GDPR and the EU AI Act: Dual Compliance Guide for AI Systems
Table of Contents
Introduction
If you deploy artificial intelligence in the European Union, you operate under two regulatory frameworks that often overlap, occasionally contradict, and always demand careful orchestration: the General Data Protection Regulation (GDPR) and the recently enforced EU AI Act.
The mistake most teams make is treating these as separate compliance exercises. They are not. GDPR and the EU AI Act create a single, integrated compliance requirement that touches every part of your AI system, from data collection through model deployment and beyond.
This guide covers both frameworks comprehensively: where they overlap significantly, where they diverge entirely, and how to architect AI systems that satisfy both without doubling compliance work.
By the end of this guide, you will understand the technical requirements of each framework, how to map them to your codebase, and how to use tools like the AIR Blackbox GDPR scanner to verify compliance automatically.
Where GDPR and the AI Act Overlap
Data Processing Requirements
GDPR Article 6 requires a lawful basis for processing personal data. The EU AI Act Article 10 requires documentation of training data and validation data sources for high-risk AI systems. These requirements are not the same, but they intersect:
- If you train an AI model on EU resident data, GDPR Article 6 determines whether that processing is lawful.
- If that model is high-risk under the AI Act, Article 10 requires you to document the data, maintain records, and prove you followed data governance standards.
- Both frameworks require you to establish the source of data, the purpose of processing, and the retention schedule.
The overlap means a single dataset must satisfy GDPR lawfulness AND AI Act documentation requirements. Compliance with only one is insufficient.
Automated Decision-Making
GDPR Article 22 restricts automated decision-making that produces legal or similarly significant effects. The EU AI Act Article 14 requires additional human oversight for high-risk AI systems that make consequential decisions.
These overlap when your AI system makes decisions about individuals:
- Credit decisions, hiring recommendations, loan approvals, insurance assessments, benefit eligibility: all trigger both GDPR Article 22 and AI Act Article 14.
- GDPR Article 22 requires human review capability and the right to opt out of automated decisions.
- AI Act Article 14 requires human oversight, monitoring for errors, and documented procedures for handling failures.
- Satisfying one does not satisfy the other. Both are independently required.
Documentation Obligations
Both frameworks demand extensive documentation:
- GDPR: Processing activities, lawful basis, recipients, retention periods, and data subject rights mechanisms.
- AI Act: Training data sources, validation procedures, risk assessments, performance metrics, and monitoring systems.
The overlap creates a single documentation burden that must address both frameworks. A GDPR Data Protection Impact Assessment (DPIA) and an AI Act risk assessment are related but distinct documents.
Data Subject Rights in AI Context
GDPR gives individuals the right to access their data (Article 15), the right to rectification (Article 16), and the right to erasure (Article 17). The AI Act requires that systems using personal data respect these rights.
This creates overlapping requirements: your AI system must be able to
- Identify which data belongs to which individual
- Retrieve that data on request
- Update or correct data when requested
- Remove data when requested (subject to AI Act requirements for maintaining training documentation)
Where They Differ
Focus and Scope
GDPR focuses on personal data protection. Its concern is how organizations collect, process, store, and use information about individuals. GDPR applies to any processing of personal data of EU residents, regardless of whether AI is involved.
The EU AI Act focuses on system-level safety and transparency. Its concern is whether the AI system itself is capable of causing harm, and whether users understand its capabilities and limitations. The AI Act does not apply to systems that don't use personal data, but applies broadly to high-risk AI systems regardless of data protection measures.
Risk Assessment Framework
Under GDPR, you perform a Data Protection Impact Assessment (DPIA) when processing presents high risk to individuals' rights. The DPIA focuses on confidentiality, integrity, and availability of personal data.
Under the AI Act, you perform an AI system risk assessment focused on whether the system could cause harm. Categories include:
- Prohibited AI (completely banned, e.g. social credit scoring)
- High-risk AI (detailed requirements, e.g. hiring tools, credit decisions, biometric identification)
- Limited-risk AI (transparency requirements only)
- Minimal-risk AI (no specific requirements)
A system with minimal personal data protection risk under GDPR could be high-risk under the AI Act if it makes consequential decisions. A system with significant data protection risk could be minimal-risk if it causes no direct harm to individuals.
Enforcement Mechanisms
GDPR is enforced by data protection authorities (like CNIL in France, ICO in UK, BfDI in Germany). They issue fines up to EUR 20 million or 4% of global revenue for violations. They focus on data protection investigation and complaint handling.
The AI Act is enforced by national competent authorities designated by each Member State, with coordination by the European AI Office. Penalties escalate from administrative fines to prohibition of the system entirely. The enforcement approach is still developing, but authorities are appointed with specific AI Act expertise.
This means a system can face simultaneous enforcement from two different regulators with different standards and penalties.
Legal Basis vs. Risk Classification
GDPR requires you to establish a lawful basis (consent, contract, legal obligation, vital interests, public task, or legitimate interests) for each processing activity. Without a lawful basis, you cannot process data at all, regardless of safeguards.
The AI Act does not require a lawful basis for using data. Instead, it requires you to classify your system's risk level and implement safeguards appropriate to that risk. You can use data without consent if the system presents only minimal risk, but the data protection standards still apply via GDPR.
The 8 GDPR Checks for AI Systems
Compliance officers and engineers often ask: what are the concrete GDPR requirements I need to verify in my AI system? Here are the 8 core checks that apply to any AI system processing personal data:
1. Consent Mechanisms for AI Processing
If you rely on consent as your lawful basis for training, you must obtain affirmative, informed consent before processing data for AI. This is more stringent than passive consent or pre-checked boxes. Users must understand that their data will be used for model training.
Use the AIR Blackbox GDPR scanner to verify:
from air_compliance import GDPRScanner
scanner = GDPRScanner()
findings = scanner.check_consent_mechanisms(
code_path="./src",
focus_on=["training_data_loading", "preprocessing"]
)
for finding in findings:
if finding.severity == "HIGH":
print(f"Consent gap: {finding.description}")
print(f"Location: {finding.file}:{finding.line}")
2. Data Minimization in Training Data
GDPR Article 5 requires data minimization: you must collect and use only the data necessary to achieve your stated purpose. For AI systems, this means:
- Only include features in training data that are necessary for model performance
- Remove unnecessary PII before training
- Exclude protected characteristics (race, religion, health) unless explicitly required and justified
Check data minimization in your pipeline:
findings = scanner.check_data_minimization(
data_path="./training_data",
model_purpose="credit_decision"
)
if findings:
print("Data minimization issues found:")
for f in findings:
print(f" - {f.feature_name}: not required for {f.model_purpose}")
print(f" Recommendation: remove or justify")
3. Right to Explanation for AI Decisions
GDPR Article 22 and the AI Act both require explainability. When an AI system makes a decision about someone, they have the right to understand why. This is not always a full mathematical explanation, but must be meaningful to a non-technical person.
Verify your system provides explanations:
findings = scanner.check_explainability(
model_path="./models/credit_decision.pkl",
decision_type="consequential"
)
for finding in findings:
if finding.requires_explanation:
print(f"Decision '{finding.decision_type}' requires explanation")
print(f"Current explanation capability: {finding.explanation_method}")
if not finding.is_user_understandable:
print(" WARNING: Explanation is not user-understandable")
4. Data Retention Policies
GDPR Article 5 requires storage limitation: you must delete personal data when it is no longer necessary. For AI systems, this means:
- Define retention periods for training data
- Delete data when retention period expires
- Handle requests to delete data from individuals (right to erasure)
- Account for the tension between right to erasure and the need to maintain model training records for AI Act compliance
Check retention policies:
findings = scanner.check_retention_policies(
database_schema="./schema.sql",
policies_file="./compliance/retention_policy.json"
)
for dataset in findings.datasets:
print(f"Dataset: {dataset.name}")
print(f" Retention period: {dataset.retention_period}")
print(f" Auto-deletion enabled: {dataset.auto_delete_enabled}")
if not dataset.retention_period:
print(" ERROR: No retention period defined")
5. Cross-Border Transfer Compliance
If your training data comes from EU residents but your model runs on servers outside the EU (US, Asia), you must implement Standard Contractual Clauses (SCCs) or other transfer mechanisms. This is separate from encryption or pseudonymization.
Verify transfer mechanisms:
findings = scanner.check_cross_border_transfers(
data_flow="./architecture/data_flows.yml",
regions=["EU", "US", "APAC"]
)
for transfer in findings.transfers:
if transfer.involves_personal_data and transfer.crosses_border:
print(f"Transfer: {transfer.source} -> {transfer.destination}")
print(f" Legal basis: {transfer.legal_basis}")
if transfer.legal_basis not in ["SCC", "BCR", "DEPA"]:
print(" ERROR: Transfer mechanism not recognized")
6. Data Protection Impact Assessment (DPIA)
For any high-risk processing (which includes most AI systems), GDPR Article 35 requires a Data Protection Impact Assessment before deployment. The DPIA must document:
- Purpose and necessity of processing
- Categories of data
- Risk to rights and freedoms
- Safeguards and mitigations
- Legal basis
Link your DPIA to your codebase:
findings = scanner.check_dpia_completeness(
dpia_path="./compliance/dpia_credit_model.md",
code_path="./src",
verify_mapping=True
)
print("DPIA Coverage Report:")
print(f" Documented risks: {findings.documented_risks}")
print(f" Risks found in code: {findings.actual_risks}")
print(f" Missing documentation: {findings.gap}")
if findings.gap:
print(" ACTION REQUIRED: Update DPIA for newly identified risks")
7. PII Detection and Handling
You must identify what constitutes personally identifiable information (PII) in your training data and ensure it is handled appropriately. Direct identifiers (name, email, SSN) must be removed or pseudonymized. Quasi-identifiers (age, location, occupation) require careful handling.
Automatically scan for PII:
findings = scanner.check_pii_exposure(
data_path="./training_data.csv",
column_config="./compliance/pii_config.json"
)
print(f"PII Detection Results:")
print(f" Columns with direct identifiers: {findings.direct_identifiers}")
print(f" Columns with quasi-identifiers: {findings.quasi_identifiers}")
print(f" Unencrypted PII found: {len(findings.unencrypted_pii)} instances")
if findings.unencrypted_pii:
print("\n Unencrypted PII locations:")
for pii in findings.unencrypted_pii[:5]:
print(f" - {pii.column} at row {pii.row}")
8. Purpose Limitation
GDPR Article 5 restricts you to using data for the purpose stated at collection. You cannot collect data for "improving services" and then use it for "targeted advertising" without additional consent. For AI systems, this means:
- Document the stated purpose (credit assessment, hiring recommendation, fraud detection)
- Verify that your model only uses data for that purpose
- Do not repurpose the model without obtaining new consent or establishing a new lawful basis
Check purpose limitation:
findings = scanner.check_purpose_limitation(
stated_purpose="credit_decision",
model_path="./models/credit_model.pkl",
usage_logs="./logs/model_usage.json"
)
if findings.purpose_violations:
print("Purpose limitation violations found:")
for violation in findings.purpose_violations:
print(f" - Model used for {violation.actual_purpose}")
print(f" Stated purpose: {violation.stated_purpose}")
print(f" Instances: {violation.count}")
Building a Dual-Compliant System
Architecture Principles
A dual-compliant AI system requires intentional architecture. Here are the core principles:
- Data governance at the source: Handle compliance at the point of data ingestion, not at the model. Tag data with provenance, lawful basis, retention schedule, and allowed purposes.
- Explainability by design: Build models with interpretability as a first-class requirement, not a post-hoc addition.
- Audit trail for both frameworks: Log every data access, model prediction, and decision override with timestamps and reasons. Both GDPR and the AI Act require proof of your processes.
- Separation of concerns: Keep data access, model inference, and decision-making as separate, auditable components.
Example: Building a Credit Scoring System
Credit decisions are high-risk under both frameworks. Let us walk through the structure:
from dataclasses import dataclass
from enum import Enum
from datetime import datetime, timedelta
import json
class DataLawfulBasis(Enum):
CONSENT = "user_consent"
LEGITIMATE_INTEREST = "legitimate_interest"
LEGAL_OBLIGATION = "legal_obligation"
CONTRACT = "contract"
@dataclass
class TrainingDataRecord:
"""Metadata for training data, supporting both GDPR and AI Act requirements"""
data_id: str
source: str
lawful_basis: DataLawfulBasis
consent_date: datetime
retention_until: datetime
purposes: list[str]
contains_sensitive_data: bool
de_identified: bool
def is_still_valid(self):
"""Check if data can still be used under GDPR Article 5"""
return datetime.now() < self.retention_until
def allowed_for_purpose(self, requested_purpose: str):
"""Check GDPR Article 5 purpose limitation"""
return requested_purpose in self.purposes
class CreditScoringModel:
"""High-risk AI system under both GDPR and EU AI Act"""
def __init__(self):
self.training_data_records = {}
self.decisions_log = []
self.feature_importance = None
def load_training_data(self, data_record: TrainingDataRecord):
"""GDPR: Verify lawful basis before loading"""
if not data_record.is_still_valid():
raise ValueError(f"Data {data_record.data_id} retention period expired")
if not data_record.allowed_for_purpose("credit_scoring"):
raise ValueError(f"Data {data_record.data_id} not authorized for credit scoring")
self.training_data_records[data_record.data_id] = data_record
return True
def make_decision(self, applicant_data: dict) -> dict:
"""
AI Act Article 14: High-risk decision with human oversight required.
GDPR Article 22: Right to explanation required.
"""
# Inference
score = self._compute_score(applicant_data)
# Explainability (Article 22, AI Act)
explanation = self._generate_explanation(applicant_data, score)
# Decision with override capability (both frameworks)
decision = {
"applicant_id": applicant_data.get("id"),
"score": score,
"decision": "approve" if score > 0.7 else "deny",
"explanation": explanation,
"requires_human_review": score > 0.6 and score < 0.7,
"timestamp": datetime.now().isoformat(),
"decision_basis": "AI system recommendation"
}
# Log for audit trail (both frameworks require this)
self.decisions_log.append(decision)
return decision
def _compute_score(self, applicant_data: dict) -> float:
"""Model inference, privacy-preserving"""
# Features used should reflect data minimization
features = ["income", "debt_ratio", "employment_history"]
# Only use necessary features (GDPR Article 5)
filtered = {k: v for k, v in applicant_data.items() if k in features}
# Score calculation (placeholder)
return sum(filtered.values()) / len(features) if filtered else 0.5
def _generate_explanation(self, data: dict, score: float) -> dict:
"""
GDPR Article 22: Meaningful explanation to the individual
AI Act Article 14: Transparency and human oversight
"""
return {
"decision": "Your credit score was calculated based on your income, debt ratio, and employment history.",
"primary_factors": ["income (40% weight)", "debt_ratio (35% weight)", "employment_history (25% weight)"],
"score": score,
"right_to_human_review": "You have the right to request human review of this decision.",
"right_to_rectify": "If any information is inaccurate, you can request correction.",
"contact": "[email protected]"
}
def handle_data_subject_request(self, request_type: str, applicant_id: str):
"""
GDPR Article 15-17: Data subject rights in AI context
"""
if request_type == "access":
# Article 15: Right to access
return {"data": self._get_applicant_data(applicant_id)}
elif request_type == "rectify":
# Article 16: Right to rectification
return {"status": "pending_human_review"}
elif request_type == "erasure":
# Article 17: Right to erasure
# Tension: AI Act requires maintaining training data records
# Resolution: Delete PII but retain de-identified records
self._delete_applicant_data(applicant_id)
return {"status": "data_deleted_but_records_retained"}
def audit_trail(self):
"""Both frameworks require audit trail for enforcement"""
return {
"total_decisions": len(self.decisions_log),
"human_overrides": sum(1 for d in self.decisions_log if d.get("overridden")),
"avg_score": sum(d["score"] for d in self.decisions_log) / len(self.decisions_log) if self.decisions_log else 0,
"decisions": self.decisions_log
}
# Usage
model = CreditScoringModel()
# Load training data with GDPR compliance metadata
training_record = TrainingDataRecord(
data_id="training_batch_2026_q1",
source="historical_approvals",
lawful_basis=DataLawfulBasis.LEGITIMATE_INTEREST,
consent_date=datetime(2026, 1, 1),
retention_until=datetime(2029, 1, 1),
purposes=["credit_scoring", "fraud_detection"],
contains_sensitive_data=False,
de_identified=False
)
model.load_training_data(training_record)
# Make a decision with full audit trail
applicant = {
"id": "APP_12345",
"income": 75000,
"debt_ratio": 0.3,
"employment_history": 8
}
decision = model.make_decision(applicant)
print(json.dumps(decision, indent=2))
This example demonstrates:
- GDPR compliance: Lawful basis tracking, retention limits, purpose limitation, data subject rights
- AI Act compliance: Explainability, human oversight, audit trail, documentation
- Code-level verification: Tools like AIR Blackbox can scan this code and verify each framework requirement
Generating Evidence Bundles
Regulators expect evidence. The AIR Blackbox suite generates compliance evidence bundles automatically:
from air_compliance import ComplianceReporter
reporter = ComplianceReporter(
code_path="./src",
dpia_path="./compliance/dpia.md",
evidence_path="./compliance_evidence"
)
# Generate GDPR-specific evidence
gdpr_bundle = reporter.generate_gdpr_bundle(
focus_on=[
"lawful_basis_verification",
"data_minimization",
"retention_policies",
"dpia_completeness"
]
)
# Generate AI Act-specific evidence
ai_act_bundle = reporter.generate_ai_act_bundle(
system_name="credit_scoring_model",
risk_level="high_risk",
focus_on=[
"training_data_documentation",
"human_oversight",
"transparency_measures",
"performance_monitoring"
]
)
print("Compliance Evidence Generated:")
print(f" GDPR Bundle: {gdpr_bundle.file_path}")
print(f" AI Act Bundle: {ai_act_bundle.file_path}")
print(f" Combined Report: {reporter.combined_report_path}")
Common Pitfalls
Pitfall 1: Assuming GDPR Compliance Means AI Act Compliance
This is the most frequent error. Teams achieve GDPR compliance with solid data handling practices, then assume they are done with the AI Act. This is false.
A system can be GDPR-compliant but AI Act non-compliant if it:
- Lacks explainability for high-risk decisions
- Does not implement human oversight
- Fails to document training data quality and performance monitoring
- Cannot detect and log errors or failures
Conversely, a system can be AI Act-compliant but GDPR non-compliant if it:
- Lacks a lawful basis for data processing
- Collects data beyond what is necessary (data minimization violation)
- Fails to implement data subject rights mechanisms
Pitfall 2: Ignoring Consent Requirements for AI-Specific Processing
Organizations often have consent for general "service improvement" but lack consent for "AI model training." These are distinct under GDPR. Training data on an individual's transaction history for fraud detection requires separate consent from using that data for marketing personalization.
Audit your consent form. Verify it explicitly mentions AI and machine learning. If not, do not use that data for model training without obtaining new consent.
Pitfall 3: Failing to Document AI-Specific Data Governance
The AI Act requires detailed documentation of training data, validation data, test data, and the performance of the system on different demographic groups. Many organizations skip this or keep it in unstructured notes.
Use a standardized format. The AIR Blackbox framework includes a data governance template:
# Data Governance for [System Name]
## Training Data
- Source: [where the data comes from]
- Volume: [number of records]
- Time Period: [date range]
- Quality Checks: [validation rules applied]
- Bias Assessment: [demographic parity, equalized odds, etc.]
## Retention
- Retention Period: [how long it is kept]
- Deletion Schedule: [when and how data is removed]
- Audit Trail: [who accessed it and when]
## Data Subject Rights
- Access Process: [how individuals can request their data]
- Rectification: [process for corrections]
- Erasure: [process for deletion, with AI Act considerations]
Practical Checklist for Dual Compliance
Pre-Deployment Checklist
Automated Compliance Verification
Do not rely on checklists alone. Use the AIR Blackbox GDPR and AI Act scanners to automatically verify code against these requirements. Combine human judgment with machine verification to reduce false negatives and false positives.
FAQ
No. GDPR and the EU AI Act are separate frameworks with different requirements. A system can be GDPR-compliant but lack the explainability, human oversight, and documentation required by the AI Act. You must verify both frameworks independently, then ensure they work together.
You face enforcement from multiple authorities with stacked penalties. GDPR penalties go up to EUR 20 million or 4% of global revenue. AI Act penalties can include fines up to EUR 30 million or 6% of revenue, plus the system can be banned entirely. Both authorities can act independently, so penalties stack.
Yes. The AI Act applies to high-risk AI systems regardless of whether they use personal data. The AI Act categorizes risk based on the system's capability to cause harm, not on data use. An AI system that makes hiring recommendations is high-risk under the AI Act even if it uses only anonymous aggregated data.
Consent can be a lawful basis under GDPR for data processing, but the AI Act does not recognize consent as a framework requirement. Consent is relevant to GDPR (if your lawful basis is consent) but does not replace AI Act requirements like explainability and human oversight. You need both.
A Data Protection Impact Assessment (DPIA) under GDPR focuses on risks to personal data: confidentiality, integrity, availability, and individuals' rights. An AI Act risk assessment focuses on system-level risks: can the system cause harm? These overlap but are distinct. A high-risk AI system might have low DPIA risk if it uses minimal personal data, and vice versa. You need both documents.
GDPR requires deletion when data is no longer necessary. The AI Act requires documentation of training data for the system lifetime. The tension is real: you must keep enough records to prove the system was trained responsibly, but delete the raw personal data when the retention period expires. Solution: delete personal data but retain de-identified records, statistics, and quality metrics that prove training data quality.
Not every decision, but every consequential one. Under GDPR Article 22, if a decision produces legal or similarly significant effects, the individual has the right to explanation. Under the AI Act, high-risk systems require transparency. This applies to credit decisions, hiring recommendations, insurance assessments, benefit eligibility, and similar high-stakes decisions. For low-stakes decisions (product recommendations, low-risk fraud flags), explainability is best practice but not always legally required.
The AIR Blackbox suite includes scanners for both GDPR and EU AI Act compliance. The GDPR scanner checks lawful basis, data minimization, retention, explainability, and data subject rights. The AI Act scanner checks documentation, risk classification, human oversight, and transparency. Together, they provide evidence bundles for enforcement. See our quickstart guide and the full checklist for integration patterns.
Both. The organization is legally responsible for GDPR and AI Act compliance. But compliance is a shared responsibility: compliance officers own the governance and documentation, engineers own the implementation and verification, and leadership owns accountability. Effective teams use tools like AIR Blackbox to distribute the burden and create shared visibility into compliance status.
Next Steps
You now understand the dual compliance requirement and have code examples for implementation. The next steps are:
- Classify your system: Is it high-risk under the AI Act? Does it process personal data? This determines your compliance obligations.
- Run the AIR Blackbox scanners: Use the GDPR and AI Act scanners on your codebase to identify gaps. See our quickstart guide.
- Document your architecture: Write a DPIA and an AI Act risk assessment. Link them to your code. Use our compliance mapping tool to show where requirements are implemented.
- Build human oversight workflows: Design how humans will review and override AI decisions. Document this in your training procedures.
- Set up continuous monitoring: Track system performance, errors, and feedback from users. Both frameworks require ongoing monitoring.
Learn More
Explore our related resources:
- EU AI Act Compliance Checklist: A detailed checklist for each article of the AI Act.
- Technical Requirements for Articles 9-15: Deep dive into specific AI Act articles with code examples.
- 6 Technical Checks for AI Compliance: Practical verification strategies for both frameworks.
- Compliance Mapping Tool: Automatically map your code to regulatory requirements.