AI Act 2026 13 min read·

GDPR and AI in 2026: What the AI Act Changes for Your Site

AI chatbot, recommendation engine, customer scoring: AI has crept everywhere on websites. The European AI Act came into force in 2024 and its obligations now apply. Here is what changes concretely — and what you need to do before the end of 2026.

AI Act timeline: where are we in 2026?

The AI Act (EU Regulation 2024/1689) was published in the Official Journal of the EU on July 12, 2024 and entered into force on August 1, 2024. Its application is progressive according to risk categories:

February 2025 — Applicable

Prohibited AI practices

Subliminal manipulation, exploitation of vulnerabilities, general social scoring, real-time facial recognition in public spaces.

August 2025 — Applicable

General-purpose AI models (GPAI) and transparency

Transparency obligations for limited-risk systems (chatbots, deepfakes). Foundation model providers (GPT, Claude, Gemini) must document their systems.

August 2026 — Applicable

High-risk AI systems

Conformity assessment, technical documentation, registration in the EU AI database, mandatory human oversight for recruitment, credit, justice, health.

AI Act and GDPR: two complementary texts

A common confusion: thinking that the AI Act replaces or suspends the GDPR for AI systems. This is false. Both regulations apply in parallel, with distinct but often overlapping scopes:

DimensionRGPDAI Act
Main objectPersonal data protectionSafety and transparency of AI systems
Who is targetedData controllerAI provider and deployer
Max sanction4% turnover or €20M6% turnover or €35M
Individual rightsAccess, erasure, portability, automated decisionTransparency, human review (high risk)

Concrete cases: AI on your site through the dual GDPR + AI Act lens

Case 1 — AI chatbot (support, FAQ, lead qualification)

A chatbot powered by GPT-4 or Claude necessarily processes personal data as soon as the user types their name, email, or order number. Under GDPR: personal data processing, legal basis required (legitimate interest or contract performance for support), retention period to define, sub-processor (OpenAI/Anthropic) to frame via DPA. Under AI Act: limited-risk system, transparency obligation — the user must know they are interacting with an AI (visible mention in the interface).

Case 2 — Customer scoring or lead scoring

A system that assigns a score to each visitor (purchase propensity, churn risk, lead quality) based on behavior or demographic data. Under GDPR: constitutes profiling under Art. 4(4), and potentially automated decision-making under Art. 22 if this score automatically triggers a discriminatory action (refused offer, restricted access). Information obligation, right to access the score, and right to human intervention. Under AI Act: depending on use, may be classified high-risk (credit scoring, recruitment scoring).

Case 3 — Recommendation engine (e-commerce, content)

"Customers who bought X also bought Y" or "Recommended items for you": these systems constitute GDPR profiling. The legal basis is generally legitimate interest (Art. 6(1)(f)) for commercial personalization — provided the data controller's interest prevails over that of the individual, which is not automatic for minors or sensitive categories. Under AI Act: minimal risk if purely commercial and without significant effects. But if the recommendation influences access to essential services, the risk level rises.

Does your site process data via AI without a documented legal basis?

Audit your trackers, AI scripts and sub-processors in 60 seconds with RGPDScan.

Practical obligations if you use ChatGPT/Anthropic in your B2B tools

Many SMEs use OpenAI or Anthropic APIs to automate writing, customer document analysis, support response generation, or commercial data synthesis. As soon as personal data passes through these APIs, GDPR obligations apply:

  • Sign the DPAOpenAI offers a Data Processing Agreement for Business API offerings (available in account settings). Anthropic has similar contractual clauses for its Enterprise offerings.
  • Disable training on your dataBy default, some offerings use your inputs to train the models. For API offerings, this is generally disabled. Check the settings and document it in your register.
  • Anonymize before sendingIf possible, anonymize or pseudonymize personal data before including it in prompts. Replace names with identifiers. This considerably reduces the risk.
  • Document in the Art. 30 registerCreate an "AI Processing" entry in your register with: purpose, legal basis, data categories, sub-processor (OpenAI LLC / Anthropic PBC), USA location + DPF transfer mechanism.

For models hosted on European infrastructure (e.g. Azure OpenAI with EU region, Mistral AI in France), the risk of transfer outside the EU is eliminated. This is an option to consider for the most sensitive processing.

Going further

Frequently asked questions

Does the AI Act replace the GDPR for AI systems?
No, the AI Act complements the GDPR without replacing it. Both regulations apply in parallel. The AI Act covers the safety and transparency of AI systems according to their risk level. The GDPR covers the processing of personal data. An AI chatbot on your site is subject to both texts simultaneously.
Is my AI chatbot a high-risk system under the AI Act?
Generally no, if your chatbot serves to answer customer questions or automate support. It will be classified as "limited risk" and subject mainly to transparency obligations (informing the user they are talking to an AI). However, a recruitment or credit assessment chatbot would be high-risk.
What is Article 22 GDPR and when does it apply to AI?
Article 22 GDPR gives individuals the right not to be subject to a decision based solely on automated processing producing significant legal effects. It applies if your AI alone makes an impactful decision: automated credit refusal, rejection of an application without human intervention, account suspension. In this case, you must allow a human appeal.
Can ChatGPT or Claude be used in B2B tools without GDPR risk?
Yes, under conditions: never send non-anonymized personal data to OpenAI/Anthropic APIs without a signed DPA and valid legal basis. OpenAI and Anthropic offer DPAs for their Business/Enterprise API offerings. Using customer data in prompts without consent or legal basis constitutes a GDPR violation.
When do AI Act obligations apply for SMEs?
The AI Act entered into force in August 2024. Prohibited AI practices (manipulation, social scoring) have been applicable since February 2025. Obligations for high-risk systems apply progressively until August 2026. For SMEs using limited-risk AI systems (chatbots, recommendations), the main obligations (transparency) have applied since August 2025.
What must I mention in my privacy policy if I use AI?
You must mention: (1) the existence of automated processing and its purposes, (2) the legal basis (consent, legitimate interest or contract performance), (3) third parties to whom you send data (e.g. OpenAI, Anthropic), (4) if significant automated decisions are made, the existence of a right to human appeal. If the AI provider is outside the EU, mention the transfer mechanism.

Audit the GDPR compliance of your AI site

Detection of AI scripts and trackers without consent. Actionable report. Free scan.