
Double Penalties in 2026: When the GDPR and EU AI Act Strike at the Same Time – AI Compliance for Companies

Key insights at a glance
- Cumulative penalties: From 2026 onward, a single AI mistake can trigger separate fine proceedings under the GDPR and the EU AI Act at the same time.
- August 2026 in focus: While the first AI prohibitions already apply, the strict obligations for high-risk AI systems will become binding in August 2026.
- Focus on the “deployer”: Most SMEs do not develop AI themselves as providers, but only use it as deployers - and are still subject to obligations.
- Central governance: To manage the double risk, data protection impact assessments and AI risk analyses need to go hand in hand.
Introduction
Imagine this: your company uses an AI-powered recruiting tool to automatically pre-sort incoming applications. Due to a misconfiguration in the algorithm, the tool produces discriminatory results. At the same time, applicants’ personal data is processed without a sufficient legal basis.
What used to be “only” a case for the data protection officer will trigger a completely new level of escalation in 2026. This single incident may not only result in a hefty GDPR fine, but also lead to severe sanctions under the EU AI Act in parallel. Welcome to the age of “double penalties.”
The EU AI Act is now a harsh reality. While the first prohibitions of unacceptable AI practices already apply, the key milestone is approaching in August 2026: the strict rules for so-called high-risk AI systems will become binding. Since the GDPR continues to apply without restriction, companies are now caught in a regulatory squeeze. Anyone using AI tools needs to understand how both laws interact in order to avoid potentially existential penalties.
Why the GDPR and EU AI Act apply in parallel
The GDPR regulates the protection of personal data. It applies whenever data relating to living individuals is processed. The EU AI Act, on the other hand, is product-safety-oriented and regulates the use of artificial intelligence systems based on their risk potential.
What happens when AI processes personal data? The legal answer is clear: both frameworks apply cumulatively. The AI Act does not replace the GDPR; it explicitly complements it.
Because both laws pursue different protected interests - the GDPR protects informational self-determination, while the AI Act protects safety and fundamental rights in the use of AI - this is not considered double punishment in the traditional legal sense. A single data breach in an AI system can therefore open the door to two separate supervisory authorities and two independent fine proceedings.
The most important question for SMEs: Are you a provider or a deployer?
To properly assess your own risk in 2026, companies need to define their role under the AI Act. A strict distinction is made here:
- Provider: You develop an AI system yourself or have it brought to market under your name in order to distribute it or use it yourself. Providers carry the heaviest set of obligations under the AI Act.
- Deployer: You use an AI system in a professional or commercial context under your own responsibility - for example, purchased HR software, a customer service chatbot, or an AI-powered analytics tool from a third-party provider.
Most small and medium-sized enterprises (SMEs) act purely as deployers. Many therefore feel safe and assume that the compliance burden lies solely with the software provider. That is a serious mistake. Even as a deployer, you will face strict obligations in 2026: you must monitor compliance with the provider’s instructions for use, ensure human oversight, retain relevant system logs, and, if necessary, stop the data processing.
The danger zones in detail: Where double penalties can arise
In practice, three core areas are emerging where the risk of a double violation is highest for deployers.
Recruiting and HR management
AI systems used in HR for filtering applications, assessing performance, or making promotion decisions are generally classified as high-risk AI under the AI Act.
- The GDPR risk: Automated individual decisions that produce legal effects, such as an automatic rejection, are generally prohibited under Article 22 GDPR unless an exception applies. In addition, transparent information for affected individuals is often missing.
- The AI Act risk: Anyone using such a system as a deployer must be able to prove from August 2026 onward that human oversight works without gaps and that the input data is relevant and representative for the intended purpose.
- The typical mistake: An SME blindly relies on the AI pre-selection of recruiting software without a human reviewing or approving the final rejections.
To learn how to implement AI in HR in a legally compliant and practical way, read our article “Implementing AI in HR the Right Way”.
Customer service and marketing automation
The use of intelligent chatbots or systems for creating customer profiles, known as profiling, will be standard in 2026.
- The GDPR risk: If customer data is analyzed for personalized marketing or behavioral predictions, the GDPR requires a solid legal basis, usually explicit consent, as well as comprehensive transparency.
- The AI Act risk: The AI Act requires clear transparency obligations for chatbots: users must immediately and clearly know that they are communicating with AI. If systems are used for biometric categorization or emotion recognition in the workplace, strict prohibitions may even apply.
- The typical mistake: A customer service chatbot collects sensitive customer data during the conversation, such as health complaints in an insurance context, without the data protection impact assessment being updated or the user knowing that they are talking to a machine.
Financial services and credit scoring
Systems used to assess creditworthiness or evaluate the risk of private individuals also fall under the high-risk classification.
- The GDPR risk: Inaccurate or non-transparent data leads to incorrect profiles. Data subjects have the right to an explanation and the right not to be subject to a purely automated decision.
- The AI Act risk: High-risk systems require detailed logging of all system states so that errors can be traced afterward. In addition, the cybersecurity of the system must be protected against manipulation, such as adversarial attacks.
- The typical mistake: A financial services provider uses an AI model for credit assessment but cannot later explain to the customer which data points led to the rejection. This violates GDPR transparency requirements and AI Act explainability expectations.
The fine risk in numbers
The financial pressure from both legal frameworks is massive and can theoretically be added together:
- Under the GDPR: Up to EUR 20 million or 4% of the worldwide annual turnover of the preceding financial year — whichever amount is higher.
- Under the EU AI Act: Up to EUR 35 million or 7% of worldwide annual turnover for the use of prohibited AI practices. For violations of obligations related to high-risk systems, fines of up to EUR 15 million or 3% of turnover may apply.
Although the general European principle of proportionality requires supervisory authorities to consider whether a sanction has already been imposed under the other law when determining the fine, the financial burden of coordinated proceedings by data protection and AI supervisory authorities can still be existentially threatening for many companies.
Roadmap to double AI compliance
To avoid coming under regulatory scrutiny in 2026, companies need to end silo thinking. IT, data protection, and management can no longer look at AI compliance separately.
- Step 1 - Create an AI inventory: Record every AI tool used in the company. Document its purpose, provider, processed data, and whether the system makes automated decisions.
- Step 2 - Combined risk assessment: For critical systems, carry out a data protection impact assessment (DPIA under Art. 35 GDPR) and an AI risk classification under the AI Act as part of one shared process.
- Step 3 - Tighten contracts: Review the contracts and data processing agreements (DPAs) with your software providers. Make sure the provider gives you all technical information you need as a deployer to meet your AI Act obligations, for example for human oversight. Who is liable if the provider’s AI hallucinates or discriminates? This must be contractually defined.
- Step 4 - Use central governance: For mid-sized companies, double compliance is almost impossible to manage manually. A digital, central compliance platform — like heyData’s — helps connect the AI inventory directly with existing data protection records of processing activities and DPIAs. This prevents duplicate work and closes dangerous gaps between IT security and legal protection.
Conclusion
The double penalty risk in 2026 is not a theoretical horror story invented by lawyers, but the logical consequence of a digitalized legal environment. Companies that want to benefit from the efficiency gains of AI must master the rules of both worlds at the same time: data protection and AI safety.
As the countdown to the high-risk rules in August 2026 continues, now is the right time to act. Companies that systematically inventory their AI systems, establish clear processes for human oversight, and rely on an integrated compliance strategy can effectively protect themselves against the double reach of supervisory authorities.
FAQ
Can my company really be fined twice for the same AI mistake?
Yes. Since the protected interests of the GDPR (protection of fundamental rights in data processing) and the AI Act (safety of AI products) are different, two separate fines may be imposed. Authorities must coordinate the penalties proportionately, but cumulative fines are legally possible.
Does the EU AI Act also apply to Swiss companies?
Yes, through its so-called extraterritorial effect. If a Swiss company offers AI on the EU market or if the outputs of an AI system are used in the EU, for example when analyzing EU citizens’ data, the AI Act must be complied with. Switzerland is also working on its own harmonized AI rules.
Is our internal data protection officer enough for AI compliance?
Usually not on their own. The data protection officer is an expert in the GDPR. However, the AI Act also requires deep technical understanding of algorithms, data quality, technical documentation, and AI risk management. An interdisciplinary team made up of IT leadership, legal, and the DPO is recommended.
What happens if employees secretly use “shadow AI,” such as private ChatGPT accounts?
This is one of the biggest risks in 2026. If customer or company data is entered into an external, unauthorized AI tool, this immediately creates a serious GDPR violation. As a deployer, you are also liable for organizational failures. A clear AI policy and blocking unauthorized tools are essential.
Important: The content of this article is for informational purposes only and does not constitute legal advice. The information provided here is no substitute for personalized legal advice from a data protection officer or an attorney. We do not guarantee that the information provided is up to date, complete, or accurate. Any actions taken on the basis of the information contained in this article are at your own risk. We recommend that you always consult a data protection officer or an attorney with any legal questions or problems.


