GDPR Article 22 vs the EU AI Act: how they overlap
- Article 22 is a data-protection right about the individual; the AI Act is a product-and-market rule about the system.
- Both converge on human oversight, transparency, and contestability.
- The Act reaches systems Article 22 does not; Article 22 reaches processing the Act does not classify as high-risk.
- Design human review, explanations and documentation once, to the higher bar, and both regimes draw on it.
- General information, not legal advice. Current as of July 2026.
Different lenses on the same system
Article 22 is a data-protection right, focused on the individual subjected to an automated decision, and on the lawful basis and safeguards for it. The EU AI Act is a product-and-market regulation, focused on the system: its classification, documentation, oversight, and monitoring. A credit-scoring model can be a high-risk AI system under the Act and the engine of an Article 22 decision under the GDPR at the same time.
Where the duties converge
Both regimes converge on human oversight, transparency, and contestability. Article 22 requires the right to human intervention and to contest a decision; the AI Act requires human oversight designed into high-risk systems. Article 22 requires meaningful information about the logic involved; the AI Act requires technical documentation and instructions for use. An organisation that designs genuine human review, clear explanations, and complete documentation once can satisfy the overlapping core of both.
Where they differ
The Act reaches systems that never make Article 22 decisions, such as safety components, and imposes duties, like conformity assessment, that the GDPR does not. The GDPR reaches processing that the Act does not classify as high-risk at all. Neither subsumes the other; mapping a system against both is the only safe approach, and doing it from one governed record is the efficient one.
Key terms
- Lawful basis
- The GDPR's requirement that any personal-data processing rest on a defined legal ground.
- High-risk classification
- The EU AI Act's tiering that pulls certain systems into its heaviest obligations.
- Human oversight
- Meaningful human control designed into the system and its use.
- Contestability
- The individual's ability to challenge a decision and have it reconsidered.
- Dual applicability
- The reality that one AI system can be governed by both regimes at once.