AI hackathons and EU compliance: what enterprise teams need to know

The EU AI Act is no longer a regulation on the horizon. Prohibited AI practices have been enforceable since February 2025, general-purpose AI obligations applied from August 2025, and on 2 August 2026, the full weight of high-risk AI system requirements comes into force, with penalties up to €35 million or 7% of global annual turnover for the most serious violations.

Hackathons sit right in the middle of this.

They generate personal data, they produce AI prototypes, and the platforms that host them process both. Yet no one in the hackathon space is talking about it.

This article is for the innovation managers, HR leads, and procurement teams at European enterprises running AI programs.

Two frameworks. Both apply to your event.

Most enterprise legal teams are comfortable with GDPR by now. The AI Act is newer and less well understood, and when both frameworks apply to the same AI system, the combination creates a gap that very few organisations have addressed.

The first thing to understand is that GDPR and the EU AI Act are not the same regulation and do not cover the same things. They stack.

GDPR governs data.

Every time a participant registers for your hackathon, fills in a profile, submits a project, or gets matched to a team, personal data is being processed. That processing needs a lawful basis. You need to tell people what you're collecting, why, and how long you'll keep it.

The EU AI Act governs AI systems.

If participants are building AI tools during your event (and in 2026, it's highly likely they are), questions arise about who is responsible for what gets built, and under what conditions it can be tested and deployed.

What GDPR means for how you run your event

A hackathon produces more personal data than most organizers realize.

Registration captures names, emails, professional backgrounds, and sometimes CVs. Team formation involves matching people based on skills and preferences. Project submissions contain the work product of identifiable individuals. Judging involves assessments tied to those individuals. Post-event follow-up, if you send prize notifications or recruitment leads to sponsors, means that data travels further.

Each of these is a data processing activity under GDPR, and each requires a lawful basis. For most hackathons, that basis is consent. Participants agree to their data being used for the purpose of running the event. The problem is that consent needs to be specific, informed, and freely given. A generic "I accept the terms" checkbox at registration does not cover every downstream use of participant data.

A few concrete things that often get missed:

Data minimization. GDPR requires that you collect only what is necessary for the purpose. If you ask for a participant's LinkedIn URL, date of birth, or employer at registration and don't need it to run the event, you shouldn't be collecting it.

Third-party tools. Most hackathons run on a combination of platforms: a hackathon management tool, Slack or Discord for communication, Notion or Google Drive for documentation. You remain responsible for ensuring those tools process participant data compliantly. You cannot outsource liability to your vendors.

Post-event follow-up. If you plan to share participant profiles with sponsors or use submission data for recruitment, that use needs to be disclosed before participants sign up, not added to the terms after the event. The purpose for which data is collected must be explicit and legitimate from the start.

What the EU AI Act adds on top

GDPR compliance is necessary but not sufficient. The EU AI Act introduces a separate layer of obligations that apply specifically because participants are building AI.

The Act classifies AI systems into risk tiers: prohibited, high-risk, limited risk, and minimal risk. Most hackathon prototypes will fall into the limited or minimal risk categories, which carry lighter obligations. But the classification depends on what the system does, not what it's called.

If a team builds a tool that scores, ranks, or makes decisions about people, even a prototype, the risk profile changes.

AI used in hiring, credit assessment, education, or access to essential services is classified as high-risk under Annex III of the Act. For this purpose, a hackathon project is still a project: the "prototype" label does not change the classification.

There are other AI Act obligations that apply to hackathon organizers directly:

AI literacy (in force since February 2025). Article 4 of the Act requires organisations to ensure adequate AI literacy among employees and anyone using or deploying AI systems on their behalf. If you're running an AI hackathon, you have a duty to ensure participants understand what they're building. That means more than a waiver. Responsible AI guidelines, challenge briefs that flag risk categories, and facilitated briefings on what kinds of systems require special care are all part of what good looks like here.

Role classification. Determining whether your organisation acts as a provider or deployer under the AI Act, and the resulting responsibilities, can be complex, particularly when AI products are co-developed or when a company makes additional developments to an existing AI product. In a hackathon context, where participants build on top of existing models and the organizer hosts the submissions, that line is not always clear.

Transparency obligations (applying from August 2026). AI systems that interact with people must disclose their artificial nature. If your hackathon uses AI-powered matching, judging, or project scoring, those systems are subject to this obligation too, not just the prototypes participants submit.

The part everyone misses: what happens after the event

GDPR has a storage limitation principle. Personal data must be deleted once the purpose for which it was collected is fulfilled.

For a hackathon, that purpose is running the event. Once it ends, the lawful basis for holding participant data narrows significantly. Retaining it for recruiting pipelines or future programme marketing requires a separate basis, typically explicit consent, collected at registration.

But the EU AI Act creates a competing pressure.

GDPR mandates personal data erasure as soon as it is no longer required for its purpose, while the AI Act demands lengthy archival of system documentation. For a hackathon organizer sitting on submitted AI prototypes, these two obligations pull in opposite directions.

The practical resolution is anonymization. Anonymized data is no longer considered personal data under GDPR and can therefore be retained without triggering the storage limitation principle, but the anonymization has to be real and irreversible. Pseudonymization doesn't count.
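An added illustration (not from the article, and not TAIKAI's platform code) of the distinction above, using constructed registration rows: hashing the email is pseudonymization, because anyone holding the original email list can rebuild the mapping, whereas dropping direct identifiers, coarsening the quasi-identifiers and suppressing any combination shared by fewer than k rows leaves nothing that points back to one participant. Field names and the k value are assumptions for the example.

```python
import hashlib
from collections import Counter

# Constructed sample registration records; no real participants.
REGISTRATIONS = [
    {"name": "Ana Silva", "email": "ana@example.org", "employer": "Acme", "country": "PT", "years": 3, "track": "fintech"},
    {"name": "Ben Okoro", "email": "ben@example.org", "employer": "Globex", "country": "PT", "years": 2, "track": "fintech"},
    {"name": "Chen Li", "email": "chen@example.org", "employer": "Initech", "country": "DE", "years": 12, "track": "health"},
    {"name": "Dana Roy", "email": "dana@example.org", "employer": "Umbrella", "country": "DE", "years": 9, "track": "health"},
    {"name": "Eva Novak", "email": "eva@example.org", "employer": "Hooli", "country": "CZ", "years": 1, "track": "health"},
]
QUASI_IDENTIFIERS = ("country", "experience_band", "track")  # assumed for the example


def _pseudonym(email):
    return hashlib.sha256(email.strip().lower().encode()).hexdigest()


def pseudonymize(records):
    """Drop name and email, keep a stable SHA-256 pseudonym of the email.
    Each row still refers to exactly one person: this is pseudonymization,
    and under GDPR the rows remain personal data."""
    return [{**{k: v for k, v in r.items() if k not in ("name", "email")},
             "participant_id": _pseudonym(r["email"])} for r in records]


def relink(pseudonymized, known_emails):
    """Whoever holds the original email list (the organizer, or a sponsor who
    received profiles) can rebuild the mapping from the pseudonyms.
    Returns {participant_id: email or None}."""
    lookup = {_pseudonym(e): e for e in known_emails}
    return {p["participant_id"]: lookup.get(p["participant_id"]) for p in pseudonymized}


def experience_band(years):
    return "0-4" if years < 5 else "5+"


def anonymize(records, k=2):
    """Keep only generalized quasi-identifiers and suppress any combination
    shared by fewer than k rows (k-anonymity). Direct identifiers are gone and
    no remaining row is singled out, so the output can be kept past the event
    without being personal data."""
    generalized = [{"country": r["country"],
                    "experience_band": experience_band(r["years"]),
                    "track": r["track"]} for r in records]

    def key(g):
        return tuple(g[q] for q in QUASI_IDENTIFIERS)

    counts = Counter(key(g) for g in generalized)
    return [g for g in generalized if counts[key(g)] >= k]
```

With these five rows and k=2, the lone Czech participant is suppressed because her combination of quasi-identifiers would single her out. Real hackathon datasets also contain free-text submissions and repository links, which carry far more re-identification risk than the structured fields shown here and need the same treatment before retention.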

IP ownership is the related question that enterprise legal teams should ask before the event, not after.

If a team builds something valuable during your hackathon and you want to productize it, new AI Act obligations kick in the moment you take a prototype to market. That transition needs to be planned, not discovered.

What a compliant AI hackathon looks like in practice

None of this requires a legal team embedded in the event. It requires thinking about compliance before the challenge goes live, not after.

1. At registration: state clearly what data you're collecting, the lawful basis for processing it, how long you'll retain it, and under what conditions it will be shared. If you plan to share profiles with sponsors or use submissions for follow-up programs, say so upfront.

2. In the challenge brief: include a responsible AI section. Flag what risk categories apply to the challenge theme. If the challenge is in healthcare, finance, or HR, tell teams upfront what documentation their prototype needs and what they shouldn't build without proper oversight.

3. During the event: AI literacy isn't a tick-box. A short briefing on the AI Act risk tiers, what counts as a high-risk system, and what transparency obligations apply takes thirty minutes and prevents significant downstream exposure.

4. After the event: define your data retention policy before you launch. Decide which submissions you'll retain, in what form, for how long, and why. Make that policy visible to participants. For projects you want to carry forward, document the transition from hackathon prototype to deployed system. That's where the Act's requirements for high-risk systems begin to apply.

TAIKAI is an EU-based platform, built and operated under Portuguese law, with GDPR compliance built into the platform's core data handling.
We've run 300+ hackathons with organisations including Microsoft, Pfizer, and the European Commission. If you're running an enterprise AI program and need a platform that takes the regulatory environment seriously, talk to us.

The window is closing

August 2026 is three months away. Most enterprise AI compliance programs are focused on the AI systems companies deploy internally. The hackathons they run to build those systems are sitting outside the compliance perimeter.

That gap won't stay invisible. The first enforcement actions under the AI Act will create case law that clarifies where organizer liability sits. Being ahead of that is easier than responding to it, and can save you plenty of headaches.

This is not a reason to stop running hackathons. It's a reason to run them properly.

This article is for informational purposes only and does not constitute legal advice. For specific compliance guidance, consult qualified legal counsel.

Carlos Mendes