01.10.2025

Data Act and GDPR

The EU regulation known as the Data Act will change the way companies collect and share data. In practice, the Data Act often “intersects” with the GDPR – how do these two European data regulations work together? How can privacy protection be reconciled with the obligation to share data?

Regulations and their application

The GDPR (Regulation 2016/679) has been in force since 2018 and establishes an EU-wide standard for the protection of personal data.

The Data Act (Regulation 2023/2854), adopted in 2023, will apply from September 2025 and regulates, in particular, access to data generated by devices, services and systems.

Together, they create a legal framework aimed at protecting individuals while at the same time developing a data-driven economy. The regulations should be interpreted as complementary – especially in situations where technical data contains personal elements.

Normative objectives

The purpose of the GDPR is to protect the rights and freedoms of natural persons, minimize risk and ensure control over one’s own data.

The Data Act, on the other hand, promotes the free flow of data in the EU to support competition, innovation and new business models. It imposes new obligations related to access to data, its sharing with third parties, and the interoperability of digital services.

Although these objectives differ, in practice they complement each other – parallel application takes into account both values: the protection of the data subject and the public and economic interest.

Subject matter of regulation

The GDPR covers only personal data, defined in Article 4(1) as information relating to an identified or identifiable natural person.

The Data Act applies to all data generated through the use of products or services, regardless of their nature.

Consequently, if data made available under the Data Act contains personal elements, the GDPR regime applies.

Obligations of companies

Under the Data Act, manufacturers and service providers are required to enable the user to access data generated by a product and to transfer it to designated third parties. The performance of this obligation must, however, comply with the principles of purpose limitation and data minimization set out in the GDPR.

In practice, this means the need to implement contractual procedures and technical safeguards.

Practical risks

Improper implementation of the Data Act may lead to GDPR violations. For example, transferring personal data to a third party without an appropriate legal basis will constitute a violation of Article 6 of the GDPR. Another risk is the lack of proper anonymization.

Sanctions may be cumulative: administrative fines under the GDPR and contractual liability under the Data Act.

Legal grounds for processing

The GDPR requires that each data processing operation has a legal basis, such as consent, contract or legal obligation.

The Data Act introduces an obligation to share data but does not replace the requirements of the GDPR. Companies must therefore indicate the legal basis on which they will transfer the data in order to avoid allegations of unlawful processing.

How to reconcile the regulations?

To reconcile the two regimes, the controller should implement procedures for data classification, pseudonymization and anonymization. It is also essential to conclude agreements regulating access to and further use of data.

Data protection impact assessments are also crucial when sharing data may result in a high risk to the rights and freedoms of individuals.

What does the Data Act mean for business?

The Data Act and the GDPR should be treated together as part of the EU data strategy. Entrepreneurs should prepare comprehensive compliance programs: audits of data flows, contractual procedures and technical security measures.

Failure to comply by September 2025 risks not only financial penalties but also the loss of trust from contractors and business partners.

This post was prepared as part of the 60th edition of Compliance Insights. The graphic version in Polish can be found on our LinkedIn profile and in our Knowledge Base.
