Does the GDPR go away now that we have the AI Act?
In short: no. Regulation (EU) 2016/679 stays fully in force, and the AI Act applies without prejudice to the GDPR: any processing of personal data connected with an AI system remains fully subject to data protection law. They are two cumulative tracks. Below, the facts verified on EUR-Lex, then our reading.
The facts · fields 1–10
What the official source says.
01 · Name
Regulation (EU) 2016/679 — "GDPR"
Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation). Common acronym: GDPR (General Data Protection Regulation) / in Italian RGPD.
Official title · EUR-Lex ELI Reg. (EU) 2016/679
02 · Type of source
European Union regulation
An EU legislative act of general application, adopted by the European Parliament and the Council. It repeals and replaces the previous Directive 95/46/EC. It consists of 99 articles and 173 recitals.
EUR-Lex ELI Reg. (EU) 2016/679
03 · Nature
Binding and directly applicable
As an EU regulation (Art. 288 TFEU) it is binding in its entirety and directly applicable in every Member State, without any need for national transposition. It is not soft law: it lays down specific legal obligations and a robust system of penalties (Art. 83).
Art. 288 TFEU · text of the Regulation on EUR-Lex
04 · Subject matter
Protection of personal data and free movement
It establishes harmonised rules for the protection of natural persons with regard to the processing of personal data and for the free movement of such data within the EU. It governs principles (lawfulness, fairness, transparency, data minimisation, purpose and storage limitation, integrity and confidentiality, accountability), the legal bases for processing, the rights of the data subject, the obligations of the controller and processor, transfers to third countries, security and personal data breaches.
EUR-Lex ELI Reg. (EU) 2016/679
05 · Who it applies to
Controllers and processors, public and private
- Material scope: the wholly or partly automated processing of personal data and the non-automated processing of data forming part of (or intended to form part of) a filing system.
- Personal scope: data controllers (titolare del trattamento) and data processors (responsabile del trattamento), whether public or private.
- Territorial scope (Art. 3) — extraterritorial: it also applies to controllers/processors established outside the EU when they process the data of data subjects who are in the Union in order to offer them goods/services or to monitor their behaviour.
Arts. 2 and 3 (scope of application) · EUR-Lex
06 · Key dates
From adoption to full application (Art. 99)
-
Adoption of the Regulation.
-
Publication in the Official Journal of the European Union (OJEU L 119).
-
Entry into force (20th day following publication — Art. 99(1)).
-
Date of application (Art. 99(2)): from this date the GDPR is fully operative and replaces Directive 95/46/EC.
Art. 99 of the Regulation · EUR-Lex (dates corroborated by EUR-Lex and by independent legal sources).
07 · Competent authorities
Garante at national level; EDPB and EDPS at EU level
At national level (Italy): the Italian Data Protection Authority (Garante per la protezione dei dati personali) — the independent supervisory authority under Arts. 51 et seq. — competent for supervision, investigation and penalties.
At EU level: the European Data Protection Board (EDPB), which ensures the consistent application of the Regulation, and the European Data Protection Supervisor (EDPS) for the EU institutions.
Chapter VI (Independent supervisory authorities) and Chapter VII (EDPB) · EUR-Lex
08 · Status
In force since 24 May 2016, fully applicable since 25 May 2018
Fully operative and binding. In Italy it is coordinated with the Privacy Code (Legislative Decree 196/2003) as amended by the adapting Legislative Decree 101/2018. The system of penalties (Art. 83) is active.
EUR-Lex ELI Reg. (EU) 2016/679
09 · Relationship with other rules
It coordinates with the AI Act «without prejudice», Law 132/2025 and ISO/IEC 42001
- ↔ AI Act (Reg. EU 2024/1689) — «without prejudice»: the AI Act applies without prejudice to the GDPR. The two regulations operate in parallel, cumulatively: the AI Act governs the AI system (placing on the market, risk, provider/deployer obligations), while any processing of personal data connected with that system remains fully subject to the GDPR. Compliance with the AI Act does not exempt from GDPR compliance, and vice versa. Typical points of contact: the legal basis for processing in the training data, the data minimisation principle, automated decision-making (Art. 22 GDPR), the impact assessment (DPIA, Art. 35 GDPR) which sits alongside the AI Act's risk assessment.
- ↔ Law 132/2025 (Italy): the Italian national AI law reaffirms that the processing of personal data connected with AI remains subject to the GDPR and to the Privacy Code, with the Garante as competent authority (see dedicated brief).
- ↔ ISO/IEC 42001: voluntary AI management standard; it may include safeguards useful for data protection, but does not replace GDPR obligations.
«without prejudice» to the GDPR clause in Reg. EU 2024/1689 (AI Act) · GDPR text on EUR-Lex
10 · Official source
EUR-Lex — ELI identifier
Primary source to be cited: EUR-Lex, ELI identifier reg/2016/679. Official Italian text: CELEX 32016R0679. Published in the OJEU L 119 of 4 May 2016 (with a corrigendum in OJEU L 127 of 23 May 2018).
Open the official source on EUR-Lex
Primary source · EUR-Lex (official ELI)
Fields 11–12 · own synthesis
Our reading for an SME.
Synthesis
- The GDPR is the pre-existing base on which the entire body of AI legislation is grafted: those who process personal data with AI systems must comply with both regimes. The AI Act adds to, it does not subtract, privacy obligations.
- The key formula is «without prejudice to the GDPR»: it means that the AI Act does not touch the rules on personal data. An SME that thinks it can "cover" privacy by adopting AI Act measures makes a mistake: they are two cumulative tracks.
- The system of penalties is severe and has a dual threshold (see below): GDPR penalties remain among the highest in the EU legal order and sit alongside (and may be cumulated with) the further penalties provided for by the AI Act.
- Practical junctures where AI and the GDPR intertwine: the legal basis for training data, minimisation, automated decision-making and profiling (Art. 22), the DPIA (Art. 35) which often has to be carried out precisely for high-impact AI systems.
- For an SME the efficient path is a single governance framework that handles the GDPR, the AI Act and (if adopted) ISO/IEC 42001 together, avoiding duplicated compliance efforts.
Practical obligations for an SME
- Record of processing activities (Art. 30): map the processing of personal data, including that carried out through AI systems.
- Legal basis (Art. 6) and transparency (Arts. 13-14): identify the legal basis for each AI processing operation and inform data subjects clearly.
- DPIA (Art. 35): carry out a Data Protection Impact Assessment where the processing (often via AI) presents high risks to the rights of data subjects.
- Automated decision-making (Art. 22): oversee cases of solely automated decision-making/profiling, ensuring human intervention, information and the right to contest.
- Security (Art. 32) and data breaches (Arts. 33-34): adequate technical/organisational measures and a procedure for notifying breaches to the Garante within 72 hours.
- Contracts (Art. 28): govern in writing the relationship with data processors (e.g. providers of AI services/models that process data on behalf of the company).
- Penalties — dual threshold (Art. 83): up to EUR 20 million or 4% of total annual worldwide turnover of the preceding financial year (whichever is higher) for the most serious infringements (Art. 83(5)); up to EUR 10 million or 2% of total annual worldwide turnover for the infringements referred to in Art. 83(4).
Positioning note (NomotecnIA): NomotecnIA provides guidance and readiness support in coordinating the GDPR and the AI Act within a single governance framework; it is not a notified body and does not issue certifications of conformity with either the GDPR or the AI Act. The formal privacy function (e.g. appointing a DPO where required) remains the responsibility of the controller.
From the rule to your business
Coordinate the GDPR and the AI Act in a single governance framework?
The AI Entry Assessment maps your processing operations and AI systems, tells apart the GDPR and AI Act tracks, and hands you back a prioritised, non-duplicated compliance roadmap.