The Data Act will largely apply as of 12 September 2025, imposing new obligations and rights in relation to personal and non-personal data in the context of, e.g., connected products and related services. As rules governing data expand, it is increasingly important to map what data sets are processed by an organisation and how they are managed in the upcoming regulatory framework. For data sets including personal data (which is often the case!), it is vital to align the implementation of the Data Act with existing GDPR compliance.
The Data Act in a nutshell
The Data Act (Regulation (EU) 2023/2854) is one of the cornerstones of the EU Data Strategy, which aims to create a single market for data within the EU and boost the European data economy by facilitating innovation and new data-driven business models. The Data Act is binding and directly applicable in all Member States, including Finland.
The Data Act sets out rules for a number of contexts, in particular:
- the access to and use of data generated by connected products and related services, including the design, manufacturing and provision of such products and related services (Chapter II);
- the contents of data sharing agreements, including protection against unilaterally imposed unfair contractual terms (Chapters III and IV);
- mechanisms for public sector bodies to access private sector data on the basis of exceptional need (Chapter V);
- switching between cloud data processing service providers (Chapter VI);
- unlawful international governmental access and transfer of non-personal data (Chapter VII); and
- requirements regarding data interoperability (Chapter VIII).
The Data Act will apply from 12 September 2025 with a few exceptions. For more information on the Data Act, please see our previous posts “The Big 5 – Status of National Preparation in Finland” and “The Data Act Approved by the European Parliament”.
Personal data under the Data Act
The Data Act includes a broad definition of ‘data’ covering any digital representation of acts, facts or information, including in the form of sound, visual or audio-visual recording. However, as the Data Act regulates several different contexts, its scope of application varies between its chapters, also affecting what is considered data in a given situation. Pursuant to Article 1(2), the Data Act governs the following types of data, in the following contexts:
- Chapter II: Data, with the exception of content, concerning the performance, use and environment of connected products and related services;
- Chapter III: Any private sector data that is subject to statutory data sharing obligations;
- Chapter IV: Any private sector data accessed and used on the basis of contract between enterprises;
- Chapter V: Any private sector data with a focus on non-personal data;
- Chapter VI: Any data and services processed by providers of data processing services; and
- Chapter VII: Any non-personal data held in the EU by providers of data processing services.
Unlike the General Data Protection Regulation (Regulation (EU) 2016/679, “GDPR”), the application of which is limited to the processing of personal data, the Data Act covers both personal and non-personal data. For ‘personal data’, the Data Act refers to the definition within the GDPR, whereas ‘non-personal data’ covers all data other than personal data. Data sets may be so-called mixed data sets, comprising both personal and non-personal data. In practice, this is often the case. When data processed under the Data Act includes personal data, the GDPR must be carefully observed.
In fact, the Data Act itself explicitly states that, in case of a conflict between the Data Act and data protection laws, including the GDPR, data protection laws will prevail.
As the Data Act applies in different contexts, the careful assessment of the correct data processing roles under the GDPR (namely, processor and controller) plays an important role. As an example, the GDPR roles in the context of Chapter II of the Data Act are further discussed below.
In turn, Chapter V of the Data Act regulates the access rights of public sector bodies to private sector data on the basis of exceptional need, with a primary focus on non-personal data. However, the GDPR should not be overlooked in this context either. Where the requested data includes personal data, data holders are obliged to anonymise the data, unless compliance with the data request requires disclosure of personal data. In this case, the data holder must pseudonymise the personal data. Therefore, in practice, Chapter V’s primary focus on non-personal data does not necessarily alleviate the need for data protection work for companies, since measures such as anonymisation and pseudonymisation can be considerably burdensome.
Sharing use data of connected products and related services
A key area regarding the interplay between the GDPR and Data Act is the data sharing obligations introduced in Chapter II of the Data Act. Chapter II obliges data holders to make so-called product data and related service data available to the user and/or a third party at the user’s request. The data must be accessible either directly from the connected product and related services, in accordance with Article 3(1), or on the basis of a simple request under Article 4(1). Where personal data is included in such requested data, the required data sharing is, in parallel, subject to the requirements of the GDPR.
A particular issue requiring parallel GDPR and Data Act assessment is the correct determination of roles, as mentioned above. For example, the Data Act roles of ‘data holder’ and ‘user’ are not equivalent to the GDPR roles of ‘controller’ and ‘processor’. GDPR roles should always be assessed on a case-by-case basis. For instance, a Data Act ‘user’ can be a GDPR ‘data subject’ but this is not always the case. Where the user is not the data subject (for example, the user is an organisation), the data set to be shared may include personal data of third parties, such as the user’s employees or other individuals. In such cases, the user could be considered a controller, with the data holder acting as a separate or, in some cases, joint controller in relation to the user.
Another evident GDPR-related tension, when applying the Data Act, is identifying the appropriate legal basis for the personal data processing involved when sharing data in accordance with Chapter II of the Data Act.
As stated in its recitals, the Data Act does not provide any new legal bases for the processing of personal data. Such processing should, therefore, be based on one of the legal bases in the GDPR.
Accordingly, it is explicitly stated in Data Act Articles 4(12) and 5(7) that, where the user is not the data subject whose personal data is requested for sharing, any personal data shall be made available only where there is a valid legal basis for such processing. Thus, processing the data may be based on, for example, the consent of the data subject or so-called legitimate interests in accordance with Article 6 of the GDPR. In addition to a legal basis, other obligations under the GDPR should also be observed, such as information obligations and data minimisation requirements.
Where the user is the data subject, the rights laid down in Chapter II of the Data Act complement the existing rights of access and data portability under the GDPR. Under the Data Act and the GDPR, a data subject, as a user of a connected product, will be entitled to receive the data generated by the use of the connected product, whether personal or non-personal. Consequently, data holders may wish to streamline the handling of data access requests under the two regulations.
In conclusion, we recommend that manufacturers and providers of connected products and related services also carefully consider the personal data angle in cooperation with the data protection resources of their respective organisations, in order to ensure seamless compliance with the GDPR when implementing the Data Act. Tensions between the GDPR and the Data Act should not be exaggerated either: the various references to the GDPR within the Data Act mainly serve as a useful reminder to continue ensuring GDPR compliance when adopting new data sharing activities.