GDPR & AI Act

Article 22 of GDPR gives people the right not to be subject solely to automated processing that has significant effects on them. This right is absolute for decisions that "significantly affect" someone. Think of loan applications, recruitment processes, social benefits or medical triage. In such cases GDPR always requires the possibility of human intervention, the right to object and the right to an explanation.

The AI Act adds a layer to this: systems that apply automated decision-making in the sectors listed in Annex III (credit, education, HR, essential services, etc.) are classified as high-risk AI systems. For those systems, obligations apply regarding registration, transparency, human oversight and technical robustness. The overlap is precisely where Art. 22 GDPR is already in force.

Under GDPR you are required to perform a Data Protection Impact Assessment (DPIA) when processing is likely to result in a high risk to the rights and freedoms of people. This is almost always the case with large-scale processing of special categories of personal data or profiling with significant effects.

The AI Act introduced a Fundamental Rights Impact Assessment (FRIA) in Article 27. Unlike a DPIA, a FRIA looks at the full spectrum of fundamental rights — not just privacy. The FRIA is mandatory for public bodies and private organisations providing services of public interest (education, healthcare, social services) that deploy high-risk AI. The European Commission is developing a template to integrate DPIA and FRIA into a single combined assessment.

GDPR requires organisations to inform data subjects about processing of their personal data. For automated decision-making (Art. 22) you must additionally provide "meaningful information about the underlying logic". This is not an empty obligation — regulators expect people to understand on the basis of which variables a decision was reached.

AI Act Article 13 imposes a similar but broader transparency obligation on high-risk AI systems: users must be able to interpret and assess the output of the system. Documentation requirements (technical file, logs) serve partly as the basis for that explainability. The challenge is that GDPR requires "meaningful explanation to the data subject", while the AI Act requires "interpretability for the deployer" — these are partly different audiences with partly different information needs.

GDPR prescribes data minimisation: you may not process more personal data than strictly necessary for the purpose. This is a fundamental principle that sits in tension with the tendency of machine learning to gather as much data as possible for better model performance.

AI Act Article 10 sets specific requirements for training data, validation data and test data of high-risk AI systems. The data must be relevant, representative, free from errors and complete. Furthermore Art. 10 requires control of bias — which amounts to an active duty to verify that data does not contain discriminatory patterns. This requires categories of personal data that are specially protected under GDPR (ethnicity, gender, health). There is thus an inherent tension: Art. 10 requires data analysis on sensitive categories, while GDPR strictly restricts that processing.

In the Netherlands, the Dutch Data Protection Authority (AP) has been designated as the national market supervisory authority for the AI Act. That is a deliberate choice: the AP already has expertise in assessing data processing operations and automated systems. But it also means the AP now enforces two legal frameworks simultaneously — GDPR and AI Act.

This has practical consequences. A complaint about an AI system making personal decisions can be investigated by the AP from two angles simultaneously: violation of Art. 22 GDPR (no human oversight) and violation of the AI Act (high-risk system not registered or without technical file). The AP can enforce and impose fines on both grounds. The total penalty risk is therefore significantly greater than with a single supervisory framework.