[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fbS9QXf-scHsUXAHS195JpnQ7yBhDX55iNpYogSH2W9I":3},{"tableOfContents":4,"markDownContent":5,"htmlContent":6,"metaTitle":7,"metaDescription":8,"wordCount":9,"readTime":10,"title":11,"nbDownloads":12,"excerpt":13,"lang":14,"url":15,"intro":16,"featured":4,"state":17,"author":18,"authorId":19,"datePublication":23,"dateCreation":24,"dateUpdate":25,"mainCategory":26,"categories":42,"metaDatas":69,"imageUrl":77,"imageThumbUrls":78,"id":86},false,"## Does the AI Act replace the obligations imposed by the GDPR?\r\n\r\nNo, the AI Act [(European Regulation on Artificial Intelligence](https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX:32024R1689)) is very clear on this matter: it does not replace the requirements of the GDPR. In fact, its purpose is to **complement** the GDPR by setting clear requirements for the design and use of **trustworthy AI systems**.\r\n\r\nIn practice, the **GDPR applies to all processing of personal data**, including:\r\n\r\n- **During development**: AI providers or developers—under the AI Act—are generally considered **data controllers** when processing personal data during model training or system design.\r\n\r\n- **During deployment**: Organizations that deploy or use AI systems involving personal data are also typically **data controllers** under the GDPR.\r\n\r\nWhile the AI Act introduces its own compliance obligations, meeting them can actually support and streamline your GDPR compliance efforts.\r\n\r\n## AI Act & GDPR: What Applies to Your Organization?\r\n\r\nAs the AI Act only applies to AI systems and models, while the GDPR covers all processing of personal data, four typical scenarios are possible:\r\n\r\n| **Scenario** | **AI Act Applies** | **GDPR Applies** | **Description** | **Example** |\r\n| --- | --- | --- | --- | --- |\r\n| **1. 
Only the AI Act applies** | ✅ Yes | ❌ No | Applies to high-risk AI systems that do **not involve personal data**, either during development or deployment. | An AI system used to optimize predictive maintenance in an industrial manufacturing plant. |\r\n| **2. Only the GDPR applies** | ❌ No | ✅ Yes | Applies when **personal data is processed**, but the AI system is **not classified as high-risk** under the AI Act. | A customer service chatbot using personal data, but not considered high-risk AI. |\r\n| **3. Both regulations apply** | ✅ Yes | ✅ Yes | Applies when a **high-risk AI system processes personal data**, either during development or use. | An AI system used for predictive analysis of medical records for healthcare diagnostics. |\r\n| **4. Neither regulation applies** | ❌ No | ❌ No | Applies when the AI system is **low-risk and does not involve any personal data processing**. | An AI tool that generates personalized music in a music composition software. |\r\n\r\n## How does the AI Act influence the GDPR?\r\n\r\nThe AI Act and the GDPR regulate different aspects and require distinct approaches. However, compliance with the AI Act often facilitates — and even prepares the ground for — GDPR compliance. For instance, an AI system's compliance with the GDPR is included in the EU declaration of conformity required by the AI Act (Annex V).\r\n\r\nMoreover, the AI Act addresses certain tensions between its own requirements and those of the GDPR. It extends and adapts some GDPR rules in the following ways:\r\n\r\n- The AI Act replaces specific GDPR provisions regarding the use of real-time remote biometric identification by law enforcement in publicly accessible spaces. 
It allows such use only under highly exceptional and specific conditions (Article 5).\r\n\r\n- It exceptionally permits the processing of sensitive data (as defined in Article 9 of the GDPR) to detect and correct potential biases, provided it is strictly necessary and subject to appropriate safeguards (Article 10).\r\n\r\n- It allows for the reuse of personal data, including sensitive data, within the framework of “regulatory sandboxes.” These sandboxes are designed to support the development of systems serving a significant public interest (such as improving the healthcare system). They are overseen by a dedicated authority, which must consult with the data protection authorities in advance and verify compliance with various requirements (Article 59).\r\n\r\n## How to align the requirements of the AI Act and the GDPR?\r\n\r\nWhile the **AI Act** and the **GDPR** occasionally overlap in the principles they promote, they often approach them from **different regulatory angles**.\r\n\r\nOne notable example is the principle of **transparency** and the associated **documentation obligations**, which illustrate how the two frameworks can complement each other rather than conflict.\r\n\r\n#### 🔍 Transparency Requirements\r\n\r\nUnder the **GDPR**, transparency obligations focus on informing individuals whose personal data is being processed. Organizations must clearly communicate details such as the purpose of processing, identity of the controller, processing methods, data retention periods, and more. These obligations apply both during the **development** of AI systems and their **deployment** when personal data is involved.\r\n\r\nThe **AI Act**, on the other hand, introduces additional transparency obligations—particularly for **general-purpose AI models** and **systems that interact directly with individuals**. 
These may include requirements to disclose the datasets used for training or to clearly indicate when users are engaging with an AI system.\r\n\r\nIn this way, both regulations support a **shared goal of trustworthy, human-centric AI**, each reinforcing the other through complementary compliance requirements.\r\n\r\n## What are the differences between the AI Act and the GDPR?\r\n\r\nAlthough the **AI Act and GDPR** share many similarities and complement each other, their objectives and approaches are distinct.\r\n\r\nHere is a summary table of the comparison:\r\n\r\n![](https://static.dastra.eu/richtext/d9186679-59d1-4300-8823-1cf49ddc5768/preparation-en-amont-11-original.jpg)Do you want to know more about Dastra's product offering? [Click here](https://www.dastra.eu/en/product-features)","\u003Ch2 id=\"does-the-ai-act-replace-the-obligations-imposed-by-the-gdpr\">Does the AI Act replace the obligations imposed by the GDPR?\u003C/h2>\n\u003Cp>No, the AI Act \u003Ca href=\"https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX:32024R1689\" rel=\"nofollow\">(European Regulation on Artificial Intelligence\u003C/a>) is very clear on this matter: it does not replace the requirements of the GDPR. 
In fact, its purpose is to \u003Cstrong>complement\u003C/strong> the GDPR by setting clear requirements for the design and use of \u003Cstrong>trustworthy AI systems\u003C/strong>.\u003C/p>\n\u003Cp>In practice, the \u003Cstrong>GDPR applies to all processing of personal data\u003C/strong>, including:\u003C/p>\n\u003Cul>\n\u003Cli>\u003Cp>\u003Cstrong>During development\u003C/strong>: AI providers or developers—under the AI Act—are generally considered \u003Cstrong>data controllers\u003C/strong> when processing personal data during model training or system design.\u003C/p>\n\u003C/li>\n\u003Cli>\u003Cp>\u003Cstrong>During deployment\u003C/strong>: Organizations that deploy or use AI systems involving personal data are also typically \u003Cstrong>data controllers\u003C/strong> under the GDPR.\u003C/p>\n\u003C/li>\n\u003C/ul>\n\u003Cp>While the AI Act introduces its own compliance obligations, meeting them can actually support and streamline your GDPR compliance efforts.\u003C/p>\n\u003Ch2 id=\"ai-act-gdpr-what-applies-to-your-organization\">AI Act &amp; GDPR: What Applies to Your Organization?\u003C/h2>\n\u003Cp>As the AI Act only applies to AI systems and models, while the GDPR covers all processing of personal data, four typical scenarios are possible:\u003C/p>\n\u003Ctable>\n\u003Cthead>\n\u003Ctr>\n\u003Cth>\u003Cstrong>Scenario\u003C/strong>\u003C/th>\n\u003Cth>\u003Cstrong>AI Act Applies\u003C/strong>\u003C/th>\n\u003Cth>\u003Cstrong>GDPR Applies\u003C/strong>\u003C/th>\n\u003Cth>\u003Cstrong>Description\u003C/strong>\u003C/th>\n\u003Cth>\u003Cstrong>Example\u003C/strong>\u003C/th>\n\u003C/tr>\n\u003C/thead>\n\u003Ctbody>\n\u003Ctr>\n\u003Ctd>\u003Cstrong>1. 
Only the AI Act applies\u003C/strong>\u003C/td>\n\u003Ctd>✅ Yes\u003C/td>\n\u003Ctd>❌ No\u003C/td>\n\u003Ctd>Applies to high-risk AI systems that do \u003Cstrong>not involve personal data\u003C/strong>, either during development or deployment.\u003C/td>\n\u003Ctd>An AI system used to optimize predictive maintenance in an industrial manufacturing plant.\u003C/td>\n\u003C/tr>\n\u003Ctr>\n\u003Ctd>\u003Cstrong>2. Only the GDPR applies\u003C/strong>\u003C/td>\n\u003Ctd>❌ No\u003C/td>\n\u003Ctd>✅ Yes\u003C/td>\n\u003Ctd>Applies when \u003Cstrong>personal data is processed\u003C/strong>, but the AI system is \u003Cstrong>not classified as high-risk\u003C/strong> under the AI Act.\u003C/td>\n\u003Ctd>A customer service chatbot using personal data, but not considered high-risk AI.\u003C/td>\n\u003C/tr>\n\u003Ctr>\n\u003Ctd>\u003Cstrong>3. Both regulations apply\u003C/strong>\u003C/td>\n\u003Ctd>✅ Yes\u003C/td>\n\u003Ctd>✅ Yes\u003C/td>\n\u003Ctd>Applies when a \u003Cstrong>high-risk AI system processes personal data\u003C/strong>, either during development or use.\u003C/td>\n\u003Ctd>An AI system used for predictive analysis of medical records for healthcare diagnostics.\u003C/td>\n\u003C/tr>\n\u003Ctr>\n\u003Ctd>\u003Cstrong>4. Neither regulation applies\u003C/strong>\u003C/td>\n\u003Ctd>❌ No\u003C/td>\n\u003Ctd>❌ No\u003C/td>\n\u003Ctd>Applies when the AI system is \u003Cstrong>low-risk and does not involve any personal data processing\u003C/strong>.\u003C/td>\n\u003Ctd>An AI tool that generates personalized music in a music composition software.\u003C/td>\n\u003C/tr>\n\u003C/tbody>\n\u003C/table>\n\u003Ch2 id=\"how-does-the-ai-act-influence-the-gdpr\">How does the AI Act influence the GDPR?\u003C/h2>\n\u003Cp>The AI Act and the GDPR regulate different aspects and require distinct approaches. However, compliance with the AI Act often facilitates — and even prepares the ground for — GDPR compliance. 
For instance, an AI system's compliance with the GDPR is included in the EU declaration of conformity required by the AI Act (Annex V).\u003C/p>\n\u003Cp>Moreover, the AI Act addresses certain tensions between its own requirements and those of the GDPR. It extends and adapts some GDPR rules in the following ways:\u003C/p>\n\u003Cul>\n\u003Cli>\u003Cp>The AI Act replaces specific GDPR provisions regarding the use of real-time remote biometric identification by law enforcement in publicly accessible spaces. It allows such use only under highly exceptional and specific conditions (Article 5).\u003C/p>\n\u003C/li>\n\u003Cli>\u003Cp>It exceptionally permits the processing of sensitive data (as defined in Article 9 of the GDPR) to detect and correct potential biases, provided it is strictly necessary and subject to appropriate safeguards (Article 10).\u003C/p>\n\u003C/li>\n\u003Cli>\u003Cp>It allows for the reuse of personal data, including sensitive data, within the framework of “regulatory sandboxes.” These sandboxes are designed to support the development of systems serving a significant public interest (such as improving the healthcare system). 
They are overseen by a dedicated authority, which must consult with the data protection authorities in advance and verify compliance with various requirements (Article 59).\u003C/p>\n\u003C/li>\n\u003C/ul>\n\u003Ch2 id=\"how-to-align-the-requirements-of-the-ai-act-and-the-gdpr\">How to align the requirements of the AI Act and the GDPR?\u003C/h2>\n\u003Cp>While the \u003Cstrong>AI Act\u003C/strong> and the \u003Cstrong>GDPR\u003C/strong> occasionally overlap in the principles they promote, they often approach them from \u003Cstrong>different regulatory angles\u003C/strong>.\u003C/p>\n\u003Cp>One notable example is the principle of \u003Cstrong>transparency\u003C/strong> and the associated \u003Cstrong>documentation obligations\u003C/strong>, which illustrate how the two frameworks can complement each other rather than conflict.\u003C/p>\n\u003Ch4 id=\"transparency-requirements\">🔍 Transparency Requirements\u003C/h4>\n\u003Cp>Under the \u003Cstrong>GDPR\u003C/strong>, transparency obligations focus on informing individuals whose personal data is being processed. Organizations must clearly communicate details such as the purpose of processing, identity of the controller, processing methods, data retention periods, and more. These obligations apply both during the \u003Cstrong>development\u003C/strong> of AI systems and their \u003Cstrong>deployment\u003C/strong> when personal data is involved.\u003C/p>\n\u003Cp>The \u003Cstrong>AI Act\u003C/strong>, on the other hand, introduces additional transparency obligations—particularly for \u003Cstrong>general-purpose AI models\u003C/strong> and \u003Cstrong>systems that interact directly with individuals\u003C/strong>. 
These may include requirements to disclose the datasets used for training or to clearly indicate when users are engaging with an AI system.\u003C/p>\n\u003Cp>In this way, both regulations support a \u003Cstrong>shared goal of trustworthy, human-centric AI\u003C/strong>, each reinforcing the other through complementary compliance requirements.\u003C/p>\n\u003Ch2 id=\"what-are-the-differences-between-the-ai-act-and-the-gdpr\">What are the differences between the AI Act and the GDPR?\u003C/h2>\n\u003Cp>Although the \u003Cstrong>AI Act and GDPR\u003C/strong> share many similarities and complement each other, their objectives and approaches are distinct.\u003C/p>\n\u003Cp>Here is a summary table of the comparison:\u003C/p>\n\u003Cp>\u003Cimg loading=\"lazy\"  src=\"https://static.dastra.eu/richtext/d9186679-59d1-4300-8823-1cf49ddc5768/preparation-en-amont-11-original.jpg\" alt=\"\" />Do you want to know more about Dastra's product offering? \u003Ca href=\"https://www.dastra.eu/en/product-features\">Click here\u003C/a>\u003C/p>\n","AI Act and GDPR","Who is affected by this regulation? What are the differences between the AI Act and the GDPR, and how do they complement each other?",806,4,"AI Act & GDPR",0,null,"en","ai-act-gdpr","The European Regulation on AI (or AI Act) was recently published in the Official Journal of the European Union. Who is affected by this regulation? 
What are the differences between the AI Act and the GDPR, and how do they complement each other?","Published",{"id":19,"displayName":20,"avatarUrl":21,"bio":13,"blogUrl":13,"color":13,"userId":19,"creationDate":22},10458,"Marine Boquien","https://static.dastra.eu/tenant-19/avatar/10458/logo-icon-primary-150.png","2023-10-02T14:39:10","2025-04-14T10:09:00","2025-04-14T10:09:07.0899047","2026-04-20T12:07:51.0867986",{"id":27,"name":28,"description":29,"url":30,"color":31,"parentId":13,"count":13,"imageUrl":13,"parent":13,"order":12,"translations":32},2,"Blog","A list of curated articles provided by the community","blog","#28449a",[33,36,39],{"lang":34,"name":28,"description":35},"fr","Une liste d'articles rédigés par la communauté",{"lang":37,"name":28,"description":38},"es","Una lista de artículos escritos por la comunidad",{"lang":40,"name":28,"description":41},"de","Eine Liste von Artikeln, die von der Community verfasst wurden",[43,48],{"id":27,"name":28,"description":29,"url":30,"color":31,"parentId":13,"count":13,"imageUrl":13,"parent":13,"order":12,"translations":44},[45,46,47],{"lang":34,"name":28,"description":35},{"lang":37,"name":28,"description":38},{"lang":40,"name":28,"description":41},{"id":49,"name":50,"description":51,"url":52,"color":53,"parentId":27,"count":13,"imageUrl":13,"parent":54,"order":59,"translations":60},69,"Expertise","Gain insights from our experts on GDPR compliance, data protection, and privacy challenges. In-depth articles, professional analysis, and real-world best practices.","indepth","#000000",{"id":27,"name":28,"description":29,"url":30,"color":31,"parentId":13,"count":13,"imageUrl":13,"parent":13,"order":12,"translations":55},[56,57,58],{"lang":34,"name":28,"description":35},{"lang":37,"name":28,"description":38},{"lang":40,"name":28,"description":41},5,[61,63,66],{"lang":34,"name":50,"description":62},"Bénéficiez des conseils de nos experts sur la conformité RGPD, la protection des données et les enjeux privacy. 
Articles de fond, analyses et retours d’expérience métier.",{"lang":40,"name":64,"description":65},"Fachwissen","Entdecken Sie die Artikel unserer DSGVO-Experten",{"lang":37,"name":67,"description":68},"Experiencia","Descubre los artículos de nuestros expertos en Privacy",[70,73],{"typeMetaDataId":27,"value":71,"id":72},"https://www.dastra.eu/en/product-features",116359,{"typeMetaDataId":74,"value":75,"id":76},3,"Click here",116360,"https://static.dastra.eu/content/7b9bd56d-c7c2-4a2d-857d-5cf5e4823e75/visuel-article-3-original.jpg",[79,80,81,82,83,84,85],"https://static.dastra.eu/content/7b9bd56d-c7c2-4a2d-857d-5cf5e4823e75/visuel-article-3-1000.webp","https://static.dastra.eu/content/7b9bd56d-c7c2-4a2d-857d-5cf5e4823e75/visuel-article-3.webp","https://static.dastra.eu/content/7b9bd56d-c7c2-4a2d-857d-5cf5e4823e75/visuel-article-3-1500.webp","https://static.dastra.eu/content/7b9bd56d-c7c2-4a2d-857d-5cf5e4823e75/visuel-article-3-800.webp","https://static.dastra.eu/content/7b9bd56d-c7c2-4a2d-857d-5cf5e4823e75/visuel-article-3-600.webp","https://static.dastra.eu/content/7b9bd56d-c7c2-4a2d-857d-5cf5e4823e75/visuel-article-3-300.webp","https://static.dastra.eu/content/7b9bd56d-c7c2-4a2d-857d-5cf5e4823e75/visuel-article-3-100.webp",59079]