Regulation (EU) 2024/1689 (the AI Act) and Regulation (EU) 2016/679 (the GDPR) are independent regulations that apply in parallel. The GDPR regulates the processing of personal data; the AI Act regulates the AI system itself — its risk class, its documentation, its lifecycle. The two overlap where personal data is processed by an AI system, but neither replaces the other. Art. 2(7) of the AI Act expressly preserves the GDPR. The Art. 27 FRIA complements — does not replace — the Art. 35 GDPR DPIA (Art. 27(4)). Penalties under each regulation are separate: GDPR up to €20M or 4% of worldwide turnover; AI Act up to €35M or 7% for prohibited practices. AICheck structures the technical documentation under Art. 11 + Annex IV of the AI Act, irrespective of GDPR status.
€249 one-time payment · 12 PDF documents in ZIP · 45 minutes · 100% in your browser
Both regulations are horizontal, both apply to operators inside and outside the EU, and both rely on a risk-based logic — but the objects regulated, the subjects of obligations, and the assessment instruments are different.
| Aspect | AI Act (Reg (EU) 2024/1689) | GDPR (Reg (EU) 2016/679) |
|---|---|---|
| Subject regulated | The AI system itself: development, placing on market, use | The processing of personal data |
| Applies regardless of personal data? | Yes — applies even if no personal data is processed | Only where personal data is processed (Art. 2 GDPR) |
| Risk concept | Risk to health, safety, fundamental rights — by AI category (prohibited, high-risk, transparency, minimal) | Risk to rights and freedoms of natural persons — case-by-case under Art. 24, Art. 35 |
| Pre-market documentation | Art. 11 + Annex IV technical documentation (9 blocks) for high-risk AI | Art. 30 records of processing activities |
| Impact assessment | Art. 27 FRIA — public bodies + Annex III 5(b)(c) deployers | Art. 35 DPIA — high-risk processing |
| Risk management | Art. 9 risk management system + Art. 17 QMS | Art. 32 security of processing |
| Incident reporting | Art. 73 serious incidents: 15d / 10d death / 2d widespread | Art. 33 personal data breach: 72 hours |
| Conformity / certification | Art. 43 conformity assessment + CE marking | Art. 42 voluntary certification |
| Information to subject | Art. 50 transparency + Art. 26(11) for Annex III | Arts. 13 and 14 information to data subjects |
| Right not to be subject to automated decision | Not directly; transparency + human oversight under Art. 14 | Art. 22 specific right |
| Maximum fine | €35M / 7% (Art. 99(3) for Art. 5 prohibitions) | €20M / 4% (Art. 83(5) GDPR) |
| Enforcement authority | National competent authorities under Art. 70 + AI Office | National supervisory authorities + EDPB |
Article 2(7) of the AI Act provides: "Union law on the protection of personal data, privacy and the confidentiality of communications applies to personal data processed in connection with the rights and obligations laid down in this Regulation. This Regulation shall not affect Regulation (EU) 2016/679...".
No. GDPR-compliant processing of personal data is one piece of the puzzle. The AI Act regulates the AI system itself: risk classification (Art. 6 + Annex III), technical documentation (Art. 11 + Annex IV), quality management system (Art. 17), conformity assessment (Art. 43), CE marking (Art. 48), registration (Art. 49), transparency for chatbots and synthetic content (Art. 50), post-market monitoring (Art. 72), serious-incident reporting (Art. 73). None of these is covered by GDPR compliance.
Art. 27(4): if any of the FRIA obligations is already met through a DPIA under Art. 35 GDPR or Art. 27 Directive (EU) 2016/680, the FRIA shall complement that DPIA. The two assessments are separate obligations covering different subject matters. A DPIA assesses processing of personal data; a FRIA assesses impact on fundamental rights of an AI deployment. They can share inputs and be performed jointly but neither replaces the other.
Art. 99(7)(b) and (c) of the AI Act provide that when deciding on an administrative fine, the competent authority shall consider whether administrative fines have already been applied by other market surveillance authorities or by other authorities for infringements of other Union or national law resulting from the same activity. Coordination is required, but two independent fines from two different regulators for two different breaches of two different regulations remain possible.
12 PDF documents generated from your inputs. Each cites the article of Regulation (EU) 2024/1689 it fulfils.
Identifies whether your system is prohibited (Art. 5), high-risk (Art. 6 + Annex III) or subject to transparency obligations (Art. 50).
The 9 blocks of Annex IV in full: system description, training data, validation, performance metrics, risk management, human oversight. Art. 11 + Annex IV.
Signable document conforming to Art. 47 and Annex V.
Key application dates: 2 Feb 2025, 2 Aug 2025, 2 Aug 2026, 2 Aug 2027. Art. 113.
Executive summary of compliance status for authorities or commercial buyers. Art. 43 procedure.
QMS structure covering the 13 aspects required by Art. 17.
Document for the entity deploying your system, conforming to Art. 13.
Verifiable evidence list, cross-referenced to every Annex IV block.
Notification protocol conforming to Art. 73 (15 days general / 10 days death / 2 days widespread).
Training plan conforming to Art. 4, in force since 2 February 2025.
Plan structure required by Art. 72 and integrated into the technical documentation under Annex IV(9).
Template under Art. 27 for public bodies, private entities providing public services, and Annex III 5(b)(c) deployers.
Generated from your inputs, in your browser. No data leaves your machine.
12 documents. 45 minutes. €249. The documentation your system needs before being placed on the market.
If your system falls under Art. 43(1) (Annex III point 1 biometrics with notified-body route, or Annex I products), you will need third-party conformity assessment. That is a separate process. AICheck does not replace it.
We do not sell audits. We do not sell consultancy. We sell the tool that structures your documentation under Annex IV.
Article 99 of Regulation (EU) 2024/1689. Chapter XII (Penalties) applies from 2 August 2025.
Art. 99(3). Up to €35 million or 7% of total worldwide annual turnover, whichever is higher. For SMEs and start-ups: whichever is lower (Art. 99(6)).
Art. 99(4). Includes failure to draw up technical documentation under Art. 11 + Annex IV. Covers obligations of providers (Art. 16), deployers (Art. 26), authorised representatives (Art. 22), importers (Art. 23), distributors (Art. 24), notified bodies (Art. 31, 33, 34) and transparency under Art. 50.
Art. 99(5). Applies when information provided to notified bodies or national competent authorities is wrong or misleading.
If you operate multiple AI systems and need to document them all under Annex IV, contact us for volume pricing at hello@solidwaretools.com.
AICheck produces a document structured under Article 11 and Annex IV of Regulation (EU) 2024/1689 from the information you provide. The accuracy, truthfulness and completeness of that information is your responsibility as provider of the AI system.
We guarantee that the document structure follows Article 11 and Annex IV of Regulation (EU) 2024/1689 and that the legal references cited are correct as of the last verification date. We do not guarantee that a specific document will be accepted by a market surveillance authority in a given case, nor by a commercial buyer in a procurement process.
AICheck is not legal advice. For specific situations, consult a lawyer or specialised regulatory consultancy.
Twelve documents. Annex IV fully structured. Regulation (EU) 2024/1689. Your data does not leave your machine. The ZIP you download is yours to keep.