Hael
Sign inRequest a demo
GDPR Article 22 · Comparisons

GDPR Article 22 vs the EU AI Act: how they overlap

Updated 6 July 2026 · 6 min read
Key takeaway
They are different instruments doing complementary work. Article 22 gives individuals rights against significant solely-automated decisions about them; the EU AI Act imposes obligations on the providers and deployers of AI systems by risk tier. One AI system can trigger both, and the safeguards each demands overlap enough to build once.
  • Article 22 is a data-protection right about the individual; the AI Act is a product-and-market rule about the system.
  • Both converge on human oversight, transparency, and contestability.
  • The Act reaches systems Article 22 does not; Article 22 reaches processing the Act does not classify as high-risk.
  • Design human review, explanations and documentation once, to the higher bar, and both regimes draw on it.
  • General information, not legal advice. Current as of July 2026.

Different lenses on the same system

Article 22 is a data-protection right, focused on the individual subjected to an automated decision, and on the lawful basis and safeguards for it. The EU AI Act is a product-and-market regulation, focused on the system: its classification, documentation, oversight, and monitoring. A credit-scoring model can be a high-risk AI system under the Act and the engine of an Article 22 decision under the GDPR at the same time.

Where the duties converge

Both regimes converge on human oversight, transparency, and contestability. Article 22 requires the right to human intervention and to contest a decision; the AI Act requires human oversight designed into high-risk systems. Article 22 requires meaningful information about the logic involved; the AI Act requires technical documentation and instructions for use. An organisation that designs genuine human review, clear explanations, and complete documentation once can satisfy the overlapping core of both.

Where they differ

The Act reaches systems that never make Article 22 decisions, such as safety components, and imposes duties, like conformity assessment, that the GDPR does not. The GDPR reaches processing that the Act does not classify as high-risk at all. Neither subsumes the other; mapping a system against both is the only safe approach, and doing it from one governed record is the efficient one.

Key terms

Lawful basis
The GDPR's requirement that any personal-data processing rest on a defined legal ground.
High-risk classification
The EU AI Act's tiering that pulls certain systems into its heaviest obligations.
Human oversight
Meaningful human control designed into the system and its use.
Contestability
The individual's ability to challenge a decision and have it reconsidered.
Dual applicability
The reality that one AI system can be governed by both regimes at once.

References

Related guides

Keep reading on GDPR Article 22.

Free check

See where you stand on GDPR Article 22, free.

Answer a few questions and get an indicative view of what GDPR Article 22 expects of your AI systems and where you stand today — no sign-up to see your result.

Indicative, not legal advice.
GDPR Article 22 · indicative readiness
HAEL FREE TOOLLIVE
Applicability
Applies to your AI use
MAPPED
What's expected
Risk classification · governance · documentation · oversight
4 PILLARS
Where you stand
Banded result · pointed to the gaps that matter most
SOURCED
Result
On-screen, free · optional PDF
FREE
Effort
Pre-scoped to GDPR Article 22
~ 5 MIN
INDICATIVE · NOT LEGAL ADVICE