Privacy & Data

GDPR and artificial intelligence: what stays and what changes

With the arrival of the AI Act, many SMEs breathed a sigh of relief, thinking: «now there is a law for AI, privacy is covered». It is a mistake that can prove costly. The truth is simpler and more demanding: on the processing of personal data with artificial intelligence systems the GDPR stays entirely in place, and the AI Act adds to it. It does not replace it. The question to ask is not «which of the two applies?», but «how do I safeguard both without duplicating the work?».

The formula that decides everything: «without prejudice to the GDPR»

Regulation (EU) 2024/1689 contains a clear-cut coordination clause: the AI Act applies without prejudice to the GDPR. Translated: the new Regulation does not touch the rules on the protection of personal data. The two texts operate in parallel and cumulatively. The AI Act governs the AI system — its placing on the market, its risk class, the obligations of provider and deployer. The GDPR governs every processing of personal data connected with that system.

The practical consequence is that conformity with the AI Act does not exempt you from GDPR compliance, and vice versa. An SME that thinks it can «cover» privacy by adopting AI Act measures is reasoning on a single track when the tracks are two. And there is a second element that weighs in: the penalties. The GDPR regime remains among the most severe in the EU legal order — with a dual threshold: up to €20 million or 4% of total worldwide annual turnover for the most serious infringements, up to €10 million or 2% for the others. These penalties sit alongside — and can be cumulated with — the further ones provided for by the AI Act.

What stays: the GDPR obligations do not change

Anyone processing personal data with AI must continue to comply with the entire framework of the GDPR. The points that, in our experience, most often intertwine with AI are five:

  1. Record of processing activities (Art. 30): processing carried out through AI systems must be mapped like any other.
  2. Legal basis (Art. 6) and transparency (Arts. 13-14): every AI processing needs a solid legal basis — starting with the training data — and clear information for data subjects.
  3. Minimisation: collect and process only the necessary data, a principle that «data-hungry» AI constantly puts under strain.
  4. Automated decisions (Art. 22): where a decision is solely automated or based on profiling, human intervention, information and the right to contest must be guaranteed.
  5. Security (Art. 32) and data breach (Arts. 33-34): adequate measures and notification to the Garante within 72 hours.

To these are added contracts with processors (Art. 28): if a provider of AI models or services processes data on behalf of the company, the relationship must be governed in writing. In Italy, the competent authority remains the Italian Data Protection Authority (Garante); at European level, the EDPB ensures consistent application.

What changes: where AI and the GDPR converge

The change is not in what the GDPR requires, but in how it intertwines with the new AI obligations. The clearest junction is the impact assessment. The GDPR provides for the DPIA (Art. 35) when a processing operation presents high risks to the rights of data subjects — a condition that often arises precisely in high-impact AI systems. The AI Act, in turn, imposes risk assessments on the system side. The two assessments do not replace each other: they run alongside. Conducting them in a disconnected way means doing the same work twice; conducting them in an integrated way is the mark of mature governance.

The same applies to human oversight, to documentation and to the information provided to data subjects and workers: they are required by both regimes, from different angles. The convergence is an opportunity, not a duplication.

The NomotecnIA reading for an SME

For a business the efficient path is one: a single governance that handles GDPR, the AI Act and — if adopted — ISO/IEC 42001 together, avoiding duplicated obligations. In practice this means a register that covers both processing activities and AI systems, an impact assessment that speaks to both regimes, an information notice that integrates the two levels of transparency.

The formal privacy safeguard — for example the appointment of a DPO where required — remains the controller's responsibility. Our role is to help you read the two tracks as a single system, verifiable, defensible before an authority or a client. Because in AI, trust is demonstrated with evidence, not with declarations.

Informative and editorial content. It does not constitute legal advice nor an attestation of conformity. NomotecnIA is not a notified body. For every assessment the official source cited in the linked briefings prevails.

Author

Matteo Colacchio

CEO · AI Governance, NomotecnIA

Author profile →

LinkedIn: to be linked

From analysis to your business

Want a governance that speaks to both tracks?

The AI Entry Assessment brings GDPR and the AI Act together into a single governance: register, integrated DPIA, two-level information notice.