Key Takeaways
- The EU AI Act does not replace the GDPR — it sits alongside it. When an AI system processes personal data, both regulations apply in full, and obligations compound rather than cancel out.
- Three enforcement milestones have already taken effect: prohibited AI practices and AI literacy (2 February 2025), general-purpose AI model rules (2 August 2025), and the next major gate, high-risk AI system obligations on 2 August 2026.
- The EDPB's Opinion 28/2024 (adopted 17 December 2024) is the single most important guidance document for teams that train or deploy AI on personal data. It sets out a case-by-case test for AI model anonymity and a three-step test for using legitimate interest as a legal basis.
- A DPIA (GDPR Article 35) and a FRIA (AI Act Article 27) are different documents with different triggers. Many organisations will need both for the same system.
- The Digital Omnibus proposal published by the European Commission on 19 November 2025 could change some AI Act deadlines, but it is a proposal — not law. Treat 2 August 2026 as the binding date.
Introduction
If you build or deploy AI in the EU, you are no longer operating under one privacy law. You are operating under two overlapping frameworks — the General Data Protection Regulation (GDPR), in force since 2018, and the EU AI Act, phasing in through 2027.
As of April 2026, the AI Act is already partly enforceable. Prohibited practices have been banned for over a year. General-purpose AI (GPAI) model rules have been in effect since August 2025. The next major gate — the one most eCommerce and SaaS teams need to plan for right now — is 2 August 2026, when the obligations for high-risk AI systems apply and the European AI Office's enforcement powers over GPAI providers switch on.
This guide is a verified snapshot of where things stand. It focuses on how the two regulations interlock in practice, what the EDPB has actually said about AI and personal data, and which concrete steps an eCommerce or SaaS team should take in the months before August.
This article is informational content, not legal advice. For organisation-specific guidance, consult a qualified legal professional.
The Verified 2026 Timeline
The AI Act entered into force on 1 August 2024 but applies in stages. These are the milestones that are confirmed by the European Commission's published implementation timeline:
| Date | What applies |
|---|---|
| 2 February 2025 | Chapter I (general provisions) and Chapter II: prohibited AI practices under Article 5 and AI literacy under Article 4 |
| 2 August 2025 | Chapter V: obligations for general-purpose AI (GPAI) models, plus governance provisions and penalties for Article 5 breaches |
| 2 August 2026 | Most remaining provisions, including high-risk AI system obligations, FRIA requirements for certain deployers, and the AI Office's enforcement powers over GPAI providers |
| 2 August 2027 | Providers of GPAI models placed on the market before 2 August 2025 must reach full compliance |
Two caveats sit on top of this timeline.
First, the Digital Omnibus package proposed by the European Commission on 19 November 2025 includes amendments that could link the start date of high-risk obligations to the availability of harmonised standards — potentially extending the effective deadline to August 2028 at the latest. This is a proposal, not enacted law, and it still needs to pass the European Parliament and the Council. Until that happens, 2 August 2026 remains the date to plan against.
Second, GPAI enforcement powers (the Commission's ability to fine non-compliant providers) only activate on 2 August 2026 — even though the underlying obligations have applied since August 2025. Providers cannot use the enforcement gap to delay compliance work.
How GDPR and the EU AI Act Actually Overlap
The two regulations are designed around different questions. GDPR asks "is this processing of personal data lawful, fair, and proportionate?" The AI Act asks "is this AI system safe, trustworthy, and appropriately controlled for the risk it creates?"
When an AI system touches personal data — which is most AI that matters to an eCommerce or SaaS team — both questions apply at the same time. Compliance with one does not satisfy the other.
Scope
GDPR applies whenever personal data is processed, regardless of whether an AI system is involved. The AI Act applies to AI systems placed on the EU market or whose output is used in the EU, regardless of whether personal data is involved. The overlap is large: training data, inference inputs, and model outputs are all frequently personal data, which means the GDPR tracks every step of the AI lifecycle.
Lawful basis vs. conformity
GDPR requires a lawful basis under Article 6 — consent, contract, legal obligation, vital interests, public task, or legitimate interests — before any personal data is processed. The AI Act does not provide a lawful basis. A high-risk AI system that has passed a conformity assessment still needs a valid GDPR basis for the personal data it processes.
Risk assessments
GDPR requires a Data Protection Impact Assessment (DPIA) under Article 35 when processing is likely to result in a high risk to individuals' rights — which almost always includes AI-driven profiling or large-scale personal data processing. The AI Act adds a separate obligation: certain deployers of high-risk AI systems must conduct a Fundamental Rights Impact Assessment (FRIA) under Article 27. These are different documents with different scopes, and a well-prepared organisation runs them together rather than treating the FRIA as a second DPIA.
Rights and explanations
GDPR Article 22 already gives individuals the right not to be subject to a decision based solely on automated processing that has legal or similarly significant effects, and the right to meaningful information about the logic involved. The AI Act adds complementary transparency and human oversight duties — notably Article 14 on human oversight of high-risk systems and Article 86 on explanations of individual decisions from high-risk AI. The Future of Privacy Forum's analysis puts it cleanly: even where the AI Act does not apply to a specific decision, Article 22 still does, and vice versa.
EDPB Opinion 28/2024: What It Actually Says
The single most important piece of guidance connecting the two regulations is the European Data Protection Board's Opinion 28/2024, adopted on 17 December 2024 under Article 64(2) GDPR. It answers three questions that Irish DPA had referred on behalf of EU supervisory authorities:
- When can an AI model be considered anonymous? The EDPB's answer is that this must be assessed case by case by the supervisory authority. For a model to be treated as anonymous, it should be very unlikely both (a) to directly or indirectly identify the individuals whose data was used to build it, and (b) to extract that personal data from the model through queries. A model does not become anonymous simply because the training data was numerous or because the output is generative.
- Can controllers rely on legitimate interests (Article 6(1)(f)) as a legal basis for developing or deploying AI models? Yes, in principle, but only after a three-step test: identify a legitimate interest, show processing is strictly necessary, and balance against the rights and freedoms of the individuals involved. The EDPB flags conversational agents assisting users and AI used to improve cybersecurity as examples where legitimate interest can be appropriate — provided the balancing test holds.
- What happens if an AI model is developed using personal data that was processed unlawfully? This is the most consequential part of the opinion. Unlawful training data can taint downstream processing, though the EDPB's analysis is fact-specific and leaves room for a fresh legal basis where the model is later genuinely anonymised before deployment.
For any team that fine-tunes models, embeds third-party LLMs in a product, or uses customer data to personalise recommendations, Opinion 28/2024 is the document your privacy counsel should be reading alongside the AI Act.
DPIA vs. FRIA: Do You Need Both?
This is the most common question we get from eCommerce and SaaS teams planning for August 2026.
| Dimension | DPIA (GDPR Article 35) | FRIA (AI Act Article 27) |
|---|---|---|
| Trigger | Processing likely to result in high risk to individuals' rights and freedoms | Deploying a high-risk AI system in certain deployer categories |
| Who must do it | Data controllers | Deployers that are public bodies or private entities providing public services; plus deployers of high-risk AI systems listed in Annex III points 5(b) and (c) (credit scoring and life/health insurance risk assessment) |
| Scope | Data protection risks | All fundamental rights under the EU Charter — including non-discrimination, dignity, access to justice, freedom of expression |
| Output | Risk register, mitigations, consultation with the DPA if residual risk is high | Description of deployment, affected groups, specific risks, human oversight measures; notified to the national market surveillance authority |
In practice, a retailer that deploys a third-party AI chatbot that only does customer support is unlikely to need a FRIA — but the DPIA is almost certainly required if the chatbot handles personal data at scale. A fintech offering AI-driven credit scoring almost certainly needs both. Running them as one integrated assessment — with the DPIA feeding the data-protection section of the FRIA — is the approach we see working best.
Our [data mapping guide](/resources/blog/data-mapping-101-how-to-build-a-record-of-processing-activities) covers the Record of Processing Activities that feeds both documents.
What General-Purpose AI Rules Mean for Customers
Most eCommerce and SaaS teams are not GPAI providers — they are downstream deployers of GPAI models like large language models offered by third parties. But the GPAI obligations that took effect on 2 August 2025 still matter to deployers for two reasons.
First, providers must now produce a summary of training data. The AI Office published a mandatory template for this summary in July 2025. Customers of GPAI models should ask for it: it is evidence of what data went into the model, which feeds your own GDPR records and your own answer to the EDPB's Opinion 28/2024 test.
Second, GPAI providers must maintain technical documentation and copyright compliance policies. When you procure a GPAI-powered tool, your vendor due diligence should now include requesting the provider's AI Act compliance pack — model cards, training data summary, acceptable use policy. If a vendor cannot supply these, they are signalling that they are behind their own legal obligations, and that risk flows to you.
Models designated as having systemic risk (those trained with more than 10^25 floating-point operations) carry additional obligations around model evaluation, incident reporting, and cybersecurity. Most teams will not provide such models — but they may well use them, and contracting language should allocate who carries which obligation.
Practical Steps Before 2 August 2026
If you are an eCommerce or SaaS team based in the EU, or serving EU customers, here is a focused plan. It assumes you already have a working GDPR programme — if you do not, our [complete GDPR compliance guide](/resources/blog/complete-guide-gdpr-compliance-2026) is a better starting point.
Step 1: Build a single AI inventory
List every AI system you use or build — own-built, open-source, embedded in a SaaS product, fine-tuned on your data. For each one, capture: the purpose, who the provider is, what personal data is involved (input, training, output), who the deployer is, and which AI Act risk tier it falls into.
Step 2: Classify each system under the AI Act
Map each system to one of four tiers: prohibited (Article 5 — stop immediately), high-risk (Annex III — heavy obligations applying 2 August 2026), limited-risk (Article 50 transparency — our separate [Article 50 guide](/resources/blog/eu-ai-act-article-50-ecommerce-transparency) covers this in detail), or minimal-risk (no specific AI Act duties). Document your reasoning for borderline cases.
Step 3: Run the DPIA and, where required, the FRIA
For any system processing personal data where the risk is high — which covers essentially all customer-facing AI — complete or update the DPIA under GDPR Article 35. If the system is high-risk under the AI Act and you fall into one of the deployer categories in Article 27, prepare the FRIA alongside it. Do not let one document replicate the other; reference shared sections.
Step 4: Update your legal basis analysis
Walk through your legitimate-interest assessments using the EDPB's three-step test. Where you rely on consent, check that it is informed, specific, and freely given — the bar is higher when AI-driven profiling is involved. Review your retention periods: training data used to build a model has a different lifecycle than operational data.
Step 5: Audit your AI vendors
Request the AI Act compliance pack from every AI provider in your stack: conformity documentation for high-risk systems, training-data summary for GPAI models, transparency and copyright policies. Build these requests into your procurement and DPA (Data Processing Agreement) templates so they become default, not exceptional.
Step 6: Wire human oversight into the product
For high-risk and customer-facing limited-risk systems, review the actual user experience. Where AI is making or supporting decisions that affect people, is there a real, accessible route to human review? Article 14 (human oversight) and GDPR Article 22 (human intervention) both land here, and a UX that technically offers review but practically hides it will not satisfy either regulator.
Common Mistakes to Avoid
- Treating the AI Act as a replacement for GDPR. It is not. Both apply; both must be satisfied.
- Assuming the Digital Omnibus will delay your deadline. It is a proposal. Budget for 2 August 2026.
- Using a generic DPIA template for high-risk AI. The DPIA now needs to capture AI-specific risks — bias, explainability, training-data provenance — that generic templates often miss.
- Relying on "the vendor handles it". As a deployer, you are independently accountable. Vendor documentation is evidence, not delegation.
- Skipping Opinion 28/2024. Supervisory authorities will lean on it. Your own legal-basis and anonymity analyses should reference the three-step test explicitly.
How PrivacyForge Helps
PrivacyForge is built around the reality that GDPR and the AI Act are converging, not separate. Teams already using PrivacyForge for GDPR compliance can extend to the AI Act without standing up parallel systems:
- AI system registry — a single inventory of every AI system with its purpose, provider, deployer role, personal-data footprint, and AI Act risk tier. This is your foundation for Articles 9 and 11 (technical documentation and record-keeping).
- Integrated DPIA and FRIA workflows — a unified assessment that generates the GDPR and AI Act documents side by side, reusing shared inputs and flagging where the two diverge.
- Vendor compliance tracking — structured requests for conformity documentation, GPAI training-data summaries, and DPAs, with a clear status view across your supply chain.
- Compliance scoring — see both GDPR and AI Act posture in one dashboard, with alerts when EDPB guidance or AI Office activity changes what "good" looks like.
- Consent management and DSAR automation — the usual GDPR foundation, wired to the AI inventory so rights requests that touch AI systems route correctly.
For a deeper look at the AI-specific tooling, see our [AI governance dashboard](/resources/blog/ai-governance-dashboard-managing-eu-ai-act-compliance) post. For a free first look at where you stand, try our [compliance scan](/scan).
Conclusion
The GDPR and the EU AI Act were never going to be two separate compliance programmes. By August 2026, they will be one — a single obligation to handle personal data lawfully and to place safe, transparent AI on the EU market.
The good news is that the path is well-marked. The EDPB has published the guidance that bridges both regimes. The implementation timeline is concrete. The deployer categories that need a FRIA are narrow. The GPAI obligations are mostly handled by providers, not their customers. Most eCommerce and SaaS teams can be ready in the months remaining — if they start from an honest inventory and work outward.
Start with Step 1: list every AI system you touch. The rest follows.