Interplay Between the Data Act and the GDPR: A Practical Guide for Businesses

Publication date: May 13, 2026

The entry into application of the EU Data Act on 12 September 2025 marks one of the most significant developments in European data regulation since the adoption of the General Data Protection Regulation (GDPR). While the GDPR established a comprehensive framework for the protection of personal data, the Data Act introduces a new legal regime designed to improve access to and use of data generated by connected products and related digital services.

For businesses operating in the European Union, the key challenge is not understanding each regulation in isolation, but determining how they interact in practice. Many organizations already have mature GDPR compliance frameworks, but the Data Act creates additional obligations that require them to share data with users and third parties. Where those datasets contain personal data, compliance with the Data Act must be reconciled with the GDPR.

This article explains the relationship between the Data Act and the GDPR in practical terms. It highlights the main legal issues and outlines the steps businesses should take to prepare.

What Is the Data Act?

The Data Act, Regulation (EU) 2023/2854, is part of the European Union’s broader strategy to build a single market for data. Its purpose is to ensure that users of connected products and related services can access the data they generate and, in certain circumstances, require that such data be shared with third parties.

The regulation is intended to rebalance the relationship between manufacturers, service providers and users. In many industries, companies that design connected products control large volumes of data generated through use of those products. The Data Act seeks to ensure that users are able to benefit from this data rather than being locked into a single ecosystem.

The regulation applies to both personal and non-personal data, which is one of the key differences from the GDPR.

Examples of products and services covered by the Data Act include smart watches, connected vehicles, industrial machinery, medical devices, smart home appliances, agricultural equipment and software applications that process the data generated by such products.

What Is the GDPR?

The GDPR governs the processing of personal data relating to identified or identifiable natural persons. Its objective is to protect privacy and ensure that personal data is processed lawfully, fairly and transparently.

The GDPR applies whenever data relates to an individual and a controller or processor carries out an operation such as collecting, storing, sharing or analyzing that data.

Unlike the Data Act, the GDPR does not grant a broad right of access to all data generated by products. It focuses solely on personal data and establishes rights such as access, rectification, erasure and portability.

The Relationship Between the Data Act and the GDPR

The Data Act expressly states that it is without prejudice to EU and national laws on personal data protection, privacy and confidentiality of communications. In practical terms, this means that the Data Act does not override the GDPR. If a company is required to provide data under the Data Act and the dataset contains personal data, the GDPR continues to apply in full.

This principle has several important consequences.

First, the Data Act does not create a new legal basis for processing personal data. A company cannot rely on the Data Act alone to justify collecting, disclosing or otherwise processing personal data.

Second, organizations must continue to comply with all GDPR principles, including purpose limitation, data minimization, storage limitation and security.

Third, where there is a conflict between the two regulations, the GDPR prevails in relation to personal data.

Why This Matters in Practice

Most data generated by connected products is not purely personal or purely non-personal. Instead, businesses often deal with mixed datasets.

A connected vehicle, for example, may generate information on speed, fuel consumption, component performance, geolocation and driver behavior. Some of this information clearly relates to an identifiable person and therefore qualifies as personal data. Other elements may be technical or operational in nature.

Where personal and non-personal data are inextricably linked, organizations should assume that the GDPR applies to the dataset as a whole unless the data can be effectively separated.

This means that compliance with the Data Act often requires a GDPR analysis before any disclosure can take place.

Practical Example: Smart Watch Data

A consumer uses a smart watch that collects heart rate, sleep patterns, exercise metrics and location information. The consumer wishes to transfer the data to a third-party health application.

Under the Data Act, the user may request access to the data generated by the device and ask the manufacturer to transmit the data to another provider.

Because the dataset contains information relating to an identifiable person, the GDPR applies.

In this scenario, the manufacturer must verify that the request is valid, ensure the transmission is secure and process the data in accordance with the GDPR. The Data Act creates the obligation to provide the data, but the GDPR determines how the transfer must be carried out.

Practical Example: Industrial Equipment

A manufacturing company leases connected machinery that generates data concerning temperature, output, wear and maintenance cycles. The company wants to share this data with an independent maintenance provider.

The Data Act allows the user to request access to the data and to require the data holder to share it with a third party.

If the dataset contains no personal data, the GDPR may not apply.

However, if the data includes operator IDs or logs that can identify employees, GDPR considerations arise. The data holder must assess whether a lawful basis exists for sharing those elements.

Key Roles Under the Data Act and the GDPR

The terminology used by the two regulations differs, but the concepts often overlap. Under the Data Act, the principal roles are the data holder, the user and the data recipient. Under the GDPR, the key roles are the controller and processor. In practice, a data holder will often act as a controller because it determines the purposes and means of processing personal data. A business user receiving data may also become a controller if it decides how the data will be used.

This distinction is important because the recipient of data under the Data Act may inherit independent GDPR obligations.

Data Portability: How the Data Act Expands Existing Rights

The GDPR grants individuals a right to data portability, but this right is limited to personal data provided by the data subject and processed on the basis of consent or contract. The Data Act significantly broadens this concept.

It applies to data generated through the use of connected products and related services, regardless of whether the data is personal or non-personal.

For businesses, this means that existing GDPR portability procedures will usually not be sufficient. Organizations may need entirely new technical and contractual frameworks to handle Data Act requests.

Trade Secrets and Confidential Information

One of the most common concerns raised by businesses is the protection of proprietary information. The Data Act recognizes that data may contain trade secrets and allows data holders to implement safeguards such as confidentiality agreements, access controls and contractual restrictions. However, trade secret protection is not an automatic ground for refusing access. A refusal is permitted only in exceptional circumstances where disclosure would likely cause serious economic harm and where protective measures are insufficient.

In practice, businesses should assume that most requests will need to be fulfilled, subject to appropriate safeguards.

Smart Contracts

The Data Act introduces specific requirements for smart contracts used to automate data sharing.

Where businesses use blockchain-based or automated systems to execute data-sharing arrangements, those systems must meet standards relating to security, integrity and the ability to terminate or interrupt execution where necessary. Although this aspect of the regulation may not affect all organizations, it is highly relevant to businesses deploying decentralized or automated contractual technologies.

Cloud Switching and Digital Assets

The Data Act also addresses switching between providers of data processing services, including cloud providers. Customers must be able to move digital assets such as applications, configuration files, metadata and access credentials to another provider more easily. Organizations that offer cloud or platform services should review their contractual and technical arrangements to ensure that customers can migrate without undue barriers.

Legal Basis for Processing Personal Data

A recurring misconception is that the Data Act itself authorizes disclosure of personal data. This is incorrect. Whenever personal data is involved, a valid legal basis under the GDPR remains necessary. The applicable legal basis will depend on the circumstances. In some cases, processing may be necessary for the performance of a contract. In others, consent or legitimate interests may be relevant. Where the user requesting the data is a business rather than the individual to whom the data relates, the requesting party may need to demonstrate that it has an independent lawful basis for processing the personal data.

What Businesses Should Do

Organizations should begin by identifying whether they fall within the scope of the Data Act. Businesses that manufacture connected products, provide related services, control access to product-generated data or offer cloud services are the most likely to be affected. The next step is to map the data generated by products and services. This exercise should identify what data is collected, whether it includes personal data, who controls it and with whom it may be shared.

Once the data landscape is understood, businesses should review the legal bases for processing any personal data contained in those datasets.

Policies and procedures should then be updated to address Data Act requests. Existing GDPR processes will rarely be sufficient because they are designed primarily for requests from individuals, not business-to-business data sharing.

Contracts with customers, partners and recipients should be revised to address data use restrictions, confidentiality obligations, trade secret protections and security measures.

Technical teams should ensure that systems can provide data in accessible formats, authenticate requesters, record disclosures and protect sensitive information.

Finally, legal, compliance, IT and customer support teams should be trained so that they understand how to manage requests consistently.

Common Pitfalls

Businesses preparing for the Data Act frequently make several mistakes. The first is assuming that the Data Act overrides the GDPR. In reality, the GDPR remains fully applicable whenever personal data is involved. The second is underestimating the complexity of mixed datasets. The third is relying too heavily on trade secret arguments to resist disclosure. The fourth is failing to update contracts and operational procedures.

The fifth is treating compliance as a purely legal issue rather than a multidisciplinary project involving legal, IT, security and commercial teams.

Enforcement and Business Risk

Failure to comply with the Data Act may result in regulatory investigations, disputes with customers and partners, and reputational damage. Where personal data is mishandled, GDPR enforcement risks also arise, including potentially significant administrative fines. For this reason, businesses should approach the Data Act as a strategic compliance project rather than a narrow contractual exercise.

Conclusion

The Data Act and the GDPR are complementary regulations that pursue different objectives. The GDPR protects individuals and their personal data. The Data Act promotes broader access to data generated by connected products and services. When those datasets contain personal data, organizations must apply both regimes simultaneously. The Data Act creates the obligation to make data available, while the GDPR determines the conditions under which personal data may be processed and shared.

Businesses that rely on connected products, IoT ecosystems, industrial data or cloud services should begin preparing well in advance.

Organizations that invest now in data mapping, contractual updates, technical controls and internal governance will be best positioned to comply with the new rules and to leverage data as a strategic asset.

Client Alert

EU Data Act Applies from 12 September 2025: Is Your Business Ready?

The EU Data Act introduces a new framework governing access to data generated by connected products and related services. It applies from 12 September 2025 and will affect manufacturers, software providers, cloud providers and businesses that rely on connected technologies.

The regulation grants users the right to access data generated by products they use and to request that such data be shared with third parties.

Where the data includes personal data, the GDPR remains fully applicable.

For many organizations, the Data Act will require updates to contracts, technical systems and operational procedures.

Businesses should begin by identifying whether they control product-generated data, determining whether datasets include personal data, and assessing whether existing systems can support secure and compliant data sharing.

Organizations should also review trade secret protections and update agreements with customers and business partners.

Companies that prepare early will be better positioned to meet legal obligations and capitalize on new opportunities arising from increased data portability.

Data Act Implementation Checklist

An effective implementation project should begin with a governance assessment to determine which internal teams will be responsible for legal analysis, technical implementation and operational oversight.

The organization should then conduct a comprehensive data mapping exercise covering all connected products, related services and cloud environments. This exercise should distinguish between personal data, non-personal data and mixed datasets.

A legal review should be undertaken to confirm the GDPR legal bases for processing personal data and to identify any restrictions arising from confidentiality obligations or trade secret protections.

Customer terms, data-sharing agreements, cloud contracts and internal policies should be revised to reflect Data Act requirements.

Technical teams should ensure that systems are capable of exporting data in usable formats, authenticating requesters, logging disclosures and protecting confidential information.

Operational procedures should be established for receiving, reviewing and responding to requests.

Training should be delivered to legal, compliance, IT, security and customer-facing teams.


The EU Data Act Meets the GDPR: What Businesses Need to Know

With the EU Data Act becoming applicable from 12 September 2025, we’re entering a new era of data regulation in Europe — one that doesn’t replace the GDPR, but fundamentally reshapes how it operates in practice.

For many organizations, the challenge is no longer GDPR vs. Data Act, but how both frameworks work together when data is shared, accessed, and reused.

The key reality?
Most data generated by connected products is mixed — personal and non-personal at the same time. And that changes everything.

Key takeaway:

The Data Act creates obligations to share data, but the GDPR still governs how personal data can be processed and transferred. The Data Act never overrides GDPR requirements.

What this means in practice:

  • No new legal basis for processing personal data under the Data Act
  • GDPR principles (minimization, purpose limitation, security) still fully apply
  • Trade secrets don’t automatically block access requests
  • Data portability rights are significantly expanded beyond GDPR scope
  • Cloud and IoT ecosystems will need major technical and contractual updates

The real challenge for businesses

Compliance is no longer just legal — it’s operational and technical.

Organizations will need to:
✔ Map all product-generated data
✔ Identify where personal data is involved
✔ Update contracts and data-sharing frameworks
✔ Build secure, auditable data access systems
✔ Align legal, IT, and compliance teams

Bottom line:

The Data Act doesn’t replace the GDPR — it adds a new layer of complexity on top of it. Companies that prepare early will not only reduce compliance risk but also gain a competitive advantage in the emerging EU data economy.
