In the previous part of our Data Act series, we explored how the EU Data Act (Regulation (EU) 2023/2854, the “Data Act”) establishes new frameworks that transform the way organisations handle data, creating new compliance obligations while opening up substantial opportunities across both consumer and industrial data ecosystems. Building on that foundation, this article turns to one of the critical intersections in EU digital regulation: the relationship between the Data Act and the General Data Protection Regulation (Regulation (EU) 2016/679, the “GDPR”).
Shared foundations, different objectives
The GDPR and the Data Act are complementary but differ substantially. The GDPR is fully applicable to all personal data processing activities under the Data Act. Its focus is on personal data, that is, information relating to an identifiable individual, and on ensuring that its processing is lawful, transparent, and limited to specific purposes. The Data Act, on the other hand, aims to unlock the value of non-personal data, although it still applies to personal data too.
Both laws are built on similar principles: transparency, user control, fairness, and accountability. At the same time, their regulatory logics diverge:
- Data Act → focuses on data access and reuse, mainly in the context of non-personal and mixed data: it seeks to enable and incentivise data sharing to stimulate competition and innovation.
- GDPR → focuses on personal data protection and the rights of natural persons: it restricts and places conditions on the use of personal data to safeguard privacy.
The tension between these objectives becomes most visible in mixed datasets (personal/non-personal) and mandatory data-sharing scenarios.
When data is both personal and non-personal: the “mixed dataset” challenge
In practice, few datasets are purely personal or purely non-personal. Connected vehicles, smart home devices, and industrial sensors typically generate mixed datasets, containing both personal data (e.g., driver behaviour) and non-personal data (e.g., engine temperature). The Data Act recognises this reality but leaves organisations with a difficult task: ensuring compliance with both frameworks simultaneously.
The Data Act imposes extensive obligations on data holders to share data with users (Articles 3–7) and, in certain circumstances, with public sector bodies (Articles 14–22). These obligations aim to ensure that users can access and reuse the data generated by the connected products they use. However, when personal data is included, these sharing duties must still comply with the GDPR’s principles of lawfulness, purpose limitation, and data minimisation.
One way to meet the Data Act’s sharing obligations while staying compliant with the GDPR is to separate personal data from non-personal data within the database. However, such separation is often technically challenging or even impossible and generates additional (often significant) costs. As a result, anonymisation, aggregation, and pseudonymisation become key compliance tools.
To stay compliant when navigating the intersection of the Data Act and the GDPR, organisations must therefore:
- understand what kinds of data they possess in what configurations (personal/non-personal);
- identify a valid lawful basis for processing under GDPR when handling a data access request;
- ensure that data subjects are adequately informed (i.e. relevant notices must be in place);
- in their contracts under the Data Act, clearly allocate controller–processor roles, establish data minimisation measures, and include safeguards consistent with GDPR standards.
When in doubt: GDPR prevails?
The Data Act and the GDPR are meant to coexist and regulate seemingly overlapping areas related to data sharing, which may include personal data. Importantly, Article 1(5) of the Data Act clarifies that it is “without prejudice” to the GDPR, including the powers and competences of supervisory authorities and the rights of data subjects. It also states that in the event of a conflict between the Data Act and EU law on the protection of personal data or privacy, or national legislation adopted in accordance with such EU law, the relevant EU or national law on the protection of personal data or privacy shall prevail.
This cannot, however, be read as a simple blanket rule giving the GDPR precedence, as the two instruments interconnect and interact in numerous ways whose practical application remains to be seen.
According to a reasonable interpretation of the Data Act, the GDPR does not always take precedence over the Data Act, as:
- according to Article 1 (5) Sentence 3 of the Data Act, data protection law (only) prevails in the event of a conflict between the Data Act and GDPR;
- the Data Act contains provisions specifically targeting personal data; e.g. in the case of the involvement of data processors in the granting of data access (Recital 29 of the Data Act), in case of user’s data access requests (Article 4 (12) of the Data Act) or in requests for data to be made available under Article 17 (1) (g) of the Data Act;
- the Commission in its resources (FAQs) indicates: “in some cases, the Data Act specifies and complements the GDPR” (e.g. real-time portability of data from Internet-of-Things (IoT) objects).
Therefore, the rules set out in the GDPR should not be understood as overriding obligations under the Data Act as a matter of course. The GDPR nonetheless continues to provide the general framework for processing personal data and remains fully applicable to all personal data processing activities under the Data Act. Where a conflict is alleged, a case-by-case examination should be conducted to establish whether there is in fact a conflict of obligations.
Complex supervisory framework
The Data Act introduces yet another layer to the EU’s digital regulatory landscape, establishing new enforcement mechanisms that impact the data sector. Data protection authorities remain fully competent to enforce obligations under the GDPR. However, enforcement of the Data Act will fall to ‘competent authorities’ designated by each Member State, which may involve creating new bodies or expanding the powers of existing ones. Notably, the Data Act provides that supervisory authorities responsible for monitoring the GDPR will also be responsible for overseeing the application of the Data Act, but only insofar as the protection of personal data is concerned. In these cases, Chapters VI and VII of the GDPR apply mutatis mutandis. This results in a complex and potentially fragmented matrix of supervisory authorities, with overlapping responsibilities and enforcement powers, further complicating the regulatory environment for organisations operating in the data sector.
Practical guidance for organisations
Organisations navigating both frameworks should start by mapping their data flows to distinguish personal, non-personal, and mixed datasets. For each category, they should identify applicable obligations and lawful bases for processing. Recommended actions include:
- map datasets to identify personal vs. non-personal data (data classification);
- design “data-sharing protocols” that layer Data Act compliance over GDPR principles;
- implement technical measures (e.g., pseudonymisation and access control);
- adjust data access and data deletion procedures;
- review or supplement data protection notices and privacy policies;
- review and amend data processing agreements and joint controller agreements.
From a contractual perspective, data-sharing agreements should clarify roles, establish responsibilities, and ensure that any sharing obligations under the Data Act do not inadvertently breach GDPR provisions. In short, GDPR compliance remains the foundation upon which Data Act compliance must be built.