU AI Act does not address. The AI Act imposes no erasure or data subject rights framework; that burden falls entirely on GDPR.

Registration and notification. AI Act Article 49 registration is a compliance obligation with no GDPR equivalent. The DPO's programme cannot satisfy it. It requires separate tracking and resourcing.


How Confir Helps

Confir's guided intake captures both EU AI Act and GDPR-relevant data about each AI system in one pass. The risk classification questions surface whether a system processes personal data, whether it makes consequential decisions about individuals, and whether special category data is involved — feeding the AI Act risk tier determination and the GDPR DPIA trigger assessment simultaneously.

Where a deployer is subject to Article 27, Confir's FRIA workflow incorporates the GDPR Article 35 elements required by Article 27(4), producing a single combined document. The engine is rule-based and deterministic: the same intake produces the same obligation mapping, consistently.


Frequently Asked Questions

What is the difference between the EU AI Act and the GDPR?

They are separate regulations with separate supervisory authorities, separate penalty structures, and separate obligations. The GDPR (Regulation (EU) 2016/679) governs personal data processing. The EU AI Act (Regulation (EU) 2024/1689) governs AI systems by risk level. Both may apply to the same AI system simultaneously. Compliance with one does not constitute compliance with the other.

Can a single DPIA satisfy the EU AI Act FRIA requirement?

Yes, where the FRIA obligation applies. Under AI Act Article 27(4), a FRIA may build on an existing GDPR Article 35 DPIA, extended to cover fundamental rights beyond data protection — non-discrimination, access to essential services, access to justice. The FRIA obligation applies only to public bodies (any high-risk deployment) and private deployers of Annex III point 5(b) creditworthiness or 5(c) life/health insurance systems.

Is GDPR Article 22 always triggered when a high-risk AI system is used?

No. GDPR Article 22 applies only where a decision is based solely on automated processing and produces significant effects on the individual. Many high-risk AI systems have a human review the output before any decision is communicated — removing the "solely automated" trigger. AI Act Article 14, by contrast, applies more broadly: the system must be designed to make human review genuinely effective, whether or not it is technically "sole" automation.

What are the penalties under each regulation, and can both apply to the same incident?

Yes. AI Act Article 99 fines reach up to €15,000,000 or 3% of worldwide turnover for most violations, enforced by market surveillance authorities. GDPR Article 83(5) fines reach up to €20,000,000 or 4% for the most serious GDPR violations, enforced by data protection authorities. A single incident can attract both, assessed independently under different instruments.

How should we structure our AI inventory to satisfy both frameworks?

Maintain a master AI inventory including both AI Act fields (risk classification, provider/deployer role, compliance status) and GDPR fields (personal data categories, legal basis, retention period, third-country transfers). Where a system appears in both the AI Act inventory and the GDPR RoPA, reference the AI Act record from the RoPA entry rather than duplicating. One record, two framework references.

Which authority handles a complaint involving both the EU AI Act and GDPR?

Both have jurisdiction. EU AI Act complaints go to the national market surveillance authority (Article 70); GDPR complaints go to the national data protection authority. Notify both in parallel — a notification to one does not satisfy the other.

Does the GDPR apply to AI training data?

Yes, where training data includes personal data. You need a lawful basis under GDPR Article 6, must satisfy data minimisation and purpose limitation under GDPR Article 5, and must respect data subject rights. Where special category data is involved, GDPR Article 9 requires a specific exception ground. AI Act Article 10 adds a parallel requirement for data representativeness and bias examination — it does not replace the GDPR obligations.

