Use this page to separate GDPR duties from AI Act work when an AI product or model uses personal data.
The GDPR source pack supports privacy facts, lawful-basis decisions, transparency, DPIAs, automated decision-making, controller and processor obligations, records, security, transfers, and rights. It does not contain the AI Act legal text, so AI Act obligations are deliberately source-limited here.
Structured answer sets in this page tree.
Cited legal and guidance references.
This comparison is GDPR-first. Use it when an AI feature, model workflow, scoring system, assistant, or vendor tool processes personal data and the team needs to know which privacy controls must be handled independently from any EU AI Act assessment.
Use these rows to decide the GDPR work that must happen for AI-enabled personal-data processing, while keeping AI Act-specific claims blocked until an AI Act source is attached.
Use this side to assign source-linked privacy work: lawful basis, transparency, rights, DPIA, Article 22, controller and processor duties, RoPA, security, breach, transfers, and accountability.
This GDPR folder only supports the existence of an EU artificial-intelligence regulation, not its detailed obligations. Treat this side as a handoff marker for separate AI Act sourcing.
| Dimension | GDPR | EU AI Act | Operational implication |
|---|---|---|---|
| Scope and source coverage | The GDPR text and GDPR guidance in this folder support concrete privacy obligations for AI-enabled personal-data processing. | The folder does not contain the EU AI Act legal text; it only contains a CJEU factsheet reference to a regulation on artificial intelligence. | Do not present AI Act roles, deadlines, penalties, or risk-tier duties from this page. Attach a separate AI Act source before assigning that work. |
| Who must act | GDPR work belongs to the controller or processor role for the AI processing activity, with input from product, privacy, legal, security, procurement, support, and the DPO where designated. | AI Act actors and role duties are not established by the available GDPR folder. | Assign a GDPR owner who can change the processing purpose, notice, rights workflow, security measures, processor terms, transfer route, or DPIA record. Assign AI Act owners only after separate AI Act sourcing confirms the relevant role. |
| Trigger | GDPR is triggered when the AI workflow processes personal data within GDPR scope, including collection, storage, use, disclosure, profiling, retention, transfer, or deletion. | AI Act triggering facts are not established by the available GDPR folder. | Start the review by documenting the personal-data processing purpose and role. Open a separate AI Act assessment only after attaching AI Act source support. |
| Core obligations | Each AI processing purpose needs an Article 6 lawful basis, privacy information, rights handling, Article 22 analysis where relevant, DPIA screening or DPIA, RoPA coverage, processor controls, security measures, retention, and transfer safeguards where applicable. | AI Act core obligations are not grounded in this folder beyond the limited fact that an artificial-intelligence regulation exists. | Do not let AI governance approval stand in for GDPR lawfulness, transparency, rights, DPIA, or accountability. Keep a purpose-by-purpose GDPR record and add AI Act duties only from a separate AI Act source. |
| Evidence and records | GDPR evidence should include a lawful-basis note, privacy notice text, RoPA entry, DPIA or DPIA screening, Article 22 assessment where relevant, rights workflow, processor terms, security control record, transfer safeguard, retention rule, and breach triage record. | AI Act technical documentation, registration, monitoring, or incident evidence is not grounded by this folder. | A shared AI inventory can reference GDPR evidence, but it must not imply AI Act compliance unless AI Act source-linked records are added. |
| Timing and cadence | GDPR timing is tied to the processing lifecycle: lawful basis and notice before processing, DPIA before high-risk processing, Article 22 and rights handling before automated decisions affect people, breach assessment without undue delay and where feasible within 72 hours for notifiable breaches, and RoPA updates when the processing changes. | AI Act application dates or review cadence are not grounded by this GDPR folder. | Calendar GDPR controls around launch, material processing changes, rights intake, breach awareness, transfers, and DPIA risk changes. Do not add AI Act deadlines from this page. |
| Enforcement or assurance route | GDPR is supervised through data-protection authorities with corrective powers and administrative fines. Internal assurance should be able to produce the RoPA, lawful basis, notice, DPIA, rights, security, breach, processor, and transfer evidence. | AI Act enforcement routes and penalties are not grounded by this GDPR folder. | Escalate GDPR issues through privacy, DPO where designated, legal, security, and supervisory-authority channels as appropriate. Do not state AI Act penalties or authority procedures from this page. |
| Overlap and reuse | GDPR evidence can overlap with AI governance records when the same inventory, vendor file, security control, log, or transfer record describes personal-data processing. | AI Act reuse rules are not grounded by this GDPR folder. | Reuse shared evidence only after labelling which item proves GDPR lawfulness, transparency, rights, DPIA, Article 22, RoPA, security, breach, processor, transfer, or retention duties. Keep AI Act-specific proof separate until sourced. |
| Practical decision rule | If the AI use case processes personal data, assign GDPR owners and evidence before launch: lawful basis, notice, rights, DPIA or screening, Article 22, RoPA, processor, security, transfer, retention, and breach controls. | Assign AI Act work only after a separate AI Act source identifies the applicable scope, role, risk category, duty, evidence, and timing. | The defensible output is two source-linked findings: one GDPR finding from this page, and one AI Act finding from AI Act sources. If the second source is missing, mark the AI Act side blocked rather than guessing. |
The GDPR text and GDPR guidance in this folder support concrete privacy obligations for AI-enabled personal-data processing.
The folder does not contain the EU AI Act legal text; it only contains a CJEU factsheet reference to a regulation on artificial intelligence.
Do not present AI Act roles, deadlines, penalties, or risk-tier duties from this page. Attach a separate AI Act source before assigning that work.
GDPR work belongs to the controller or processor role for the AI processing activity, with input from product, privacy, legal, security, procurement, support, and the DPO where designated.
AI Act actors and role duties are not established by the available GDPR folder.
Assign a GDPR owner who can change the processing purpose, notice, rights workflow, security measures, processor terms, transfer route, or DPIA record. Assign AI Act owners only after separate AI Act sourcing confirms the relevant role.
GDPR is triggered when the AI workflow processes personal data within GDPR scope, including collection, storage, use, disclosure, profiling, retention, transfer, or deletion.
AI Act triggering facts are not established by the available GDPR folder.
Start the review by documenting the personal-data processing purpose and role. Open a separate AI Act assessment only after attaching AI Act source support.
Each AI processing purpose needs an Article 6 lawful basis, privacy information, rights handling, Article 22 analysis where relevant, DPIA screening or DPIA, RoPA coverage, processor controls, security measures, retention, and transfer safeguards where applicable.
AI Act core obligations are not grounded in this folder beyond the limited fact that an artificial-intelligence regulation exists.
Do not let AI governance approval stand in for GDPR lawfulness, transparency, rights, DPIA, or accountability. Keep a purpose-by-purpose GDPR record and add AI Act duties only from a separate AI Act source.
GDPR evidence should include a lawful-basis note, privacy notice text, RoPA entry, DPIA or DPIA screening, Article 22 assessment where relevant, rights workflow, processor terms, security control record, transfer safeguard, retention rule, and breach triage record.
AI Act technical documentation, registration, monitoring, or incident evidence is not grounded by this folder.
A shared AI inventory can reference GDPR evidence, but it must not imply AI Act compliance unless AI Act source-linked records are added.
GDPR timing is tied to the processing lifecycle: lawful basis and notice before processing, DPIA before high-risk processing, Article 22 and rights handling before automated decisions affect people, breach assessment without undue delay and where feasible within 72 hours for notifiable breaches, and RoPA updates when the processing changes.
AI Act application dates or review cadence are not grounded by this GDPR folder.
Calendar GDPR controls around launch, material processing changes, rights intake, breach awareness, transfers, and DPIA risk changes. Do not add AI Act deadlines from this page.
GDPR is supervised through data-protection authorities with corrective powers and administrative fines. Internal assurance should be able to produce the RoPA, lawful basis, notice, DPIA, rights, security, breach, processor, and transfer evidence.
AI Act enforcement routes and penalties are not grounded by this GDPR folder.
Escalate GDPR issues through privacy, DPO where designated, legal, security, and supervisory-authority channels as appropriate. Do not state AI Act penalties or authority procedures from this page.
GDPR evidence can overlap with AI governance records when the same inventory, vendor file, security control, log, or transfer record describes personal-data processing.
AI Act reuse rules are not grounded by this GDPR folder.
Reuse shared evidence only after labelling which item proves GDPR lawfulness, transparency, rights, DPIA, Article 22, RoPA, security, breach, processor, transfer, or retention duties. Keep AI Act-specific proof separate until sourced.
If the AI use case processes personal data, assign GDPR owners and evidence before launch: lawful basis, notice, rights, DPIA or screening, Article 22, RoPA, processor, security, transfer, retention, and breach controls.
Assign AI Act work only after a separate AI Act source identifies the applicable scope, role, risk category, duty, evidence, and timing.
The defensible output is two source-linked findings: one GDPR finding from this page, and one AI Act finding from AI Act sources. If the second source is missing, mark the AI Act side blocked rather than guessing.
The available GDPR grounding supports concrete GDPR requirements: personal-data scope, lawful basis, transparency, controller and processor roles, records of processing, security, breach notification, DPIAs, transfers, data-subject rights, and automated individual decision-making.
The same folder contains only limited comparator support for the EU AI Act: a Court of Justice personal-data factsheet notes that a regulation on artificial intelligence materialised in 2024. It does not provide the AI Act text, risk classes, role definitions, penalties, or application dates. Treat any AI Act implementation row here as a source-limit warning, not as a full AI Act checklist.
For any AI-enabled processing, start with the GDPR questions that determine whether privacy controls are required at all. The first record should identify the controller or processor, the purpose, categories of data subjects and personal data, recipients, transfers, retention, security controls, and whether the processing is likely to create risk for individuals.
Then document the Article 6 lawful basis before launch. Irish DPC guidance frames the first controller question as the reason or justification for processing personal data, and lists the Article 6 legal bases as consent, contract, legal obligation, vital interests, public task, or legitimate interests.
AI use does not supersede GDPR transparency duties. GDPR Articles 13 and 14 require information about the purposes and legal basis, recipients, storage periods, rights, and the existence of automated decision-making including profiling where relevant. Article 15 also gives the data subject access rights that include information about automated decision-making in the stated cases.
Article 22 adds a separate GDPR control for decisions based solely on automated processing, including profiling, that produce legal effects or similarly significant effects. When an AI system contributes to such a decision, the GDPR review should document the decision path, human involvement, legal basis, safeguards, rights handling, and the notice language.
A DPIA is required where processing is likely to result in a high risk to natural persons. CNIL's DPIA page and methodology support using the assessment to examine necessity, proportionality, rights controls, processors, transfers, and security risks before the processing is deployed.
Assign the GDPR evidence to teams that can change the underlying processing: product for purpose and feature behavior, data governance for data categories and retention, legal or privacy for lawful basis and notices, security for Article 32 controls, procurement for processor and transfer terms, support for rights workflows, and the DPO where designated for DPIA advice and monitoring.
Keep the AI Act evidence owner separate unless an AI Act source confirms the same owner can satisfy the AI Act duty. A shared inventory may be useful, but each row should identify whether it proves a GDPR obligation, an AI Act obligation, or only a factual overlap.
Sorena can help turn AI-related GDPR questions into lawful-basis records, notices, DPIA checks, Article 22 analysis, RoPA updates, rights workflows, processor controls, and transfer evidence.
Ask source-linked questions about GDPR lawful basis, DPIAs, automated decision-making, rights, transfers, and evidence for AI-enabled processing.
Review your AI-related GDPR evidence, source gaps, and handoff points for a separate AI Act assessment.
"demonstrate compliance"
"regulation on artificial intelligence"
"international data transfers"
"processing of personal data"
"consent; contract; legal obligation"
"prescribed information"