The EU AI Act enters into force — and it runs on top of the GDPR

Latest Updates: 1 August 2024

The world's first comprehensive AI law took effect on 1 August 2024, phasing in through 2026. It does not replace the GDPR — it layers on top of it, with personal data fuelling most AI systems in scope.

The AI Act's obligations apply in stages: bans on 'unacceptable-risk' practices from February 2025, rules for general-purpose AI models from August 2025, and the bulk of high-risk requirements from August 2026.

Where an AI system processes personal data — training data, biometric identification, profiling, automated decisions — the GDPR continues to apply in full. Article 22's limits on solely automated decision-making, the rules on special-category data, and the transparency duties are all back in the spotlight.

Regulators have signalled that 'we used it to train a model' is not a lawful basis. Organisations building or buying AI should map personal-data flows and lawful bases before deployment, not after.

Source: EU AI Act — official text

The information contained within this resource in no way constitutes legal advice. Any person who intends to rely upon or use this information is solely responsible for independently verifying it and obtaining independent expert advice if required.
