EU AI Act Blogs

AI and Privacy in 2025: how organizations can comply with the EU AI Act

••6 min read

The challenge of AI & Privacy: a practical guide for organizations

The rise of artificial intelligence (AI) offers organizations unprecedented opportunities, from real-time data analysis to automated decision-making and personalization. At the same time, concerns about the protection of personal data and potential forms of discrimination remain high. Since August 1, 2024, the European AI Regulation (EU AI Act) has officially been in effect. These new rules—which come on top of the General Data Protection Regulation (GDPR)—create an even more complex legal landscape. In this blog, we delve deeper into the interplay between AI and privacy in 2025, and examine how organizations can prepare for and comply with these regulations.

Why is privacy so relevant in AI?

AI systems—from machine learning to deep learning—are often 'hungry' for data. Without large and high-quality datasets, these systems cannot function properly. However, this leads to various privacy risks, especially when the datasets contain sensitive personal data:

  • Biometric data (e.g., facial and voice recognition)
  • Health data (e.g., medical records, genetic information)
  • Financial data (e.g., transaction data, credit scores)
  • Location data (e.g., GPS data, travel history)

Under the General Data Protection Regulation (GDPR), organizations must process this data in a lawful, transparent, and secure manner. However, AI systems can unintentionally lead to violations of these principles. Think of the traceability of pseudonymized data, unintended discrimination, or limited possibilities for people to contest decisions. Since the introduction of the EU AI Act (August 1, 2024), this pressure has only increased.

The main privacy challenges

Lack of Transparency and Explainability
Many AI models—especially in deep learning—are 'black boxes'. It is often difficult for data subjects and supervisors to determine how an algorithm arrives at a particular decision. This lack of transparency hampers GDPR compliance monitoring and can lead to a lack of trust.

Data Hunger vs. Data Minimization
AI often needs a lot of data to arrive at reliable analyses and predictions. This conflicts with the principle of data minimization from the GDPR, which stipulates that you may not collect more data than strictly necessary.

Data Reuse
Data collected for one purpose—for example, marketing—is sometimes reused for an AI project (e.g., risk scoring). This may conflict with the purpose limitation principle from the GDPR, which stipulates that data may only be used for the purpose for which it was collected.

Automated Decision-Making and Profiling
AI systems increasingly make automatic decisions with significant impact on individuals (such as in job applications or loan approvals). If the underlying data is biased, the outcome will be too. At the same time, it is complicated for data subjects to object or gain insight into the algorithm's 'reasoning'.

Security Risks
AI systems are not immune to cyber attacks. A 'poisoned' dataset or a security breach can lead to hackers manipulating decisions or stealing sensitive personal data.

The interaction with GDPR

The GDPR continues to apply unabated to organizations processing personal data, including in the context of AI. This includes principles such as:

  • Lawfulness, fairness, and transparency
  • Purpose limitation
  • Data minimization
  • Accuracy
  • Storage limitation
  • Integrity and confidentiality
  • Rights of data subjects (including access, rectification, erasure)
  • Prohibition on automated decision-making with legal effect (Art. 22 GDPR), unless there are specific legal grounds

It is important to understand that the GDPR and the EU AI Act complement and reinforce each other. Where the GDPR lays the foundation for responsible data processing, the EU AI Act adds specific requirements for AI systems. Organizations must therefore develop an integrated approach that incorporates both regulations in the design and implementation of AI solutions. This requires a proactive attitude where privacy and data protection are included from the start in AI projects (Privacy by Design) and where systems are regularly evaluated to ensure they still meet all requirements.

The EU AI Act: new obligations since August 1, 2024

The EU AI Act came into effect on August 1, 2024, and introduces additional rules for the development, deployment, and monitoring of AI systems within the EU. A key point is the classification into risk levels—ranging from low to high-risk AI. Organizations using high-risk AI must comply with strict requirements in the areas of:

  • Data governance and quality
  • Documentation and logging
  • Transparency
  • Human oversight
  • Robustness, security, and accuracy

The EU AI Act and GDPR complement each other: where GDPR focuses on protecting personal data, the EU AI Act zooms in on responsible AI use. With the entry into force in 2024, organizations are now (in 2025) already required to have aligned their AI processes accordingly.

What does this mean for organizations in 2025?

Complying with both the GDPR and the EU AI Act is no longer optional: non-compliance can lead to substantial fines and reputational damage. What can you concretely do?

Conduct a Data Protection Impact Assessment (DPIA)
A DPIA helps identify and assess the privacy risks of an AI system. This is especially urgent if the AI application falls under the high-risk category.

Ensure Transparency and Explainability
Inform internal and external stakeholders about what data you use, which algorithms are deployed, and how the decision-making process works.

Implement Data Minimization
Only collect the personal data absolutely necessary for the intended purpose of the AI application and regularly evaluate if you can 'slim down'.

Secure Data and AI Systems
In addition to the GDPR, the rules around high-risk AI in the EU AI Act require a strongly secured infrastructure. Think of encryption, access controls, and continuous monitoring.

Respect Data Subject Rights
Make it easy for people to exercise their GDPR rights (such as access, rectification, or deletion). Take into account questions about automated decision-making.

Stay Updated on Latest Developments
The EU AI Act may be further strengthened. It is important to follow the guidelines, case law, and any additions or revisions.

Work with Legal and Technical Experts
AI projects require a multidisciplinary approach. Ensure short lines between IT, compliance, and legal advice to respond quickly to new rules.

How to balance AI, privacy, and compliance?

Given the recent entry into force of the EU AI Act, now is the time to reassess your AI processes. By investing in transparency, risk management, and ethics, you can prevent AI projects from getting stuck in legal procedures or reputational damage. The key to success lies in a combination of technical and organizational measures, in close consultation with experts in the fields of data, law, and security. With this approach, you can deploy AI safely, responsibly, and compliantly, ensuring that your organization not only reaps the benefits of AI but also maintains the trust of customers, partners, and supervisors. In 2025, AI is no longer a novelty—it is or is becoming an integral part of business operations, where privacy and ethics must remain at the forefront.

Test your knowledge 🎯

Now that you know everything about AI and privacy under the EU AI Act, are you ready to test your knowledge?

AI & Privacy Quiz

Test your knowledge about AI, privacy and the EU AI Act.

Start de Quiz