EU AI Act topic guide

EU AI Act vs GDPR: how the two laws interact

For organisations that process personal data with AI - which is most organisations - the AI Act and the GDPR will often apply simultaneously. They are not duplicates: GDPR regulates data processing rights; the AI Act regulates AI system safety and fundamental rights. But they overlap significantly, and compliance programmes must account for both. This guide maps the key intersections.

Reviewed by the AI Act Navigator team · Last updated 9 June 2026

TL;DR

  • Both apply independently: an AI system can breach the AI Act (e.g. prohibited practice, missing conformity assessment) AND GDPR (e.g. unlawful processing, inadequate DPIA) at the same time - double fines are possible.
  • FRIA (AI Act Art. 27) vs DPIA (GDPR Art. 35): both are risk assessments - the FRIA is mandatory for certain AI deployers regardless of whether personal data is processed; the DPIA is required where processing is likely to result in high risk to natural persons. They overlap but cover different ground.
  • AI Act high-risk systems that process personal data will almost always require both a FRIA and a DPIA.
  • Lawful basis: GDPR still governs whether you can process the personal data your AI uses. The AI Act doesn't create new lawful bases and doesn't override GDPR consent or legitimate interest requirements.

Scope

What this covers

  • GDPR applies to any processing of personal data, including data used to train AI, data processed by AI in operation, and outputs that constitute personal data.
  • AI Act applies to AI systems meeting the Article 3(1) definition, regardless of whether they process personal data - but most commercially relevant AI systems do.
  • Overlapping scope: AI systems that use personal data and fall in Annex III high-risk categories (e.g. credit scoring, biometrics, employment screening, law enforcement profiling) are subject to both regimes simultaneously.
  • FRIA (Article 27 AI Act) vs DPIA (Article 35 GDPR): the FRIA assesses impact on fundamental rights broadly (safety, dignity, equality, due process - beyond data protection); the DPIA focuses on data-protection-specific risks. An organisation may use a combined assessment for efficiency but must ensure both regulatory requirements are fully met.
  • Biometric data: GDPR Article 9 categorises biometric data as special-category data with heightened protection; the AI Act imposes separate restrictions and prohibitions on biometric AI. Both apply cumulatively.

The AI Act expressly preserves GDPR rights and obligations (Recital 9). It does not replace GDPR and does not grant any exemption from GDPR compliance. The fundamental rights framework in the AI Act is broader than GDPR and includes rights that GDPR does not protect.

Source: Regulation (EU) 2024/1689 (EUR-Lex)

Compliance challenges

Key compliance challenges

  • Governance misalignment: privacy/DPO teams own GDPR compliance; AI governance or risk teams may own AI Act compliance. Keeping both aligned requires cross-functional coordination.
  • Defining "personal data" in AI contexts: model outputs (generated content, predictions) may constitute personal data about individuals even if no obvious identifier is present.
  • Automated decision-making: GDPR Article 22 (the right not to be subject to a decision based solely on automated processing that produces legal or similarly significant effects) intersects with the AI Act's human oversight requirements, but the two are not identical - the tests differ.
  • Training data: GDPR's data minimisation and purpose limitation principles constrain how personal data can be collected and used for AI training, which interacts with the AI Act's data-governance requirements (Article 10).

The EU AI Act applies a risk-based approach: obligations scale with the level of risk posed (see the AI Act high-level summary).

What to do

  1. Map AI systems that process personal data - for each, determine which provisions of both the AI Act and GDPR apply.
  2. For high-risk AI systems that process personal data: combine your FRIA and DPIA assessments where possible, but ensure both checklists are fully addressed.
  3. Assign clear ownership: the DPO should be involved in AI Act compliance for all AI that touches personal data.
  4. Review automated decision-making practices for both GDPR Article 22 compliance and AI Act human oversight requirements.
  5. Ensure AI training datasets comply with GDPR's data minimisation and purpose limitation - document this in the AI Act's Article 10 data-governance records.
  6. Update your Records of Processing Activities (ROPA) to reflect AI processing activities and their AI Act classification.

For the full obligations breakdown, see the AI Act obligations guide, and for role-specific duties see the provider vs deployer guide.

FAQ

AI Act vs GDPR: common questions

If we have done a DPIA, do we still need a FRIA?

They are separate requirements. A DPIA under GDPR Article 35 covers data-protection-specific risks. A FRIA under AI Act Article 27 covers a wider set of fundamental rights (safety, non-discrimination, dignity, due process) and is specifically triggered by the AI Act deployer obligations (for public bodies and for credit scoring/insurance). You may structure a combined assessment, but you must satisfy both.

Can we be fined under both laws for the same AI failure?

Yes. The AI Act and GDPR are independent legal regimes. An AI system that, for example, makes discriminatory credit decisions using unlawfully processed personal data could attract GDPR fines (up to €20m/4%) and AI Act fines (up to €15m/3% for high-risk non-compliance). There is no general "one fine" principle between the two regimes.

Does the AI Act's prohibition on emotion recognition affect our existing GDPR biometric data processing?

The AI Act prohibition on workplace and educational-institution emotion recognition is an AI-Act-specific ban that applies regardless of GDPR lawful basis. Even if you have GDPR consent for biometric processing, you cannot use an emotion-recognition AI in those contexts under the AI Act. GDPR and the AI Act must both be satisfied independently.

Our AI processes no personal data - do we have GDPR obligations?

No GDPR obligations arise where no personal data is processed. You still have AI Act obligations (including high-risk rules, transparency obligations and prohibited-practice checks), which apply regardless of personal-data involvement.

How does the AI Act's data governance (Article 10) relate to GDPR?

Article 10 requires that training, validation and test data for high-risk AI are relevant, representative, sufficiently free of errors and complete. This overlaps with GDPR's accuracy principle (Article 5(1)(d)) and data minimisation - but Article 10 is not a GDPR provision and applies even to non-personal data. Both must be satisfied where personal data is used in training.

This is guidance, not legal advice

This is guidance to help you understand how the EU AI Act applies alongside GDPR, not legal advice. For decisions specific to your organisation, confirm with the official sources we link or a qualified legal adviser.

Sources

  1. Regulation (EU) 2024/1689 (EU AI Act) - EUR-Lex, retrieved 9 Jun 2026
  2. European Commission: AI regulatory framework, retrieved 9 Jun 2026
  3. AI Act Explorer: high-level summary, retrieved 9 Jun 2026
  4. AI Act implementation timeline, retrieved 9 Jun 2026
  5. Council of the EU: Digital Omnibus provisional agreement, 7 May 2026, retrieved 9 Jun 2026
