EU AI Act and GDPR overlap — dual compliance guide for HR deployers
Regulation (EU) 2024/1689 (EU AI Act) and Regulation (EU) 2016/679 (GDPR) apply simultaneously and independently. Meeting one does not satisfy the other. For HR deployers using AI systems for recruitment, performance evaluation, or employee monitoring, the two frameworks interact in ways that require coordinated compliance planning. This guide maps the key intersection points.
The two frameworks operate in parallel
The EU AI Act’s preamble (Recital 9) makes clear that it does not affect Union law on the protection of personal data, in particular the GDPR and the Law Enforcement Directive. GDPR supervisory authorities retain full competence over personal data processing. AI Act market surveillance authorities oversee product-safety and compliance obligations under the AI Act. Both may investigate the same incident.
For HR AI deployers, this means a single AI recruitment system may simultaneously require: a lawful basis under GDPR Article 6, a DPIA under GDPR Article 35, an Art 22 safeguard, an Art 13 instructions-for-use document under the AI Act, an Art 26(7) worker notification, and an Art 26(6) log retention policy. These obligations do not substitute for each other.
GDPR Article 22 and EU AI Act Article 26 — automated decision-making
GDPR Article 22 gives data subjects the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning them or similarly significantly affects them. The room for taking a decision outside “solely automated” through human involvement is narrow: a human rubber-stamping an AI recommendation without genuinely reviewing it does not satisfy the Article 22 safeguard.
EU AI Act Article 26(2) separately requires deployers of high-risk AI systems to assign human oversight to persons with the necessary competence, training and authority to override the system’s output. A person in the oversight role who can genuinely question and override the AI recommendation will typically also satisfy the GDPR Article 22 “meaningful human review” standard.
- GDPR Art 22(2)(b) permits solely automated decisions where the data subject has given explicit consent — but this is difficult to rely on in an employment context where consent is rarely freely given.
- GDPR Art 22(2)(a) permits such decisions where they are necessary for entering into or performing a contract — which has a high bar; convenience or efficiency arguments are insufficient.
- Regardless of which Art 22 ground applies, the data subject must receive meaningful information about the logic involved, the significance and envisaged consequences, and the right to obtain human intervention and contest the decision (Art 22(3)).
GDPR Article 35 DPIA and EU AI Act fundamental rights impact assessment
A Data Protection Impact Assessment (DPIA) under GDPR Article 35 is mandatory where processing is likely to result in a high risk to natural persons, including where systematic and extensive evaluation of personal aspects by automated processing is used to make decisions that produce legal or similarly significant effects. HR AI systems in scope of Annex III of the EU AI Act will typically satisfy this threshold.
The EU AI Act’s Annex III conformity assessment and post-market monitoring framework (Articles 43 and 72) overlap functionally with a DPIA but do not replace it. The most efficient approach is a single integrated assessment that addresses both the AI Act’s risk questions (technical, intended purpose, foreseeable misuse) and the GDPR’s data-protection questions (lawful basis, data minimisation, retention, rights). The output should be two separate records (DPIA for GDPR; risk assessment records for AI Act) derived from the same review exercise.
GDPR Article 9 special-category data and EU AI Act Article 10
GDPR Article 9 prohibits processing of special-category data — health, biometric data used to uniquely identify, racial or ethnic origin, religion, trade union membership, political opinions, genetic data, sex life or sexual orientation — except under specific conditions. Article 9(2)(b) permits processing where necessary for employment law obligations with appropriate safeguards.
EU AI Act Article 10(5) permits use of special-category data for the sole purpose of detecting and correcting bias in high-risk AI systems, provided that appropriate safeguards for the fundamental rights and freedoms of natural persons are in place. This is a narrow research exception and does not override GDPR Article 9 — the deployer must separately satisfy a GDPR Article 9(2) ground. The Article 10(5) permission also does not extend to using protected attributes as model input features.
Data minimisation: GDPR Article 5 vs EU AI Act Article 10
GDPR Article 5(1)(c) requires personal data to be adequate, relevant and limited to what is necessary for the purposes (data minimisation). EU AI Act Article 10(3) requires training data to be relevant, representative, and, to the best extent possible, free of errors and complete. Both principles point in the same direction: deployers should not accept or feed AI systems with personal data that is not needed for the stated purpose.
A practical implication: if a vendor’s system ingests raw CVs including free-text fields that may contain protected-attribute information (name indicating ethnic origin, address indicating socioeconomic background), the deployer has both an AI Act bias-risk obligation (Art 10(2)(f)) and a GDPR data-minimisation and special-category exposure to manage.
Transparency: EU AI Act Article 50 and GDPR Articles 13–14
GDPR Articles 13 and 14 require controllers to provide data subjects with information about automated decision-making and profiling at the time of data collection. EU AI Act Article 50 requires deployers to disclose AI interaction to users from 2 August 2026.
In practice, an HR deployer using a recruitment chatbot must combine both disclosure obligations in a single user-facing notice. The GDPR notice must cover the existence of profiling and the AI Act disclosure must cover the fact that the user is interacting with an AI system. These can be merged into one communication if all required elements of each regime are present.
Retention and log obligations compared
- GDPR storage limitation (Art 5(1)(e)): Personal data must not be kept longer than necessary for the purpose. For HR AI, this typically means candidate data that was not used to make a hiring decision must be deleted within a short period (often 6 months under national employment law).
- EU AI Act log retention (Art 26(6)): Automatic logs generated by the AI system must be kept for at least 6 months. These logs may contain personal data (inputs and outputs of the AI system for individual candidates or employees).
- Reconciliation: The deployer must retain the AI logs for 6 months even where the general HR data retention period is shorter. The logs should be access-controlled, clearly classified as compliance records, and documented in the Record of Processing Activities (ROPA) under GDPR Article 30.
Who supervises what
- GDPR compliance is supervised by national Data Protection Authorities (DPAs). For cross-border processing, the lead supervisory authority mechanism under GDPR Chapter VII applies.
- EU AI Act compliance is supervised by national market surveillance authorities (MSAs) designated under Article 70. In some Member States the DPA has been designated as the MSA or co-authority for HR-AI systems. This may result in joint investigations.
- The AI Office (a Commission body) has oversight over GPAI models and coordinates cross-border AI Act enforcement.
Dual-compliance evidence map
- ROPA entry covering the AI system as a processing activity (GDPR Art 30).
- DPIA (GDPR Art 35) covering HR AI systems producing legal or significant effects.
- Art 22 safeguard: GDPR lawful basis, human-review procedure, and data-subject rights response process.
- AI inventory entry: classification, Annex III status, vendor, intended purpose (EU AI Act Art 26 + Art 4).
- Art 26(7) worker notification record.
- Art 26(6) log retention protocol documented in ROPA.
- Art 4 AI literacy policy covering data-protection aspects of AI use.
- Article 50 disclosure text for chatbot or AI-generated output, cross-referenced with GDPR Art 13/14 notice.
Sources
- Regulation (EU) 2024/1689 (EU AI Act), Articles 10, 26, 50, 70, 72, Annex III — EUR-Lex: eur-lex.europa.eu/eli/reg/2024/1689/oj
- Regulation (EU) 2016/679 (GDPR), Articles 5, 6, 9, 13, 14, 22, 30, 35 — EUR-Lex: eur-lex.europa.eu/eli/reg/2016/679/oj
- European Data Protection Board — Guidelines on automated decision-making: edpb.europa.eu
Note: GDPR obligations are enforced by national DPAs and may vary in interpretation across Member States. This guide reflects the EU-level text; national employment law may impose additional requirements. PowerQuant supplies software and documentation for use in your internal compliance process — not legal advice.