Protect, limit, minimise – since 2018 these principles have been the data economy’s mantra, thanks to the sweeping impact of the General Data Protection Regulation (GDPR). Now, the Data Act aims to shake up the game by allowing to harness the data economy’s full potential. But how can these two diametrically opposite regulations work together?
Like so many other EU acts, the Data Act states that it “complements and is without prejudice to” GDPR. Does this mean that GDPR always trumps the Data Act? Not necessarily! As will be shown below, the interplay between the two regulations is a lot more complex than it seems and shows the tension between the principle of data minimisation and the obligation to provide access to data.
The Data Act has a broader scope than GDPR, as it covers both personal and non-personal data. Thus, the classification of data into personal or non-personal does become crucial: If data is mistakenly classified as personal and not made available or an access request is denied with a blanket reference to GDPR, the holder is liable under the Data Act. Conversely, if data is accidently classified as non-personal and made available under the Data Act, the holder may be liable under GDPR. Only for data sets comprising of an inseparable mix of personal and non-personal data, the rules governing personal data prevail. This however heavily restricts the predominant practice of “prima facie” which considers all data as personal and forces businesses to closer analyse their data.
If personal data is concerned, every access request under the Data Act must also fulfil GDPR obligations, namely a legal basis for processing. This poses less of a risk if personal data relating to the user – who himself is the data subject – is concerned as the access request can in this case either be considered as implied consent itself or be coupled with explicit consent. However, a level of complexity is added if the data subject and the user making the request are two different people: For instance, how can a company access data, in particular special categories of data, generated by a connected device, if that data relates to an individual who is not the user requesting access?
The Data Act alone cannot serve as a sufficient legal basis for data processing. In some cases, a contractual relationship between the user and the data subject may provide a lawful basis — but this may not always be the case. Another potential basis is legitimate interest, however, this concept remains vague and its applicability in the context of the Data Act is still unclear. Data holders will need to monitor legal developments closely to ensure compliance with both GDPR and the Data Act.
Lastly, the data user, being the only connection between the data holder and the data subject, may be classified as a joint controller together with the data holder. This would oblige the two to conclude a joint controller agreement, i.e. a legal situation demanding a case-by-case analysis.
It can therefore be assumed that data holders must closely monitor their GDPR compliance as well. So, the question for you is: Are you ready for the Data Act coming into force on 12 September 2025?
- Can your business clearly tell when data is personal – and when it's not?
- Do you have a plan in place for how to respond if a user requests personal data that relates to a third party?
- Who in your business is responsible for ensuring compliance with both GDPR and the Data Act? Do the two compete or do they work in synergy?
Don’t miss our next article in which we will dive deeper into data sharing contract terms – and what will be banned. Stay tuned!
Need guidance on the Data Act?
