GDPR + EU AI Act Dual-Compliance Assessment

GDPR — Article 35, Recital 84, Recital 89-91

Data Protection Impact Assessment (DPIA) required where processing, in particular using new technologies, is likely to result in a high risk to the rights and freedoms of natural persons. Must assess necessity, proportionality, risks, and safeguards.

AI Act — Article 9, Article 43, Annex VI, Annex VII

Conformity assessment required for high-risk AI systems before market placement. Must demonstrate compliance with Articles 8-15 covering risk management, data governance, technical documentation, and human oversight.

GDPR — Article 13, Article 14, Recital 58-62

Controllers must provide data subjects with information about processing including purposes, legal basis, recipients, retention periods, and the existence of automated decision-making with meaningful information about the logic involved.

AI Act — Article 13, Article 52

High-risk AI systems must be designed for transparency. Deployers must provide instructions for use covering capabilities, limitations, accuracy, and human oversight measures. Users must be informed when interacting with AI.

GDPR — Article 22, Recital 71

Data subjects have the right not to be subject to decisions based solely on automated processing, including profiling, which produces legal or similarly significant effects. Exceptions require explicit consent, contractual necessity, or legal authorization, with safeguards including the right to human intervention.

AI Act — Article 14

High-risk AI systems must be designed for effective human oversight. Natural persons assigned human oversight must be able to fully understand the system, monitor its operation, override or reverse outputs, and intervene when necessary.

GDPR — Article 5, Article 6, Article 9, Article 25

Personal data must be processed lawfully, fairly, and transparently; collected for specified, explicit and legitimate purposes; adequate, relevant and limited to what is necessary (data minimization); accurate; and subject to storage limitation and integrity/confidentiality safeguards.

AI Act — Article 10

Training, validation, and testing data sets must meet quality criteria: relevant, representative, free of errors, complete, and subject to appropriate governance practices including bias examination, annotation procedures, and gap identification.

GDPR — Article 30

Controllers and processors must maintain records of processing activities including purposes, categories of data subjects and personal data, recipients, transfers, retention periods, and security measures.

AI Act — Article 12

High-risk AI systems must technically allow automatic recording of events (logs) throughout the system lifetime, ensuring traceability, audit trail completeness, and minimum six-month retention accessible to authorities.

GDPR — Article 15, Article 16, Article 17, Article 18, Article 20, Article 21, Article 22

Data subjects have rights to access, rectification, erasure, restriction, portability, objection, and not to be subject to solely automated decisions. Controllers must respond within one month.

AI Act — Article 14(4), Article 86

Affected persons have the right to an explanation of individual decisions made by high-risk AI systems and the right to contest such decisions. Member States may establish additional rights.

GDPR — Article 37, Article 38, Article 39

Data Protection Officer (DPO) must be designated for public authorities and organizations whose core activities involve large-scale systematic monitoring or processing of special categories of data. DPO must be independent, report to highest management, and have expert knowledge.

AI Act — Article 4(3), Article 26(5)

Deployers of high-risk AI systems must designate a natural person responsible for human oversight. Providers must ensure AI literacy of their staff. While no formal "AI Compliance Officer" role is mandated, the obligations imply a designated AI governance function.

GDPR — Article 6, Article 7, Article 9, Recital 42-43

Consent must be freely given, specific, informed, and unambiguous for processing personal data. For special categories, explicit consent is required. Consent must be withdrawable at any time without detriment.

AI Act — Article 10(5), Article 53(1)(d)

AI Act allows exceptional processing of special category personal data for bias detection under strict safeguards. GPAI providers must publish sufficiently detailed summaries of training data content.

GDPR — Article 44, Article 45, Article 46, Article 49

Personal data transfers to third countries require adequacy decisions, appropriate safeguards (SCCs, BCRs), or derogations. The Schrems II ruling requires supplementary measures where surveillance risks exist.

AI Act — Article 53(1), Article 2(7)

AI Act applies to providers placing AI systems on the EU market regardless of establishment. GPAI models trained on data from multiple jurisdictions must comply. The regulation does not override GDPR transfer mechanisms.

GDPR — Article 13(2)(f), Article 14(2)(g), Article 22(3), Recital 71

Data subjects have the right to meaningful information about the logic involved in automated decision-making, the significance, and envisaged consequences. Recital 71 references the right to obtain an explanation of the decision reached.

AI Act — Article 13, Article 86

High-risk AI systems must be designed for transparency enabling deployers to interpret outputs. Article 86 establishes the right to explanation of individual AI-assisted decisions.

GDPR — Article 25

Controllers shall implement appropriate technical and organisational measures designed to implement data-protection principles (data protection by design and by default). This includes pseudonymization, data minimization, and privacy-enhancing technologies.

AI Act — Article 15

High-risk AI systems shall achieve appropriate levels of accuracy, robustness, and cybersecurity throughout their lifecycle. Redundancy, fail-safe mechanisms, and resilience against adversarial attacks are required.

GDPR — Article 33, Article 34

Controllers must notify supervisory authorities within 72 hours of becoming aware of a personal data breach. Data subjects must be notified without undue delay if the breach is likely to result in a high risk to their rights and freedoms.

AI Act — Article 62, Article 73

Providers and deployers must report serious incidents to market surveillance authorities. Serious incidents include those causing death, serious damage to health, property, environment, or fundamental rights.

GDPR — Article 26, Article 28

Where two or more controllers jointly determine purposes and means of processing, they are joint controllers and must arrange their respective responsibilities by agreement. Processors must be bound by data processing agreements.

AI Act — Article 25, Article 28

Obligations apply along the AI value chain: providers, deployers, importers, distributors, and authorized representatives each have defined obligations. Downstream integrators may become providers under certain conditions.

GDPR — Article 58, Article 83, Article 84

GDPR supervisory authorities can impose administrative fines up to EUR 20M or 4% of total worldwide annual turnover (whichever is higher) for the most serious infringements. Each Member State supervisory authority has investigative, corrective, and advisory powers.

AI Act — Article 71, Article 99, Article 100, Article 101

AI Act penalties: up to EUR 35M or 7% of annual worldwide turnover for prohibited AI practices; up to EUR 15M or 3% for other obligations. The AI Office coordinates enforcement for GPAI. National market surveillance authorities enforce for high-risk AI.