The EU AI Act and GDPR target related problems from different angles. GDPR (Regulation (EU) 2016/679) protects personal data wherever it is processed. The AI Act (Regulation (EU) 2024/1689) regulates artificial intelligence systems based on the risk they pose to health, safety, and fundamental rights. Many AI systems process personal data, which puts them squarely in the overlap zone where both regulations apply at once.
For website operators, the practical question is not whether the AI Act replaces GDPR (it does not) but how the two interlock. Each adds obligations the other does not cover. Each carries separate penalties. And the AI Act compliance deadlines are arriving in waves between February 2025 and December 2027, so the workload is being layered onto teams that already manage GDPR.
## Two Laws, Two Starting Points
GDPR has applied since 25 May 2018. Its scope is broad: any processing of personal data of people in the European Union, regardless of where the controller or processor is based. Article 5 sets out the core principles (lawfulness, fairness, transparency, purpose limitation, data minimisation, accuracy, storage limitation, integrity, accountability). Article 6 lists the six legal bases for processing.
The AI Act took a different route. It does not regulate data; it regulates AI systems. Risk classification under the Act splits systems into four tiers:
- **Unacceptable risk** (prohibited under Article 5) covers practices such as social scoring by public authorities, manipulative subliminal techniques, and untargeted scraping of facial images.
- **High risk** (Annex III) covers AI used in employment, credit scoring, education, biometric identification, critical infrastructure, law enforcement, and justice.
- **Limited risk** (Article 50) covers chatbots, deepfakes, emotion recognition, and biometric categorisation, with transparency obligations.
- **Minimal risk** covers everything else, with no AI Act obligations beyond voluntary codes.
An AI system processing only non-personal data falls under the AI Act but not GDPR. A personal data processing operation that uses no AI falls under GDPR but not the AI Act. Most real-world systems sit in the middle, with both regulations applying in parallel.
## Where the Two Frameworks Look Alike
Both laws are EU regulations with extraterritorial reach. The AI Act applies to providers and deployers outside the EU if their AI system output is used inside the bloc. GDPR (Article 3) catches non-EU controllers and processors targeting EU residents. Neither stops at borders.
Both adopt a risk-based approach. GDPR scales obligations to the risk of processing (mandatory DPIA for high-risk operations, breach notification thresholds, special category data rules). The AI Act scales obligations to the risk classification of the system itself. Both rely on accountability: the organisation must document its assessment, justify its choices, and be able to demonstrate compliance on demand.
Documentation requirements echo each other. Records of processing (GDPR Article 30) sit alongside technical files (AI Act Article 11), risk management documentation (Article 9), and conformity assessments (Articles 43-44). Transparency obligations appear in both regimes: GDPR Articles 13-14 cover privacy notices; AI Act Article 50 covers chatbot disclosure, deepfake labelling, and disclosure of emotion recognition or biometric categorisation systems.
## Where the Two Frameworks Diverge
The differences are sharper than the similarities. The headline figures alone separate the two regimes.
| Aspect | GDPR | EU AI Act |
|---|---|---|
| Adopted | 2016, applies from May 2018 | 2024, phased application 2025 to 2027 |
| Protected interest | Personal data and individual privacy | Health, safety, fundamental rights from AI |
| Trigger | Any processing of personal data | Placing on market or putting into service of AI systems |
| Approach | Principles-based | Product safety plus risk tiers |
| Maximum fine | 20 million euros or 4% global turnover | 35 million euros or 7% global turnover (prohibited practices) |
| Main enforcer | National data protection authorities | National market surveillance authorities plus AI Office |
| Impact assessment | DPIA (Article 35) | FRIA (Article 27) for high-risk deployers |
| Individual rights | Extensive (access, erasure, portability, object) | Limited (right to explanation, right to complain) |
GDPR grants individual rights directly to data subjects. The AI Act creates rights against deployers of high-risk systems but does not match GDPR's catalogue. The right to be forgotten has no AI Act equivalent. Conversely, GDPR does not require conformity assessment, CE marking, or registration in an EU database, which are core to the AI Act for high-risk systems.
## Where the Rules Collide
The most consequential overlap concerns impact assessments. Article 35 GDPR requires a Data Protection Impact Assessment (DPIA) where processing is likely to result in high risk to rights and freedoms. Article 27 AI Act requires a Fundamental Rights Impact Assessment (FRIA) for deployers of high-risk AI systems that are public bodies or operate in credit, insurance, or employment contexts. Article 27(4) explicitly recognises the overlap and allows the two to be conducted together, but the FRIA must still cover ground a DPIA was not scoped for: non-discrimination, freedom of expression, access to justice, and good administration.
Automated decision-making sits in the same collision zone. Article 22 GDPR gives individuals the right not to be subject to solely automated decisions with legal or similarly significant effects. The AI Act adds product-safety style requirements for the high-risk systems that typically make such decisions: data quality, technical robustness, human oversight, accuracy thresholds, and post-market monitoring. A system can satisfy Article 22 (the deployer offers a human review path) and still fail the AI Act (the model was trained on biased data).
Training data governance is the third major collision. Article 10 of the AI Act introduces quality criteria for training, validation, and testing data in high-risk AI systems: relevance, representativeness, accuracy, completeness, and bias mitigation. These obligations exist in parallel with GDPR's lawful basis requirement. The Italian Garante's December 2024 decision against OpenAI illustrates the stakes: a 15 million euro fine for processing personal data to train ChatGPT without a lawful basis, failing transparency obligations, and inadequate breach notification. The Court of Rome annulled the decision in March 2026, but the regulatory direction is set: training data is a GDPR question even before the AI Act bites.
## Cookies, Profiling and AI on Websites
Most websites will encounter the GDPR and AI Act crossover through three vectors: AI-driven personalisation, AI chatbots, and generative content tools. Each one triggers cookie consent obligations under the ePrivacy Directive and AI Act transparency obligations from 2 August 2026.
An AI chatbot embedded on a site must, under AI Act Article 50, inform the visitor that they are interacting with an AI. If the chatbot sets cookies that are not strictly necessary, or processes user inputs for profiling or model training, GDPR consent applies on top. Generative AI tools like ChatGPT or Google Gemini embedded as widgets carry both the disclosure obligation and the cookie consent obligation.
AI-generated content, including images and synthetic voice, must be labelled as artificially generated. The deadline for this transparency layer has been compressed: the political agreement reached on 7 May 2026 sets 2 December 2026 as the compliance date for content marking, down from the original six-month grace period.
## Enforcement: Who Watches What
GDPR enforcement is mature. National data protection authorities such as the French CNIL, the Italian Garante, and the Irish DPC have built up case law and procedure since 2018, with fines exceeding 5 billion euros cumulatively across the EU. The European Data Protection Board (EDPB) coordinates positions, most recently issuing Opinion 28/2024 on AI models and personal data, which confirmed that AI models trained on personal data cannot be assumed to be anonymous.
AI Act enforcement is still being built. Each member state must designate one or more national competent authorities and market surveillance authorities. The European AI Office, established within the European Commission, handles general-purpose AI models. The Digital Omnibus package agreed politically on 7 May 2026 postponed the deadline for Annex III high-risk AI systems from 2 August 2026 to 2 December 2027, and to 2 August 2028 for AI embedded in regulated products. Prohibitions and general-purpose AI rules already apply. The transparency obligations under Article 50 begin on 2 August 2026.
## What This Means in Practice
A single processing activity can attract two separate fines under two separate procedures. An organisation using a third-party AI tool to score job applications would face GDPR scrutiny for the personal data processing and AI Act scrutiny for using a high-risk system. The regulators are different. The deadlines for action are different. The defences are different.
Existing GDPR programmes are a foundation, not a substitute. The most efficient path is to map AI use cases against both regimes from the start: classify the AI system under the AI Act, identify the GDPR roles (controller, processor, joint controller), document the lawful basis, run the DPIA, extend it into a FRIA where required, and ensure the cookie banner and privacy notice reflect the AI layer. Running a cookie scan is a useful early step because it surfaces every analytics, advertising, and AI-related tracker on the site that may now carry both GDPR and AI Act consequences.
## Frequently Asked Questions
### Does GDPR compliance mean an organisation is also AI Act compliant?
No. GDPR compliance covers personal data processing only. The AI Act adds product-safety obligations, risk classification, conformity assessment, technical documentation, human oversight, and post-market monitoring that GDPR never required. Both must be assessed separately.
### Which regulation has higher fines?
The AI Act. Prohibited AI practices can attract fines up to 35 million euros or 7% of global annual turnover, compared to GDPR's ceiling of 20 million euros or 4% under Article 83.
### Does the AI Act apply to companies outside the European Union?
Yes. The AI Act applies to providers placing AI systems on the EU market and to deployers whose AI output is used in the EU, regardless of where the company is established. Its extraterritorial reach mirrors GDPR Article 3.
### Do AI chatbots need cookie consent?
Yes, where the chatbot sets cookies that are not strictly necessary for the service the user requested. AI Act Article 50 adds a duty to inform the visitor that they are interacting with an AI system, on top of the existing ePrivacy and GDPR consent obligations.
### When do AI Act rules fully apply?
Prohibitions have applied since 2 February 2025 and general-purpose AI rules since 2 August 2025. Following the political agreement of 7 May 2026, high-risk system rules under Annex III now apply from 2 December 2027, with product-embedded AI from 2 August 2028. Transparency obligations under Article 50 apply from 2 August 2026.
### Can a DPIA and a FRIA be combined?
Article 27(4) of the AI Act allows them to be conducted together where the same processing activity triggers both. The combined assessment must still address fundamental rights beyond data protection, including non-discrimination, freedom of expression, and access to justice.
## Take Control of Your Cookie Compliance
AI tools on a website rarely arrive alone. They bring tracking scripts, analytics integrations, and third-party cookies that need consent before they fire. A cookie scan is the fastest way to see what is actually running on the site and where the AI Act and GDPR overlap in practice.
Kukie.io detects every first-party and third-party cookie set by AI widgets, chatbots, and analytics tools, categorises them, and produces a consent banner that handles the GDPR layer while leaving the AI Act disclosure obligations clearly separated.