<?xml version="1.0" encoding="UTF-8"?><rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>gdpr - KIELTYKA GLADKOWSKI LEGAL | CROSS BORDER POLISH LAW FIRM RANKED IN THE LEGAL 500 EMEA SINCE 2019</title>
	<atom:link href="https://www.kg-legal.eu/info/tag/gdpr/feed/" rel="self" type="application/rss+xml" />
	<link>https://www.kg-legal.eu/info/tag/gdpr/</link>
	<description>KIELTYKA GLADKOWSKI LEGAL &#124; CROSS BORDER POLISH LAW FIRM RANKED IN THE LEGAL 500 EMEA SINCE 2019</description>
	<lastBuildDate>Wed, 13 May 2026 10:56:58 +0000</lastBuildDate>
	<language>en-GB</language>
	<sy:updatePeriod>
	hourly	</sy:updatePeriod>
	<sy:updateFrequency>
	1	</sy:updateFrequency>
	
	<item>
		<title>Interplay Between the Data Act and the GDPR: A Practical Guide for Businesses</title>
		<link>https://www.kg-legal.eu/info/it-new-technologies-media-and-communication-technology-law/interplay-between-the-data-act-and-the-gdpr-a-practical-guide-for-businesses/</link>
					<comments>https://www.kg-legal.eu/info/it-new-technologies-media-and-communication-technology-law/interplay-between-the-data-act-and-the-gdpr-a-practical-guide-for-businesses/#respond</comments>
		
		<dc:creator><![CDATA[jakub]]></dc:creator>
		<pubDate>Wed, 13 May 2026 10:56:58 +0000</pubDate>
				<category><![CDATA[IT, NEW TECHNOLOGIES, MEDIA AND COMMUNICATION TECHNOLOGY LAW]]></category>
		<category><![CDATA[cybersecurity]]></category>
		<category><![CDATA[DataAct]]></category>
		<category><![CDATA[DataGovernance]]></category>
		<category><![CDATA[DataPrivacy]]></category>
		<category><![CDATA[EUDataAct]]></category>
		<category><![CDATA[gdpr]]></category>
		<category><![CDATA[LegalTech]]></category>
		<category><![CDATA[RegTech]]></category>
		<guid isPermaLink="false">https://www.kg-legal.eu/?p=8769</guid>

					<description><![CDATA[<p>Publication date: May 13, 2026 The entry into application of the EU Data Act on 12 September 2025 marks one of the most significant developments in European data regulation since the adoption of the General Data Protection Regulation (GDPR). While the GDPR established a comprehensive framework for the protection of personal data, the Data Act [&#8230;]</p>
<p>The article <a href="https://www.kg-legal.eu/info/it-new-technologies-media-and-communication-technology-law/interplay-between-the-data-act-and-the-gdpr-a-practical-guide-for-businesses/">Interplay Between the Data Act and the GDPR: A Practical Guide for Businesses</a> comes from <a href="https://www.kg-legal.eu">KIELTYKA GLADKOWSKI LEGAL | CROSS BORDER POLISH LAW FIRM RANKED IN THE LEGAL 500 EMEA SINCE 2019</a>.</p>
]]></description>
										<content:encoded><![CDATA[
<p><mark style="background-color:rgba(0, 0, 0, 0)" class="has-inline-color has-vivid-cyan-blue-color"><strong>Publication date: May 13, 2026</strong></mark></p>



<p>The entry into application of the EU Data Act on 12 September 2025 marks one of the most significant developments in European data regulation since the adoption of the General Data Protection Regulation (GDPR). While the GDPR established a comprehensive framework for the protection of personal data, the Data Act introduces a new legal regime designed to improve access to and use of data generated by connected products and related digital services.</p>






<p>For businesses operating in the European Union, the key challenge is not understanding each regulation in isolation, but determining how they interact in practice. Many organizations already have mature GDPR compliance frameworks, but the Data Act creates additional obligations that require them to share data with users and third parties. Where those datasets contain personal data, compliance with the Data Act must be reconciled with the GDPR.</p>



<p>This article explains the relationship between the Data Act and the GDPR in practical terms. It highlights the main legal issues and outlines the steps businesses should take to prepare.</p>



<p><strong>What Is the Data Act?</strong></p>



<p>The Data Act, Regulation (EU) 2023/2854, is part of the European Union&#8217;s broader strategy to build a single market for data. Its purpose is to ensure that users of connected products and related services can access the data they generate and, in certain circumstances, require that such data be shared with third parties.</p>



<p>The regulation is intended to rebalance the relationship between manufacturers, service providers and users. In many industries, companies that design connected products control large volumes of data generated through use of those products. The Data Act seeks to ensure that users are able to benefit from this data rather than being locked into a single ecosystem.</p>



<p>The regulation applies to both personal and non-personal data, which is one of the key differences from the GDPR.</p>



<p>Examples of products and services covered by the Data Act include smart watches, connected vehicles, industrial machinery, medical devices, smart home appliances, agricultural equipment and software applications that process the data generated by such products.</p>



<p><strong>What Is the GDPR?</strong></p>



<p>The GDPR governs the processing of personal data relating to identified or identifiable natural persons. Its objective is to protect privacy and ensure that personal data is processed lawfully, fairly and transparently.</p>



<p>The GDPR applies whenever data relates to an individual and a controller or processor carries out an operation such as collecting, storing, sharing or analyzing that data.</p>



<p>Unlike the Data Act, the GDPR does not grant a broad right of access to all data generated by products. It focuses solely on personal data and establishes rights such as access, rectification, erasure and portability.</p>



<p><strong>The Relationship Between the Data Act and the GDPR</strong></p>



<p>The Data Act expressly states that it is without prejudice to EU and national laws on personal data protection, privacy and confidentiality of communications. In practical terms, this means that the Data Act does not override the GDPR. If a company is required to provide data under the Data Act and the dataset contains personal data, the GDPR continues to apply in full.</p>



<p>This principle has several important consequences.</p>



<p>First, the Data Act does not create a new legal basis for processing personal data. A company cannot rely on the Data Act alone to justify collecting, disclosing or otherwise processing personal data.</p>



<p>Second, organizations must continue to comply with all GDPR principles, including purpose limitation, data minimization, storage limitation and security.</p>



<p>Third, where there is a conflict between the two regulations, the GDPR prevails in relation to personal data.</p>



<p><strong>Why This Matters in Practice</strong></p>



<p>Most data generated by connected products is not purely personal or purely non-personal. Instead, businesses often deal with mixed datasets.</p>



<p>A connected vehicle, for example, may generate information on speed, fuel consumption, component performance, geolocation and driver behavior. Some of this information clearly relates to an identifiable person and therefore qualifies as personal data. Other elements may be technical or operational in nature.</p>



<p>Where personal and non-personal data are inextricably linked, organizations should assume that the GDPR applies to the dataset as a whole unless the data can be effectively separated.</p>



<p>This means that compliance with the Data Act often requires a GDPR analysis before any disclosure can take place.</p>



<p><strong>Practical Example: Smart Watch Data</strong></p>



<p>A consumer uses a smart watch that collects heart rate, sleep patterns, exercise metrics and location information. The consumer wishes to transfer the data to a third-party health application.</p>



<p>Under the Data Act, the user may request access to the data generated by the device and ask the manufacturer to transmit the data to another provider.</p>



<p>Because the dataset contains information relating to an identifiable person, the GDPR applies.</p>



<p>In this scenario, the manufacturer must verify that the request is valid, ensure the transmission is secure and process the data in accordance with the GDPR. The Data Act creates the obligation to provide the data, but the GDPR determines how the transfer must be carried out.</p>



<p><strong>Practical Example: Industrial Equipment</strong></p>



<p>A manufacturing company leases connected machinery that generates data concerning temperature, output, wear and maintenance cycles. The company wants to share this data with an independent maintenance provider.</p>



<p>The Data Act allows the user to request access to the data and to require the data holder to share it with a third party.</p>



<p>If the dataset contains no personal data, the GDPR may not apply.</p>



<p>However, if the data includes operator IDs or logs that can identify employees, GDPR considerations arise. The data holder must assess whether a lawful basis exists for sharing those elements.</p>



<p><strong>Key Roles Under the Data Act and the GDPR</strong></p>



<p>The terminology used by the two regulations differs, but the concepts often overlap. Under the Data Act, the principal roles are the data holder, the user and the data recipient. Under the GDPR, the key roles are the controller and processor. In practice, a data holder will often act as a controller because it determines the purposes and means of processing personal data. A business user receiving data may also become a controller if it decides how the data will be used.</p>



<p>This distinction is important because the recipient of data under the Data Act may inherit independent GDPR obligations.</p>



<p><strong>Data Portability: How the Data Act Expands Existing Rights</strong></p>



<p>The GDPR grants individuals a right to data portability, but this right is limited to personal data provided by the data subject and processed on the basis of consent or contract. The Data Act significantly broadens this concept.</p>



<p>It applies to data generated through the use of connected products and related services, regardless of whether the data is personal or non-personal.</p>



<p>For businesses, this means that existing GDPR portability procedures will usually not be sufficient. Organizations may need entirely new technical and contractual frameworks to handle Data Act requests.</p>



<p><strong>Trade Secrets and Confidential Information</strong></p>



<p>One of the most common concerns raised by businesses is the protection of proprietary information. The Data Act recognizes that data may contain trade secrets and allows data holders to implement safeguards such as confidentiality agreements, access controls and contractual restrictions. However, trade secret protection is not an automatic ground for refusing access. A refusal is permitted only in exceptional circumstances where disclosure would likely cause serious economic harm and where protective measures are insufficient.</p>



<p>In practice, businesses should assume that most requests will need to be fulfilled, subject to appropriate safeguards.</p>



<p><strong>Smart Contracts</strong></p>



<p>The Data Act introduces specific requirements for smart contracts used to automate data sharing.</p>



<p>Where businesses use blockchain-based or automated systems to execute data-sharing arrangements, those systems must meet standards relating to security, integrity and the ability to terminate or interrupt execution where necessary. Although this aspect of the regulation may not affect all organizations, it is highly relevant to businesses deploying decentralized or automated contractual technologies.</p>



<p><strong>Cloud Switching and Digital Assets</strong></p>



<p>The Data Act also addresses switching between providers of data processing services, including cloud providers. Customers must be able to move digital assets such as applications, configuration files, metadata and access credentials to another provider more easily. Organizations that offer cloud or platform services should review their contractual and technical arrangements to ensure that customers can migrate without undue barriers.</p>



<p><strong>Legal Basis for Processing Personal Data</strong></p>



<p>A recurring misconception is that the Data Act itself authorizes disclosure of personal data. This is incorrect. Whenever personal data is involved, a valid legal basis under the GDPR remains necessary. The applicable legal basis will depend on the circumstances. In some cases, processing may be necessary for the performance of a contract. In others, consent or legitimate interests may be relevant. Where the user requesting the data is a business rather than the individual to whom the data relates, the requesting party may need to demonstrate that it has an independent lawful basis for processing the personal data.</p>



<p><strong>What Businesses Should Do</strong></p>



<p>Organizations should begin by identifying whether they fall within the scope of the Data Act. Businesses that manufacture connected products, provide related services, control access to product-generated data or offer cloud services are the most likely to be affected. The next step is to map the data generated by products and services. This exercise should identify what data is collected, whether it includes personal data, who controls it and with whom it may be shared.</p>



<p>Once the data landscape is understood, businesses should review the legal bases for processing any personal data contained in those datasets.</p>



<p>Policies and procedures should then be updated to address Data Act requests. Existing GDPR processes will rarely be sufficient because they are designed primarily for requests from individuals, not business-to-business data sharing.</p>



<p>Contracts with customers, partners and recipients should be revised to address data use restrictions, confidentiality obligations, trade secret protections and security measures.</p>



<p>Technical teams should ensure that systems can provide data in accessible formats, authenticate requesters, record disclosures and protect sensitive information.</p>



<p>Finally, legal, compliance, IT and customer support teams should be trained so that they understand how to manage requests consistently.</p>



<p><strong>Common Pitfalls</strong></p>



<p>Businesses preparing for the Data Act frequently make several mistakes. The first is assuming that the Data Act overrides the GDPR. In reality, the GDPR remains fully applicable whenever personal data is involved. The second is underestimating the complexity of mixed datasets. The third is relying too heavily on trade secret arguments to resist disclosure. The fourth is failing to update contracts and operational procedures.</p>



<p>The fifth is treating compliance as a purely legal issue rather than a multidisciplinary project involving legal, IT, security and commercial teams.</p>



<p><strong>Enforcement and Business Risk</strong></p>



<p>Failure to comply with the Data Act may result in regulatory investigations, disputes with customers and partners, and reputational damage. Where personal data is mishandled, GDPR enforcement risks also arise, including potentially significant administrative fines. For this reason, businesses should approach the Data Act as a strategic compliance project rather than a narrow contractual exercise.</p>



<p><strong>Conclusion</strong></p>



<p>The Data Act and the GDPR are complementary regulations that pursue different objectives. The GDPR protects individuals and their personal data. The Data Act promotes broader access to data generated by connected products and services. When those datasets contain personal data, organizations must apply both regimes simultaneously. The Data Act creates the obligation to make data available, while the GDPR determines the conditions under which personal data may be processed and shared.</p>



<p>Businesses that rely on connected products, IoT ecosystems, industrial data or cloud services should begin preparing well in advance.</p>



<p>Organizations that invest now in data mapping, contractual updates, technical controls and internal governance will be best positioned to comply with the new rules and to leverage data as a strategic asset.</p>



<p><strong>Client Alert</strong></p>



<p><strong>EU Data Act Applies from 12 September 2025: Is Your Business Ready?</strong></p>



<p>The EU Data Act introduces a new framework governing access to data generated by connected products and related services. It applies from 12 September 2025 and will affect manufacturers, software providers, cloud providers and businesses that rely on connected technologies.</p>



<p>The regulation grants users the right to access data generated by products they use and to request that such data be shared with third parties.</p>



<p>Where the data includes personal data, the GDPR remains fully applicable.</p>



<p>For many organizations, the Data Act will require updates to contracts, technical systems and operational procedures.</p>



<p>Businesses should begin by identifying whether they control product-generated data, determining whether datasets include personal data, and assessing whether existing systems can support secure and compliant data sharing.</p>



<p>Organizations should also review trade secret protections and update agreements with customers and business partners.</p>



<p>Companies that prepare early will be better positioned to meet legal obligations and capitalize on new opportunities arising from increased data portability.</p>



<p><strong>Data Act Implementation Checklist</strong></p>



<p>An effective implementation project should begin with a governance assessment to determine which internal teams will be responsible for legal analysis, technical implementation and operational oversight.</p>



<p>The organization should then conduct a comprehensive data mapping exercise covering all connected products, related services and cloud environments. This exercise should distinguish between personal data, non-personal data and mixed datasets.</p>



<p>A legal review should be undertaken to confirm the GDPR legal bases for processing personal data and to identify any restrictions arising from confidentiality obligations or trade secret protections.</p>



<p>Customer terms, data-sharing agreements, cloud contracts and internal policies should be revised to reflect Data Act requirements.</p>



<p>Technical teams should ensure that systems are capable of exporting data in usable formats, authenticating requesters, logging disclosures and protecting confidential information.</p>



<p>Operational procedures should be established for receiving, reviewing and responding to requests.</p>



<p>Training should be delivered to legal, compliance, IT, security and customer-facing teams.</p>



<p><strong>The EU Data Act Meets the GDPR: What Businesses Need to Know</strong></p>



<p>With the EU Data Act becoming applicable from <strong>12 September 2025</strong>, we’re entering a new era of data regulation in Europe — one that doesn’t replace the GDPR, but fundamentally reshapes how it operates in practice.</p>



<p>For many organizations, the challenge is no longer <em>GDPR vs. Data Act</em>, but how both frameworks work together when data is shared, accessed, and reused.</p>



<p>The key reality?<br>Most data generated by connected products is <strong>mixed — personal and non-personal at the same time</strong>. And that changes everything.</p>



<h3 class="wp-block-heading">Key takeaway:</h3>



<p>The Data Act creates obligations to <strong>share data</strong>, but the GDPR still governs <strong>how personal data can be processed and transferred</strong>. The Data Act never overrides GDPR requirements.</p>



<h3 class="wp-block-heading">What this means in practice:</h3>



<ul class="wp-block-list">
<li>No new legal basis for processing personal data under the Data Act</li>



<li>GDPR principles (minimization, purpose limitation, security) still fully apply</li>



<li>Trade secrets don’t automatically block access requests</li>



<li>Data portability rights are significantly expanded beyond GDPR scope</li>



<li>Cloud and IoT ecosystems will need major technical and contractual updates</li>
</ul>



<h3 class="wp-block-heading">The real challenge for businesses</h3>



<p>Compliance is no longer just legal — it’s operational and technical.</p>



<p>Organizations will need to:</p>
<ul class="wp-block-list">
<li>Map all product-generated data</li>
<li>Identify where personal data is involved</li>
<li>Update contracts and data-sharing frameworks</li>
<li>Build secure, auditable data access systems</li>
<li>Align legal, IT, and compliance teams</li>
</ul>



<h3 class="wp-block-heading">Bottom line:</h3>



<p>The Data Act doesn’t replace the GDPR — it adds a new layer of complexity on top of it. Companies that prepare early will not only reduce compliance risk but also gain a competitive advantage in the emerging EU data economy.</p>
]]></content:encoded>
					
					<wfw:commentRss>https://www.kg-legal.eu/info/it-new-technologies-media-and-communication-technology-law/interplay-between-the-data-act-and-the-gdpr-a-practical-guide-for-businesses/feed/</wfw:commentRss>
			<slash:comments>0</slash:comments>
		
		
			</item>
		<item>
		<title>National Healthcare and the processing of personal data by means of AI</title>
		<link>https://www.kg-legal.eu/info/pharmaceutical-healthcare-life-sciences-law/national-healthcare-and-the-processing-of-personal-data-by-means-of-ai/</link>
					<comments>https://www.kg-legal.eu/info/pharmaceutical-healthcare-life-sciences-law/national-healthcare-and-the-processing-of-personal-data-by-means-of-ai/#respond</comments>
		
		<dc:creator><![CDATA[jakub]]></dc:creator>
		<pubDate>Wed, 12 Nov 2025 10:22:53 +0000</pubDate>
				<category><![CDATA[PHARMACEUTICAL, HEALTHCARE & LIFE SCIENCES LAW]]></category>
		<category><![CDATA[AI]]></category>
		<category><![CDATA[Artificial intelligence]]></category>
		<category><![CDATA[gdpr]]></category>
		<category><![CDATA[National Health Fund]]></category>
		<category><![CDATA[National Healthcare]]></category>
		<category><![CDATA[nfz]]></category>
		<category><![CDATA[personal data]]></category>
		<category><![CDATA[Poland]]></category>
		<category><![CDATA[processing of personal data]]></category>
		<guid isPermaLink="false">https://www.kg-legal.eu/?p=8478</guid>

					<description><![CDATA[<p>Publication date: November 12, 2025 Artificial intelligence (AI) is currently finding widespread use in healthcare. A prime example is the Polish National Health Fund (NFZ) initiative, which utilizes AI to analyze patient data stored in the Fund&#8217;s databases. This data is then analyzed with the support of machine learning tools to make strategic decisions regarding [&#8230;]</p>
<p>The article <a href="https://www.kg-legal.eu/info/pharmaceutical-healthcare-life-sciences-law/national-healthcare-and-the-processing-of-personal-data-by-means-of-ai/">National Healthcare and the processing of personal data by means of AI</a> comes from <a href="https://www.kg-legal.eu">KIELTYKA GLADKOWSKI LEGAL | CROSS BORDER POLISH LAW FIRM RANKED IN THE LEGAL 500 EMEA SINCE 2019</a>.</p>
]]></description>
										<content:encoded><![CDATA[
<p><strong><mark style="background-color:rgba(0, 0, 0, 0)" class="has-inline-color has-vivid-cyan-blue-color">Publication date: November 12, 2025</mark></strong></p>



<p>Artificial intelligence (AI) is currently finding widespread use in healthcare. A prime example is the Polish National Health Fund (NFZ) initiative, which utilizes AI to analyze patient data stored in the Fund&#8217;s databases. This data is then analyzed with the support of machine learning tools to make strategic decisions regarding the health of Poles. This approach will certainly simplify the work of doctors by searching for and analyzing the desired information, undoubtedly reducing their workload. However, such a solution may raise several issues and legal requirements related to regulations regarding the protection and processing of personal data.</p>






<h2 class="wp-block-heading"><strong>What is personal data?</strong></h2>



<p>The most common definition of personal data is contained in the EU Regulation 2016/679 (GDPR), according to which personal data is any information about an identified or identifiable natural person. This includes direct identification (e.g., name and surname) or certain factors allowing indirect identification (e.g., job description or nationality). This concept is expanded by the Polish Act on the Protection of Personal Data Processed in Connection with the Prevention and Combating of Crime of December 14, 2018, by applying it directly to health. Health data here means personal data relating to the physical or mental health of an individual, including data on the use of healthcare services that reveal information about their health.</p>



<p class="has-luminous-vivid-amber-background-color has-background has-medium-font-size"><strong>Patients&#8217; rights</strong></p>



<p>A number of patient rights are listed in the EU Regulation 2025/327 (Regulation on the European Health Data Space). The fundamental right is the right of individuals to access their electronically collected data (especially &#8220;priority data,&#8221; e.g., electronic prescriptions or imaging test results), which should be granted immediately after the data is registered in the system. Individuals can also add their own information to the data already visible in the system and correct it. Furthermore, patients can grant access to their data or request its transfer to another provider. Healthcare professionals&#8217; access to the data can also be restricted (in such cases, however, the patient should be informed of the potential impact of such a restriction on the quality of care provided). Institutions collecting patient data should therefore be aware of these rights: if they are not respected, the patient may file a complaint (provided, however, that the rights or interests of the individual are adversely affected) and demand appropriate compensation.</p>



<p>The GDPR provides similar rights and additionally one crucial privilege: the right to object. Under the GDPR, an individual may object at any time, on grounds relating to their particular situation, to the processing of their data, including processing connected with the performance of healthcare tasks. In such a case, the data may no longer be processed unless the controller demonstrates compelling legitimate grounds for further processing. A patient may also request the deletion of their personal data if, for example, the data are no longer necessary for the purpose for which they were collected or were processed unlawfully. The GDPR further provides for administrative fines of up to €20 million for a controller&#8217;s violation of the guaranteed rights, and Article 79 of the GDPR grants the right to an effective judicial remedy where the individual (patient) considers that the processing of their personal data violated the law.</p>



<p class="has-luminous-vivid-amber-background-color has-background has-medium-font-size"><strong>Obligations of entities storing and processing data</strong></p>



<p>Pursuant to Article 24 of the GDPR, the data controller is obligated to implement appropriate technical and organizational measures to ensure that processing is carried out in compliance with legal provisions and with the rights and freedoms of others, and to review and update these measures as necessary. In the case of <strong><u>AI-based patient data processing</u></strong>, the obligation to design such measures is also crucial, so that, by default, only the information necessary to protect the patient&#8217;s life and health is processed.</p>

<p>In the event of a personal data breach, the controller should notify the relevant supervisory authority within 72 hours of becoming aware of the breach. The controller is not obligated to do so if the breach is unlikely to result in a risk to the rights and freedoms of natural persons; if the risk is high, the controller should also notify the affected individual.</p>

<p>Furthermore, where the planned processing, in particular using new technologies (including AI), is likely to result in a high risk to the rights and freedoms of natural persons, its impact on personal data protection must be assessed before processing begins. If such an assessment reveals a high risk and the controller does not implement measures to mitigate it, the controller must consult the relevant supervisory authority (in Poland, the President of the Personal Data Protection Office [President of the UODO]), which then provides the controller with a written recommendation and may also temporarily restrict or prohibit processing or issue a warning to the controller. The general obligations that personal data be processed lawfully, fairly and transparently, and limited to what is necessary for the purposes for which they are processed, also remain important.</p>



<p>In this situation, Regulation 2024/1689 (&#8220;AI Act&#8221;) also provides an interesting requirement. According to Article 4 thereof, healthcare entities using AI systems to make strategic decisions about patients are responsible for maintaining an appropriate level of AI competence among their staff, taking into account the purpose of using the system and the persons for whom the systems are to be used.</p>



<p class="has-luminous-vivid-amber-background-color has-background has-medium-font-size"><strong>Requirements for the AI systems themselves</strong></p>



<p>The basic requirements that AI systems used for data processing would have to meet are set out in the aforementioned AI Act. This document explicitly classifies such AI systems as &#8220;high-risk systems&#8221;, and therefore the requirements set out in the act apply to them. Primarily, this requires maintaining appropriate documentation for the system: technical documentation regarding the quality management system (including data acquisition, collection, analysis, and labeling) and an EU declaration of conformity confirming the system&#8217;s compliance with the requirements set out in the regulation. This documentation should be kept at the disposal of the competent national authorities for 10 years after the system&#8217;s commissioning. Such systems should also meet transparency requirements, meaning they should be designed to facilitate proper use and interpretation of their actions (they should also have clear operating instructions). They must also have an appropriate oversight system that allows for human oversight of the AI where necessary, especially if its operation were to get out of control and harm others. Finally, AI systems are also subject to certain formal requirements, such as undergoing a pre-market conformity assessment and registration in a dedicated EU database for high-risk AI systems. It is also important to remember that high-risk AI systems are subject to the general CE marking regulations. Once a system is placed on the market, its provider is required to establish a post-market monitoring system to ensure its continued legal compliance.</p>



<p><strong><u>The issue of non-personal data</u></strong></p>



<p>It is also worth raising the issue of non-personal data, for example where a hospital, in order to decide on the appropriate medication for a patient, requests information about certain medications from a pharmacy. Under Chapter V of the Data Act (Regulation (EU) 2023/2854), a public sector body may request such data from a business only where it has an exceptional need, that is, only to the extent that the lack of the data would prevent it from performing a specific task in the public interest and it has no other means of obtaining the data. The request must, in particular, specify the purpose for which the data are requested. The data holder that receives the request may decline it if it does not have control over the requested data or if a similar request for the same purpose has already been submitted by another public sector body. Once the requested data are in the hands of the requester, it must not use them in a manner incompatible with the purpose for which they were provided, must implement technical and organisational measures to protect their confidentiality and integrity, and must erase them as soon as they are no longer needed for the specified purpose. It is also prohibited from using the data to develop or improve a competing product or service, or from disclosing them to third parties for that purpose. At the same time, the public sector body may share the data received with individuals or organisations carrying out scientific research or analytics compatible with the purpose for which the data were requested, or with national statistical institutes (in Poland, the Central Statistical Office). Such recipients must act on a not-for-profit basis or within a public-interest mission and must not be organisations over which commercial undertakings have a significant influence.</p>



<p><strong><u>The status in Poland</u></strong></p>



<p>As mentioned above, Poland has established a dedicated supervisory authority for personal data protection, the President of the Personal Data Protection Office (UODO), who acts with the assistance of the Personal Data Protection Office. Among other things, this authority handles prior consultations on processing that would pose a high risk to the rights and freedoms of natural persons, conducts proceedings in cases of infringement of personal data protection law and draws up a plan for monitoring compliance with those provisions.</p>



<p>The provisions of the Polish Act on Patients&#8217; Rights and the Patient Ombudsman are also worth remembering. It stipulates that patients have the right to access medical records concerning their state of health and the services provided to them. The entity keeping such records may disclose the data they contain only to the patient or to a person authorised by the patient (or, for example, to a university or research institute for scientific purposes, but without any data that would allow the individual to be identified). Furthermore, the entity providing the services must retain medical records only for a specified period (as a rule, 20 years), after which they must be destroyed in a way that prevents identification of the patient to whom they related. The Act on the Healthcare Information System additionally limits access to these records to physicians and other medical professionals.</p>



<p>Also relevant are the provisions of the Act on the computerisation of the activities of entities performing public tasks, under which an entity maintaining a public register (i.e. any type of records kept under the relevant provisions in order to carry out public tasks) must give another public entity access to the data in its possession to the extent necessary for the performance of that entity&#8217;s public tasks.</p>



<p>It is also important to remember the Polish Code of Medical Ethics, which in Article 14 requires physicians to inform patients about the benefits and risks of proposed diagnostic procedures and, where appropriate, about the possibility of using other methods. Furthermore, under Article 12, AI may be used in treatment only once the following conditions are met: the patient has been informed that artificial intelligence will be used in the diagnostic or therapeutic process; the patient has given informed consent to its use in that process; and the AI algorithms used are approved for medical use and hold the appropriate certifications. The final decision always rests with the physician.</p>



<p>Government draft legislation is currently being prepared to adapt the national legal system to the requirements of the AI Act. The government&#8217;s proposals primarily envisage the establishment of the Artificial Intelligence Development and Security Commission, which would supervise the AI market within the scope specified in Article 2 of Regulation 2024/1689. The second main body would be the President of the Personal Data Protection Office (UODO), who would supervise high-risk AI systems, including those used in healthcare.</p>



<p><strong><u>Summary</u></strong></p>



<p>Processing personal data for healthcare purposes with the support of artificial intelligence is undoubtedly a convenient and practical solution, but it comes with a number of legal obligations. Some are intended to secure the data used (e.g. using the acquired data only for a strictly defined purpose), some to protect patients themselves (e.g. the duty to inform the patient of the intention to use artificial intelligence in the treatment process), and some are formal in nature (e.g. the requirement to register the AI system in the EU database). At present, the EU regulations are considerably more detailed on these matters than the national ones.</p>
<p>The article <a href="https://www.kg-legal.eu/info/pharmaceutical-healthcare-life-sciences-law/national-healthcare-and-the-processing-of-personal-data-by-means-of-ai/">National Healthcare and the processing of personal data by means of AI</a> originally appeared on <a href="https://www.kg-legal.eu">KIELTYKA GLADKOWSKI LEGAL | CROSS BORDER POLISH LAW FIRM RANKED IN THE LEGAL 500 EMEA SINCE 2019</a>.</p>
]]></content:encoded>
					
					<wfw:commentRss>https://www.kg-legal.eu/info/pharmaceutical-healthcare-life-sciences-law/national-healthcare-and-the-processing-of-personal-data-by-means-of-ai/feed/</wfw:commentRss>
			<slash:comments>0</slash:comments>
		
		
			</item>
	</channel>
</rss>
