EU AI Act + GDPR: a double burden for LATAM companies operating with Europe

The EU AI Act entered into force progressively from August 2024 and applies in stages until 2027. The rule has extraterritorial effect: any LATAM company offering AI systems in the EU, or whose output is used in the EU, falls within its scope. Combined with GDPR, this creates a double burden for many exporters of digital services.

The AI Act risk categories

• Unacceptable risk (prohibited): social scoring, cognitive manipulation, real-time biometric identification with limited exceptions.
• High risk: systems affecting health, education, employment, justice, critical infrastructure. Conformity assessment required before deployment.
• Limited risk: chatbots, deepfakes, emotion recognition systems. Transparency obligation.
• Minimal risk: the rest. Voluntary codes of conduct.

The clash with GDPR

The AI Act does not replace GDPR — it complements it. An AI system processing personal data of Europeans must comply with both simultaneously: algorithmic transparency (AI Act) + legal basis (GDPR); conformity assessment (AI Act) + DPIA (GDPR).

Fines that can break a company

Up to €35 million or 7% of global turnover, whichever is higher, for prohibited systems infringements.

What to do

If your company exports digital services to the EU, you need a unified inventory of GDPR processing activities + AI Act systems. GOBERNANZA.IO includes a combined GDPR/AI Act view designed for LATAM companies with European customers.