The eight collisions, mapped
From Fontvera's obligation_crossrefs table, all eight AI Act ↔ GDPR cross-references in one place:
| AI Act | GDPR | Type | Severity | What collides |
|---|---|---|---|---|
| Art 10 | Art 17 | Conflict | High | AI Act allows processing of special-category data for bias detection where strictly necessary; GDPR right to erasure may require its deletion once retention is no longer necessary. Provider exposure. |
| Art 19 | Art 5 | Conflict | Medium | AI Act mandates log retention for at least six months; GDPR Article 5(1)(e) storage limitation requires data to be kept no longer than necessary if the logs contain personal data. |
| Art 12 | Art 5 | Overlap | Low | Both require logging and record-keeping for accountability — AI Act demands automatic event logging on high-risk systems; GDPR demands records of processing activities under Article 30. |
| Art 11 | Art 24 | Overlap | Medium | Both require documentation to demonstrate compliance — AI Act technical documentation under Annex IV; GDPR controller technical and organisational measures. |
| Art 15 | Art 24 | Overlap | Medium | Both mandate technical and organisational measures for security and robustness — AI Act focuses on cybersecurity and resilience; GDPR focuses on confidentiality, integrity and availability. |
| Art 10 | Art 5 | Overlap | Medium | Both require data quality and accuracy — AI Act mandates bias-free, representative training data; GDPR requires personal data to be accurate and kept up to date. |
| — | — | Gap | High | Neither regulation clearly defines liability or compliance obligations for deployers of general-purpose AI models when used in high-risk contexts not explicitly covered. Deployer exposure. |
| — | — | Gap | Medium | No clear guidance on reconciling AI Act transparency in decision-making with GDPR restrictions on disclosing trade secrets or third-party rights. Provider exposure. |
The two conflicts you cannot ignore
AI Act Article 10 ↔ GDPR Article 17 — the bias-detection conflict
AI Act Article 10(5) explicitly permits processing of special categories of personal data (race, ethnic origin, political opinion, religious belief, trade union membership, genetic and biometric data, health data, sex life and sexual orientation) for bias detection and correction in high-risk AI systems, where strictly necessary. This is a derogation crafted into the AI Act because conformity assessment under Articles 9–15 cannot be done without it.
GDPR Article 17 grants the data subject the right to erasure once the data is no longer necessary for the original purpose. The two texts collide when the data subject requests erasure of biometric or health data the AI Act provider is using for ongoing bias monitoring. The provider cannot delete the data without breaking AI Act Article 9 risk management; refusing to delete it potentially breaches GDPR Article 17.
The resolution lives in AI Act Article 10(5) read with GDPR Article 9(2)(g) — the "substantial public interest" basis, which the AI Act recognises as a legal basis for the special-category processing. Most providers will need a documented Article 10(5) impact assessment on file to defend retention against an erasure request.
AI Act Article 19 ↔ GDPR Article 5(1)(e) — the log retention conflict
AI Act Article 19 requires providers of high-risk AI systems to keep automatically generated logs for at least six months, and longer where applicable Union or national law mandates. This is a floor.
GDPR Article 5(1)(e) storage limitation requires personal data to be kept "for no longer than is necessary" for the purposes for which it is processed. This is a ceiling.
If the logs contain personal data — which they often will, since they capture inputs, outputs and operator IDs — the operator is squeezed between an AI Act minimum and a GDPR maximum. The reconciliation is documented purpose: the legitimate interest in maintaining AI Act-mandated logs is itself a sufficient purpose under GDPR Article 6, provided the retention period is justified in writing.
Where the two regulations stack at penalty
Both regimes set EU-wide ceilings that apply on top of each other if a single incident breaches both:
- GDPR Article 83(5): up to €20,000,000 or 4% of worldwide annual turnover, whichever is higher, for breaches of basic principles, data subject rights, transfers and other core obligations.
- AI Act Article 99(1): up to €35,000,000 or 7% for prohibited Article 5 practices.
- AI Act Article 99(2): up to €15,000,000 or 3% for breach of provider, deployer, importer, distributor, authorised representative, notified body or transparency obligations.
An AI system that processes biometric data without a GDPR Article 9 basis and is also classified high-risk under AI Act Annex III could in principle hit both ceilings on the same incident.
Article 22 — the cleanest overlap to resolve
GDPR Article 22 grants data subjects the right not to be subject to a decision based solely on automated processing, including profiling, that produces legal effects or similarly significantly affects them. The AI Act sits on top of this for high-risk Annex III categories — credit scoring (5(b)), insurance pricing (5(c)), employment (4), education (3) — by requiring human oversight under Article 14 and fundamental rights impact assessments under Article 27 for public bodies and Annex III 5(b)/(c) deployers.
The compliance pattern is single-stack: build human oversight into the workflow once, document it under both Article 14 (AI Act) and Article 22(3) (GDPR). The same control clears both audits.
Real numbers Fontvera tracks
- 743 AI Act obligations and 483 GDPR obligations mapped to articles.
- AI Act ↔ GDPR is the densest interaction in the cross-reference graph — 8 collisions of the 41 AI Act-involved cross-references in the corpus.
- GDPR enforcement corpus: 15,480 cross-references from EDPB, datatilsynet, GDPRhub, IMY, CNIL, BfDI and others — searchable across the homepage.
- 312,758 current regulatory documents from 130 sources across 96 jurisdictions feed the joint analysis.
Authorities — different bodies, joint enforcement
GDPR is enforced by national Data Protection Authorities (CNIL, BfDI, datatilsynet, IMY, AEPD, Garante, etc.) coordinated by the EDPB. The AI Act is enforced by national market surveillance authorities designated under Article 70, with cross-border coordination by the European AI Office. The two systems already cooperate informally on data-driven AI cases; the AI Office is expected to publish joint guidance with the EDPB on Articles 10, 13, 14 and 22 before Q4 2026.
Where both apply, expect joint investigations. Where the system is high-risk under Annex III and processes personal data, both authorities will arrive at the same audit walkthrough.
What to do before 2 August 2026
- Map every AI system that processes personal data against the eight collisions above. The mapping is the deliverable an audit will request.
- Document the Article 10(5) basis for special-category bias data in writing, with retention period and deletion criteria. Without it, an Article 17 erasure request defaults to deletion.
- Lock log retention in policy. AI Act floor: ≥6 months. GDPR ceiling: documented purpose. Reconcile in a single retention schedule.
- Run DPIA and Article 27 FRIA jointly for Annex III 5(b)/(c) deployers — the public-services entities especially. The two documents share most of the analysis.
- Treat human oversight as a single control. Build the workflow once, satisfy AI Act Article 14, GDPR Article 22(3), and Article 27 FRIA in one pass.
Run your free AI Act compliance diagnostic
Returns the AI Act classification plus the article list — including which obligations cross-reference back to GDPR.
Cross-regulatory data update
Auto-merged from the Fontvera archetype dataset on 2026-05-12. The sections below are extracted verbatim from the `obligations` and `obligation_crossrefs` tables; the page itself was last reviewed manually before this update.
Summary statistics
Overlaps: 4 · Conflicts: 2 · Gaps: 2
8 article-level crossrefs catalogued between AI Act and GDPR from the Fontvera EU regulatory corpus. Article numbers are verbatim from the underlying obligation_crossrefs table; descriptions are extracted, not paraphrased.
All crossrefs between these regulations
| Article (A) | Article (B) | Type | Severity | Description |
|---|---|---|---|---|
| AI Act Art 10 | GDPR Art 5 | overlap | medium | [entity affected: provider] Both regulations require data quality and accuracy; AI Act mandates bias-free and representative training data, while GDPR requires personal data to be accurate and kept up |
| AI Act Art 15 | GDPR Art 24 | overlap | medium | [entity affected: provider] Both regulations mandate the implementation of technical and organizational measures to ensure security and robustness; AI Act focuses on cybersecurity and resilience, whil |
| AI Act Art 12 | GDPR Art 5 | overlap | low | [entity affected: provider] Both regulations require logging and record-keeping for accountability; AI Act requires automatic event logging for high-risk systems, while GDPR requires maintaining recor |
| AI Act Art 11 | GDPR Art 24 | overlap | medium | [entity affected: provider] Both regulations require documentation to demonstrate compliance; AI Act requires technical documentation for high-risk AI systems, while GDPR requires controllers to imple |
| AI Act Art 10 | GDPR Art 17 | conflict | high | [entity affected: provider] AI Act allows processing special categories of data for bias detection if strictly necessary, which may conflict with GDPR's right to erasure if the data is no longer necessary for the original purpose but needed for ongoing bias monitoring. |
| AI Act Art 19 | GDPR Art 5 | conflict | medium | [entity affected: provider] AI Act mandates keeping logs for at least six months, which may conflict with GDPR's storage limitation principle requiring data to be kept no longer than necessary if the logs contain personal data not needed for that duration. |
| AI Act Art ? | GDPR Art ? | gap | high | [entity affected: deployer] Neither regulation clearly defines the liability or compliance obligations for deployers of general-purpose AI models when used in high-risk contexts not explicitly covered |
| AI Act Art ? | GDPR Art ? | gap | medium | [entity affected: provider] There is a gap in clear guidance on how to reconcile the AI Act's requirement for transparency in AI decision-making with GDPR's restrictions on disclosing trade secrets or |
Conflicts explained
The 2 article-level conflicts between AI Act and GDPR mean a control that satisfies one can pull the wrong way on the other:
- AI Act Art 10 vs GDPR Art 17 — [entity affected: provider] AI Act allows processing special categories of data for bias detection if strictly necessary, which may conflict with GDPR's right to erasure if the data is no longer necessary for the original purpose but needed for ongoing bias monitoring.
- AI Act Art 19 vs GDPR Art 5 — [entity affected: provider] AI Act mandates keeping logs for at least six months, which may conflict with GDPR's storage limitation principle requiring data to be kept no longer than necessary if the logs contain personal data not needed for that duration.
Which regulation takes precedence
EU law does not lay down a universal precedence rule between the AI Act and the GDPR. In practice, three resolution approaches apply:
- Lex specialis: the more specific provision wins when both purport to govern the same conduct.
- Regulator guidance: the EDPB, EBA, ESMA and the AI Office have all issued joint readings on overlapping articles; check the most recent applicable opinion.
- Document the choice: when the regulations leave the call to the controller, the audit defence is your written reasoning, not the regulator's silence.
Where the corpus surfaces a conflict rather than an overlap, treat it as an escalation path to legal, not a control-design question.