If you are building or deploying AI systems in the EU, you are probably already managing GDPR obligations. Now the EU AI Act is layered on top.
The two regulations appear to conflict directly on one of the most sensitive data questions: how long do you keep training data?
GDPR says you delete it when it is no longer necessary. The EU AI Act says you keep it to prove your system is compliant.
Here is how you resolve it.
Why the Tension Exists
GDPR's storage limitation principle under Article 5(1)(e) requires that personal data is kept in a form that permits identification of data subjects for no longer than is necessary for the purposes for which the data was collected.
The EU AI Act under Article 10(5) allows high-risk AI systems to retain special categories of personal data, where strictly necessary, for the purpose of detecting and correcting biases.
Article 12 of the EU AI Act requires logging capabilities that retain records sufficient to enable post-hoc review of system outputs. For systems used in high-stakes decisions, these logs include input data linked to specific decisions affecting identifiable individuals.
A pure GDPR application would say: delete when the purpose expires. A pure EU AI Act application would say: retain to demonstrate conformity. Neither regulation explicitly defers to the other.
The Reconciliation Framework
The resolution lies in purpose specification and proportionality, the same principles that underpin GDPR compliance generally.
The key is to separate training data retention from operational log retention, and to apply different retention rules to each.
For training data, the GDPR purpose limitation principle requires a clear, documented legal basis for extended retention. Under Article 6(1)(f) (legitimate interests), or under Article 9(2)(g) (substantial public interest) for special category data, you can justify retaining training data beyond its original collection purpose if you document the necessity for bias detection, can demonstrate that no less privacy-invasive alternative exists, and have completed a legitimate interests assessment.
This is not a blanket exemption. It requires active documentation and regular review.
For operational logs under Article 12 of the EU AI Act, the retention period must be proportionate to the risk profile of the system. A general-purpose AI tool used internally has a different risk profile from a high-risk system used in employment screening under Annex III. The former may justify 30-day log retention. The latter may require two years or more.
What Your Documentation Must Show
The practical resolution requires you to produce documentation that serves both regulatory frameworks simultaneously.
Your data governance record must show the original collection purpose, the EU AI Act compliance purpose that justifies extended retention, the legal basis under GDPR Article 6 or Article 9 for that extended retention, a defined retention period tied to the EU AI Act conformity assessment cycle, and a deletion schedule activated at the end of that period.
This documentation should sit alongside your EU AI Act technical documentation under Annex IV and your GDPR Records of Processing Activities. In practice, many organisations are creating a unified data governance layer that feeds both.
The Special Category Problem
The conflict sharpens with special category data. GDPR restricts processing under Article 9 to specific grounds. The EU AI Act under Article 10(5) permits retention of such data for bias detection but only where strictly necessary and where appropriate safeguards are in place.
"Strictly necessary" is a high bar. You cannot retain sensitive demographic data because it might be useful. You need to demonstrate that the bias detection objective cannot be achieved using anonymised or aggregated data.
In most cases, pseudonymisation provides a workable middle path. You retain the data structure necessary for bias analysis while reducing the re-identification risk that makes GDPR Article 9 processing so constrained.
Pseudonymisation does not eliminate GDPR obligations. The data remains personal data for regulatory purposes. But it reduces the risk profile and strengthens the proportionality case.
Practical Steps
First, classify your AI systems by risk tier. High-risk systems under Annex III have active retention obligations that justify more extensive GDPR carve-outs. Limited-risk systems have a weaker case for extended retention.
Second, map your data flows. Know which data feeds your training pipeline, which data populates your operational logs, and which data supports your post-market monitoring obligations under Article 72.
Third, draft retention schedules that are regulation-specific. Your training data retention policy and your operational log policy should reference both GDPR and EU AI Act obligations explicitly, with legal bases cited for each.
Fourth, build deletion into your conformity process. When a conformity assessment cycle ends, your deletion triggers should activate. Retention that outlasts its regulatory purpose becomes a GDPR liability.
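The steps above can be encoded as a small policy check over the data governance record. The following is an added example, not part of the original article: it assumes a hypothetical record schema, uses the article's 30-day and two-year log figures as constructed defaults, flags the justifications the record must show but lacks, and computes when the deletion trigger fires.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Assumed operational-log retention defaults using the article's figures: 30 days
# for a limited-risk internal tool, two years for a high-risk Annex III system.
LOG_RETENTION_DAYS = {"limited": 30, "high": 730}

@dataclass
class GovernanceRecord:          # hypothetical schema for one governance entry
    system: str
    risk_tier: str               # "limited" or "high"
    data_class: str              # "training" or "operational_log"
    special_category: bool       # GDPR Article 9 data present
    pseudonymised: bool
    collection_purpose: str
    ai_act_purpose: str          # e.g. "bias detection, AI Act Art. 10(5)"
    gdpr_legal_basis: str        # "Art. 6(1)(f)" or "Art. 9(2)(g)"
    lia_completed: bool          # legitimate interests assessment done
    alternative_ruled_out: bool  # anonymised/aggregated data shown insufficient
    retention_anchor: date       # conformity cycle end (training) or log creation

def documentation_gaps(r: GovernanceRecord) -> list[str]:
    """Justifications the governance record must show but does not."""
    gaps = []
    if not r.collection_purpose: gaps.append("no original collection purpose")
    if not r.ai_act_purpose: gaps.append("no EU AI Act purpose justifying extended retention")
    if r.special_category:
        if r.gdpr_legal_basis != "Art. 9(2)(g)":
            gaps.append("special category data without an Article 9 ground")
        if not r.alternative_ruled_out:
            gaps.append("strictly-necessary test not evidenced")
        if not r.pseudonymised: gaps.append("not pseudonymised; proportionality case is weak")
    elif r.gdpr_legal_basis == "Art. 6(1)(f)" and not r.lia_completed:
        gaps.append("legitimate interests assessment not completed")
    if r.data_class == "training" and r.risk_tier != "high":
        gaps.append("extended training retention weakly justified below high risk")
    return gaps

def deletion_date(r: GovernanceRecord) -> date:
    """Training data: deletion fires when the conformity cycle ends. Logs: tier period."""
    if r.data_class == "operational_log":
        return r.retention_anchor + timedelta(days=LOG_RETENTION_DAYS[r.risk_tier])
    return r.retention_anchor

def deletion_due(r: GovernanceRecord, today: date) -> bool:
    return today >= deletion_date(r)   # retention past its purpose is a GDPR liability

def sample_records():  # constructed examples: high-risk screener, limited-risk helpdesk tool
    hr = GovernanceRecord("cv-screener", "high", "training", True, True, "recruitment",
                          "bias detection, AI Act Art. 10(5)", "Art. 9(2)(g)", False, True, date(2026, 6, 30))
    lg = GovernanceRecord("helpdesk-bot", "limited", "operational_log", False, False, "support",
                          "Art. 12 logging", "Art. 6(1)(f)", False, False, date(2026, 1, 1))
    return hr, lg
```

Run `documentation_gaps` over every record at each conformity review and `deletion_due` from a scheduled job, so the deletion schedule is enforced rather than merely documented.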
The organisations that handle this well are the ones treating data governance as infrastructure, not paperwork. The conflict between these two regulations is real, but it is navigable with deliberate documentation and proportionate retention design.