GDPR and AI in 2026: What the AI Act Changes for Your Site
AI chatbot, recommendation engine, customer scoring: AI has crept everywhere on websites. The European AI Act came into force in 2024 and its obligations now apply. Here is what changes concretely — and what you need to do before the end of 2026.
AI Act timeline: where are we in 2026?
The AI Act (EU Regulation 2024/1689) was published in the Official Journal of the EU on July 12, 2024 and entered into force on August 1, 2024. Its application is progressive according to risk categories:
Prohibited AI practices
Subliminal manipulation, exploitation of vulnerabilities, general social scoring, real-time facial recognition in public spaces.
General-purpose AI models (GPAI) and transparency
Transparency obligations for limited-risk systems (chatbots, deepfakes). Foundation model providers (GPT, Claude, Gemini) must document their systems.
High-risk AI systems
Conformity assessment, technical documentation, registration in the EU AI database, mandatory human oversight for recruitment, credit, justice, health.
AI Act and GDPR: two complementary texts
A common confusion: thinking that the AI Act replaces or suspends the GDPR for AI systems. This is false. Both regulations apply in parallel, with distinct but often overlapping scopes:
| Dimension | RGPD | AI Act |
|---|---|---|
| Main object | Personal data protection | Safety and transparency of AI systems |
| Who is targeted | Data controller | AI provider and deployer |
| Max sanction | 4% turnover or €20M | 6% turnover or €35M |
| Individual rights | Access, erasure, portability, automated decision | Transparency, human review (high risk) |
Concrete cases: AI on your site through the dual GDPR + AI Act lens
Case 1 — AI chatbot (support, FAQ, lead qualification)
A chatbot powered by GPT-4 or Claude necessarily processes personal data as soon as the user types their name, email, or order number. Under GDPR: personal data processing, legal basis required (legitimate interest or contract performance for support), retention period to define, sub-processor (OpenAI/Anthropic) to frame via DPA. Under AI Act: limited-risk system, transparency obligation — the user must know they are interacting with an AI (visible mention in the interface).
Case 2 — Customer scoring or lead scoring
A system that assigns a score to each visitor (purchase propensity, churn risk, lead quality) based on behavior or demographic data. Under GDPR: constitutes profiling under Art. 4(4), and potentially automated decision-making under Art. 22 if this score automatically triggers a discriminatory action (refused offer, restricted access). Information obligation, right to access the score, and right to human intervention. Under AI Act: depending on use, may be classified high-risk (credit scoring, recruitment scoring).
Case 3 — Recommendation engine (e-commerce, content)
"Customers who bought X also bought Y" or "Recommended items for you": these systems constitute GDPR profiling. The legal basis is generally legitimate interest (Art. 6(1)(f)) for commercial personalization — provided the data controller's interest prevails over that of the individual, which is not automatic for minors or sensitive categories. Under AI Act: minimal risk if purely commercial and without significant effects. But if the recommendation influences access to essential services, the risk level rises.
Does your site process data via AI without a documented legal basis?
Audit your trackers, AI scripts and sub-processors in 60 seconds with RGPDScan.
Practical obligations if you use ChatGPT/Anthropic in your B2B tools
Many SMEs use OpenAI or Anthropic APIs to automate writing, customer document analysis, support response generation, or commercial data synthesis. As soon as personal data passes through these APIs, GDPR obligations apply:
- Sign the DPA — OpenAI offers a Data Processing Agreement for Business API offerings (available in account settings). Anthropic has similar contractual clauses for its Enterprise offerings.
- Disable training on your data — By default, some offerings use your inputs to train the models. For API offerings, this is generally disabled. Check the settings and document it in your register.
- Anonymize before sending — If possible, anonymize or pseudonymize personal data before including it in prompts. Replace names with identifiers. This considerably reduces the risk.
- Document in the Art. 30 register — Create an "AI Processing" entry in your register with: purpose, legal basis, data categories, sub-processor (OpenAI LLC / Anthropic PBC), USA location + DPF transfer mechanism.
For models hosted on European infrastructure (e.g. Azure OpenAI with EU region, Mistral AI in France), the risk of transfer outside the EU is eliminated. This is an option to consider for the most sensitive processing.
Going further
- GDPR compliance checklist 2026
- GDPR processing register: complete guide
- GDPR sub-processor DPA: the missing clause
- GDPR for SaaS and B2B tools
- CNIL fines 2026: what exposes your site