GDPR and Data Act Coordination Framework: Navigating Two Parallel Data Regimes
The EU Data Act's implementation on September 12, 2025, introduced a critical challenge for organizations: coordinating compliance between two powerful yet distinct data regulations. While the General Data Protection Regulation (GDPR) has governed personal data since 2018, the Data Act now establishes comprehensive rules for both personal and non-personal data generated by connected devices. Understanding how these regulations interact—and occasionally conflict—is essential for effective compliance.
This framework provides practical guidance for navigating the complex relationship between GDPR and the Data Act, helping organizations build coordinated data governance programs that satisfy both regulatory regimes.
Understanding the Fundamental Relationship
Complementary, Not Duplicative
The European Commission states explicitly: "The Data Act is fully compliant with data protection rules, notably the GDPR. The GDPR is fully applicable to all personal data processing activities under the Data Act. The Data Act does not regulate as such the protection of personal data."
However, this official position oversimplifies a complex reality. While the Data Act complements the GDPR, it also specifies and enhances certain aspects of data protection law, creating areas where the two regulations must be carefully coordinated.
Core Distinction:
- GDPR: Regulates the processing of personal data exclusively, focusing on protecting fundamental rights and freedoms of natural persons
- Data Act: Regulates access to and use of data (both personal and non-personal) generated by connected products, focusing on economic fairness and innovation
When Both Regulations Apply
Personal data within the scope of the Data Act triggers obligations under both regulations. Organizations must simultaneously:
- Ensure Data Act compliance: Provide users access to data, enable third-party sharing, respect design requirements
- Maintain GDPR compliance: Verify legal bases, honor data subject rights, implement appropriate security measures, conduct data protection impact assessments where required
Critical Insight: Compliance with the Data Act does not automatically ensure GDPR compliance, and vice versa. Each regulation must be addressed independently, then coordinated.
Defining Scope: Personal vs. Non-Personal Data
Classification Challenges
The distinction between personal and non-personal data is critical but often ambiguous in IoT contexts:
Personal Data (GDPR applies)
Data relating to an identified or identifiable natural person. In connected device contexts, this includes:
- User location data from smart vehicles or wearables
- Usage patterns that can identify individuals
- Biometric data from health monitors
- Voice recordings from smart speakers
- Home activity patterns from smart home devices
- Any data that can be linked to a specific person
Non-Personal Data (Data Act applies without GDPR)
Data that does not relate to identifiable individuals:
- Aggregated sensor readings stripped of identifying information
- Anonymous machine performance metrics
- Environmental measurements without user association
- Technical system logs with personal identifiers removed
Mixed Data Sets (Both regulations apply)
Most IoT data contains both personal and non-personal elements, creating significant challenges:
- Smart thermostat data: Temperature readings (non-personal) + usage times that reveal when someone is home (personal)
- Industrial machinery data: Performance metrics (non-personal) + operator identification (personal)
- Connected vehicle data: Engine diagnostics (non-personal) + driving behavior and location (personal)
Practical Classification Framework
Organizations should implement a three-step classification process:
Step 1: Initial Assessment
For each data point generated by connected products, determine:
- Can this data identify a natural person directly?
- Can this data, combined with other available information, identify someone?
- Does this data relate to someone's behavior, characteristics, or choices?
Step 2: Context Evaluation
Consider:
- Who has access to auxiliary data that could enable identification?
- What is the reasonable likelihood of re-identification?
- How is the data actually used in practice?
Step 3: Conservative Approach
When uncertain, classify data as personal. The consequences of misclassification (treating personal data as non-personal) are severe under GDPR.
Coordinating Core Rights and Obligations
Access Rights: GDPR vs. Data Act
Both regulations grant access rights, but with different scopes and requirements:
GDPR Access Rights (Article 15)
Data subjects have the right to:
- Confirmation whether personal data is being processed
- Access to the personal data
- Information about processing purposes, categories, recipients
- Storage periods or criteria
- Right to rectification, erasure, or restriction
Delivery requirements:
- Provide copy free of charge (first request)
- Respond within one month (extendable to three months)
- Deliver in accessible, intelligible format
- Include all personal data undergoing processing
Data Act Access Rights (Article 4)
Users of connected products have the right to:
- Access all data generated by their use of the product
- Receive data in structured, machine-readable format
- Obtain data continuously and in real-time where feasible
- Share data with third parties
Delivery requirements:
- Provide data free of charge (except archived data retrieval costs)
- Respond within reasonable timeframe
- Deliver in comprehensive, commonly used format
- Include raw data and necessary metadata
Coordination Framework for Access Requests
When a request involves personal data:
1. Determine applicable regulation(s)
   - Is the requester the data subject? → GDPR access right may apply
   - Is the requester the user of a connected product? → Data Act access right applies
   - Both? → Coordinate to satisfy both regimes
2. Identify legal basis for sharing
   - Under the Data Act, user access is required
   - Under GDPR, sharing must have a lawful basis (often legitimate interest or consent)
   - Where the user is not the data subject, additional GDPR analysis is required
3. Apply the strictest requirements
   - If GDPR requires response in 30 days and the Data Act requires real-time access, prioritize real-time where feasible
   - If GDPR requires specific information elements, include them even if the Data Act doesn't mandate them
4. Document coordination decisions
5. Manage conflicting interests
   - When multiple data subjects' rights conflict with Data Act user rights
   - Apply data protection by design principles to separate or anonymize data
   - Document why full access cannot be provided if necessary
Portability: Enhanced Rights Under Data Act
The Data Act significantly extends GDPR's data portability right (Article 20):
GDPR Portability (Article 20)
- Applies only to data processed based on consent or contract
- Limited to personal data provided by the data subject
- Must be in structured, commonly used, machine-readable format
- Right to transmit directly to another controller where technically feasible
Data Act Portability (Articles 4-5)
- Applies to all data generated by connected product use
- Includes both personal and non-personal data
- Mandates continuous and real-time access where possible
- Requires direct transmission to third parties upon user request
Coordination Strategy: Implement systems that satisfy the Data Act's broader portability requirements, which automatically encompass GDPR portability for personal data within that scope. Ensure GDPR-specific elements (e.g., origin information, processing purposes) are included for personal data.
Legal Bases for Data Processing
The Critical GDPR Overlay
The Data Act mandates data sharing, but does not provide a legal basis for processing personal data under GDPR. Organizations must independently establish lawful processing grounds.
Common Misconception: "Data Act requires sharing, therefore sharing is automatically lawful under GDPR."
Reality: Data Act obligations do not override GDPR legal basis requirements. Organizations must identify appropriate GDPR grounds for any personal data processing, including sharing.
Legal Basis Options for Data Act-Mandated Sharing
1. Legal Obligation (Article 6(1)(c) GDPR)
Applicability: Processing necessary for compliance with a legal obligation
Application to Data Act:
- Data Act creates legal obligations on data holders
- Some personal data sharing may qualify as legal obligation
- Most reliable basis for mandatory Data Act sharing
Limitations:
- Legal opinion varies on whether Data Act creates sufficient "legal obligation"
- Some authorities may require additional justification
- Does not cover voluntary data use by data holders
2. Legitimate Interest (Article 6(1)(f) GDPR)
Applicability: Processing necessary for legitimate interests pursued by controller or third party
Application to Data Act:
- Data holders may have legitimate interest in complying with Data Act
- Users may have legitimate interests in accessing their data
- Third-party recipients may have legitimate business interests
Requirements:
- Conduct legitimate interest assessment (balancing test)
- Document why processing is necessary
- Ensure interests don't override data subjects' rights and freedoms
- Provide clear information to data subjects
- Honor objections from data subjects
Critical Recent Development: CJEU decisions in Mousse (January 2025) and Koninklijke Nederlandse Lawn Tennisbond (November 2024) significantly tightened legitimate interest requirements:
- Data subjects must be directly informed of the pursued legitimate interest at the time of data collection
- Controllers must comply with all other GDPR obligations
- Balancing test must be thoroughly documented
3. Consent (Article 6(1)(a) GDPR)
Applicability: Data subject has given consent for specific purposes
Application to Data Act:
- Can be used for data holder's own use of data (Article 4(13) Data Act)
- May be appropriate for some third-party sharing scenarios
- Flexible but administratively burdensome
Requirements:
- Freely given, specific, informed, unambiguous
- Clear affirmative action required
- Easy withdrawal mechanism
- Cannot be bundled with product purchase as condition
- Separate consent for each processing purpose
Challenges:
- Difficult to obtain valid consent in B2B contexts
- Consent must be granular (separate for each third-party recipient)
- Withdrawal must be honored, potentially conflicting with Data Act mandates
4. Contract (Article 6(1)(b) GDPR)
Applicability: Processing necessary for contract performance
Application to Data Act:
- Limited applicability to mandated sharing
- May apply to data holder's use of data for product functionality
- Narrow interpretation by data protection authorities
Limitations:
- Cannot be stretched to cover all beneficial processing
- Must be genuinely necessary for contract performance
- Over-reliance on this basis attracts regulatory scrutiny
Recommended Approach
For Data Act-mandated personal data sharing:
- Primary basis: Legal obligation (Article 6(1)(c)) where defensible
- Secondary basis: Legitimate interest (Article 6(1)(f)) with thorough documentation
- Data holder's own use: Obtain explicit consent via data license agreements
- Third-party recipients: Require recipients to establish own legal basis
Critical: Document legal basis decisions thoroughly. Regulators increasingly scrutinize GDPR legal bases, and justifications that seemed clear in 2018 face stricter interpretation today.
Third-Party Data Sharing: Complex Coordination
Data Act's Third-Party Sharing Mandate
Under Article 5, data holders must transmit data to third parties designated by users. When personal data is involved, this creates a complex three-party relationship requiring careful GDPR coordination.
