From August 2, 2026, the grace period ends: regulators stop explaining and start enforcing the AI Act. For most companies, this isn’t a reason to panic—but a reason to get organized. Compliance retrofitted after the fact costs many times more than compliance designed from the start.
Two Regimes to Handle Simultaneously
RODO and the AI Act are different regimes that partially overlap:
- RODO governs how you process personal data—legal basis, data minimization, individual rights (access, erasure), and for high-risk processing, a Data Protection Impact Assessment (DPIA).
- AI Act governs what kind of AI system your solution is—classifying it by risk and adding obligations: technical documentation, human oversight, registers, and conformity assessments.
In Poland, oversight of AI data processing is handled by UODO, while some AI Act tasks fall under a new commission at the Ministry of Digital Affairs. In practice: one implementation must meet both sets of requirements—not choose one.
Risk Classification: Where Do You Stand?
The AI Act divides systems by risk level. For most companies, two levels matter:
| Risk Level | Example | Key Obligation |
|---|---|---|
| Limited | Chatbot “how can I help?”, content generator | Transparency—user knows it’s AI |
| High | Customer profiling, scoring, decisions about people | Human oversight, documentation, registers, often DPIA |
The line is practical: a chatbot that only answers questions is usually limited risk. The same chatbot, when it starts profiling, assessing sentiment, or making decisions about a customer, jumps into high risk—and triggers significantly more obligations, including a Data Protection Impact Assessment (DPIA).
Four Things We Always Implement
Regardless of risk level, these four elements are designed into every deployment:
- Transparency—the assistant clearly identifies as AI and can hand off to a human at any time (human-handoff). This is the AI Act minimum for limited-risk systems.
- Human oversight—irreversible actions and decisions impacting people require confirmation (human-gate). The system doesn’t operate “fully” autonomously—it operates autonomously within a narrow, defined scope.
- Audit trail and accountability—every significant step is logged, so you can demonstrate what the system did and why. Without logs, there’s no accountability, which both RODO and the AI Act require.
- Data minimization and localization—PII is masked before leaving for the cloud, and sensitive workflows are handled locally. Sensitive data does not have to leave the country.
“Does the bot have to introduce itself?”—Yes
This question comes up most often, and the answer is simple: yes. Limited-risk systems (chatbots, assistants, content generators) must meet the transparency requirement—the user must know they’re interacting with AI or consuming AI-generated content. That’s why our assistants don’t impersonate humans: they identify as AI and offer to transfer to a human. This doesn’t limit value—it builds trust.
When You Need a DPIA
A Data Protection Impact Assessment (DPIA) is required when processing could pose a high risk to individuals’ rights—typically in large-scale profiling, processing sensitive data, or automated decisions about people. In practice: if your system only answers questions from your knowledge base, a DPIA is usually unnecessary; if it evaluates, profiles, or decides—it likely is. This is the moment to talk to a lawyer, not guess.
Compliance Is a Design, Not a Patch
The most important rule is the same as with security: barriers and compliance are designed in from the first line of code. Inputs are filtered, PII is masked, actions are gated, every step is logged, transparency is built in. A system designed this way is compliant “by nature”—not patched in a panic before an audit. It is the same approach that, combined with self-hosting, makes a deployment RODO-compliant.
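The four elements listed under “Four Things We Always Implement” and the design rule above, shown together as one small turn-handling pipeline. This is an added illustration, not the company’s own code; the PII patterns, the set of irreversible action names and the `confirm` callback are assumptions made for the example.

```python
import re
from dataclasses import dataclass, field

# Transparency: the assistant identifies as AI and offers a human handoff up front.
AI_DISCLOSURE = "I am an AI assistant. Say 'human' at any time to be transferred to a person."

# Constructed PII patterns (assumption): 11-digit national ID, +CC phone, e-mail.
# Order matters: the ID pattern runs first so a bare 11-digit run is not read as a phone.
PII_PATTERNS = [
    ("ID", re.compile(r"\b\d{11}\b")),
    ("PHONE", re.compile(r"\+\d{2}(?:[ -]?\d{3}){3}")),
    ("EMAIL", re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+")),
]

# Human gate: irreversible actions or decisions about people (action names are assumed).
IRREVERSIBLE = {"delete_account", "issue_refund", "close_contract"}


@dataclass
class AuditLog:
    """Append-only trail of every significant step, written with PII already masked."""
    entries: list = field(default_factory=list)

    def record(self, step, **details):
        self.entries.append({"step": step, **details})


def mask_pii(text):
    """Replace PII with typed placeholders before the text leaves the local boundary."""
    for label, pattern in PII_PATTERNS:
        text = pattern.sub(f"<{label}>", text)
    return text


def handle_turn(user_text, proposed_action, log, confirm):
    """One assistant turn: handoff on request, mask, gate, execute, and log each step.

    `confirm(action)` is the human-gate callback and must return True only when a
    person approved the action.  Returns (status, message).
    """
    if "human" in user_text.lower():
        log.record("human_handoff")
        return "handoff", "Transferring you to a person."
    masked = mask_pii(user_text)
    log.record("input_masked", masked=masked)  # only the masked form is ever stored
    if proposed_action in IRREVERSIBLE:
        approved = confirm(proposed_action)
        log.record("human_gate", action=proposed_action, approved=approved)
        if not approved:
            return "blocked", f"'{proposed_action}' needs human approval; nothing was executed."
    log.record("action_executed", action=proposed_action)
    return "executed", f"'{proposed_action}' completed."
```

The audit trail never contains raw PII because masking runs before the first log entry, and a blocked action leaves a record showing that the gate fired and who declined it.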
Try It Live
Describe your use case, and the model will help preliminarily assess the risk level and obligations—as a starting point for a lawyer consultation, not a replacement (playground: PII masked, zero retention).
FAQ
Does my chatbot have to disclose it’s a bot?
Yes. From August 2026, the AI Act requires transparency for limited-risk systems—the user must know they’re interacting with AI, not a human. Our assistants identify as AI and can transfer the conversation to a human at any time.
How does the AI Act differ from RODO?
They’re different regimes. RODO regulates personal data processing (legal basis, individual rights, DPIA). The AI Act regulates the AI system itself—classifying it by risk and adding technical documentation, human oversight, and registers. One implementation must comply with both—not choose one.
When do I need a DPIA for AI deployment?
When processing could pose a high risk to individuals’ rights—typically in large-scale profiling, sensitive data, or automated decisions about people. An assistant that only answers questions from your knowledge base usually doesn’t require a DPIA; a system that profiles or decides likely does.
Does data processed by AI have to stay in Poland?
Not necessarily, but it can—and often should. We mask PII before sending it to the cloud, and sensitive workflows are handled locally on your own infrastructure, so sensitive data does not have to leave the country. Data processing location is tailored to your RODO and confidentiality requirements.
Is this legal advice?
No. This is a practical guide to how we design technical compliance. Always confirm risk classification, DPIA, and formal obligations with a lawyer—we design systems so compliance can be demonstrated.