All Essentials You Need To Know About Data Act and GDPR

Author: Negar Modirrousta (Head of Compliance)

INTRODUCTION:

In today’s digital economy, data has become one of the most valuable resources. It fuels innovation, drives business models, and supports public services. At the same time, the collection and use of data raise serious concerns about privacy, fairness, and competition. To address these challenges, governments around the world have introduced data regulations: legal frameworks that define how data can be collected, shared, stored, and protected.

Within the European Union (EU), data regulation is particularly advanced, with a framework designed both to safeguard individual rights and to ensure that the benefits of data are distributed fairly across society. Two of the most important pieces of legislation in this context are the General Data Protection Regulation (GDPR) and the Data Act. Although they are closely related, they serve different purposes and address different dimensions of the data economy.

DATA ACT

What is the Data Act?

The Data Act is a Regulation at EU level, adopted by the European Parliament and the Council, officially titled Regulation (EU) 2023/2854 on harmonized rules on fair access to and use of data. It entered into force on 11 January 2024. However, many of its provisions became applicable from 12 September 2025.

Why it Matters

The Data Act aims to unlock economic and societal value of data in the EU by:

1) ensuring fairness in how value from data is allocated among actors (manufacturers, service providers, device owners, etc.)

2) stimulating a competitive data market, so that data doesn’t remain locked up with big platforms or gatekeepers.

3) enabling innovation, especially in areas using Internet of Things (IoT), connected devices, smart devices, machinery, etc.

4) giving more control to both individuals and businesses over data they generate.

Key Provisions of the Data Act

The Data Act introduces several important measures designed to make data access and use fairer, more transparent, and more efficient.

First, it grants users of connected products, whether individuals or businesses, the right to access the data generated through their use. This ensures that information from devices such as IoT products, vehicles, or industrial machines is no longer held exclusively by manufacturers or service providers.

The Act also distinguishes between two categories of data. Product data refers to information generated directly from the functioning of a product, while related service data refers to data created in connection with services linked to the product, such as maintenance or diagnostics.

Another major provision is that users can share their data with third parties of their choice. For example, a car owner could provide vehicle data to an independent mechanic for servicing or to an insurance company to negotiate a tailored policy.

To ensure fairness in such arrangements, the Act establishes rules on contractual terms. It specifically protects against unfair clauses in data-sharing contracts, particularly in situations where there is a significant imbalance of power between the parties, such as between small businesses and large corporations.

The regulation also allows businesses required to share data to receive reasonable compensation. The level of compensation depends on factors such as the cost of sharing, the volume of data involved, and the data’s nature and value.

At the same time, the Act provides strong safeguards for trade secrets and intellectual property, ensuring that obligations to share data do not compromise confidential business information or erode competitive advantages.

To promote innovation and reduce market lock-in, the Data Act enhances interoperability and switching. This makes it easier for users to move between data service providers, such as cloud platforms, and ensures that data can be transferred more seamlessly across different systems and sectors.

The regulation also gives public sector bodies limited rights of access to private data, but only in exceptional circumstances where there is a clear public interest such as natural disasters, health emergencies, or other crises. These requests must comply with strict safeguards, including privacy protections and fair compensation for the data providers.

Furthermore, the Act strengthens data portability rights. Users should be able to move their data easily from one service to another. For some newly marketed connected products, data access must even be enabled “by default,” without the need for additional tools, apps, or agreements.

Finally, the Data Act provides safeguards and mechanisms for dispute settlement. These are designed to resolve conflicts fairly and to ensure that the regulation does not override other important rights, such as data protection, intellectual property, or trade secret laws.

Interactions & Relations with Other Laws

1) It complements the Data Governance Act (which focuses on facilitating voluntary data sharing, governance, trust, etc.). The Data Act more clearly defines who can use data and under what conditions.

2) It ties into other EU goals, like creating a Single Market for data, enhancing innovation, digital sovereignty, etc.

3) It also relates to rules about cloud services, data protection and privacy (e.g. GDPR), IP law, and trade secrets. Any implementation must respect those regimes.

Impact / What Will Change

Here are some likely effects:

  1. More data control for device users: If you buy a smart device (e.g. a smart thermostat, wearable, industrial machine), you’ll have a stronger right to see and access the data it generates, and to share it.
  2. More competition in after-market / repair services: Repair shops or third-party service providers can access relevant data, potentially lowering costs and increasing options.
  3. Increase in data sharing / innovation: New services or business models can use shared data to innovatively combine different data sources, possibly across sectors.
  4. Better portability and less lock-in for cloud services / data processing services: If you want to switch providers, the regulations will ease this.
  5. Public sector will have powers in emergencies: Maybe quicker access to data needed for crisis management (e.g. environmental disasters) subject to privacy / legal protections.
  6. Legal / compliance work increase: Companies will need to audit their contracts, check whether their devices / services comply, possibly adapt technical features, data handling, ensure they are prepared for new access obligations.
  7. Standardization push: Expect development of standard contractual clauses, model contract terms, technical standards for interoperability.

General Data Protection Regulation (GDPR)

The General Data Protection Regulation (GDPR) is a comprehensive data protection law of the European Union (EU) that came into effect on 25 May 2018. It was designed to strengthen the protection of personal data, give individuals more control over how their information is used, and harmonize data protection rules across all EU Member States. It replaced the 1995 Data Protection Directive, creating a unified framework for data privacy in Europe.

At its core, the GDPR regulates how organizations, both within and outside the EU, collect, process, store, and share the personal data of individuals located in the EU. It applies not only to companies established in the EU but also to foreign businesses that offer goods or services to EU citizens or monitor their behavior online.

The regulation defines personal data broadly, covering any information that can directly or indirectly identify a person. This includes names, identification numbers, location data, online identifiers (like IP addresses and cookies), as well as more sensitive categories such as health records, biometric data, and political or religious beliefs.

GDPR is based on several key principles of data processing, including:

1) Lawfulness, fairness, and transparency: Data must be processed legally, fairly, and in a way that is clear to individuals.

2) Purpose limitation: Data should be collected for specified, explicit, and legitimate purposes and not used for unrelated reasons.

3) Data minimization: Only the data necessary for the intended purpose should be collected and processed.

4) Accuracy: Personal data must be kept accurate and up to date.

5) Storage limitation: Data should not be stored for longer than necessary.

6) Integrity and confidentiality: Data must be protected with appropriate security measures to prevent unauthorized access, loss, or damage.

7) Accountability: Organizations are responsible for ensuring compliance and must be able to demonstrate it.

One of the most significant aspects of the GDPR is the rights it grants to individuals (data subjects). These rights include:

1) The right of access to their personal data.

2) The right to rectification of inaccurate or incomplete data.

3) The right to erasure (also known as the “right to be forgotten”) in certain circumstances.

4) The right to restrict processing of their data.

5) The right to data portability, allowing individuals to obtain their data in a usable format and transfer it to another provider.

6) The right to object to processing, particularly for direct marketing purposes.

7) Rights related to automated decision-making and profiling, ensuring that individuals are not subject to decisions based solely on automated processing without safeguards.

Organizations must also comply with strict obligations under the GDPR. These include obtaining valid consent before processing personal data, maintaining records of processing activities, conducting Data Protection Impact Assessments (DPIAs) for high-risk processing, and, in many cases, appointing a Data Protection Officer (DPO). In the event of a personal data breach, companies must notify the relevant supervisory authority within 72 hours and, in certain cases, inform affected individuals.

To enforce these rules, the GDPR grants national data protection authorities significant powers, including the ability to investigate complaints, conduct audits, and impose penalties. Non-compliance can result in heavy fines: up to €20 million or 4% of a company’s annual global turnover, whichever is higher.

Overall, the GDPR has become a global benchmark for data privacy and protection. Its impact extends far beyond Europe, influencing data protection laws in many countries worldwide and raising public awareness of privacy rights in the digital age.

Comparison Between the Data Act and the GDPR

Although both the General Data Protection Regulation (GDPR) and the Data Act are part of the European Union’s broader digital and data strategy, they serve different purposes and operate in distinct but complementary areas. Understanding the relationship between these two laws is essential for grasping how the EU envisions the future of data governance.

The GDPR, which came into force in 2018, is primarily concerned with protecting personal data and safeguarding the privacy of individuals. Its main objective is to ensure that the collection, processing, and storage of personal data is done in a lawful, fair, and transparent manner. It establishes strict rules for organizations that process personal data, defines the rights of individuals over their information, and introduces accountability measures such as consent requirements, breach notifications, and penalties for non-compliance. In short, GDPR is focused on the fundamental right to privacy.

By contrast, the Data Act, which became law in 2024 and has applied from September 2025 onward, is not focused on personal data protection in the same way. Instead, it is designed to regulate access to and use of data in general, whether personal or non-personal, particularly data generated by connected devices and related services. Its main purpose is to ensure fairness in how data is shared, prevent data monopolization, and stimulate innovation by making it easier for individuals, businesses, and public bodies to use and share data. While GDPR is rooted in fundamental rights, the Data Act is more about economic value, competition, and digital innovation.

A key difference lies in the scope of data covered. The GDPR applies only to personal data: information that can directly or indirectly identify an individual, such as names, email addresses, or biometric data. The Data Act, however, applies to a much broader category of data, including both personal and non-personal data. For example, machine-generated data from sensors in a factory, performance logs of vehicles, or usage data from smart home appliances all fall under the Data Act, even if this data does not identify a specific person.

The way the two laws approach rights and obligations is also different. Under GDPR, individuals (data subjects) are at the center, with rights such as access, rectification, erasure, portability, and objection. Organizations must protect these rights and comply with strict data protection principles. Under the Data Act, however, the emphasis is on data access and sharing rights for users of connected products. A user who owns or operates a machine or device has the right to access the data it generates and to share it with third parties, such as independent repair services or insurance providers. This shifts the focus from privacy to control over economic and industrial data.

Another point of comparison concerns public sector access. GDPR restricts data processing by public authorities to specific legal bases, always under the framework of fundamental rights and proportionality. The Data Act goes further by explicitly granting public sector bodies the right to request access to privately held data in exceptional circumstances, such as emergencies, disasters, or crises. These powers are meant to serve the public interest but are limited by safeguards, including requirements to respect trade secrets, privacy rights, and fair compensation for data holders.

The two regulations also differ in how they handle contractual relationships. GDPR focuses on ensuring that contracts and processing agreements respect data protection principles, particularly between data controllers and processors. The Data Act, on the other hand, directly addresses fairness in contracts for data sharing, especially in situations where one party has stronger bargaining power. It prohibits unfair terms and introduces mechanisms for dispute resolution to ensure that data sharing happens on balanced terms.

Despite their differences, the GDPR and the Data Act are not in conflict; rather, they complement each other. GDPR continues to safeguard personal data and privacy, while the Data Act creates a framework for unlocking the broader potential of data in the digital economy. When the data in question is personal data, the two laws work together: the rights and protections of GDPR always apply first, and the Data Act’s provisions apply only insofar as they do not undermine those protections. In other words, GDPR provides the foundation of privacy and protection, while the Data Act builds on top of it to regulate fairness, competition, and innovation in the data-driven economy.

Together, these two regulations reflect the EU’s dual vision: protecting individuals’ privacy as a fundamental right, while at the same time promoting a competitive, fair, and innovative digital market where data is not locked away but can be used to create value for society.

Let’s take a real-world example, a connected car, and see how the GDPR and the Data Act apply differently but complement each other.

Example: A Connected Car

Modern cars generate vast amounts of data. This includes information about the driver and passengers (such as location history, driving behavior, voice commands, or infotainment usage) and technical data about the vehicle itself (engine performance, fuel consumption, tire pressure, or sensor readings from safety systems). Both GDPR and the Data Act come into play here, but in different ways.

Under the GDPR
All data that can identify a driver or passenger is considered personal data. This means that information like GPS location, driver profiles, biometric authentication, or even the car’s VIN (Vehicle Identification Number), if tied to a specific owner, is subject to GDPR rules. The car manufacturer or connected service provider must have a lawful basis for collecting and processing this data, such as consent from the driver or the necessity to fulfill a contract (for example, providing navigation services).

Individuals also have rights under the GDPR. A driver can request access to the personal data collected about them, demand corrections if it is inaccurate, or even ask for deletion if the data is no longer necessary. If the car manufacturer suffers a data breach, for example, if hackers gain access to user profiles, the company must notify both the regulator and, in many cases, the affected individuals. GDPR’s central focus here is on protecting privacy and preventing misuse of personal information.

Under the Data Act
The Data Act steps in to regulate access to all data generated by the vehicle, not just the personal elements. For example, the car produces technical data such as tire wear, brake system diagnostics, or fuel efficiency logs. Even if this data is not personal, it is highly valuable for repair shops, insurers, or fleet managers.

The Data Act gives the user of the car (whether it’s the owner or a leasing company) the right to access this vehicle-generated data and share it with third parties of their choice. For instance, if a car owner wants to bring the car to an independent mechanic instead of the manufacturer’s authorized repair center, they can authorize the mechanic to access the necessary performance and diagnostic data. Similarly, an insurance company could offer personalized policies based on actual driving data if the user decides to share it.

The Act also ensures fairness in these arrangements. A car manufacturer cannot impose unfair contractual terms that restrict access to or use of the car’s data. If providing the data incurs costs, the manufacturer may receive reasonable compensation, but they cannot block or monopolize its use. At the same time, the Data Act contains safeguards to protect trade secrets and prevent the disclosure of sensitive information that could harm the manufacturer’s competitive advantage.

Public Interest Scenario
If a major traffic accident occurs, or if a city wants to analyze vehicle emissions in real time during a pollution crisis, public authorities may request access to certain connected car data under the Data Act. Such access would be limited, temporary, and subject to safeguards to protect privacy and confidentiality. GDPR protections would still apply if the data includes personal elements, ensuring that authorities cannot overstep privacy boundaries.

How They Complement Each Other

In this example, the GDPR ensures that personal data such as the driver’s identity, location, and behavior are protected, used transparently, and handled with the individual’s rights in mind. Meanwhile, the Data Act ensures that the broader technical and operational data of the car, which often has significant economic and societal value, can be accessed and shared fairly.

Together, these two regulations strike a balance:

  1. GDPR protects the privacy and dignity of individuals.
  2. Data Act ensures the fair use and distribution of data’s economic value.

This combination prevents misuse of personal information while unlocking the potential of non-personal and industrial data to drive competition, innovation, and new services.

At Aryatech law firm, we offer cohesive advisory services, build practical compliance programs, and help clients across industries navigate complex data ecosystems. We also map these obligations onto client business models: IoT devices, SaaS platforms, manufacturers with device data, data intermediation entities, and other data-driven ecosystems. Our experts assess overlap risk by recognizing scenarios where GDPR and the Data Act apply simultaneously and where one regime governs certain data flows more than the other.
