{"id":31911,"date":"2026-07-03T08:00:00","date_gmt":"2026-07-03T06:00:00","guid":{"rendered":"https:\/\/pegamento.nl\/niet-gecategoriseerd\/how-does-the-eu-ai-act-differ-from-the-gdpr\/"},"modified":"2026-07-03T10:01:05","modified_gmt":"2026-07-03T08:01:05","slug":"how-does-the-eu-ai-act-differ-from-the-gdpr","status":"publish","type":"post","link":"https:\/\/pegamento.nl\/en\/contact-center\/how-does-the-eu-ai-act-differ-from-the-gdpr\/","title":{"rendered":"How does the EU AI Act differ from the GDPR?"},"content":{"rendered":"<p>The <strong>EU AI Act<\/strong> and the GDPR are two fundamentally different laws with different purposes. While the GDPR protects the privacy of personal data, the EU AI Act regulates the risks posed by AI systems themselves, regardless of whether those systems process personal data. The two laws complement each other and overlap in specific areas, but they do not replace one another. In this article, we answer the most frequently asked questions about the difference between the two laws and what that means for your organization.   <\/p>\n<h2>What does the EU AI Act address that the GDPR does not cover?<\/h2>\n<p>The EU AI Act regulates the safety, transparency, and reliability of AI systems throughout their entire lifecycle. The GDPR focuses exclusively on the processing of personal data. The AI Act goes further: it applies to every AI system, even if it does not process personal data, and sets requirements for the design, operation, and risk management of those systems.  <\/p>\n<p>Specifically, the EU AI Act addresses matters that fall outside the scope of the GDPR, such as:<\/p>\n<ul>\n<li>The ban on manipulative AI techniques that influence behavior without a person&#8217;s awareness<\/li>\n<li>Mandatory technical documentation for AI systems in accordance with specific annexes<\/li>\n<li>Requirements for the quality of training data, including the mitigation of bias<\/li>\n<li>Mandatory CE marking and registration in an EU database for high-risk systems<\/li>\n<li>Human oversight as a design requirement, including protection against automation bias<\/li>\n<li>Rules for General-Purpose AI (GPAI) models, such as large language models<\/li>\n<\/ul>\n<p>The GDPR sets requirements for <em>how<\/em> personal data is handled. The EU AI Act sets requirements for <em>how<\/em> an AI system is built, tested, and deployed, regardless of the type of data it processes. That is a fundamentally different starting point.  <\/p>\n<h2>To which organizations does the EU AI Act apply?<\/h2>\n<p>The EU AI Act applies to any organization that develops, places on the market, imports, distributes, or uses AI systems within the European Union. This also applies to organizations outside the EU that offer AI systems to users within the EU. The law distinguishes between different roles, each with its own obligations.  <\/p>\n<p>The main roles are:<\/p>\n<ul>\n<li><strong>Providers:<\/strong> organizations that develop and market AI systems. They bear the heaviest obligations. <\/li>\n<li><strong>Deployers (data controllers):<\/strong> organizations that deploy an AI system under their own authority. They have less stringent but specific obligations, such as assigning human oversight and retaining logs for at least six months. <\/li>\n<li><strong>Importers and distributors:<\/strong> They must verify that conformity assessments have been conducted and retain the related documentation for ten years.<\/li>\n<\/ul>\n<p>An important point to note: a deployer, importer, or distributor becomes a provider\u2014with all the associated obligations\u2014if they put their name on a system, make a substantial change to it, or modify its intended purpose in such a way that the system falls into the high-risk category. Providers outside the EU must also appoint an authorized representative within the EU. <\/p>\n<h2>What are the risk categories in the EU AI Act, and how do they work?<\/h2>\n<p>The EU AI Act uses four risk levels: unacceptable risk (prohibited), high risk (strictly regulated), limited risk (minimal transparency requirements), and minimal or no risk (unregulated). Most current AI applications fall into the lowest category and are exempt from specific requirements. <\/p>\n<h3>Prohibited AI Applications<\/h3>\n<p>Applications that pose an unacceptable risk are completely prohibited, and these prohibitions will take effect on February 2, 2025. These include, among other things, AI that uses subliminal manipulation techniques, government social scoring systems, emotion recognition in the workplace or in educational institutions (except for medical or safety exceptions), and real-time biometric identification in public spaces for law enforcement purposes, except in strictly defined cases. <\/p>\n<h3>High-Risk AI Systems<\/h3>\n<p>High-risk AI is defined in two ways. First: systems that constitute a safety component of a product subject to EU harmonization legislation. Second: systems that fall within one of the eight domains listed in Annex III, including biometrics, critical infrastructure, education, employment, access to essential services, law enforcement, migration, and the administration of justice. Systems that perform profiling of natural persons are always considered high-risk, even if they otherwise have a limited function.   <\/p>\n<h2>Which obligations overlap between the AI Act and the GDPR?<\/h2>\n<p>The EU AI Act and the GDPR overlap in the area of data protection for high-risk AI systems. Deployers of high-risk systems must, where applicable, conduct a data protection impact assessment (DPIA), a requirement that already applies under the GDPR for high-risk data processing. Furthermore, both laws require transparency toward data subjects and emphasize human oversight.  <\/p>\n<p>Other overlapping elements include:<\/p>\n<ul>\n<li><strong>Rights of data subjects:<\/strong> Individuals who are subject to a decision made by a high-risk AI system may, pursuant to Article 86 of the AI Act, request an explanation of the determining factors. The GDPR provides for a similar right in the context of automated decision-making (Article 22 of the GDPR). <\/li>\n<li><strong>Logging and documentation:<\/strong> Both laws require the recording of processing activities and decisions, albeit with different specifications and retention periods.<\/li>\n<li><strong>Data Quality:<\/strong> The AI Act sets requirements for training data (relevant, representative, and as free as possible from errors and bias). The GDPR sets requirements for the accuracy of personal data. For AI systems trained on personal data, both sets of requirements therefore apply simultaneously.  <\/li>\n<\/ul>\n<p>In practice, this means that organizations must assess their <a href=\"https:\/\/pegamento.nl\/en\/ai-powered-intelligence\/\">AI-driven processes<\/a> against both legal frameworks, because compliance with one law does not automatically guarantee compliance with the other.<\/p>\n<h2>What are the fines and enforcement measures under the EU AI Act compared to the GDPR?<\/h2>\n<p>Both laws impose substantial fines, but the systems differ. The GDPR imposes fines of up to 20 million euros or 4% of global annual revenue. The EU AI Act has three categories of fines depending on the severity of the violation: up to 35 million euros or 7% of global annual revenue for violations of prohibited practices, up to 15 million euros or 3% for other violations, and up to 7.5 million euros or 1.5% for providing incorrect information.  <\/p>\n<p>In terms of enforcement, the EU AI Act introduces a new regulatory landscape. The European Commission\u2019s <strong>AI Office<\/strong> oversees GPAI models and models posing systemic risk. National supervisory authorities are responsible for enforcing the remaining provisions. In the Netherlands, the Dutch Data Protection Authority is expected to play a role in enforcement at the intersection of AI and data protection, but the exact division of responsibilities among supervisory authorities will be further elaborated in 2026.   <\/p>\n<p>One key difference is that the GDPR is already fully in effect, while the EU AI Act will be implemented in phases. The prohibited practices will take effect on February 2, 2025; the obligations for GPAI model providers will take effect on August 2, 2025; and the full set of high-risk obligations will take effect later during the implementation period. <\/p>\n<h2>How are Dutch organizations preparing for both laws at the same time?<\/h2>\n<p>Dutch organizations can best prepare by first conducting an AI assessment, determining the risk category of each system, and then identifying the overlap between GDPR obligations and AI Act obligations. By combining compliance efforts, you can avoid duplication of work and build a cohesive governance framework. <\/p>\n<p>A practical step-by-step approach:<\/p>\n<ol>\n<li><strong>Make an inventory of all AI systems<\/strong> that your organization uses or develops, including tools purchased from third-party vendors.<\/li>\n<li><strong>Classify each system<\/strong> by risk level in accordance with the AI Act. Systems listed in Annex III or that involve the profiling of individuals are high-risk. <\/li>\n<li><strong>Assess your organization\u2019s role:<\/strong> Are you a provider, deployer, importer, or distributor? Each role entails different obligations. <\/li>\n<li><strong>Align existing GDPR processes<\/strong> with the new AI Act requirements. Existing DPIA procedures, processing records, and incident reporting processes can serve as a foundation. <\/li>\n<li><strong>Establish human oversight<\/strong> for high-risk systems and ensure that the employees involved are trained and qualified for that role.<\/li>\n<li><strong>Retain logs and documentation<\/strong> in accordance with the required retention periods: deployers must retain logs for at least six months, and importers must retain compliance documentation for ten years.<\/li>\n<\/ol>\n<p>For organizations that use AI in customer interactions or process automation, it is also important to inform employees about AI systems prior to their implementation, as required by Article 26(7) of the AI Act.<\/p>\n<h2>How Pegamento Helps with AI Compliance and Responsible AI Use<\/h2>\n<p>We understand that the combination of the EU AI Act and the GDPR can feel complex for many organizations\u2014especially when you\u2019re simultaneously working to improve your customer interactions, automate processes, and modernize your systems. At Pegamento, we develop <a href=\"https:\/\/pegamento.nl\/en\/agentic-ai-for-customer-service\/\">AI solutions for customer service<\/a> that are designed from the ground up with human oversight, transparency, and responsible use as our guiding principles. Our Agentic AI represents an evolution from task-oriented bots to self-thinking assistants that not only follow instructions but also take the initiative and act independently\u2014always within clear parameters and under human oversight.   <\/p>\n<p>What we can do for your organization:<\/p>\n<ul>\n<li>Understanding which AI applications within your customer engagement environment fall under which risk category<\/li>\n<li>Implementation of AI systems in which logging, documentation, and human oversight are built in as standard features<\/li>\n<li>A single point of contact for development, implementation, management, and support, so you don&#8217;t have to manage a complex supplier structure<\/li>\n<li>Customized solutions using standard building blocks, certified in accordance with <strong>ISO 27001<\/strong> (information security), ISO 9001, and ISO 26000<\/li>\n<\/ul>\n<p>Would you like to know how to make your AI implementation both future-proof and compliant? <a href=\"https:\/\/pegamento.nl\/en\/contact-2\/\">Contact us<\/a>, and we\u2019d be happy to help you figure it out.<\/p>\n        <div class=\"wp-block-seoaic-faq-block\">\n            <h2 class=\"seoaic-faq-section-title\">Frequently Asked Questions<\/h2>\n                            <div class=\"seoaic-faq-item\">\n                    <h3 class=\"seoaic-question\">\n                        Does the EU AI Act apply even if my organization only uses AI tools from third-party providers, such as ChatGPT or Microsoft Copilot?                    <\/h3>\n                    <p class=\"seoaic-answer\">\n                        Yes, even if you use only third-party AI tools, you are subject to the EU AI Act as a deployer. You are then responsible for assigning human oversight, retaining logs for at least six months, and informing employees before deployment. Also, verify that the supplier is fulfilling its obligations as a provider, because as a deployer, you are jointly responsible for compliance within your organizational context.                    <\/p>\n                <\/div>\n                                <div class=\"seoaic-faq-item\">\n                    <h3 class=\"seoaic-question\">\n                        What happens if an AI system we\u2019re currently using is later classified as high-risk?                    <\/h3>\n                    <p class=\"seoaic-answer\">\n                        If a system is subsequently found to fall into the high-risk category, your organization must still comply with all associated obligations, such as establishing human oversight, preparing technical documentation, and conducting a DPIA. The sooner you perform a correct classification, the more time you\u2019ll have to become compliant before the enforcement deadlines. A proactive AI inventory is therefore not a one-time exercise, but something you must repeat periodically, especially when a system\u2019s function or scope changes.                    <\/p>\n                <\/div>\n                                <div class=\"seoaic-faq-item\">\n                    <h3 class=\"seoaic-question\">\n                        Do we need to update our existing DPIA\u2019s now that the EU AI Act is in effect?                    <\/h3>\n                    <p class=\"seoaic-answer\">\n                        Not necessarily update them, but rather expand and supplement them. An existing DPIA under the GDPR covers the risks to personal data, but the EU AI Act requires deployers of high-risk AI systems to also consider the broader AI-specific risks, such as automation bias, robustness, and the quality of training data. In practical terms, you can add an AI-specific addendum to existing DPIA\u2019s, so that you have a single integrated assessment document that complies with both legal frameworks.                    <\/p>\n                <\/div>\n                                <div class=\"seoaic-faq-item\">\n                    <h3 class=\"seoaic-question\">\n                        How do I properly inform employees about the use of AI systems, as required by the AI Act?                    <\/h3>\n                    <p class=\"seoaic-answer\">\n                        Article 26(7) of the EU AI Act requires deployers to inform employees about the AI systems they will be working with before the systems are put into use. In practice, this means you must, at a minimum, explain which system is being used, what it does, what decisions it supports or makes, and how employees can fulfill their oversight role. This can be done through an internal policy document, targeted training, or an onboarding module\u2014in any case, make sure you can demonstrate that the information was actually provided before the system went live.                    <\/p>\n                <\/div>\n                                <div class=\"seoaic-faq-item\">\n                    <h3 class=\"seoaic-question\">\n                        What is the risk if we do nothing and wait until enforcement is fully underway?                    <\/h3>\n                    <p class=\"seoaic-answer\">\n                        Waiting is risky for several reasons. The bans on certain AI applications will take effect as of February 2, 2025, which means that if you use prohibited systems, you could already face fines of up to 35 million euros or 7% of your global annual revenue. Furthermore, building a compliant AI governance framework takes considerably more time than organizations typically estimate, especially if you also need to integrate GDPR processes. Starting early gives you the flexibility to work step-by-step without time pressure.                    <\/p>\n                <\/div>\n                                <div class=\"seoaic-faq-item\">\n                    <h3 class=\"seoaic-question\">\n                        Does the EU AI Act also apply to AI systems that we use internally and do not offer to customers?                    <\/h3>\n                    <p class=\"seoaic-answer\">\n                        Yes, the EU AI Act also applies to AI systems used internally, provided they are used within the EU. Think of systems for HR decisions, performance evaluations, or recruitment and selection\u2014these are explicitly listed as high-risk applications in Annex III. The fact that a system is not publicly accessible or does not have a customer-facing function does not exempt your organization from the obligations that apply to the risk category into which the system falls.                    <\/p>\n                <\/div>\n                                <div class=\"seoaic-faq-item\">\n                    <h3 class=\"seoaic-question\">\n                        How do I know if an AI supplier is truly compliant with the EU AI Act, and what should I include in the contract?                    <\/h3>\n                    <p class=\"seoaic-answer\">\n                        Ask suppliers for verifiable documentation: technical documentation in accordance with the AI Act annexes, a statement of conformity (for high-risk systems), and information on how they handle data quality, bias mitigation, and human oversight. Contractually, it is wise to establish agreements regarding who bears which obligations, what happens in the event of a substantial change to the system, and how the supplier will notify you of changes that could affect the risk category. After all, a supplier\u2019s negligence does not relieve you, as the deployer, of your own responsibility.                    <\/p>\n                <\/div>\n                        <\/div>\n        ","protected":false},"excerpt":{"rendered":"<p>The EU AI Act and the GDPR complement each other\u2014but cover very different areas. Do you know what this means for your organization? <\/p>\n","protected":false},"author":2,"featured_media":31912,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[500],"tags":[],"class_list":["post-31911","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-contact-center"],"_links":{"self":[{"href":"https:\/\/pegamento.nl\/en\/wp-json\/wp\/v2\/posts\/31911","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/pegamento.nl\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/pegamento.nl\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/pegamento.nl\/en\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/pegamento.nl\/en\/wp-json\/wp\/v2\/comments?post=31911"}],"version-history":[{"count":2,"href":"https:\/\/pegamento.nl\/en\/wp-json\/wp\/v2\/posts\/31911\/revisions"}],"predecessor-version":[{"id":31914,"href":"https:\/\/pegamento.nl\/en\/wp-json\/wp\/v2\/posts\/31911\/revisions\/31914"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/pegamento.nl\/en\/wp-json\/wp\/v2\/media\/31912"}],"wp:attachment":[{"href":"https:\/\/pegamento.nl\/en\/wp-json\/wp\/v2\/media?parent=31911"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/pegamento.nl\/en\/wp-json\/wp\/v2\/categories?post=31911"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/pegamento.nl\/en\/wp-json\/wp\/v2\/tags?post=31911"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}