The AI Act for DPOs: where it meets the GDPR
The AI Act and the GDPR overlap but are not the same. The DPO is not automatically responsible for AI compliance, yet plays a key role wherever AI processes personal data. This guide maps the touchpoints: DPIAs, legal grounds, transparency and the limits of the DPO role.
Short answer: The AI Act and the GDPR are two separate regimes that often apply to AI systems at the same time. The GDPR protects personal data; the AI Act regulates AI systems regardless of whether they contain personal data. The DPO does not automatically own AI compliance, but is indispensable wherever AI processes personal data, which is almost always.
Two regimes, one system
The GDPR asks: do you process personal data lawfully, fairly and transparently? The AI Act asks: was this AI system placed on the market and deployed correctly, given its risk class? A recruitment AI falls under both: it processes personal data (GDPR) and is high-risk AI (AI Act).
The regimes reinforce each other but do not fully overlap. AI Act conformity does not guarantee GDPR compliance, and vice versa. The DPO must be able to keep those two tracks apart.
Where the GDPR and the AI Act meet
- DPIA. A data protection impact assessment is often mandatory for high-risk AI involving personal data. Align the DPIA with the risk assessment the AI Act requires; combine where possible, but keep them legally distinct.
- Legal basis. Training and using AI with personal data requires a valid GDPR ground. Legitimate interest or consent must be demonstrable.
- Automated decision-making. The GDPR gives data subjects rights regarding decisions without human involvement; the AI Act requires human oversight. Together they shape how an automated decision must be designed.
- Transparency. Both regimes require that people know that and how AI is used.
The limits of the DPO role
The DPO is an adviser and supervisor, not an implementer. AI Act compliance demands expertise beyond privacy: product safety, conformity assessment, technical documentation. Do not quietly assign those tasks to the DPO. The DPO guards the privacy share within a broader governance framework and works with the CISO, the product team and the board.
Protecting independence
A common mistake is having the DPO help build the AI system they must later assess. That undermines the independence the GDPR requires. Advise up front, but do not co-decide.
What to do
- Inventory which AI systems process personal data and what risk class they fall into (see the high-risk obligations).
- Run DPIAs and link them to the AI Act risk assessment.
- Test the legal basis for training and deploying AI with personal data.
- Ensure transparency towards data subjects and human oversight for decisions.
- Protect your independence: advise, do not build.
- Invest in AI literacy within the privacy team.
The DPO is not the AI Act coordinator, but without the DPO no AI application involving personal data makes it safely into production.
Sources
- Regulation (EU) 2024/1689 (AI Act): risk-based rules that apply alongside the GDPR to AI systems. https://eur-lex.europa.eu/eli/reg/2024/1689/oj
- Regulation (EU) 2016/679 (GDPR): legal grounds, the DPIA obligation and data-subject rights for automated processing. https://eur-lex.europa.eu/eli/reg/2016/679/oj