The EU Data Act’s implementation on September 12, 2025, introduced a critical challenge for organizations: coordinating compliance between two powerful yet distinct data regulations. While the General Data Protection Regulation (GDPR) has governed personal data since 2018, the Data Act now establishes comprehensive rules for both personal and non-personal data generated by connected devices. Understanding how these regulations interact—and occasionally conflict—is essential for effective compliance.

This framework provides practical guidance for navigating the complex relationship between GDPR and the Data Act, helping organizations build coordinated data governance programs that satisfy both regulatory regimes.


Understanding the Fundamental Relationship

Complementary, Not Duplicative

The European Commission states explicitly: “The Data Act is fully compliant with data protection rules, notably the GDPR. The GDPR is fully applicable to all personal data processing activities under the Data Act. The Data Act does not regulate as such the protection of personal data.”

However, this official position oversimplifies a complex reality. While the Data Act complements the GDPR, it also specifies and enhances certain aspects of data protection law, creating areas where the two regulations must be carefully coordinated.

Core Distinction:

  • GDPR: Regulates the processing of personal data exclusively, focusing on protecting fundamental rights and freedoms of natural persons
  • Data Act: Regulates access to and use of data (both personal and non-personal) generated by connected products, focusing on economic fairness and innovation

When Both Regulations Apply

Personal data within the scope of the Data Act triggers obligations under both regulations. Organizations must simultaneously:

  1. Ensure Data Act compliance: Provide users access to data, enable third-party sharing, respect design requirements
  2. Maintain GDPR compliance: Verify legal bases, honor data subject rights, implement appropriate security measures, conduct data protection impact assessments where required

Critical Insight: Compliance with the Data Act does not automatically ensure GDPR compliance, and vice versa. Each regulation must be addressed independently, then coordinated.

Defining Scope: Personal vs. Non-Personal Data

Classification Challenges

The distinction between personal and non-personal data is critical but often ambiguous in IoT contexts:

Personal Data (GDPR applies) Data relating to an identified or identifiable natural person. In connected device contexts, this includes:

  • User location data from smart vehicles or wearables
  • Usage patterns that can identify individuals
  • Biometric data from health monitors
  • Voice recordings from smart speakers
  • Home activity patterns from smart home devices
  • Any data that can be linked to a specific person

Non-Personal Data (Data Act applies without GDPR) Data that does not relate to identifiable individuals:

  • Aggregated sensor readings stripped of identifying information
  • Anonymous machine performance metrics
  • Environmental measurements without user association
  • Technical system logs with personal identifiers removed

Mixed Data Sets (Both regulations apply) Most IoT data contains both personal and non-personal elements, creating significant challenges:

  • Smart thermostat data: Temperature readings (non-personal) + usage times that reveal when someone is home (personal)
  • Industrial machinery data: Performance metrics (non-personal) + operator identification (personal)
  • Connected vehicle data: Engine diagnostics (non-personal) + driving behavior and location (personal)

Practical Classification Framework

Organizations should implement a three-step classification process:

Step 1: Initial Assessment For each data point generated by connected products, determine:

  • Can this data identify a natural person directly?
  • Can this data, combined with other available information, identify someone?
  • Does this data relate to someone’s behavior, characteristics, or choices?

Step 2: Context Evaluation Consider:

  • Who has access to auxiliary data that could enable identification?
  • What is the reasonable likelihood of re-identification?
  • How is the data actually used in practice?

Step 3: Conservative Approach When uncertain, classify data as personal. The consequences of misclassification—treating personal data as non-personal—are severe under GDPR.
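The three steps above can be made mechanical so that every field a connected product emits is classified the same way and the reasoning is recorded. The following is an added example written for this guide, not code from the original page or from any regulator or vendor; the `DataPoint` attributes, the `Kind` enum and the thermostat sample rows are constructed here to mirror the Step 1 and Step 2 questions. It also classifies a whole data set as personal, non-personal or mixed, which the text discusses but the three steps do not spell out.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Iterable, Optional, Set, Tuple


class Kind(Enum):
    PERSONAL = "personal"          # GDPR applies (and the Data Act, for connected-product data)
    NON_PERSONAL = "non-personal"  # Data Act applies without GDPR


@dataclass(frozen=True)
class DataPoint:
    """One field generated by a connected product, annotated with the answers to the
    Step 1 and Step 2 questions. Attribute names are constructed for this example."""
    name: str
    identifies_directly: bool          # Step 1: identifies a natural person on its own?
    relates_to_person: bool            # Step 1: someone's behaviour, characteristics or choices?
    linkable_with_auxiliary: bool      # Step 1: identifies someone when combined with other data?
    auxiliary_accessible: Optional[bool] = None   # Step 2: does a party with access hold that other data? None = not assessed
    reidentification: Optional[str] = None        # Step 2: "remote" or "reasonable"; None = not assessed


def classify_point(dp: DataPoint) -> Tuple[Kind, str]:
    """Apply the three-step process to one data point; returns (classification, reason)."""
    # Step 1: initial assessment
    if dp.identifies_directly:
        return Kind.PERSONAL, "direct identifier"
    if dp.relates_to_person:
        return Kind.PERSONAL, "relates to a person's behaviour, characteristics or choices"
    if not dp.linkable_with_auxiliary:
        return Kind.NON_PERSONAL, "no identifying or behavioural link"
    # Step 2: context evaluation, reached only for indirectly linkable data
    if dp.auxiliary_accessible is None or dp.reidentification is None:
        # Step 3: conservative default when the context has not been assessed
        return Kind.PERSONAL, "context not assessed; treated as personal by default"
    if not dp.auxiliary_accessible and dp.reidentification == "remote":
        return Kind.NON_PERSONAL, "auxiliary data not accessible and re-identification remote"
    return Kind.PERSONAL, "re-identification reasonably likely in this context"


def classify_dataset(points: Iterable[DataPoint]) -> str:
    """Classify a whole data set as personal, non-personal or mixed."""
    kinds = {classify_point(p)[0] for p in points}
    if not kinds:
        raise ValueError("empty data set")
    if kinds == {Kind.PERSONAL}:
        return "personal"
    if kinds == {Kind.NON_PERSONAL}:
        return "non-personal"
    return "mixed"


def applicable_regimes(dataset_kind: str) -> Set[str]:
    """Regulations that apply to a data set generated by a connected product."""
    return {"Data Act"} if dataset_kind == "non-personal" else {"Data Act", "GDPR"}


# Constructed sample: the smart-thermostat example from the text.
THERMOSTAT = [
    DataPoint("temperature_c", False, False, False),
    DataPoint("heating_on_times", False, True, True),  # reveals when someone is home
    DataPoint("device_serial", False, False, True),    # linkable through a sales database; context not yet assessed
]

if __name__ == "__main__":
    for p in THERMOSTAT:
        kind, why = classify_point(p)
        print(f"{p.name}: {kind.value} ({why})")
    kind = classify_dataset(THERMOSTAT)
    print("data set:", kind, sorted(applicable_regimes(kind)))
```

Note that `device_serial` lands in the personal bucket purely because its Step 2 context is unassessed; the only way to move such a field to non-personal is to record an explicit assessment that the auxiliary data is out of reach and re-identification is remote, which is exactly the documentation a supervisory authority would ask for.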

Coordinating Core Rights and Obligations

Access Rights: GDPR vs. Data Act

Both regulations grant access rights, but with different scopes and requirements:

GDPR Access Rights (Article 15)

Data subjects have the right to:

  • Confirmation whether personal data is being processed
  • Access to the personal data
  • Information about processing purposes, categories, recipients
  • Storage periods or criteria
  • Right to rectification, erasure, or restriction

Delivery requirements:

  • Provide copy free of charge (first request)
  • Respond within one month (extendable to three months)
  • Deliver in accessible, intelligible format
  • Include all personal data undergoing processing

Data Act Access Rights (Article 4)

Users of connected products have the right to:

  • Access all data generated by their use of the product
  • Receive data in structured, machine-readable format
  • Obtain data continuously and in real-time where feasible
  • Share data with third parties

Delivery requirements:

  • Provide data free of charge (except archived data retrieval costs)
  • Respond within reasonable timeframe
  • Deliver in comprehensive, commonly used format
  • Include raw data and necessary metadata

Coordination Framework for Access Requests

When a request involves personal data:

  1. Determine applicable regulation(s)
    • Is requester the data subject? → GDPR access right may apply
    • Is requester the user of a connected product? → Data Act access right applies
    • Both? → Coordinate to satisfy both regimes
  2. Identify legal basis for sharing
    • Under Data Act, user access is required
    • Under GDPR, sharing must have lawful basis (often legitimate interest or consent)
    • Where user is not the data subject, additional GDPR analysis required
  3. Apply strictest requirements
    • If GDPR requires response in 30 days and Data Act requires real-time access, prioritize real-time where feasible
    • If GDPR requires specific information elements, include them even if Data Act doesn’t mandate them
    • Document coordination decisions
  4. Manage conflicting interests
    • When multiple data subjects’ rights conflict with Data Act user rights
    • Apply data protection by design principles to separate or anonymize data
    • Document why full access cannot be provided if necessary
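The four-step coordination framework is essentially a decision procedure over three facts about the requester (data subject? product user? are other people's data involved?), so it is worth encoding once and reusing for every intake. The example below is added for this guide and is not code from the original page; the `AccessRequest` fields, the `ResponsePlan` structure, the element lists and the constructed receipt date are assumptions made here, and the 30-day deadline follows the text's own simplification of the GDPR one-month period.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta
from enum import Enum
from typing import List, Optional, Set, Tuple


class Regime(Enum):
    GDPR = "GDPR Article 15"
    DATA_ACT = "Data Act Article 4"


# Information elements each regime requires in the response, taken from the lists above.
GDPR_ELEMENTS = ("confirmation of processing", "copy of the personal data",
                 "processing purposes", "data categories", "recipients",
                 "storage period or criteria", "rights to rectification, erasure, restriction")
DATA_ACT_ELEMENTS = ("raw data", "necessary metadata")


@dataclass
class AccessRequest:
    requester: str
    is_data_subject: bool               # the requester is the person the data is about
    is_product_user: bool               # the requester is the user of the connected product
    involves_personal_data: bool
    other_data_subjects: bool = False   # data about people other than the requester is included
    received: date = date(2025, 9, 15)  # constructed date


@dataclass
class ResponsePlan:
    regimes: Set[Regime]
    deadline: Optional[date]            # GDPR deadline, if GDPR applies
    realtime: bool                      # deliver continuously / in real time under the Data Act
    elements: Tuple[str, ...]
    needs_gdpr_analysis: bool           # extra legal-basis work before any release
    decisions: List[str] = field(default_factory=list)   # the documented coordination decisions


def plan_response(req: AccessRequest, realtime_feasible: bool = True) -> ResponsePlan:
    regimes: Set[Regime] = set()
    decisions: List[str] = []
    # 1. Determine the applicable regulation(s)
    if req.is_data_subject and req.involves_personal_data:
        regimes.add(Regime.GDPR)
        decisions.append("requester is the data subject: GDPR access right applies")
    if req.is_product_user:
        regimes.add(Regime.DATA_ACT)
        decisions.append("requester is the product user: Data Act access right applies")
    if not regimes:
        decisions.append("no access right identified; reject with reasons")
        return ResponsePlan(regimes, None, False, (), False, decisions)
    # 2. Legal basis for sharing personal data
    needs_analysis = req.involves_personal_data and (not req.is_data_subject or req.other_data_subjects)
    if needs_analysis:
        decisions.append("personal data of others or a non-subject user: additional GDPR analysis before release")
    # 3. Apply the strictest requirements of each regime
    deadline = req.received + timedelta(days=30) if Regime.GDPR in regimes else None
    realtime = Regime.DATA_ACT in regimes and realtime_feasible
    if realtime and deadline:
        decisions.append("real-time Data Act access prioritised; GDPR elements still due by the deadline")
    elements: Tuple[str, ...] = ()
    if Regime.DATA_ACT in regimes:
        elements += DATA_ACT_ELEMENTS
    if Regime.GDPR in regimes:
        elements += GDPR_ELEMENTS   # included even though the Data Act does not require them
    # 4. Manage conflicting interests
    if req.other_data_subjects:
        decisions.append("separate or anonymise other data subjects' data; document anything withheld")
    return ResponsePlan(regimes, deadline, realtime, elements, needs_analysis, decisions)


if __name__ == "__main__":
    plan = plan_response(AccessRequest("fleet-operator", False, True, True, other_data_subjects=True))
    print(sorted(r.value for r in plan.regimes), plan.deadline, plan.realtime)
    for d in plan.decisions:
        print("-", d)
```

The `decisions` list is the artefact to keep: it is the record of why a request was handled under one regime or both, which the framework's "document coordination decisions" step calls for.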

Portability: Enhanced Rights Under Data Act

The Data Act significantly extends GDPR’s data portability right (Article 20):

GDPR Portability (Article 20)

  • Applies only to data processed based on consent or contract
  • Limited to personal data provided by the data subject
  • Must be in structured, commonly used, machine-readable format
  • Right to transmit directly to another controller where technically feasible

Data Act Portability (Articles 4-5)

  • Applies to all data generated by connected product use
  • Includes both personal and non-personal data
  • Mandates continuous and real-time access where possible
  • Requires direct transmission to third parties upon user request

Coordination Strategy: Implement systems that satisfy the Data Act’s broader portability requirements, which automatically encompass GDPR portability for personal data within that scope. Ensure GDPR-specific elements (e.g., origin information, processing purposes) are included for personal data.

The Critical GDPR Overlay

The Data Act mandates data sharing, but does not provide a legal basis for processing personal data under GDPR. Organizations must independently establish lawful processing grounds.

Common Misconception: “Data Act requires sharing, therefore sharing is automatically lawful under GDPR.”

Reality: Data Act obligations do not override GDPR legal basis requirements. Organizations must identify appropriate GDPR grounds for any personal data processing, including sharing.

1. Legal Obligation (Article 6(1)(c) GDPR)

Applicability: Processing necessary for compliance with a legal obligation

Application to Data Act:

  • Data Act creates legal obligations on data holders
  • Some personal data sharing may qualify as legal obligation
  • Most reliable basis for mandatory Data Act sharing

Limitations:

  • Legal opinion varies on whether Data Act creates sufficient “legal obligation”
  • Some authorities may require additional justification
  • Does not cover voluntary data use by data holders

2. Legitimate Interest (Article 6(1)(f) GDPR)

Applicability: Processing necessary for legitimate interests pursued by controller or third party

Application to Data Act:

  • Data holders may have legitimate interest in complying with Data Act
  • Users may have legitimate interests in accessing their data
  • Third-party recipients may have legitimate business interests

Requirements:

  • Conduct legitimate interest assessment (balancing test)
  • Document why processing is necessary
  • Ensure interests don’t override data subjects’ rights and freedoms
  • Provide clear information to data subjects
  • Honor objections from data subjects

Critical Recent Development: CJEU decisions in Mousse (January 2025) and Koninklijke Nederlandse Lawn Tennisbond (November 2024) significantly tightened legitimate interest requirements:

  • Data subjects must be directly informed of the pursued legitimate interest at the time of data collection
  • Controllers must comply with all other GDPR obligations
  • Balancing test must be thoroughly documented

3. Consent (Article 6(1)(a) GDPR)

Applicability: Data subject has given consent for specific purposes

Application to Data Act:

  • Can be used for data holder’s own use of data (Article 4(13) Data Act)
  • May be appropriate for some third-party sharing scenarios
  • Flexible but administratively burdensome

Requirements:

  • Freely given, specific, informed, unambiguous
  • Clear affirmative action required
  • Easy withdrawal mechanism
  • Cannot be bundled with product purchase as condition
  • Separate consent for each processing purpose

Challenges:

  • Difficult to obtain valid consent in B2B contexts
  • Consent must be granular (separate for each third-party recipient)
  • Withdrawal must be honored, potentially conflicting with Data Act mandates

4. Contract (Article 6(1)(b) GDPR)

Applicability: Processing necessary for contract performance

Application to Data Act:

  • Limited applicability to mandated sharing
  • May apply to data holder’s use of data for product functionality
  • Narrow interpretation by data protection authorities

Limitations:

  • Cannot be stretched to cover all beneficial processing
  • Must be genuinely necessary for contract performance
  • Over-reliance on this basis attracts regulatory scrutiny

For Data Act-mandated personal data sharing:

  1. Primary basis: Legal obligation (Article 6(1)(c)) where defensible
  2. Secondary basis: Legitimate interest (Article 6(1)(f)) with thorough documentation
  3. Data holder’s own use: Obtain explicit consent via data license agreements
  4. Third-party recipients: Require recipients to establish own legal basis

Critical: Document legal basis decisions thoroughly. Regulators increasingly scrutinize GDPR legal bases, and justifications that seemed clear in 2018 face stricter interpretation today.

Third-Party Data Sharing: Complex Coordination

Data Act’s Third-Party Sharing Mandate

Under Article 5, data holders must transmit data to third parties designated by users. When personal data is involved, this creates a complex three-party relationship requiring careful GDPR coordination.

Role Mapping Under Both Regulations

Data Holder

  • Data Act role: Entity with right/obligation to make data available
  • GDPR role: Typically data controller for connected product data
  • Obligations: Provide data to user and designated third parties; ensure GDPR compliance when sharing personal data

User

  • Data Act role: Person/entity that owns or has right to use connected product
  • GDPR role: May be data subject (if individual user) OR data controller (if business using employee/customer data)
  • Rights: Access data; designate third-party recipients

Third-Party Recipient

  • Data Act role: Entity to whom user directs data be shared
  • GDPR role: Data controller or processor depending on context
  • Obligations: Establish legal basis for processing; implement appropriate security; respect usage limitations

Important Note: Data Act roles do not map neatly to GDPR roles. Detailed analysis is required for each scenario.

Coordination Requirements for Third-Party Sharing

Before Sharing Personal Data:

  1. Verify User Authority
    • Is user the data subject? → Proceed with Data Act sharing
    • Is user not the data subject but has legitimate access? → Additional GDPR analysis required
    • Are multiple data subjects’ data involved? → Complexity increases significantly
  2. Establish GDPR Legal Basis
    • Data holder must have basis for disclosure (likely legal obligation or legitimate interest)
    • Third-party recipient must establish independent basis for processing
    • If user is data controller, they must ensure basis for directing transfer
  3. Execute Data Sharing Agreement
    • Include GDPR-compliant clauses
    • Specify third party’s obligations as controller or processor
    • Address trade secret and confidentiality protections
    • Define permitted and prohibited uses (Data Act Article 6 restrictions)
  4. Provide Transparency
    • Inform data subjects of third-party sharing
    • Update privacy notices
    • Ensure information meets GDPR Article 13/14 requirements
  5. Implement Technical Safeguards
    • Secure transmission methods
    • Authentication of recipient identity
    • Audit trails of data transfers
    • Capability to honor data subject rights post-sharing

Special Case: User Is Not the Data Subject

Common scenarios where this complexity arises:

  • Business purchases connected machinery used by employees
  • Hospital acquires medical devices used on patients
  • Fleet operator uses connected vehicles driven by employees
  • Building owner operates smart building systems affecting tenants

Coordination Framework:

  1. Clarify Relationships
    • User (business) = Data controller under GDPR
    • Data holder (manufacturer) = Controller or processor depending on arrangement
    • Individuals (employees/patients/tenants) = Data subjects
    • Third-party recipient = Controller or processor depending on purpose
  2. GDPR Requirements for User-Controller
    • Must have lawful basis for directing data transfer
    • Must inform data subjects about processing
    • Must implement Article 32 security measures
    • Remains accountable for data protection compliance
  3. Data Protection Agreements
    • Between data holder and user
    • Between user and third-party recipient
    • Clearly allocate responsibilities
    • Address liability for GDPR violations
  4. Data Subject Rights
    • Must remain exercisable despite Data Act sharing
    • Establish clear mechanisms for data subjects to contact relevant controllers
    • Coordinate responses to access, erasure, objection requests

Conflicting Obligations: Resolution Framework

When GDPR and Data Act Appear to Conflict

Several scenarios create apparent tensions between the regulations:

Scenario 1: Erasure vs. Continued Access

Situation: Data subject exercises GDPR right to erasure (Article 17), but Data Act requires ongoing user access to historical data.

Resolution:

  • GDPR Article 17 includes exceptions to erasure (e.g., legal obligations, legitimate interests)
  • Data Act compliance may qualify as legal obligation or legitimate interest
  • However, a blanket refusal of erasure citing the Data Act is not permissible
  • Analyze specific circumstances:
    • Is continued storage necessary for Data Act compliance?
    • Can data be anonymized while preserving Data Act utility?
    • Is data truly historical or actively being used?
  • Document analysis thoroughly
  • Inform data subject of reasoning if erasure refused

Best Practice: Design systems to separate personal identifiers from operational data, enabling erasure of personal data while maintaining non-personal product data.
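The best practice above is a storage-layout decision, and it is easiest to see in code. The example below is added for this guide (not the page's own code or any product's design): operational telemetry is keyed by a random per-device token, while the token-to-customer mapping and the personal fields (location trace, driver id) live in separate tables. An Article 17 request then deletes the mapping and the personal rows, and the non-personal product data remains available for Data Act access under the same token. The record fields, the `retention_holds` table and the sample rows are constructed assumptions.

```python
import secrets
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class Telemetry:
    """Non-personal product data, keyed by an opaque per-device token."""
    device_token: str
    ts: int
    engine_temp_c: float
    fault_code: Optional[str]


@dataclass
class PersonalRecord:
    """Personal data fields, held apart from the operational data."""
    device_token: str
    ts: int
    gps: Tuple[float, float]   # location trace
    driver_id: str


class SplitStore:
    """Identity mapping, personal fields and operational telemetry live in separate tables."""

    def __init__(self) -> None:
        self.identity: Dict[str, str] = {}          # device_token -> customer id
        self.personal: List[PersonalRecord] = []
        self.operational: List[Telemetry] = []
        self.retention_holds: Dict[str, str] = {}   # customer id -> documented Article 17 exception
        self.log: List[str] = []                    # decisions, kept for the record

    def register(self, customer_id: str) -> str:
        token = secrets.token_hex(8)                # random, so the token itself reveals nothing
        self.identity[token] = customer_id
        return token

    def ingest(self, token: str, ts: int, engine_temp_c: float, fault_code: Optional[str],
               gps: Tuple[float, float], driver_id: str) -> None:
        # Personal and non-personal parts of one reading are written to different tables.
        self.operational.append(Telemetry(token, ts, engine_temp_c, fault_code))
        self.personal.append(PersonalRecord(token, ts, gps, driver_id))

    def data_act_export(self, token: str) -> List[Telemetry]:
        """Product data the user of the connected product is entitled to under the Data Act."""
        return [t for t in self.operational if t.device_token == token]

    def erase(self, customer_id: str) -> dict:
        """Handle a GDPR Article 17 request: check exceptions, act, and record the reasoning."""
        if customer_id in self.retention_holds:
            # Only a documented, case-specific exception may block erasure.
            reason = self.retention_holds[customer_id]
            self.log.append(f"erasure refused for {customer_id}: {reason}; data subject informed")
            return {"erased": False, "reason": reason}
        tokens = [t for t, c in self.identity.items() if c == customer_id]
        self.personal = [p for p in self.personal if p.device_token not in tokens]
        for t in tokens:
            del self.identity[t]                    # operational rows keep the token but can no longer be linked
        self.log.append(f"erased personal data for {customer_id}; {len(tokens)} device token(s) unlinked")
        return {"erased": True, "tokens_unlinked": len(tokens)}


if __name__ == "__main__":
    store = SplitStore()
    tok = store.register("customer-42")
    store.ingest(tok, 1, 90.5, "P0300", (52.0, 4.9), "driver-7")
    print(store.erase("customer-42"), len(store.data_act_export(tok)), "operational rows kept")
```

Two caveats follow from the text itself: the surviving telemetry is non-personal only if the holder keeps no other route back from the token to a person, which the classification framework earlier in this guide has to confirm; and an entry in `retention_holds` must come from the documented case-by-case analysis the resolution describes, never from a standing policy of citing the Data Act.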

Scenario 2: Third-Party Sharing vs. Data Minimization

Situation: User directs sharing with third party, but GDPR principle of data minimization (Article 5(1)(c)) suggests limiting data disclosure.

Resolution:

  • Data Act mandates sharing upon user request
  • This creates legitimate basis for broader disclosure than typical data minimization
  • However, data holder should:
    • Clarify with user exactly what data is needed for third party’s purpose
    • Offer options to share subsets rather than complete data sets
    • Implement technical means for granular sharing
    • Document that comprehensive sharing was user-directed

Scenario 3: Purpose Limitation vs. Data Holder Use

Situation: Data holder wants to use personal data from connected products for product improvement, but data was originally collected for product operation.

Resolution:

  • Data Act Article 4(13) requires user consent for data holder to use data
  • GDPR requires compatible purpose or new legal basis
  • Coordination approach:
    • Implement data license agreements (Data Act requirement)
    • Ensure licenses provide GDPR-compliant consent or establish legitimate interest
    • Clearly inform users of intended uses
    • Honor refusals or withdrawals
    • Consider using anonymized data where possible

Scenario 4: Security vs. Accessibility

Situation: Data Act requires continuous real-time access, but GDPR Article 32 security principles suggest limiting access.

Resolution:

  • Both regulations require appropriate security
  • Real-time access can be secured through:
    • Strong authentication mechanisms
    • Encrypted transmission
    • Access logging and monitoring
    • Rate limiting to prevent abuse
    • Anomaly detection
  • Security does not justify refusing legitimate Data Act access
  • Balance accessibility and security through technical measures
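The point of Scenario 4 is that the controls on the list are additive: they wrap the access path rather than close it. The following is an added example written for this guide, not code from the original page or from any product; it sketches a front door for continuous product-data access that authenticates the caller, rate-limits per principal with a token bucket, keeps an audit trail of every attempt, and flags a volume anomaly, while still returning data to a legitimate caller. The HMAC bearer credential, the demo secret, the thresholds and the audit record layout are all constructed assumptions, and transport encryption (TLS) is assumed to sit in front of it.

```python
import hashlib
import hmac
import time
from collections import defaultdict, deque
from typing import Deque, Dict, Optional

# Constructed secret for the demo; a real deployment would load it from a key store (assumption).
SECRET = b"constructed-demo-secret"


def issue_token(principal: str) -> str:
    """Bearer credential bound to the requesting party (HMAC keyed on a server-side secret)."""
    return hmac.new(SECRET, principal.encode(), hashlib.sha256).hexdigest()


def verify_token(principal: str, token: str) -> bool:
    return hmac.compare_digest(issue_token(principal), token)   # constant-time comparison


class TokenBucket:
    """Per-principal rate limit: `capacity` requests burst, refilled at `refill_per_s`."""

    def __init__(self, capacity: int, refill_per_s: float, now: float) -> None:
        self.capacity, self.refill = capacity, refill_per_s
        self.tokens, self.last = float(capacity), now

    def allow(self, now: float) -> bool:
        self.tokens = min(self.capacity, self.tokens + (now - self.last) * self.refill)
        self.last = now
        if self.tokens >= 1:
            self.tokens -= 1
            return True
        return False


class AccessGateway:
    """Front door for continuous product-data access: authenticate, rate-limit, log, flag anomalies."""

    def __init__(self, capacity: int = 5, refill_per_s: float = 1.0,
                 window_s: float = 60.0, anomaly_threshold: int = 20) -> None:
        self.capacity, self.refill = capacity, refill_per_s
        self.window_s, self.threshold = window_s, anomaly_threshold
        self.buckets: Dict[str, TokenBucket] = {}
        self.recent: Dict[str, Deque[float]] = defaultdict(deque)   # attempt timestamps per principal
        self.audit: list = []

    def request(self, principal: str, token: str, device_token: str,
                now: Optional[float] = None) -> dict:
        now = time.monotonic() if now is None else now
        # Anomaly detection counts every attempt, failed ones included, within the window.
        attempts = self.recent[principal]
        attempts.append(now)
        while attempts and attempts[0] < now - self.window_s:
            attempts.popleft()
        anomaly = len(attempts) > self.threshold
        status = "ok"
        if not verify_token(principal, token):
            status = "unauthenticated"
        else:
            bucket = self.buckets.setdefault(principal, TokenBucket(self.capacity, self.refill, now))
            if not bucket.allow(now):
                status = "rate_limited"
        # Audit trail: who asked for which device's data, when, and what happened.
        self.audit.append({"t": now, "principal": principal, "device": device_token,
                           "status": status, "anomaly": anomaly})
        # A legitimate caller still gets the data; only the delivery is controlled.
        payload = {"device": device_token, "stream": "granted"} if status == "ok" else None
        return {"status": status, "anomaly": anomaly, "payload": payload}


if __name__ == "__main__":
    gw = AccessGateway(capacity=3, refill_per_s=1.0, window_s=60.0, anomaly_threshold=5)
    cred = issue_token("user-1")
    for t in (0.0, 0.0, 0.0, 0.0, 1.0):
        print(gw.request("user-1", cred, "device-A", now=t)["status"])
    print(gw.request("user-1", "bad-token", "device-A", now=2.0))
```

Note that an anomaly flag never changes the response by itself; it goes to the monitoring side, so that a burst of legitimate real-time polling is investigated rather than silently refused, which is the balance the resolution asks for.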

Hierarchy Principle

Article 1(5), Sentence 3 of the Data Act states: “In case of conflict between this Regulation and Union law on the protection of personal data, the latter shall prevail.”

Interpretation:

  • True conflicts are rare if both regulations are properly applied
  • Most apparent conflicts can be resolved through appropriate legal bases and technical measures
  • GDPR prevails when genuine, irreconcilable conflict exists
  • However, cannot cite GDPR to avoid all Data Act obligations involving personal data

Practical Application:

  • Exhaust coordination efforts before claiming conflict
  • Document why conflict is genuinely irreconcilable
  • Seek legal counsel on high-stakes scenarios
  • Report problematic conflicts to supervisory authorities for guidance

Data Protection Impact Assessments (DPIAs)

When DPIAs Are Required

Article 35 GDPR requires DPIAs for processing likely to result in high risk to rights and freedoms. Data Act implementation may trigger DPIA requirements:

High-Risk Indicators in Data Act Context:

  • Systematic monitoring of connected product users at large scale
  • Processing special categories of data from health/medical devices
  • Automated decision-making based on IoT data
  • Large-scale sharing of personal data with multiple third parties
  • Innovative use of technologies creating new privacy risks
  • Combining data from multiple IoT sources creating comprehensive profiles

Integrated Data Act-GDPR DPIA

Organizations should conduct DPIAs that address both regulations:

1. Necessity and Proportionality Assessment

  • Why is personal data processing necessary for Data Act compliance?
  • What are legitimate purposes under both regulations?
  • Can objectives be achieved with less data or anonymization?

2. Risk Identification

  • What risks arise from Data Act-mandated sharing?
  • How might third-party recipients use data?
  • What security vulnerabilities exist in data access systems?
  • Could continuous access enable surveillance or profiling?

3. Stakeholder Perspectives

  • Views of data subjects (if practical to consult)
  • Input from Data Protection Officer
  • Perspectives of potential third-party recipients
  • Relevant industry best practices

4. Risk Mitigation Measures

  • Technical measures: encryption, access controls, anonymization
  • Organizational measures: staff training, policies, audit procedures
  • Contractual measures: third-party agreements, usage restrictions
  • Governance measures: oversight, regular reviews, incident response

5. Documentation

  • Record DPIA findings and decisions
  • Update as processing evolves
  • Make available to supervisory authorities upon request

Data Processing Agreements and Contracts

Data Act-Compliant Agreements with GDPR Integration

All Data Act data sharing agreements involving personal data must incorporate GDPR-compliant terms.

Essential Contractual Elements

1. Roles and Responsibilities

  • Clearly define who acts as controller vs. processor under GDPR
  • May differ from Data Act role definitions
  • Specify accountability for GDPR compliance

2. Purpose Limitations

  • Define permitted uses (Data Act Article 6 restrictions)
  • Prohibit unauthorized secondary processing
  • Address what happens if recipient wants additional uses

3. Data Subject Rights

  • How will data subjects exercise rights?
  • Which party responds to access, erasure, objection requests?
  • Timelines for coordinating responses
  • Financial responsibility for responding

4. Security Requirements

  • Article 32 GDPR appropriate technical and organizational measures
  • Encryption, access controls, logging
  • Incident notification procedures
  • Regular security assessments

5. International Transfers

  • Applicable mechanisms if recipient outside EEA
  • Standard Contractual Clauses if needed
  • Transfer impact assessment documentation
  • Compliance with Data Act Article 31 non-personal data restrictions

6. Sub-Processing

  • Conditions for recipient engaging sub-processors
  • Prior authorization requirements
  • Flowing down obligations

7. Data Return and Deletion

  • What happens when Data Act access terminates?
  • Procedures for returning or destroying personal data
  • Exceptions for legal retention requirements

8. Liability and Indemnification

  • Allocation of liability for GDPR violations
  • Indemnification for breaches caused by each party
  • Insurance requirements

9. Audit Rights

  • Ability to verify GDPR and Data Act compliance
  • Access to relevant documentation
  • Frequency and notice periods

10. Trade Secret Protection

  • Confidentiality obligations (Data Act requirement)
  • Measures to protect proprietary information
  • Balance with GDPR transparency requirements

Model Contract Clause Considerations

The EU Commission is developing Model Contractual Terms for Data Act scenarios. Organizations should:

  1. Monitor MCT Release: Expected autumn 2025
  2. Assess Applicability: Determine whether MCTs fit specific situations
  3. Integrate GDPR Provisions: MCTs may not cover all GDPR requirements
  4. Customize as Needed: MCTs are non-binding benchmarks, not mandatory templates
  5. Document Deviations: Explain why specific terms differ from MCTs

International Data Transfers

Dual Considerations for Cross-Border Data Flows

Data Act Article 31 creates new restrictions on international transfers of non-personal data, working alongside GDPR Chapter V provisions for personal data.

Personal Data Transfers (GDPR Chapter V)

  • May only transfer to adequate countries or with appropriate safeguards
  • Standard Contractual Clauses, Binding Corporate Rules, or derogations required
  • Transfer Impact Assessments for high-risk countries
  • Additional obligations post-Schrems II rulings

Non-Personal Data Transfers (Data Act Article 31)

  • Providers of data processing services must prevent unlawful governmental access
  • Technical, organizational, and legal measures required
  • Applies to non-personal data stored in EU
  • Conflicts with EU or Member State law must be avoided

Coordination Framework for International Transfers

When international transfers involve mixed personal/non-personal data:

Step 1: Separate Analysis

  • Identify personal data components → Apply GDPR Chapter V
  • Identify non-personal data components → Apply Data Act Article 31
  • Document classification decisions

Step 2: GDPR Compliance for Personal Data

  • Verify adequacy decision OR
  • Implement appropriate safeguards (SCCs, BCRs) AND
  • Conduct Transfer Impact Assessment if needed
  • Implement supplementary measures if government access risk identified

Step 3: Data Act Compliance for Non-Personal Data

  • Assess third-country legal framework for governmental access
  • Implement measures to prevent unlawful access:
    • Technical: encryption, data localization, access controls
    • Organizational: policies, training, monitoring
    • Legal: contractual commitments, challenges to improper requests
  • Document compliance approach

Step 4: Align Measures

  • Use comprehensive approach covering both personal and non-personal data
  • Implement highest standard where regulations overlap
  • Avoid creating separate systems for personal vs. non-personal data where practical

Step 5: Governmental Access Requests

  • Establish protocol for evaluating third-country requests
  • Assess legality under EU law
  • Challenge improper requests
  • Notify affected parties where permitted
  • Document all governmental access incidents

Practical Implications

For cloud service providers and data holders using international infrastructure:

  1. Preferred Approach: Keep EU-sourced IoT data within EEA to avoid transfer complexities
  2. If Transfers Necessary: Implement robust safeguards meeting both GDPR and Data Act requirements
  3. Vendor Selection: Assess cloud providers’ ability to prevent unlawful governmental access
  4. Transparency: Inform users of international transfer risks
  5. Incident Response: Prepare for scenarios where foreign authorities demand access

Organizational Compliance Framework

Building Integrated Governance

Effective coordination requires organizational structures and processes that address both regulations holistically.

Governance Structure

1. Cross-Functional Team

  • Data Protection Officer (GDPR lead)
  • Data Act Compliance Lead (may be same person or separate)
  • Legal counsel with expertise in both regulations
  • IT/Security teams implementing technical measures
  • Business units handling data from connected products
  • Product development teams

2. Coordinated Policies

  • Single integrated data governance policy covering both regulations
  • Avoid creating parallel GDPR and Data Act silos
  • Ensure consistent terminology and approaches
  • Regular policy reviews as enforcement evolves

3. Roles and Responsibilities

  • Clear accountability for GDPR compliance
  • Clear accountability for Data Act compliance
  • Identified coordination points where regulations intersect
  • Escalation procedures for conflicts or ambiguities

Operational Procedures

Data Request Handling

  1. Intake and assessment
    • Identify whether GDPR, Data Act, or both apply
    • Verify requester identity and authority
    • Determine scope of data covered
  2. Legal analysis
    • Confirm legal basis for sharing under applicable regulation(s)
    • Identify any restrictions or conditions
    • Assess risks and mitigation measures
  3. Data preparation
    • Extract requested data in appropriate format(s)
    • Apply any necessary redactions or anonymizations
    • Verify data quality and completeness
  4. Delivery
    • Use secure transmission methods
    • Provide required accompanying information
    • Document delivery for audit trail

Third-Party Sharing Workflow

  1. User request received
  2. Verify user authority under Data Act
  3. Analyze GDPR implications
  4. Contact third party to negotiate agreement
  5. Execute data sharing agreement
  6. Configure technical access
  7. Monitor ongoing compliance
  8. Review periodically

Security Incident Response

  1. Detect and contain incident
  2. Assess whether personal data involved → GDPR breach notification obligations
  3. Assess whether incident affects Data Act obligations
  4. Notify supervisory authorities as required (GDPR 72-hour deadline)
  5. Notify affected data subjects as required
  6. Notify user of connected product if their data affected
  7. Document incident and response
  8. Implement corrective measures

Training and Awareness

Staff Training Program

  • GDPR fundamentals for all relevant staff
  • Data Act overview and organizational obligations
  • Integrated compliance approach
  • Scenario-based training on common situations
  • Regular refreshers as enforcement evolves

Specialized Training

  • Customer service: Handling data access requests
  • Technical teams: Implementing secure data access
  • Legal/compliance: Coordinating legal analyses
  • Leadership: Strategic implications and risk oversight

Monitoring and Auditing

Key Performance Indicators

  • Percentage of data requests fulfilled within required timeframes
  • Number of GDPR/Data Act compliance incidents
  • Third-party data sharing agreements reviewed and updated
  • DPIAs completed for new processing activities
  • Staff training completion rates

Regular Audits

  • Internal audits: Quarterly or semi-annual reviews
  • External audits: Annual independent assessments
  • Focus areas:
    • Accuracy of personal vs. non-personal data classification
    • Adequacy of legal basis documentation
    • Effectiveness of technical access controls
    • Compliance of third-party agreements
    • DPIA quality and completeness

Continuous Improvement

  • Track regulatory guidance and enforcement trends
  • Update policies and procedures accordingly
  • Share lessons learned across organization
  • Participate in industry working groups
  • Engage with supervisory authorities proactively

Enforcement Coordination

Supervisory Authorities

Different authorities may enforce GDPR vs. Data Act:

GDPR Enforcement

  • Data Protection Authorities (DPAs) in each Member State
  • European Data Protection Board (EDPB) coordinates
  • Well-established enforcement mechanisms
  • Seven years of precedent and guidance

Data Act Enforcement

  • Member States designating authorities (ongoing)
  • Data coordinators in each Member State
  • New enforcement frameworks being established
  • Limited precedent; enforcement approaches evolving

Coordination Scenarios

  • Some Member States may assign both to same authority
  • Others may split responsibilities
  • Coordination mechanisms being developed
  • Potential for conflicting guidance or enforcement

Managing Regulatory Inquiries

If subject to investigation or inquiry:

For GDPR Issues

  1. Engage Data Protection Officer and legal counsel immediately
  2. Preserve all relevant evidence
  3. Cooperate fully with DPA
  4. Provide requested information within deadlines
  5. Consider voluntary corrective measures
  6. Document all interactions

For Data Act Issues

  1. Engage Data Act compliance lead and legal counsel
  2. Gather evidence of compliance efforts
  3. Cooperate with designated authority
  4. Provide requested documentation
  5. Implement recommended corrections
  6. Track for precedent value (limited case law exists)

For Coordinated Issues Touching Both Regulations

  1. Ensure both GDPR and Data Act teams involved
  2. Present unified compliance position
  3. Highlight coordination efforts between regulations
  4. Provide comprehensive documentation
  5. Request coordinated regulatory response if possible
  6. Document any conflicting guidance received

Practical Implementation Checklist

Phase 1: Foundation (Completed by Q1 2026)

Data Classification

  • [ ] Inventory all connected products and data flows
  • [ ] Classify data as personal, non-personal, or mixed
  • [ ] Document classification methodology
  • [ ] Implement automated classification tools where possible
  • [ ] Create data catalog accessible to compliance teams

Role Mapping

  • [ ] Identify all Data Act roles (data holder, user, recipient)
  • [ ] Map to GDPR roles (controller, processor, data subject)
  • [ ] Document role relationships
  • [ ] Update privacy notices to reflect both frameworks
  • [ ] Train staff on role distinctions

Legal Basis Documentation

  - [ ] Analyze legal bases for all personal data processing
  - [ ] Document coordination with Data Act obligations
  - [ ] Conduct legitimate interest assessments where applicable
  - [ ] Update internal policies with legal basis decisions
  - [ ] Prepare explanations for data subjects

Phase 2: Operational Integration (Q1-Q2 2026)

Access and Portability

  - [ ] Implement technical infrastructure for user data access
  - [ ] Ensure GDPR and Data Act access rights are both satisfied
  - [ ] Create user-friendly request mechanisms
  - [ ] Develop internal workflows for handling requests
  - [ ] Test systems with sample requests

Third-Party Sharing

  - [ ] Develop template data sharing agreements
  - [ ] Incorporate both GDPR and Data Act requirements
  - [ ] Establish vetting process for third-party recipients
  - [ ] Implement secure data transmission methods
  - [ ] Create monitoring procedures for ongoing sharing

Privacy by Design

  - [ ] Review product development lifecycle
  - [ ] Integrate both GDPR and Data Act requirements
  - [ ] Implement data minimization and anonymization
  - [ ] Enable granular user control over sharing
  - [ ] Build audit trails for data access and sharing

Phase 3: Advanced Compliance (Q3 2026 onwards)

DPIAs

  - [ ] Conduct DPIAs for high-risk Data Act processing
  - [ ] Address both GDPR and Data Act risks
  - [ ] Implement identified mitigation measures
  - [ ] Document DPIA findings
  - [ ] Review and update regularly

International Transfers

  - [ ] Map all cross-border data flows
  - [ ] Implement GDPR transfer mechanisms (SCCs, etc.)
  - [ ] Address the Data Act's safeguards against unlawful third-country governmental access to non-personal data
  - [ ] Conduct Transfer Impact Assessments
  - [ ] Document compliance for both personal and non-personal data

Monitoring and Improvement

  - [ ] Establish KPIs for coordinated compliance
  - [ ] Conduct regular internal audits
  - [ ] Track regulatory guidance and enforcement
  - [ ] Update policies and procedures as needed
  - [ ] Provide ongoing staff training

Future Developments and Guidance

Anticipated Regulatory Clarification

Both GDPR and Data Act enforcement will evolve significantly in coming years:

GDPR Evolution

  • European Commission proposed simplifications to the GDPR (May 2025)
  • Potential streamlining of Article 30 record-keeping
  • Improved cooperation among supervisory authorities
  • Continued high-profile enforcement creating precedent

Data Act Maturation

  • Model Contractual Terms (autumn 2025)
  • National implementation laws (ongoing)
  • Supervisory authority guidance (emerging)
  • First enforcement actions (2026-2027)
  • Three-year evaluation (by September 2028)

Coordination Guidance

Organizations should watch for:

  • European Data Protection Board opinions on Data Act-GDPR interaction
  • Commission FAQs and guidance documents
  • Member State interpretations
  • Court decisions clarifying ambiguities
  • Industry best practice development

Strategic Recommendations

1. Adopt an Integrated Approach: Don't treat the GDPR and the Data Act as separate compliance silos. Build unified data governance that addresses both regulations holistically.

2. Invest in Technology: Technical solutions (automated classification, secure APIs, granular access controls, audit trails) enable compliance with both regulations more effectively than purely procedural approaches.

3. Document Thoroughly: Coordination decisions, legal basis analyses, and risk assessments should be comprehensively documented. Regulatory scrutiny will increase as enforcement matures.

4. Engage Proactively: Participate in industry working groups, consult supervisory authorities on novel issues, and contribute to developing best practices.

5. Maintain Flexibility: Enforcement approaches and regulatory interpretations will evolve. Build compliance frameworks that can adapt to new guidance.

6. Focus on Substance Over Form: Regulators will look beyond checkbox compliance to whether organizations genuinely respect data rights and implement effective protections.

Conclusion

The coordination of GDPR and the Data Act represents one of the most complex data governance challenges European organizations face. While the regulations are complementary in purpose—both seeking to empower individuals and promote fair data practices—their interaction creates genuine operational complexity.

Success requires moving beyond treating these as separate compliance exercises. Organizations must build integrated data governance frameworks that respect personal data protection while enabling the innovation and competition the Data Act seeks to foster.

The regulatory landscape will continue evolving. Early enforcement actions will clarify ambiguities, supervisory authorities will issue guidance, and courts will resolve conflicts. Organizations that invest now in robust coordination frameworks will be better positioned not only for compliance, but for the opportunities that effective data governance creates.

The future of data regulation in Europe involves multiple overlapping frameworks—GDPR, Data Act, Cyber Resilience Act, AI Act, and others. Organizations that master coordination between GDPR and the Data Act will have built the capabilities needed to navigate this increasingly complex regulatory ecosystem.


Additional Resources

About ComplianceHub: We provide authoritative guidance on navigating complex regulatory frameworks, with particular expertise in data governance, IoT compliance, and privacy law coordination. Our analysis helps organizations transform overlapping compliance obligations into strategic advantages.

Disclaimer: This article provides general information about coordinating GDPR and Data Act compliance and should not be considered legal advice. Organizations should consult qualified legal counsel to address their specific situations. Regulatory interpretations continue to evolve.