---
title: "GDPR vs EU AI Act: privacy controls for AI systems"
canonical_url: "https://www.sorena.io/artifacts/eu/general-data-protection-regulation/gdpr-vs-ai-act"
source_url: "https://www.sorena.io/artifacts/eu/general-data-protection-regulation/gdpr-vs-ai-act"
author: "Sorena AI"
description: "Compare GDPR privacy duties with the EU AI Act only where the GDPR source pack supports the point: lawful basis, notices, DPIA, ADM, RoPA, rights, and source limits."
published_at: "2026-05-09"
updated_at: "2026-05-09"
keywords:
  - "EU GDPR"
  - "GDPR"
  - "EU AI Act"
  - "lawful basis"
  - "DPIA"
  - "automated decision-making"
  - "data subject rights"
  - "RoPA"
  - "Article 22"
---
**[SORENA](https://www.sorena.io/)** - AI-Powered GRC Platform

[Home](https://www.sorena.io/) | [Solutions](https://www.sorena.io/solutions) | [Artifacts](https://www.sorena.io/artifacts) | [About Us](https://www.sorena.io/about-us) | [Contact](https://www.sorena.io/contact) | [Portal](https://app.sorena.io)

---

# GDPR vs EU AI Act: privacy controls for AI systems

Compare GDPR privacy duties with the EU AI Act only where the GDPR source pack supports the point: lawful basis, notices, DPIA, ADM, RoPA, rights, and source limits.

*Artifact Guide* *EU*

## GDPR vs EU AI Act privacy controls for AI systems

Use this page to separate GDPR duties from AI Act work when an AI product or model uses personal data.

The GDPR source pack supports privacy facts, lawful-basis decisions, transparency, DPIAs, automated decision-making, controller and processor obligations, records, security, transfers, and rights. It does not contain the AI Act legal text, so AI Act obligations are deliberately source-limited here.

This comparison is GDPR-first. Use it when an AI feature, model workflow, scoring system, assistant, or vendor tool processes personal data and the team needs to know which privacy controls must be handled independently from any EU AI Act assessment.

## GDPR vs EU AI Act: what this GDPR source pack supports

Use these rows to decide the GDPR work that must happen for AI-enabled personal-data processing, while keeping AI Act-specific claims blocked until an AI Act source is attached.

- **GDPR**: Use this side to assign source-linked privacy work: lawful basis, transparency, rights, DPIA, Article 22, controller and processor duties, RoPA, security, breach, transfers, and accountability.
- **EU AI Act**: This GDPR folder only supports the existence of an EU artificial-intelligence regulation, not its detailed obligations. Treat this side as a handoff marker for separate AI Act sourcing.

| Dimension | GDPR | EU AI Act | Operational implication | Sources |
| --- | --- | --- | --- | --- |
| Scope and source coverage | The GDPR text and GDPR guidance in this folder support concrete privacy obligations for AI-enabled personal-data processing. | The folder does not contain the EU AI Act legal text; it only contains a CJEU factsheet reference to a regulation on artificial intelligence. | Do not present AI Act roles, deadlines, penalties, or risk-tier duties from this page. Attach a separate AI Act source before assigning that work. | [GDPR consolidated text](https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX%3A02016R0679-20160504&ref=sorena.io) - Primary GDPR source for the privacy obligations compared on this page.<br>[Court of Justice factsheet on protection of personal data](https://curia.europa.eu?ref=sorena.io) - Shows why the AI Act side must stay source-limited in this GDPR artifact. |
| Who must act | GDPR work belongs to the controller or processor role for the AI processing activity, with input from product, privacy, legal, security, procurement, support, and the DPO where designated. | AI Act actors and role duties are not established by the available GDPR folder. | Assign a GDPR owner who can change the processing purpose, notice, rights workflow, security measures, processor terms, transfer route, or DPIA record. Assign AI Act owners only after separate AI Act sourcing confirms the relevant role. | [GDPR consolidated text](https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX%3A02016R0679-20160504&ref=sorena.io) - Supports controller, processor, DPO, DPIA, security, and accountability duties.<br>[Irish DPC RoPA guidance under Article 30 GDPR](https://www.dataprotection.ie/sites/default/files/uploads/2023-04/Records%20of%20Processing%20Activities%20%28RoPA%29%20under%20Article%2030%20GDPR.pdf?ref=sorena.io) - Supports involving process owners rather than leaving RoPA maintenance only to the DPO.<br>[Court of Justice factsheet on protection of personal data](https://curia.europa.eu?ref=sorena.io) - Only limited AI Act comparator support is available in this GDPR folder. |
| Trigger | GDPR is triggered when the AI workflow processes personal data within GDPR scope, including collection, storage, use, disclosure, profiling, retention, transfer, or deletion. | AI Act triggering facts are not established by the available GDPR folder. | Start the review by documenting the personal-data processing purpose and role. Open a separate AI Act assessment only after attaching AI Act source support. | [GDPR consolidated text](https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX%3A02016R0679-20160504&ref=sorena.io) - Defines GDPR processing and personal-data scope.<br>[Court of Justice factsheet on protection of personal data](https://curia.europa.eu?ref=sorena.io) - Provides only the limited comparator fact that an artificial-intelligence regulation exists.<br>[Irish DPC guidance on legal bases for processing personal data](https://www.dataprotection.ie/en/dpc-guidance/guidance-legal-bases-processing-personal-data?ref=sorena.io) - Supports asking the controller's reason or justification before processing personal data. |
| Core obligations | Each AI processing purpose needs an Article 6 lawful basis, privacy information, rights handling, Article 22 analysis where relevant, DPIA screening or DPIA, RoPA coverage, processor controls, security measures, retention, and transfer safeguards where applicable. | AI Act core obligations are not grounded in this folder beyond the limited fact that an artificial-intelligence regulation exists. | Do not let AI governance approval stand in for GDPR lawfulness, transparency, rights, DPIA, or accountability. Keep a purpose-by-purpose GDPR record and add AI Act duties only from a separate AI Act source. | [Irish DPC guidance on legal bases for processing personal data](https://www.dataprotection.ie/en/dpc-guidance/guidance-legal-bases-processing-personal-data?ref=sorena.io) - Maps Article 6 legal bases and explains why controllers must identify the justification for processing.<br>[GDPR consolidated text](https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX%3A02016R0679-20160504&ref=sorena.io) - Article 6 and transparency provisions require a GDPR basis and related information. |
| Evidence and records | GDPR evidence should include a lawful-basis note, privacy notice text, RoPA entry, DPIA or DPIA screening, Article 22 assessment where relevant, rights workflow, processor terms, security control record, transfer safeguard, retention rule, and breach triage record. | AI Act technical documentation, registration, monitoring, or incident evidence is not grounded by this folder. | A shared AI inventory can reference GDPR evidence, but it must not imply AI Act compliance unless AI Act source-linked records are added. | [GDPR consolidated text](https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX%3A02016R0679-20160504&ref=sorena.io) - Supports keeping GDPR evidence independent from AI Act work. |
| Timing and cadence | GDPR timing is tied to the processing lifecycle: lawful basis and notice before processing, DPIA before high-risk processing, Article 22 and rights handling before automated decisions affect people, breach assessment without undue delay and where feasible within 72 hours for notifiable breaches, and RoPA updates when the processing changes. | AI Act application dates or review cadence are not grounded by this GDPR folder. | Calendar GDPR controls around launch, material processing changes, rights intake, breach awareness, transfers, and DPIA risk changes. Do not add AI Act deadlines from this page. | [GDPR consolidated text](https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX%3A02016R0679-20160504&ref=sorena.io) - Supports GDPR timing for DPIAs, automated decision-making information, breach notification, and ongoing accountability.<br>[CNIL privacy impact assessment overview](https://www.cnil.fr/en/privacy-impact-assessment-pia?ref=sorena.io) - Supports carrying out a DPIA before high-risk processing is deployed. |
| Enforcement or assurance route | GDPR is supervised through data-protection authorities with corrective powers and administrative fines. Internal assurance should be able to produce the RoPA, lawful basis, notice, DPIA, rights, security, breach, processor, and transfer evidence. | AI Act enforcement routes and penalties are not grounded by this GDPR folder. | Escalate GDPR issues through privacy, DPO where designated, legal, security, and supervisory-authority channels as appropriate. Do not state AI Act penalties or authority procedures from this page. | [GDPR consolidated text](https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX%3A02016R0679-20160504&ref=sorena.io) - Supports supervisory authority powers, corrective measures, administrative fines, and controller or processor accountability.<br>[Irish DPC RoPA guidance under Article 30 GDPR](https://www.dataprotection.ie/sites/default/files/uploads/2023-04/Records%20of%20Processing%20Activities%20%28RoPA%29%20under%20Article%2030%20GDPR.pdf?ref=sorena.io) - Supports making Article 30 evidence available for supervisory review. |
| Overlap and reuse | GDPR evidence can overlap with AI governance records when the same inventory, vendor file, security control, log, or transfer record describes personal-data processing. | AI Act reuse rules are not grounded by this GDPR folder. | Reuse shared evidence only after labelling which item proves GDPR lawfulness, transparency, rights, DPIA, Article 22, RoPA, security, breach, processor, transfer, or retention duties. Keep AI Act-specific proof separate until sourced. | [GDPR consolidated text](https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX%3A02016R0679-20160504&ref=sorena.io) - Supports Article 32 security, Article 33 breach notification, and Chapter V transfer principles.<br>[European Commission standard contractual clauses](https://commission.europa.eu/law/law-topic/data-protection/international-dimension-data-protection/standard-contractual-clauses-scc_en?ref=sorena.io) - Supports treating transfer safeguards as a GDPR evidence requirement for AI vendors handling personal data. |
| Practical decision rule | If the AI use case processes personal data, assign GDPR owners and evidence before launch: lawful basis, notice, rights, DPIA or screening, Article 22, RoPA, processor, security, transfer, retention, and breach controls. | Assign AI Act work only after a separate AI Act source identifies the applicable scope, role, risk category, duty, evidence, and timing. | The defensible output is two source-linked findings: one GDPR finding from this page, and one AI Act finding from AI Act sources. If the second source is missing, mark the AI Act side blocked rather than guessing. | [GDPR consolidated text](https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX%3A02016R0679-20160504&ref=sorena.io) - Supports the GDPR half of the source-linked finding.<br>[Court of Justice factsheet on protection of personal data](https://curia.europa.eu?ref=sorena.io) - Supports treating AI Act specifics as blocked until separately sourced. |

Sources for Scope and source coverage - GDPR:

- [GDPR consolidated text](https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX%3A02016R0679-20160504&ref=sorena.io) - Primary GDPR source for the privacy obligations compared on this page.
  - Quote: "processing of personal data"

Sources for Scope and source coverage - EU AI Act:

- [Court of Justice factsheet on protection of personal data](https://curia.europa.eu?ref=sorena.io) - Only limited AI Act comparator source available in the GDPR grounding folder.
  - Quote: "regulation on artificial intelligence"

Sources for Scope and source coverage - operational implication:

- [Court of Justice factsheet on protection of personal data](https://curia.europa.eu?ref=sorena.io) - Shows why the AI Act side must stay source-limited in this GDPR artifact.
  - Quote: "regulation on artificial intelligence"

Sources for Who must act - GDPR:

- [GDPR consolidated text](https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX%3A02016R0679-20160504&ref=sorena.io) - Supports controller, processor, DPO, DPIA, security, and accountability duties.
  - Quote: "responsibility of the controller"
- [Irish DPC RoPA guidance under Article 30 GDPR](https://www.dataprotection.ie/sites/default/files/uploads/2023-04/Records%20of%20Processing%20Activities%20%28RoPA%29%20under%20Article%2030%20GDPR.pdf?ref=sorena.io) - Supports involving process owners rather than leaving RoPA maintenance only to the DPO.
  - Quote: "process owners"

Sources for Who must act - operational implication:

- [Court of Justice factsheet on protection of personal data](https://curia.europa.eu?ref=sorena.io) - Only limited AI Act comparator support is available in this GDPR folder.
  - Quote: "regulation on artificial intelligence"

Sources for Trigger - GDPR:

- [GDPR consolidated text](https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX%3A02016R0679-20160504&ref=sorena.io) - Defines GDPR processing and personal-data scope.
  - Quote: "processing of personal data"

Sources for Trigger - EU AI Act:

- [Court of Justice factsheet on protection of personal data](https://curia.europa.eu?ref=sorena.io) - Provides only the limited comparator fact that an artificial-intelligence regulation exists.
  - Quote: "regulation on artificial intelligence"

Sources for Trigger - operational implication:

- [Irish DPC guidance on legal bases for processing personal data](https://www.dataprotection.ie/en/dpc-guidance/guidance-legal-bases-processing-personal-data?ref=sorena.io) - Supports asking the controller's reason or justification before processing personal data.
  - Quote: "legal basis"

Sources for Core obligations - GDPR:

- [Irish DPC guidance on legal bases for processing personal data](https://www.dataprotection.ie/en/dpc-guidance/guidance-legal-bases-processing-personal-data?ref=sorena.io) - Maps Article 6 legal bases and explains why controllers must identify the justification for processing.
  - Quote: "consent; contract; legal obligation"

Sources for Core obligations - operational implication:

- [GDPR consolidated text](https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX%3A02016R0679-20160504&ref=sorena.io) - Article 6 and transparency provisions require a GDPR basis and related information.
  - Quote: "Processing shall be lawful"

Sources for Evidence and records - GDPR:

- [GDPR consolidated text](https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX%3A02016R0679-20160504&ref=sorena.io) - Supports GDPR transparency, rights, automated decision-making information, controller responsibility, security, breach, and DPIA evidence.
  - Quote: "rights of the data subject"

Sources for Evidence and records - operational implication:

- [GDPR consolidated text](https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX%3A02016R0679-20160504&ref=sorena.io) - Supports keeping GDPR evidence independent from AI Act work.
  - Quote: "accountability"

Sources for Timing and cadence - GDPR:

- [GDPR consolidated text](https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX%3A02016R0679-20160504&ref=sorena.io) - Supports GDPR timing for DPIAs, automated decision-making information, breach notification, and ongoing accountability.
  - Quote: "not later than 72 hours"
- [CNIL privacy impact assessment overview](https://www.cnil.fr/en/privacy-impact-assessment-pia?ref=sorena.io) - Supports DPIA use where processing is likely to result in high risk.
  - Quote: "Privacy Impact Assessment"

Sources for Timing and cadence - operational implication:

- [CNIL privacy impact assessment overview](https://www.cnil.fr/en/privacy-impact-assessment-pia?ref=sorena.io) - Supports carrying out a DPIA before high-risk processing is deployed.
  - Quote: "demonstrate compliance"

Sources for Enforcement or assurance route - GDPR:

- [GDPR consolidated text](https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX%3A02016R0679-20160504&ref=sorena.io) - Supports supervisory authority powers, corrective measures, administrative fines, and controller or processor accountability.
  - Quote: "administrative fine"

Sources for Enforcement or assurance route - operational implication:

- [Irish DPC RoPA guidance under Article 30 GDPR](https://www.dataprotection.ie/sites/default/files/uploads/2023-04/Records%20of%20Processing%20Activities%20%28RoPA%29%20under%20Article%2030%20GDPR.pdf?ref=sorena.io) - Supports making Article 30 evidence available for supervisory review.
  - Quote: "prescribed information"

Sources for Overlap and reuse - GDPR:

- [GDPR consolidated text](https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX%3A02016R0679-20160504&ref=sorena.io) - Supports Article 32 security, Article 33 breach notification, and Chapter V transfer principles.
  - Quote: "Security of processing"
- [European Commission standard contractual clauses](https://commission.europa.eu/law/law-topic/data-protection/international-dimension-data-protection/standard-contractual-clauses-scc_en?ref=sorena.io) - Supports SCC evidence for international transfer safeguards.
  - Quote: "Standard Contractual Clauses"

Sources for Overlap and reuse - operational implication:

- [European Commission standard contractual clauses](https://commission.europa.eu/law/law-topic/data-protection/international-dimension-data-protection/standard-contractual-clauses-scc_en?ref=sorena.io) - Supports treating transfer safeguards as a GDPR evidence requirement for AI vendors handling personal data.
  - Quote: "international data transfers"

Sources for Practical decision rule - GDPR:

- [GDPR consolidated text](https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX%3A02016R0679-20160504&ref=sorena.io) - Primary source for GDPR duties used in the decision rule.
  - Quote: "responsibility of the controller"

Sources for Practical decision rule - EU AI Act:

- [Court of Justice factsheet on protection of personal data](https://curia.europa.eu?ref=sorena.io) - Provides only limited comparator support and therefore supports blocking unsupported AI Act specifics.
  - Quote: "regulation on artificial intelligence"

Sources for Practical decision rule - operational implication:

- [GDPR consolidated text](https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX%3A02016R0679-20160504&ref=sorena.io) - Supports the GDPR half of the source-linked finding.
  - Quote: "protection of personal data"
- [Court of Justice factsheet on protection of personal data](https://curia.europa.eu?ref=sorena.io) - Supports treating AI Act specifics as blocked until separately sourced.
  - Quote: "regulation on artificial intelligence"

### How should teams compare GDPR and the EU AI Act for an AI system?

- First decide whether the AI use case processes personal data and record the GDPR controller or processor role.
- Assign the GDPR controls that are source-linked here: lawful basis, transparency, rights, DPIA or screening, Article 22, RoPA, security, breach, transfer, retention, and accountability evidence.
- Treat the AI Act side as blocked for detailed obligations unless a separate AI Act source is attached.
- Keep shared evidence labelled by source so a privacy reviewer and an AI Act reviewer can each re-run the decision.

Sources for the practical decision rule:

- [GDPR consolidated text](https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX%3A02016R0679-20160504&ref=sorena.io) - Primary source for the GDPR decision path.
  - Quote: "processing of personal data"
- [Court of Justice factsheet on protection of personal data](https://curia.europa.eu?ref=sorena.io) - Supports only the limited AI Act comparator context available in this folder.
  - Quote: "regulation on artificial intelligence"

## What this comparison can and cannot prove from the GDPR source pack

The available GDPR grounding supports concrete GDPR requirements: personal-data scope, lawful basis, transparency, controller and processor roles, records of processing, security, breach notification, DPIAs, transfers, data-subject rights, and automated individual decision-making.

The same folder contains only limited comparator support for the EU AI Act: a Court of Justice personal-data factsheet notes that a regulation on artificial intelligence materialised in 2024. It does not provide the AI Act text, risk classes, role definitions, penalties, or application dates. Treat any AI Act implementation row here as a source-limit warning, not as a full AI Act checklist.

- Use GDPR sources to decide whether an AI use case processes personal data and which GDPR controls must exist.
- Do not infer AI Act obligations, deadlines, roles, or penalties from this GDPR page.
- Open a separate AI Act source pack before assigning AI Act-specific risk classification, provider, deployer, technical documentation, or conformity work.

Sources for this answer:

- [GDPR consolidated text](https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX%3A02016R0679-20160504&ref=sorena.io) - Primary GDPR text for processing scope, lawful basis, transparency, rights, controller and processor duties, DPIAs, breach notification, transfers, supervisory powers, and fines.
- [Court of Justice factsheet on protection of personal data](https://curia.europa.eu?ref=sorena.io) - The GDPR grounding folder's only AI Act comparator support: it notes that a regulation on artificial intelligence materialised in 2024, without supplying the AI Act obligation text.

## GDPR questions to answer before an AI Act workstream

For any AI-enabled processing, start with the GDPR questions that determine whether privacy controls are required at all. The first record should identify the controller or processor, the purpose, categories of data subjects and personal data, recipients, transfers, retention, security controls, and whether the processing is likely to create risk for individuals.

Then document the Article 6 lawful basis before launch. Irish DPC guidance frames the first controller question as the reason or justification for processing personal data, and lists the Article 6 legal bases as consent, contract, legal obligation, vital interests, public task, or legitimate interests.

- Record the Article 6 lawful basis for each AI processing purpose, not for the product as a whole.
- Update the RoPA when the AI workflow changes the purpose, data categories, recipients, transfers, retention, or security measures.
- Keep the AI Act scoping decision separate until an AI Act source confirms the relevant role and obligation.

Sources for this answer:

- [Irish DPC guidance on legal bases for processing personal data](https://www.dataprotection.ie/en/dpc-guidance/guidance-legal-bases-processing-personal-data?ref=sorena.io) - Explains that controllers should identify the reason or justification for processing and maps Article 6 legal bases.
- [Irish DPC RoPA guidance under Article 30 GDPR](https://www.dataprotection.ie/sites/default/files/uploads/2023-04/Records%20of%20Processing%20Activities%20%28RoPA%29%20under%20Article%2030%20GDPR.pdf?ref=sorena.io) - Supports keeping granular records of processing activities, including purposes, data categories, recipients, transfers, erasure time limits, and security measures.

## Transparency, rights, DPIA, and automated decision-making controls

AI use does not supersede GDPR transparency duties. GDPR Articles 13 and 14 require information about the purposes and legal basis, recipients, storage periods, rights, and the existence of automated decision-making including profiling where relevant. Article 15 also gives the data subject access rights that include information about automated decision-making in the stated cases.

Article 22 adds a separate GDPR control for decisions based solely on automated processing, including profiling, that produce legal effects or similarly significant effects. When an AI system contributes to such a decision, the GDPR review should document the decision path, human involvement, legal basis, safeguards, rights handling, and the notice language.

A DPIA is required where processing is likely to result in a high risk to natural persons. CNIL's DPIA page and methodology support using the assessment to examine necessity, proportionality, rights controls, processors, transfers, and security risks before the processing is deployed.

- Do not use an AI Act label as a substitute for GDPR notice, access, objection, rectification, erasure, restriction, portability, or Article 22 analysis.
- When relying on legitimate interests for AI-enabled processing, keep the balancing analysis and make the specific interest clear in the privacy information.
- Where a DPIA is needed, include purpose, data minimisation, retention, information notices, rights handling, processor controls, transfer safeguards, and security measures.

Sources for this answer:

- [GDPR consolidated text](https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX%3A02016R0679-20160504&ref=sorena.io) - Supports transparency, access, Article 22 automated decision-making, DPIA, security, breach notification, and transfer duties.
- [CNIL privacy impact assessment overview](https://www.cnil.fr/en/privacy-impact-assessment-pia?ref=sorena.io) - Explains that a DPIA is required where processing is likely to result in high risk and links methodology and templates for demonstrating compliance.

## Evidence owners for a GDPR-first AI comparison

Assign the GDPR evidence to teams that can change the underlying processing: product for purpose and feature behavior, data governance for data categories and retention, legal or privacy for lawful basis and notices, security for Article 32 controls, procurement for processor and transfer terms, support for rights workflows, and the DPO where designated for DPIA advice and monitoring.

Keep the AI Act evidence owner separate unless an AI Act source confirms the same owner can satisfy the AI Act duty. A shared inventory may be useful, but each row should identify whether it proves a GDPR obligation, an AI Act obligation, or only a factual overlap.

- Required GDPR evidence commonly includes a RoPA entry, lawful-basis note, privacy notice text, DPIA or DPIA screening, Article 22 assessment where relevant, rights-response workflow, processor terms, transfer safeguards, retention rule, security control record, and breach triage record.
- Label source support beside each artifact so reviewers can see whether it comes from GDPR text, DPC guidance, CNIL DPIA material, SCC material, or a separate AI Act source.
- Do not merge GDPR and AI Act findings into one approval unless the record shows both source bases and both owners.

Sources for this answer:

- [Irish DPC RoPA guidance under Article 30 GDPR](https://www.dataprotection.ie/sites/default/files/uploads/2023-04/Records%20of%20Processing%20Activities%20%28RoPA%29%20under%20Article%2030%20GDPR.pdf?ref=sorena.io) - Supports process-owner involvement, granular RoPA content, and keeping prescribed Article 30 information visible.
- [European Commission standard contractual clauses](https://commission.europa.eu/law/law-topic/data-protection/international-dimension-data-protection/standard-contractual-clauses-scc_en?ref=sorena.io) - Supports using SCC materials when AI processing involves personal-data transfers to third countries or international organisations.

*Recommended next step*

*Placement: before sources*

## Turn the GDPR side of an AI review into cited implementation work

Sorena can help turn AI-related GDPR questions into lawful-basis records, notices, DPIA checks, Article 22 analysis, RoPA updates, rights workflows, processor controls, and transfer evidence.

- [Open Research Copilot for GDPR](/solutions/research-copilot.md): Ask source-linked questions about GDPR lawful basis, DPIAs, automated decision-making, rights, transfers, and evidence for AI-enabled processing.
- [Talk through implementation](/contact.md): Review your AI-related GDPR evidence, source gaps, and handoff points for a separate AI Act assessment.

## Primary sources

- [GDPR consolidated text](https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX%3A02016R0679-20160504&ref=sorena.io) - Primary source for the GDPR decision path.
  - Quote: "processing of personal data"
- [Irish DPC guidance on legal bases for processing personal data](https://www.dataprotection.ie/en/dpc-guidance/guidance-legal-bases-processing-personal-data?ref=sorena.io) - Maps Article 6 legal bases and explains why controllers must identify the justification for processing.
  - Quote: "consent; contract; legal obligation"
- [Irish DPC RoPA guidance under Article 30 GDPR](https://www.dataprotection.ie/sites/default/files/uploads/2023-04/Records%20of%20Processing%20Activities%20%28RoPA%29%20under%20Article%2030%20GDPR.pdf?ref=sorena.io) - Supports making Article 30 evidence available for supervisory review.
  - Quote: "prescribed information"
- [CNIL privacy impact assessment overview](https://www.cnil.fr/en/privacy-impact-assessment-pia?ref=sorena.io) - Supports carrying out a DPIA before high-risk processing is deployed.
  - Quote: "demonstrate compliance"
- [European Commission standard contractual clauses](https://commission.europa.eu/law/law-topic/data-protection/international-dimension-data-protection/standard-contractual-clauses-scc_en?ref=sorena.io) - Supports treating transfer safeguards as a GDPR evidence requirement for AI vendors handling personal data.
  - Quote: "international data transfers"
- [Court of Justice factsheet on protection of personal data](https://curia.europa.eu?ref=sorena.io) - Supports only the limited AI Act comparator context available in this folder.
  - Quote: "regulation on artificial intelligence"

## Related Topic Guides

- [Does the EU GDPR apply outside the EU under Article 3?](/artifacts/eu/general-data-protection-regulation/faq/territorial-scope.md): A grounded GDPR Article 3 territorial-scope FAQ covering EU establishment, offering goods or services, monitoring behavior in the EU, and Article 27 representatives.
- [EU GDPR Applicability Test for Products, Vendors, and Data Flows](/artifacts/eu/general-data-protection-regulation/applicability-test.md): A concrete GDPR scope test for personal data, controller and processor roles, EU establishment, EU targeting or monitoring, special-category and child data, transfers, vendors, and evidence.
- [EU GDPR Article 30 RoPA Intake Workflow](/artifacts/eu/general-data-protection-regulation/ropa-intake-workflow.md): Use this GDPR Article 30 RoPA intake workflow to capture controller and processor fields, owners, transfers, retention, security measures, and evidence before a processing activity goes live.
- [EU GDPR Article 6 Legal Bases FAQ](/artifacts/eu/general-data-protection-regulation/faq/legal-bases.md): FAQ on the six Article 6 GDPR lawful bases, consent caveats, legitimate interests, public-task and legal-obligation limits, and Article 9 special-category data.
- [EU GDPR Automated Decision-Making and Profiling: Article 22 Scope, Safeguards, and Evidence](/artifacts/eu/general-data-protection-regulation/automated-decision-making-and-profiling.md): source-linked GDPR guide for automated decision-making and profiling: Article 22 scope, profiling definition, transparency, lawful basis, DPIA triggers, human review rights, and evidence.
- [EU GDPR Breach Notification 72 Hours: Article 33 and 34 workflow](/artifacts/eu/general-data-protection-regulation/breach-notification-72-hours.md): Source-grounded EU GDPR breach notification workflow covering awareness, 72-hour supervisory authority notices, processor escalation, high-risk data-subject communication, delay reasons, and evidence logs.
- [EU GDPR Breach Notification Workflow: 72-hour clock, risk assessment, and records](/artifacts/eu/general-data-protection-regulation/breach-notification-workflow.md): A concrete EU GDPR breach notification workflow for detecting and triaging incidents, starting the awareness clock, assessing risk, notifying authorities or data subjects, and keeping Article 33 records.
- [EU GDPR Checklist: scope, lawful basis, DSARs, DPIA, RoPA, transfers](/artifacts/eu/general-data-protection-regulation/checklist.md): Use this GDPR checklist to review scope, lawful basis, notices, DSAR handling, DPIAs, RoPA, processor contracts, SCC transfers, breach notification, retention, security, and evidence.
- [EU GDPR Children and Special-Category Data Guide](/artifacts/eu/general-data-protection-regulation/children-and-special-categories.md): source-linked GDPR guide for Article 8 children's consent, Article 9 special-category data, DPIA triggers, transparency, safeguards, and evidence records.
- [EU GDPR Compliance Checklist: scope, rights, DPIA, RoPA, transfers](/artifacts/eu/general-data-protection-regulation/compliance.md): Practical EU GDPR compliance guide for mapping scope, lawful basis, notices, data-subject rights, DPIAs, RoPA, processor terms, breaches, transfers, retention, security, and penalties.
- [EU GDPR Controller, Processor, and Joint Controller Roles](/artifacts/eu/general-data-protection-regulation/controller-processor-and-joint-controller-roles.md): source-linked GDPR guide for classifying controllers, processors, and joint controllers, with Article 28 contract checks, Article 26 transparency, and vendor evidence.
- [EU GDPR Data Subject Rights and DSAR Workflow](/artifacts/eu/general-data-protection-regulation/data-subject-rights-and-dsar-workflow.md): source-linked GDPR DSAR workflow for intake, identity checks, request scope, the one-month response clock, extensions, refusals, processor escalation, and evidence.
- [EU GDPR deadlines and compliance calendar](/artifacts/eu/general-data-protection-regulation/deadlines-and-compliance-calendar.md): source-linked GDPR calendar entries for applicability, DSAR response timing, breach notification, DPIA review, prior consultation, transfer reviews, and retention checks.
- [EU GDPR DPIA and Prior Consultation Workflow](/artifacts/eu/general-data-protection-regulation/dpia-and-prior-consultation-workflow.md): Screen high-risk processing, run a GDPR Article 35 DPIA, record mitigation, and identify when Article 36 prior consultation is required.
- [EU GDPR DPIA and risk management under Articles 35 and 36](/artifacts/eu/general-data-protection-regulation/dpia-and-risk-management.md): EU GDPR DPIA guide covering Article 35 triggers and contents, CNIL and DPC PIA methods, residual risk, mitigation records, and prior consultation limits.
- [EU GDPR DSAR Exceptions: refusal, extensions, identity checks](/artifacts/eu/general-data-protection-regulation/faq/dsar-exceptions.md): FAQ on when EU GDPR controllers may extend, charge for, narrow, redact, or refuse a data subject access request under Articles 12 and 15.
- [EU GDPR DSAR Workflow: Intake, Clock, Rights, and Evidence](/artifacts/eu/general-data-protection-regulation/dsar-workflow.md): Run a GDPR DSAR workflow for intake, identity checks, rights scoping, one-month response timing, extensions, refusals, processor handoffs, and evidence records.
- [EU GDPR FAQ: scope, lawful basis, rights, DPIA, breaches, transfers](/artifacts/eu/general-data-protection-regulation/faq.md): Direct EU GDPR FAQ answers on scope, controller and processor roles, lawful basis, data subject rights, DPIAs, breach notification, international transfers, and Article 83 fine tiers.
- [EU GDPR International Transfers and SCCs: Chapter V evidence guide](/artifacts/eu/general-data-protection-regulation/international-transfers-and-sccs.md): source-linked guide to GDPR Chapter V transfers, adequacy decisions, SCCs, transfer impact assessments, supplementary measures, and EU-US DPF checks.
- [EU GDPR Lawful Basis and Consent Guide](/artifacts/eu/general-data-protection-regulation/lawful-basis-and-consent.md): Focused GDPR guide to Article 6 lawful bases, consent conditions, legitimate interests, special category data, withdrawal, and evidence records.
- [EU GDPR Lawful Basis and LIA Workflow for Article 6(1)(f)](/artifacts/eu/general-data-protection-regulation/lawful-basis-and-lia-workflow.md): Assess GDPR legitimate interests with a purpose, necessity, balancing, Article 21 objection, and evidence-record workflow grounded in Article 6(1)(f).
- [EU GDPR Lead Supervisory Authority and One-Stop-Shop](/artifacts/eu/general-data-protection-regulation/lead-authority-and-one-stop-shop.md): How GDPR main establishment, cross-border processing, Article 56 lead authority competence, and Article 60 cooperation fit together.
- [EU GDPR LIA Template for Article 6(1)(f)](/artifacts/eu/general-data-protection-regulation/lia-template.md): Use this EU GDPR legitimate interests assessment template to document Article 6(1)(f) purpose, necessity, balancing, safeguards, objection rights, and evidence.
- [EU GDPR penalties and fines: Article 83 tiers and evidence](/artifacts/eu/general-data-protection-regulation/penalties-and-fines.md): EU GDPR penalties and fines guide covering Article 83 fine tiers, assessment factors, Article 58 powers, and evidence records for controllers and processors.
- [EU GDPR Processor Contracts and Vendor Management | Article 28 Evidence Guide](/artifacts/eu/general-data-protection-regulation/processor-contracts-and-vendor-management.md): EU GDPR Article 28 guide for processor contracts, sub-processor controls, controller-processor role boundaries, vendor evidence, and SCC transfer clauses where applicable.
- [EU GDPR Record of Processing Activities Template: Article 30 RoPA Fields](/artifacts/eu/general-data-protection-regulation/record-of-processing-activities-template.md): Build a GDPR Article 30 record of processing activities with separate controller and processor fields for purposes, data categories, recipients, transfers, erasure time limits, and security measures.
- [EU GDPR Requirements: scope, rights, security, DPIA, RoPA, and transfers](/artifacts/eu/general-data-protection-regulation/requirements.md): Overview of core EU GDPR requirements covering scope, principles, lawful basis, notices, data-subject rights, processors, RoPA, security, breaches, DPIAs, and international transfers.
- [EU GDPR Retention and Erasure Schedule](/artifacts/eu/general-data-protection-regulation/retention-and-erasure-schedule.md): Build an EU GDPR retention and erasure schedule around storage limitation, Article 17 erasure grounds, Article 12 rights handling, Article 19 recipient notices, and Article 30 RoPA fields.
- [EU GDPR SCC Transfer Impact Assessment FAQ](/artifacts/eu/general-data-protection-regulation/faq/scc-transfer-impact-assessment.md): source-linked FAQ on when SCC transfer impact assessments are needed, what Clause 14 records, and when supplementary safeguards or transfer suspension are required.
- [EU GDPR Transfer TIA and SCC Workflow](/artifacts/eu/general-data-protection-regulation/transfer-tia-and-scc-workflow.md): A GDPR workflow for checking adequacy, selecting SCC modules, documenting transfer impact assessments, and recording supplementary measures for third-country transfers.
- [EU GDPR Transparency Notices: Articles 12, 13 and 14](/artifacts/eu/general-data-protection-regulation/transparency-notices.md): Source-grounded GDPR guide to privacy notices under Articles 12, 13 and 14: direct collection, third-party data sources, recipients, transfers, retention, rights, and lawful basis.
- [EU GDPR vs Brazil LGPD: GDPR-led comparison and source gaps](/artifacts/eu/general-data-protection-regulation/gdpr-vs-lgpd.md): Compare EU GDPR duties with Brazil LGPD only where the available sources support the comparator, with GDPR rows for lawful basis, rights, breach, transfers, roles, and evidence.
- [EU GDPR vs California CCPA: grounded GDPR comparison limits](/artifacts/eu/general-data-protection-regulation/gdpr-vs-ccpa.md): Compare GDPR implementation duties with source-limited California CCPA/CPRA context, showing where the available grounding supports a claim and where it does not.
- [EU GDPR vs ePrivacy Directive: personal data, cookies, consent, and communications](/artifacts/eu/general-data-protection-regulation/gdpr-vs-eprivacy.md): Compare the EU GDPR and ePrivacy Directive for personal data processing, consent and lawful basis, cookies and terminal access, electronic communications, and parallel compliance.
- [EU GDPR vs UK GDPR: source-limited compliance comparison](/artifacts/eu/general-data-protection-regulation/gdpr-vs-uk-gdpr.md): Compare EU GDPR obligations with source-limited UK GDPR transfer notes grounded in EU GDPR sources, covering scope, lawful basis, rights, accountability, records, DPIAs, security, and transfers.
- [GDPR processor vs controller: role boundaries and evidence](/artifacts/eu/general-data-protection-regulation/faq/processor-vs-controller.md): Decide whether a party is a GDPR controller, processor, or joint controller using purpose-and-means tests, Article 28 terms, Article 26 arrangements, and Article 30 records.
- [GDPR vs EU Data Act: personal data safeguards and source limits](/artifacts/eu/general-data-protection-regulation/gdpr-vs-data-act.md): Compare GDPR obligations with the EU Data Act only where the available GDPR grounding supports the fact pattern, with clear safeguards for personal data, rights, transfers, and accountability.
- [When does the EU GDPR require a DPIA?](/artifacts/eu/general-data-protection-regulation/faq/dpia-threshold.md): Answer the EU GDPR DPIA threshold question with Article 35 triggers, high-risk criteria, supervisory-authority list checks, and DPIA content requirements.
- [When does the GDPR 72-hour breach notification clock start?](/artifacts/eu/general-data-protection-regulation/faq/breach-awareness-clock.md): GDPR breach-awareness FAQ covering the Article 33 clock, processor escalation, delayed or phased notifications, risk assessment, and records to keep.


---

[Privacy Policy](https://www.sorena.io/privacy) | [Terms of Use](https://www.sorena.io/terms-of-use) | [DMCA](https://www.sorena.io/dmca) | [About Us](https://www.sorena.io/about-us)

(c) 2026 Sorena AB (559573-7338). All rights reserved.

Source: https://www.sorena.io/artifacts/eu/general-data-protection-regulation/gdpr-vs-ai-act