AI Act and GDPR on training data
The AI Act and GDPR are two distinct texts, with different triggers and scopes — but they meet on training data.
What differs
- GDPR triggers as soon as there is personal data, whatever the system.
- The AI Act (Article 10) triggers for high-risk AI systems, with or without personal data.
What overlaps
- Provenance and legal basis: Article 10 requires documenting origin; GDPR requires a legal basis for personal data. Same underlying work.
- Minimisation and purpose: both push to use only what is relevant, for a defined purpose.
- Profiling: a system that profiles people easily falls on the high-risk side and under GDPR.
Two impact assessments not to confuse
- DPIA (GDPR): impact on data protection.
- FRIA (AI Act): a fundamental rights impact assessment, expected of certain deployers of high-risk systems.
They have different scopes and may need to coexist.
Indicative guidance, not legal advice. Exact articles and scope to be verified for your case.