AI Act and GDPR: What Companies Need to Prepare for Starting 2025

Published on 19 September 2025 at 15:19

A long-awaited framework to regulate AI in Europe

The European Union adopted the AI Act in 2024. It is the world’s first cross-sector regulation aimed at overseeing the use of artificial intelligence, with progressive implementation through 2027.

Key upcoming milestones:

  • 2 February 2025: Ban on certain practices considered “unacceptable risk.”

  • 2 August 2025: Rules will apply to general-purpose AI models (GPAI), and each Member State must designate supervisory authorities.

  • 2026-2027: High-risk systems and certain regulated products must comply fully.

In this context, the CNIL has published recommendations. They do not create new legal obligations, but they help actors apply the GDPR to AI systems alongside the AI Act.


The AI Act: a regulation that changes the game

The text relies on a risk-based approach:

  • Unacceptable risk: Certain practices are forbidden (social scoring, cognitive manipulation, some forms of biometric surveillance).

  • High risk: Stronger obligations for systems used in sensitive sectors (health, education, recruitment, justice, critical infrastructure). Requirements include governance of data, risk management, technical documentation, human oversight, and robustness.

  • Limited risk: Transparency obligations (for example, disclosing that a user is interacting with AI).

  • Minimal risk: General use with minimal constraints.

General-purpose AI models (GPAI) have specific rules:

  • mandatory technical documentation

  • training data summaries

  • respect for copyright

  • stricter standards for models with systemic risks


2026-2027: a turning point for high-risk systems and healthcare products

Starting in 2026, the compliance requirements will apply to systems classified as “high risk” under Annex III of the AI Act.

Affected use cases will include:

  • systems used in recruitment or employee evaluation,

  • systems used for access to education,

  • and, importantly for healthcare entities, those deployed in medical domains (e.g. diagnostic assistance, triage tools, software medical devices, patient pathway management).

These systems must meet detailed requirements:

  • end-to-end risk management and documentation

  • data governance (quality, representativity, absence of bias)

  • traceability and technical transparency

  • human oversight (medical decisions cannot be fully delegated to AI)

  • security, robustness, and accuracy

From 2027, obligations will also extend to products already regulated under other frameworks (e.g. medical devices regulated under the EU MDR), to ensure coherence between legal regimes.


Core GDPR obligations for AI projects

Whenever personal data is used, the GDPR applies fully. The CNIL reminds data controllers to ensure:

  • a defined purpose, even if broad in scope

  • a valid legal basis

  • minimization of collection to what is strictly necessary

  • informing data subjects and guaranteeing their rights

  • setting proportionate data retention periods

  • implementing technical and organizational security measures

  • verifying the legality of the datasets used, including open-source ones

These are foundational requirements for any AI development or deployment.


Specific obligations for AI providers

Beyond the GDPR baseline, certain AI-related practices need special attention. The CNIL highlights three frequent areas:

  1. Web scraping (data harvesting)

    • Even if data is “public”, that does not mean it is free of copyright or free for reuse.

    • A legal basis (e.g. legitimate interest) must be identified, together with a balancing of interests.

    • Collection must be proportionate (harvesting “the whole web” is not acceptable).

    • Mechanisms must allow individuals to request removal or objection.

    • Use of the data must respect the source site’s terms and conditions.

  2. Model status

    • A model may itself constitute processing of personal data if individuals can reasonably be re-identified from it.

    • Technical tests must verify the likelihood of re-identification.

    • Documentation of these tests is required to demonstrate when GDPR applies to the model itself, beyond its training data.

  3. Data annotation

    • Adding labels or metadata is essential in AI, but must be done under strict guarantees when sensitive data (e.g. health data in medical research) is involved: legal authorization, protective contracts, confidentiality, secure environments.

    • Even non-sensitive annotation tasks require oversight to avoid bias and ensure quality.


Impact Assessment: a DPIA is strongly recommended, and in certain cases becomes a legal requirement under the AI Act for high-risk AI systems

A Data Protection Impact Assessment (DPIA) is strongly recommended, and often required under the AI Act for high-risk AI systems. Its goal is to identify risks to individuals, document safeguards, and serve as proof of compliance.


Conclusion: preparing now for compliance

The AI Act and the GDPR are complementary: the first regulates AI broadly, the second continues to safeguard personal data. The CNIL’s recommendations help bridge regulatory text and practical implementation.

Starting now, organizations should:

  • anticipate GPAI obligations effective from August 2025

  • clarify roles (data controller vs processor)

  • implement DPIAs

  • document datasets and models

These steps are essential to navigate the progressive implementation of the regulation through 2027 and build user trust.