As soon as an artificial intelligence system processes personal data, the General Data Protection Regulation (GDPR) applies. The AI Act and the GDPR are two separate but complementary frameworks: the former regulates AI systems according to their risk, the latter protects personal data.
The GDPR does not step aside
Data protection authorities point out that new technologies are not excluded from the scope of the GDPR, and that the interplay between the GDPR and the AI Act is complex. In other words, the arrival of the AI Act does not remove the duty to comply with GDPR principles: lawfulness, data minimisation, purpose limitation, transparency and the rights of individuals.
What the EDPB says about AI models
In its Opinion 28/2024 (18 December 2024), adopted at the request of the Irish authority, the European Data Protection Board (EDPB) examines three questions: when an AI model can be considered anonymous (assessed case by case; it must be very unlikely to identify individuals or to extract their data through queries), whether legitimate interest can serve as a legal basis (to be assessed through a three-step test, including a necessity test and a balancing of rights), and the consequences when a model has been developed with unlawfully processed data.
Impact assessment and reasonable expectations
In practice, processing that may create a high risk can require a prior data protection impact assessment (DPIA). The EDPB also invites checking whether individuals could reasonably expect such a use of their data, taking into account, among other things, whether the data was publicly available, the context in which it was collected and the relationship with the controller. Mitigating measures can limit any negative impact.
Your rights, in practice
When an organisation processes data on the basis of legitimate interest — often invoked for training AI models — the individual has a right to object. The EDPB stresses that GDPR principles support responsible AI, and continues to develop guidance (for instance on web scraping).
Because the field is evolving quickly, the analysis must be carried out case by case. In case of doubt, it is prudent to consult your data protection officer or the competent authority.