How does the EU AI Act differ from the GDPR?

The EU AI Act and the GDPR are two fundamentally different laws with different purposes. While the GDPR protects the privacy of personal data, the EU AI Act regulates the risks posed by AI systems themselves, regardless of whether those systems process personal data. The two laws complement each other and overlap in specific areas, but they do not replace one another. In this article, we answer the most frequently asked questions about the difference between the two laws and what that means for your organization.

What does the EU AI Act address that the GDPR does not cover?

The EU AI Act regulates the safety, transparency, and reliability of AI systems throughout their entire lifecycle. The GDPR focuses exclusively on the processing of personal data. The AI Act goes further: it applies to every AI system, even if it does not process personal data, and sets requirements for the design, operation, and risk management of those systems.

Specifically, the EU AI Act addresses matters that fall outside the scope of the GDPR, such as:

  • The ban on manipulative AI techniques that influence behavior without a person’s awareness
  • Mandatory technical documentation for AI systems in accordance with specific annexes
  • Requirements for the quality of training data, including the mitigation of bias
  • Mandatory CE marking and registration in an EU database for high-risk systems
  • Human oversight as a design requirement, including protection against automation bias
  • Rules for General-Purpose AI (GPAI) models, such as large language models

The GDPR sets requirements for how personal data is handled. The EU AI Act sets requirements for how an AI system is built, tested, and deployed, regardless of the type of data it processes. That is a fundamentally different starting point.

To which organizations does the EU AI Act apply?

The EU AI Act applies to any organization that develops, places on the market, imports, distributes, or uses AI systems within the European Union. This also applies to organizations outside the EU that offer AI systems to users within the EU. The law distinguishes between different roles, each with its own obligations.

The main roles are:

  • Providers: organizations that develop and market AI systems. They bear the heaviest obligations.
  • Deployers (data controllers): organizations that deploy an AI system under their own authority. They have less stringent but specific obligations, such as assigning human oversight and retaining logs for at least six months.
  • Importers and distributors: They must verify that conformity assessments have been conducted and retain the related documentation for ten years.

An important point to note: a deployer, importer, or distributor becomes a provider—with all the associated obligations—if they put their name on a system, make a substantial change to it, or modify its intended purpose in such a way that the system falls into the high-risk category. Providers outside the EU must also appoint an authorized representative within the EU.

What are the risk categories in the EU AI Act, and how do they work?

The EU AI Act uses four risk levels: unacceptable risk (prohibited), high risk (strictly regulated), limited risk (minimal transparency requirements), and minimal or no risk (unregulated). Most current AI applications fall into the lowest category and are exempt from specific requirements.

Prohibited AI Applications

Applications that pose an unacceptable risk are completely prohibited, and these prohibitions will take effect on February 2, 2025. These include, among other things, AI that uses subliminal manipulation techniques, government social scoring systems, emotion recognition in the workplace or in educational institutions (except for medical or safety exceptions), and real-time biometric identification in public spaces for law enforcement purposes, except in strictly defined cases.

High-Risk AI Systems

High-risk AI is defined in two ways. First: systems that constitute a safety component of a product subject to EU harmonization legislation. Second: systems that fall within one of the eight domains listed in Annex III, including biometrics, critical infrastructure, education, employment, access to essential services, law enforcement, migration, and the administration of justice. Systems that perform profiling of natural persons are always considered high-risk, even if they otherwise have a limited function.

Which obligations overlap between the AI Act and the GDPR?

The EU AI Act and the GDPR overlap in the area of data protection for high-risk AI systems. Deployers of high-risk systems must, where applicable, conduct a data protection impact assessment (DPIA), a requirement that already applies under the GDPR for high-risk data processing. Furthermore, both laws require transparency toward data subjects and emphasize human oversight.

Other overlapping elements include:

  • Rights of data subjects: Individuals who are subject to a decision made by a high-risk AI system may, pursuant to Article 86 of the AI Act, request an explanation of the determining factors. The GDPR provides for a similar right in the context of automated decision-making (Article 22 of the GDPR).
  • Logging and documentation: Both laws require the recording of processing activities and decisions, albeit with different specifications and retention periods.
  • Data Quality: The AI Act sets requirements for training data (relevant, representative, and as free as possible from errors and bias). The GDPR sets requirements for the accuracy of personal data. For AI systems trained on personal data, both sets of requirements therefore apply simultaneously.

In practice, this means that organizations must assess their AI-driven processes against both legal frameworks, because compliance with one law does not automatically guarantee compliance with the other.

What are the fines and enforcement measures under the EU AI Act compared to the GDPR?

Both laws impose substantial fines, but the systems differ. The GDPR imposes fines of up to 20 million euros or 4% of global annual revenue. The EU AI Act has three categories of fines depending on the severity of the violation: up to 35 million euros or 7% of global annual revenue for violations of prohibited practices, up to 15 million euros or 3% for other violations, and up to 7.5 million euros or 1.5% for providing incorrect information.

In terms of enforcement, the EU AI Act introduces a new regulatory landscape. The European Commission’s AI Office oversees GPAI models and models posing systemic risk. National supervisory authorities are responsible for enforcing the remaining provisions. In the Netherlands, the Dutch Data Protection Authority is expected to play a role in enforcement at the intersection of AI and data protection, but the exact division of responsibilities among supervisory authorities will be further elaborated in 2026.

One key difference is that the GDPR is already fully in effect, while the EU AI Act will be implemented in phases. The prohibited practices will take effect on February 2, 2025; the obligations for GPAI model providers will take effect on August 2, 2025; and the full set of high-risk obligations will take effect later during the implementation period.

How are Dutch organizations preparing for both laws at the same time?

Dutch organizations can best prepare by first conducting an AI assessment, determining the risk category of each system, and then identifying the overlap between GDPR obligations and AI Act obligations. By combining compliance efforts, you can avoid duplication of work and build a cohesive governance framework.

A practical step-by-step approach:

  1. Make an inventory of all AI systems that your organization uses or develops, including tools purchased from third-party vendors.
  2. Classify each system by risk level in accordance with the AI Act. Systems listed in Annex III or that involve the profiling of individuals are high-risk.
  3. Assess your organization’s role: Are you a provider, deployer, importer, or distributor? Each role entails different obligations.
  4. Align existing GDPR processes with the new AI Act requirements. Existing DPIA procedures, processing records, and incident reporting processes can serve as a foundation.
  5. Establish human oversight for high-risk systems and ensure that the employees involved are trained and qualified for that role.
  6. Retain logs and documentation in accordance with the required retention periods: deployers must retain logs for at least six months, and importers must retain compliance documentation for ten years.

For organizations that use AI in customer interactions or process automation, it is also important to inform employees about AI systems prior to their implementation, as required by Article 26(7) of the AI Act.

How Pegamento Helps with AI Compliance and Responsible AI Use

We understand that the combination of the EU AI Act and the GDPR can feel complex for many organizations—especially when you’re simultaneously working to improve your customer interactions, automate processes, and modernize your systems. At Pegamento, we develop AI solutions for customer service that are designed from the ground up with human oversight, transparency, and responsible use as our guiding principles. Our Agentic AI represents an evolution from task-oriented bots to self-thinking assistants that not only follow instructions but also take the initiative and act independently—always within clear parameters and under human oversight.

What we can do for your organization:

  • Understanding which AI applications within your customer engagement environment fall under which risk category
  • Implementation of AI systems in which logging, documentation, and human oversight are built in as standard features
  • A single point of contact for development, implementation, management, and support, so you don’t have to manage a complex supplier structure
  • Customized solutions using standard building blocks, certified in accordance with ISO 27001 (information security), ISO 9001, and ISO 26000

Would you like to know how to make your AI implementation both future-proof and compliant? Contact us, and we’d be happy to help you figure it out.

Frequently Asked Questions

Does the EU AI Act apply even if my organization only uses AI tools from third-party providers, such as ChatGPT or Microsoft Copilot?

Yes, even if you use only third-party AI tools, you are subject to the EU AI Act as a deployer. You are then responsible for assigning human oversight, retaining logs for at least six months, and informing employees before deployment. Also, verify that the supplier is fulfilling its obligations as a provider, because as a deployer, you are jointly responsible for compliance within your organizational context.

What happens if an AI system we’re currently using is later classified as high-risk?

If a system is subsequently found to fall into the high-risk category, your organization must still comply with all associated obligations, such as establishing human oversight, preparing technical documentation, and conducting a DPIA. The sooner you perform a correct classification, the more time you’ll have to become compliant before the enforcement deadlines. A proactive AI inventory is therefore not a one-time exercise, but something you must repeat periodically, especially when a system’s function or scope changes.

Do we need to update our existing DPIA’s now that the EU AI Act is in effect?

Not necessarily update them, but rather expand and supplement them. An existing DPIA under the GDPR covers the risks to personal data, but the EU AI Act requires deployers of high-risk AI systems to also consider the broader AI-specific risks, such as automation bias, robustness, and the quality of training data. In practical terms, you can add an AI-specific addendum to existing DPIA’s, so that you have a single integrated assessment document that complies with both legal frameworks.

How do I properly inform employees about the use of AI systems, as required by the AI Act?

Article 26(7) of the EU AI Act requires deployers to inform employees about the AI systems they will be working with before the systems are put into use. In practice, this means you must, at a minimum, explain which system is being used, what it does, what decisions it supports or makes, and how employees can fulfill their oversight role. This can be done through an internal policy document, targeted training, or an onboarding module—in any case, make sure you can demonstrate that the information was actually provided before the system went live.

What is the risk if we do nothing and wait until enforcement is fully underway?

Waiting is risky for several reasons. The bans on certain AI applications will take effect as of February 2, 2025, which means that if you use prohibited systems, you could already face fines of up to 35 million euros or 7% of your global annual revenue. Furthermore, building a compliant AI governance framework takes considerably more time than organizations typically estimate, especially if you also need to integrate GDPR processes. Starting early gives you the flexibility to work step-by-step without time pressure.

Does the EU AI Act also apply to AI systems that we use internally and do not offer to customers?

Yes, the EU AI Act also applies to AI systems used internally, provided they are used within the EU. Think of systems for HR decisions, performance evaluations, or recruitment and selection—these are explicitly listed as high-risk applications in Annex III. The fact that a system is not publicly accessible or does not have a customer-facing function does not exempt your organization from the obligations that apply to the risk category into which the system falls.

How do I know if an AI supplier is truly compliant with the EU AI Act, and what should I include in the contract?

Ask suppliers for verifiable documentation: technical documentation in accordance with the AI Act annexes, a statement of conformity (for high-risk systems), and information on how they handle data quality, bias mitigation, and human oversight. Contractually, it is wise to establish agreements regarding who bears which obligations, what happens in the event of a substantial change to the system, and how the supplier will notify you of changes that could affect the risk category. After all, a supplier’s negligence does not relieve you, as the deployer, of your own responsibility.

More blogs

Download the white paper here

Deepen your knowledge with Pegamento’s white papers.

Joost Schaap-Account manager Pegamento

Joost Schaap

Senoir Account Manager

When a customer contacts an organization because they have a complaint, it is crucial that the employee of the organization begin by listening carefully. What does this complaint mean for the customer and also for their own organization? How can this complaint be resolved? After listening carefully the employee needs the right information so that a solution can be offered.

This piece was written by Joost Schaap, working as an Account Manager at Pegamento.

Tim Treurniet-AI developer Pegamento

Tim Treurniet

Designer of Intelligent Systems

Real childhood heroes I never had. But in retrospect, I believe figures like Willie Carrot or Dexter’s lab may have had an influence on me. I get energy from actually making innovative and useful products myself. Nothing like seeing the effect of a project that automates a boring task, or makes a complex process suddenly accessible.

A nice bridge to my photograph is the physical aspect of my work. By working with image recognition, I am often very directly connected to the physical world and my work is more than just programming. For example, our image recognition software ensures safety on bridges, tracks players on a soccer field or uses your own smartphone to accurately measure yourself. This combination between physical and digital provides variety and extra challenge. For me, these are the main reasons for my interest and enthusiasm in what I do!

This piece was written by Tim Treurniet, employed Designer of intelligent systems at Pegamento.

Vera van der Plas-UI-UX designer

Vera van der Plas

UI/UX Designer

As a UX/UI designer, I deal daily with transforming complex data into user-friendly visualizations. All of this topped off with a digital lick of paint which should attract the visitor’s attention to take action.

One of the interesting aspects of this field I find the effects that small tweaks, both textual and visual, can have on conversion. The psychological impact that a simple background color of a CTA button has on our behavior is huge. After all, that color can determine whether or not you are going to buy that product.

What we see and how our brains process and interpret this information fascinates me. The possibilities of subconsciously pointing potential customers in your chosen direction are endless. I hope to apply my expertise more often within our solutions in the future.

This piece was written by Vera van der Plas, working as a UX/UI Designer at Pegamento.

Fouad Rahaoui-Finance Pegamento

Fouad Rahaoui

Financial Controller

A Financial Controller within a company should not only be an expert in Finance. You must also have knowledge of the latest IT developments. Because these are also moving very quickly in the world of Finance.

At Pegamento, I can learn all about the latest IT developments. Like the latest development in the field of Machine learning and deep learning.

Through these application areas, as Financial Controller, I can further automate the financial business processes within Pegamento and implement improvements for the automatic processing of financial data.

This piece was written by Fouad Rahaoui, working as a Financial Controller at Pegamento.

Ernst Vegter-Business consultant Pegamento

Ernst Vegter

Business Consultant

Hospitality is one of my deepest motivations.
Not surprisingly, of course, customer service is a common thread in my career. Aspects of hospitality is being able to connect, to facilitate but mainly to make someone feel genuinely welcome. My intuition is my greatest asset to be able to put myself in the shoes of a guest. A customer is my guest.

Fed by various senses, an image forms around the client. I listen to what is being said, watch facial expressions, taste the underlying tone and get a feel for the challenge to be addressed. An image literally forms on my retina. I have to be able to see it. If I can see it, I can create it.

In this, the trick is to pursue simplicity, give the client a warm feeling that the problem is understood, receive good advice, facilitated and carefully guided to the solution. Trust, connect and unburden.

The feeling when a guest arrives at your hotel after a long tiring journey, can sit in front of the fireplace, be handed a good glass of wine and stare carefree at the fire. My guest knows it will be okay.

This piece was written by Ernst Vegter, working as a Business Consultant at Pegamento.

Gunisch-AI developer Pegamento

Gunish Alag

AI Developer

A picture is worth a thousand words, is an expression most of us have heard. We see a lot of things around us on a daily basis and subconciously have the ability to recognize and understand them. This ability of humans to me seems bizarre.

As a computer vision developer at Pegamento that is what I do, break down complex problems and turn them into solutions using images by meticulously extracting useful data.
With the world moving forward and new technologies emerging, complicated problems which were difficult to solve a decade earlier suddenly seem possible and viable. The future is full of new challenges and I look forward to them.

This story is written by Gunish, working as an AI developer at Pegamento.

Ewold Jansen-Service engineer Pegamento

Ewold Jansen

Service & Support Engineer

Hearing the wishes a customer has or the problems a customer is facing is important in order to then be able to help them properly. In both cases, I help find the right solution.

When the customer comes to us with a desire, they don’t know what all the options are. In this I advise them to make the right choices. When problems arise, listening to them is important. For example, a problem arises from a wrong action. By communicating well in this, many problems can be solved quickly by explaining it well. Through poor communication, a small problem can become very big.

This piece was written by Ewold Jansen, working as a Service & Support Engineer at Pegamento.

Andre Glasbergen-Scrum master Pegamento

Andre Glasbergen

Scrum Master

After completing my studies, I started working as a developer at a young Pegamento with a lot of ambition and enthusiasm. In the first years I learned all about process automation, now better known as RPA. I often had to rack my brains to convert the work instruction into a logical function, with not too many If-statements, so that the robot could perform the work.

I developed further and went to work as a consultant. Listening well to the customer and supporting in the pre-sales phase of projects. Executing projects and listening suited me very well. It was a small, but logical, step to now work as a Scrum Master and Project Manager. I have been supervising projects for a few years now. Such as RPA, Cloud applications and AI, according to the Human lead agile approach, We build this with a large team of specialists.

This piece was written by André Glasbergen, working as a Scrum Master at Pegamento.

Ensar Ari-IT engineer Pegamento

Ensar Ari

IT Engineer

Good communication between customer and organization is very important. As an organization, you naturally want to be easily accessible to your customers. Either via social media channels or via the old familiar telephone. Often organizations do not know exactly how they want their telephone line set up. That is why I like to help them think along and give them ideas. I believe there is a solution to every problem. But sometimes you just need someone who looks at the situation a little differently.

This piece was written by Ensar Ari, working as an IT Engineer at Pegamento.

Nini Heerings-Chief Happiness Officer Pegamento

Nini Heerings

Chief Happiness Officer

“You get to know someone better by playing for an hour than by talking for a year.”

This quote from Plato is totally hitting home for me. That’s why I like to connect people through play. Because while playing, you are totally on, all your senses at work.
In my great role as Chief Happiness Officer, I want to do that by connecting colleagues with each other and with the organization. In a creative and playful way that suits Pegamento.

When I’m not at work, I also enjoy connecting people. I do this by organizing The Playground, where adults play games you used to play in the schoolyard, gymnasium or neighborhood playground. The pure feeling of fun, total relaxation and no thoughts of anything but playing. That feeling is the goal.

This piece was written by Nini, working as Chief Happiness Officer at Pegamento.

Ger Koedam-Communication & Marketing Pegamento

Ger Koedam

Marketing & Communications

How can I help you? That’s pretty much the first question I ask when talking to people who are curious about our services. In such a conversation, the use of senses is very important. Because not everyone is the same. One person thinks in images, while for another words are important or how something feels. For me, sight and hearing are the most beautiful senses, because both eyes and ears absorb information and can convey or process emotions.

Why hearing? Because listening is essential in contact. And it’s the key to unlocking valuable insights.

I developed this skill early on. As a child, I enjoyed radio plays on the radio, bringing the stories to life in my head.

Pim Ritmijer-Software developer Pegamento

Pim Ritmeijer

Software Developer

Programming is more than just “code knocking. For me, listening to what the customer wants and visualizing that is an important part of software development.

Actively listening to a customer to understand the customer’s full story is crucial before building a solution. When you understand a customer’s story, you can think together about a solution that truly helps the customer.

Visualizing solutions is the next step for me. What will be the route we will climb to get to a solution? What challenges are we going to face to get to the top?

Like climbing, good preparation is valuable. Even though you can’t prepare for everything, preparation helps make the application fit the client’s needs as well as possible.

What a beautiful and fascinating profession programming is.

This piece was written by Pim Ritmeijer, working as a Software Developer at Pegamento.

Denise Verhoef-Software developer Pegamento

Denise Verhoef

Software Developer

Hearing is something you do a lot of as a programmer but also thinking, for example, when you are tasked with putting together a customer need. If the customer wants a function for his application, it is important that as a programmer you think carefully about which functions are functional and which functions are not. In this way, you will put together the most functional application possible and the customer will have a good end product. Turning needs into code into functionality is something I find interesting.

I am currently doing an internship at Pegamento and studying Software Developer. I get a lot of information that you have to process and apply. The nice thing about this is that you can learn new things but also that you can experience how it works in real business. I started this training last year and knew nothing about programming beforehand. Now I can find my own way with programming and I enjoy working with it. That you can get from a blank page to a functional application through code is cool!

This piece was written by Denise Verhoef, working as a Software Developer intern at Pegamento.

Remco Pabst-Business consultant Pegamento

Remco Pabst

Computer Vision & AI Lead

Using innovative software technology for people or business to make “things” easier and smarter is really a driving force. That’s why the connection between the senses appeals to me the most. Our brains connect the senses just like a business process connects people, systems (data) and logic. They register and trigger an action, exactly how it should be in an optimal workflow. Very cool what is already possible today when we add a lot of computational power to that as well.

Hearing also means a lot. Not because I like to listen to Jazz, Soul, Deep House or Focus-like music every day AND have to be able to listen well to interpret a wish or pain point, but more because not everyone can have all the senses at their disposal. Think of him or her with a visual impairment. The fact that in close cooperation we were able to apply AI, TTS/STT technology (which is still in development) for this often underserved group of people in today’s digital world and to improve the interaction and experience with it gives me a lot of energy and meaning to what I try to do with technology; create value.

This piece was written by Remco, working as a Business Consultant at Pegamento.

Thomas de Wolf-Vision Engineer Pegamento

Thomas de Wolf

R&D Director

Once when I had to choose which study I was going to do, I had a hard time making that choice. I was interested in engineering, but what I most wanted to do was just work with a team toward a common goal.

To this day, that is still what I love doing most. The technology has become image recognition and the team the computer vision department of Pegamento. So it’s logical that in terms of sense, I end up with “seeing. By using our image recognition solutions to see things in the real world, our entire team solves relevant problems for our customers. And because of the variation in customers, the places where our solutions end up are never the same. For example, one moment I am in the control room of a bridge and the next day I am on a production line for sandwiches or between the fences of a TBS clinic.

This piece was written by Thomas de Wolf, working as a Computer Vision & AI Lead at Pegamento.

Rob Roode-Research Development

Rob Roode

Research & Development

Recognizing and automating patterns. Tasks we are constantly working on when implementing our robots at Pegamento. My 2 Drentsche Patrijshonden are hunting dogs and certainly not robots. The hunting instinct and intuition is basically in their genes. Continuing to offer new forms of training has taught them to recognize and act independently in hunting situations. Even “unsupervised,” even if I’m not around.

But when you try to teach a brain something, it also starts to see things you don’t expect. Dogs pick up on the slightest deviation in your voice or directions. To start recognizing that and correcting it again is perhaps the most complex challenge. But in our work, for the wonderful clients for whom we get to work, it often yields the most beautiful new insights!

This piece was written by Rob, founder of Pegamento and in charge of Marketing and R&D.

Serge Poppes-CEO Pegamento

Serge Poppes

CEO

Feeling. That’s the best thing Pegamento stands for. Feeling for technology in the broadest sense of the word. Not only feeling for the exciting stuff like AI, but also for the basics of communication.

The very best part of my job is selling, listening, translating and thinking about what really matters. We bring the digital transformation with a great team!
The diversity of our team, how sharp we are, but especially the wonderful things we get to make makes me feel extremely good. Hence, I intuitively chose the sense of “feeling.

Feeling gives life and differentiation!