AI does not get a pass from data-protection law. If your AI system processes personal data — in training, in operation, or in its outputs — the GDPR applies in full, alongside the EU AI Act. For Belgian organisations the two regimes are best treated as one programme: the AI Act asks “is this AI safe and trustworthy?”, the GDPR asks “is this processing of personal data lawful and fair?”. You need a clean answer to both.
TL;DR — GDPR duties that bite hardest in AI
- You need a lawful basis for training and for inference — they can differ.
- Purpose limitation and data minimisation constrain what you can feed a model.
- Automated decisions with legal/significant effects trigger Art. 22 safeguards.
- A DPIA is usually mandatory for AI that profiles or scores people.
- Transparency and data-subject rights (access, erasure, objection) still apply to model-driven processing.
Lawful basis: training is not the same as inference
A frequent mistake is to find one legal basis and assume it covers the whole lifecycle. It rarely does. Training a model on personal data and using the model on a live individual are distinct processing operations, each needing its own basis under Art. 6. For most commercial AI, the realistic candidates are legitimate interests (with a documented balancing test) or consent; contract may fit where the AI is integral to a service the person requested. If you process special-category data (health, biometrics, etc.), you also need an Art. 9 condition — a materially higher bar.
Purpose limitation and minimisation vs the appetite for data
Models reward more data; the GDPR rewards less. Two principles do the heavy lifting. Purpose limitation means data collected for one purpose cannot be silently repurposed to train a model — reuse must be compatible with the original purpose or rest on a fresh basis. Data minimisation means you collect and retain only what the model genuinely needs. Techniques such as anonymisation, pseudonymisation, synthetic data and aggregation are not just good practice — they are how you reconcile a data-hungry model with a minimisation duty.
Automated decision-making (Art. 22)
This is where AI and GDPR collide most sharply. Art. 22 gives individuals the right not to be subject to a decision based solely on automated processing — including profiling — that produces legal effects or similarly significantly affects them (think credit refusal, automated hiring rejection, insurance pricing). Solely-automated decisions of this kind are only allowed where they are necessary for a contract, authorised by law, or based on explicit consent — and even then you must provide safeguards: meaningful human review, the ability to contest, and an explanation of the logic involved. Designing a genuine human-in-the-loop is often the cleanest way out of the Art. 22 trap, and it dovetails with the AI Act’s human-oversight requirement for high-risk systems.
The DPIA: usually mandatory for AI
A Data Protection Impact Assessment (Art. 35) is required where processing is likely to result in a high risk to people’s rights — which describes most AI that profiles, scores or makes consequential decisions, especially at scale. The Belgian Data Protection Authority publishes a list of processing operations that require a DPIA, and large-scale or systematic profiling features prominently. A good DPIA for AI documents the data flows, the lawful basis, the necessity and proportionality, the risks of bias and error, and the mitigations. Done well, it doubles as much of the evidence the AI Act expects for a high-risk system — one assessment, two regimes.
Transparency, accuracy and the right to erasure
Individuals must be told, in clear terms, that their data feeds an AI system and with what consequences (Art. 13–14). The accuracy principle is sharper for AI: a model that outputs wrong inferences about a person can breach it. And rights do not stop at the model boundary — a valid erasure or objection request must be honoured even when the data has been used for training, which is why retention design and the ability to retrain or filter matter from day one.
Where GDPR meets the AI Act
The regimes are complementary, not duplicative. The table below shows how the same control often satisfies both.
| Control | GDPR | AI Act |
|---|---|---|
| Human oversight of decisions | Art. 22 safeguards | Human-oversight duty for high-risk |
| Risk & impact assessment | DPIA (Art. 35) | Fundamental-rights impact assessment; risk management |
| Data quality & governance | Accuracy, minimisation | Data-governance for training/testing data |
| Transparency to people | Art. 13–14 notices | Art. 50 transparency duties |
| Documentation & logging | Records of processing | Technical documentation, automatic logs |
A pragmatic checklist
- Map the personal data in your AI — training sets, prompts, outputs, logs.
- Fix a lawful basis for training and for inference separately; document any legitimate-interests test.
- Check for special-category data and secure an Art. 9 condition if present.
- Identify any solely-automated decisions with significant effects; design human review and contestability.
- Run a DPIA for profiling/scoring use cases — and reuse it as AI Act evidence.
- Wire in data-subject rights, retention limits and transparency notices before launch.
General information, not legal advice. ICTLAB helps Belgian organisations run GDPR and AI governance as a single programme — see our GDPR compliance services, read the EU AI deployment checklist, or talk to our team.