Data Act: Part 3 – Data Act and GDPR
Published on 25th March 2025
(How) do they act together?

From 12 September 2025, a majority of obligations under the European Data Act will apply, including the obligation for providers of connected products and related services to make available usage data to certain actors. Both personal and non-personal data are equally affected, as the Data Act applies to both (Art. 1 (2) Data Act). Unfortunately, this does not automatically mean that a differentiation can be avoided for the purposes of the Data Act since it includes different provisions depending on whether personal data is involved or not:
- Chapter VII Data Act generally only applies to non-personal data;
- Articles 4 (12) and 5 (7) Data Act restrict the obligation of the data holder to disclose certain data only for personal data;
- The obligation to conclude a contract with the user and usage restrictions for data holders in Articles 4 (13) and (14) Data Act apply only to non-personal data;
- Article 5 (1) Data Act contains a special provision regarding personal data, stating that the right to data sharing enshrined therein must not affect the rights of data subjects under the GDPR.
Thus, the GDPR continues to provide special provisions for the handling of personal data, which must potentially also be considered within the framework of the Data Act. Therefore, it is still necessary to differentiate thoroughly between personal and non-personal data.
Resolution of differentiations through blanket priority rule?
Unfortunately, generally assuming a priority of the GDPR over the Data Act, and thus overturning across the board any undesirable obligations to grant data access under the Data Act, is not an option. It is true that Article 1 (5) Sentence 1 Data Act states that the Data Act applies “without prejudice” to the GDPR, and that, according to Recital 7 Sentence 2 Data Act, the Data Act shall complement and is without prejudice to Union law on the protection of personal data. In this regard, the Commission clarified in its updated FAQ document on the Data Act of 3 February 2025: “The GDPR is fully applicable to all personal data processing activities under the Data Act. The Data Act does not regulate as such the protection of personal data.”
However, these determinations are unfortunately overly simplistic and at best misleading. According to a reasonable interpretation of the Data Act, the GDPR does not always and across the board take precedence over the Data Act. This can be seen in the following provisions in particular:
- According to Article 1 (5) Sentence 3 Data Act, data protection law (only) prevails in the event of a conflict between Data Act and GDPR;
- The Data Act contains provisions that generally regulate the handling of “data” and thus are intended to apply specifically also to personal data; e.g. usage restrictions by third parties under Article 6 Data Act;
- The Data Act even contains provisions specifically targeting personal data; e.g. in the case of the involvement of data processors in the granting of data access (Recital 29 Data Act) or in requests for data to be made available under Article 17 (1) (g) Data Act.
Ultimately, the Commission also confirms this interpretation when it states in its FAQ: “In some cases, the Data Act specifies and complements the GDPR.”
This means that obligations or prohibitions under the GDPR cannot be generally held against any obligations under the Data Act. A case-by-case examination must be carried out to determine whether a conflict of obligations exists in the specific case, resulting in a conflict of regulations.
When is there a conflict of regulations?
The question of when such a conflict of regulations exists (which could then really lead to the inapplicability of the Data Act) has already been addressed by the CJEU in a somewhat comparable case. This case law can be used here as an interpretative maxim for the Data Act.
In its judgment in the case Wind, the CJEU determined the existence of a conflict of regulations by interpreting comparable provisions in Article 3 of the Directive 2005/29 on unfair commercial practices and Article 1 (4) of the Universal Service Directive as follows (CJEU, judgment of 13 September 2018, Cases C-54/17 and C-55/17, paras. 60, 61):
- A conflict means a relationship between the provisions that goes beyond a mere deviation or simple difference and exhibits a divergence that cannot be overcome by reconciliation.
- A conflict does not exist therefore if the provisions allow the coexistence of two situations without having to distort them.
- A conflict exists only if one legal act imposes obligations that are incompatible with those of another legal act.
This means: a conflict of regulations with the GDPR, which could lead to the inapplicability of a Data Act provision, would practically only exist if the GDPR prohibits a data processing activity that the Data Act mandatorily requires. No conflict of regulations exists, however, if, for example, the Data Act requires processing that the GDPR does not require (although allowing it); in such cases, coexistence of both regulatory regimes is possible, with the Data Act provision prevailing.
Implications for data access scenarios
What does this mean specifically for practical situations related to data access claims under Articles 4 ff. Data Act:
- Can a company generally refuse to make available personal data to a third party by referring to the precedence of the GDPR? No: Article 5 (1) Data Act enshrines a right of the user to request the data holder to disclose data to third parties. Article 5 (13) Data Act contains an independent special provision regarding the consideration of rights of data subjects under the GDPR; this must be observed here. In the end, a legal basis for data processing under Article 6 GDPR is required; a blanket refusal cannot be justified.
- Does the precedence of the GDPR override the stricter deletion obligation under the Data Act regarding personal data, allowing data to be retained longer? No: According to Article 6 (1) Sentence 2 Data Act, the third party must delete the received (personal) data as soon as it is no longer required for the agreed purpose. This special deletion obligation is stricter than Article 17 GDPR and does not contain an exception for personal data. Since the GDPR only allows longer retention but does not require it, no conflict arises that would need to be resolved through a precedence rule.
- Can a company process data for other purposes by referring to the GDPR, even if the Data Act prohibits it? No: Article 6 (1) Sentence 1 Data Act prohibits the third party from using the provided data for purposes other than those agreed with the user. This purpose limitation rule is stricter than that in Article 6 (4) GDPR. Nevertheless, the third party is prohibited from changing the purpose contrary to the Data Act provision based on the GDPR; since the GDPR only allows such a purpose change but does not mandate it, no real conflict exists, and the Data Act takes precedence.
- Can a company refuse to make available personal data to a third party if it lacks a legal basis under the GDPR? Yes: Article 5 (1) Data Act enshrines a right of the user to request the data holder to disclose data to third parties; if the data does not (only) relate to the user but to another natural person, the data holder needs a legal basis under Article 6 GDPR for this according to Article 5 (7) Data Act. Since this requirement directly arises from the Data Act, the question of the precedence of the GDPR does not arise here.
In conclusion, contrary to the common belief that the GDPR takes precedence over the Data Act, the latter often makes binding provisions for the handling of personal data that are stricter than the GDPR and take precedence. Processing restrictions under the Data Act must therefore be observed in addition to the GDPR. Companies must consider this by appropriately adjusting their data protection governance.
Necessity for determining the personal nature of the data
This implies that companies affected by the Data Act cannot avoid correctly classifying the processed data as personal or non-personal. Only then can compliance with Data Act and GDPR be ensured. This determination remains complex. So far, some companies have chosen a cautious approach when determining whether the GDPR applies to a data set and have quasi-preemptively assumed a personal nature. This approach will no longer be possible within the scope of the Data Act, as it could lead to certain data being unjustifiably excluded from data access due to their presumed (but factually not existing) personal nature.
Initially, it is at least helpful for legal practitioners that the question of personal nature is evaluated uniformly under Data Act and GDPR, thus avoiding definitional ambiguities: According to Article 2 (3) and (4) Data Act, “personal data” within the meaning of the Data Act are those within the meaning of Article 4 (1) GDPR.
Furthermore, the recitals of the Data Act indicate that in datasets with inseparably linked personal and non-personal data, an overall assumption of personal nature should be made (Recital 34 Data Act).
Unfortunately, even under the GDPR, it is still highly unclear how personal data can be precisely distinguished from non-personal – i.e., anonymous – data. Since the question of personal nature is to be answered relatively and not absolutely and therefore depends on the possibilities and likelihood of identification by the respective entity, blanket classifications are prohibited anyway. A “real” anonymisation, i.e., a complete removal of the personal nature of all data, remains difficult to achieve. For the data holder, a dataset may already be anonymous if certain identifiers are deleted. For the user, however, who as a legal entity may be the employer of several users of a connected device, an identification from the synopsis of usage data may still be possible.
Legal basis for data processing required by the Data Act
If it is determined that personal data must be processed in a data access request under the Data Act, a legal basis under the GDPR is required. The Data Act itself explicitly does not justify processing of personal data. Therefore, the legal bases according to Article 6 GDPR apply. Especially when it comes to the transfer of data from data subjects who are not users to third parties under Article 5 Data Act, the data holder will usually only be able to rely on the pursuit of legitimate interests under Article 6 (1) (f) GDPR, as there is neither a contractual relationship nor direct contact with the data subject (but only with the user). Whether this balancing of interests will regularly favour the interests of the data holder is uncertain given the extremely strict case law of the CJEU on this legal basis:
- In one of the judgments in the case Meta Platforms, the CJEU stated that the legal bases in Article 6 (1) (b) to (f) GDPR (i.e., all legal bases except consent) should generally be interpreted narrowly, as they can lead to the processing of personal data being lawful despite the lack of express consent from the data subject (CJEU, judgment of 4 July 2023, C-252/21, para. 93).
- According to the CJEU decision in the case Mousse, the objective existence of a legitimate interest alone is not sufficient; the data subjects must also be directly informed of the pursued legitimate interest at the time of data collection for data processing to be admissible based on Article 6 (1) (f) GDPR (CJEU, judgment of 9 January 2025, C-394/23, para. 52).
- In the decision Koninklijke Nederlandse Lawn Tennisbond, the Luxembourg judges even argue that the controller must also comply with all other obligations under the GDPR for the pursuit of a legitimate interest to justify the processing of personal data under Article 6 (1) (f) GDPR (CJEU, judgment of 4 November 2024, C-621/22, para. 50).
While companies often apply a generous standard when justifying self-serving processing activities through the balancing of interests, data holders will likely act much more cautiously here and, in doubt, advocate a strict interpretation of the GDPR to avoid a data protection violation.
Other interactions between Data Act and GDPR
But even beyond the aspect of the permissibility of processing data with or without personal nature for the purposes of the Data Act, there are various interactions between Data Act and GDPR that companies must consider. A practical example is the involvement of data processors. If processors are involved in the processing within the scope of the Data Act, special precautions must be taken:
- Processors do not themselves qualify as data holders (Recital 22 Sentence 4 Data Act), but according to Recital 29 Sentence 2 Data Act, data holders should ensure that access requests may also be received and processed by any engaged processors. It is therefore advisable to supplement data processing agreements with appropriate instructions;
- Furthermore, the denial of the status as data holder only applies as long as the data is only processed on behalf of the controller. Increasingly, however, mixed forms of cooperation are emerging, in which processors process certain data outside the controller’s instruction for their own purposes; e.g., for the purpose of training AI models. In this respect, the processor then acts as an independent controller and is itself subject to an obligation to disclose data as a data holder under the Data Act.
Conclusion and recommendations
The interplay between the Data Act and GDPR is extremely complex. Instead of a seemingly simple and blanket rule of precedence of the GDPR, there are numerous interconnections and interactions, whose suitability will be shown in practice. Whether as a potential claimant or obligor under the Data Act, companies should carefully examine the possible implications before being confronted with specific data access requests to set the course for a data protection-compliant implementation of the Data Act in advance. The following measures are suggested as examples:
- Review and update data classifications to account for the changed significance of non-personal data under the Data Act;
- Review and, if necessary, adjust concepts of data responsibility to determine who qualifies as the data “controller” and thus as a potential data holder under the Data Act for which processing activity;
- Review and, if necessary, adjust data usage concepts (including blocking and deletion concept and access concept) in light of the requirements for purpose limitation, deletion, etc., that go beyond the GDPR;
- Supplement data protection notices with those legitimate interests on which data disclosures and other processing activities under the Data Act may be based;
- Adjust consents and user agreements to anchor data processing activities requiring justification triggered by the Data Act;
- Review and supplement both data processing agreements and joint controller agreements to integrate appropriate instructions or terms to enable access to data under the Data Act.