AI Act and GDPR on training data

The AI Act and GDPR are two distinct texts, with different triggers and scopes — but they meet on training data.

What differs

  • GDPR triggers as soon as there is personal data, whatever the system.
  • The AI Act (Article 10) triggers for high-risk AI systems, with or without personal data.

What overlaps

  • Provenance and legal basis: Article 10 requires documenting origin; GDPR requires a legal basis for personal data. Same underlying work.
  • Minimisation and purpose: both push to use only what is relevant, for a defined purpose.
  • Profiling: a system that profiles people easily falls on the high-risk side and under GDPR.

Two impact assessments not to confuse

  • DPIA (GDPR): impact on data protection.
  • FRIA (AI Act): a fundamental rights impact assessment, expected of certain deployers of high-risk systems.

They have different scopes and may need to coexist.

Indicative guidance, not legal advice. Exact articles and scope to be verified for your case.