Data Act and GDPR interplay

Fondia
Blogs
September 24, 2024

The Data Act came into force on 11 January 2024 and will apply in most respects from 12 September 2025. The Data Act imposes obligations regarding access to data generated by so-called connected products and related services (for example, IoT devices). The Data Act applies to both personal and non-personal data, so where the processed data also includes personal data, it is particularly important to pay attention to the GDPR's provisions on personal data.

A brief overview of the Data Act

The increasingly widespread use of the Internet of Things (IoT) has made it necessary to set clear and fair rules on accessing and using data within the European data economy. This will be made possible by the Data Act. The aim of the Data Act is to improve the EU's data economy and create a competitive data market by boosting the availability of data, promoting data-driven innovation, and improving the usability and accessibility of data, particularly industrial data. To achieve this, the Data Act ensures fair distribution of data value among actors involved in the data economy. It makes clear who has access to what data and when, while ensuring the protection of personal data. Of particular interest from a data protection perspective are the data sharing obligations in Chapter II of the Data Act and how they interact with the General Data Protection Regulation (GDPR). Chapter II sets out the obligations of data holders to make product data and related service data available to the user or a third party at the user’s request.

Relationship between the Data Act and the GDPR

The right to the protection of personal data should not be restricted or compromised by the interpretation or application of the Data Act. When applying the Data Act, Union data protection legislation, such as the GDPR, should be respected. However, it is beneficial to keep in mind that the Data Act and the GDPR have different aims. The Data Act's primary goal is to ensure fair sharing of data value between different actors and to promote data access and use. The GDPR aims to safeguard and protect natural persons' personal data and privacy during processing.   

The Data Act does not establish a new legal basis for processing or generating personal data. The Data Act serves as a complementary regulation to the GDPR, necessitating parallel application. However, in the event that the provisions of the Data Act conflict with the legislation on personal data protection, the relevant personal data protection legislation shall prevail. Therefore, it's important to understand that the GDPR ultimately holds the highest priority in the hierarchy. The Data Act encompasses both personal and other data, thereby enhancing certain rights granted to the data subject, including the right to data portability.  

When does the GDPR apply?

GDPR applies to the processing of personal data. Personal data means any information relating to an identified or identifiable natural person. An identifiable natural person is someone who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an ID, location data, or to one or more factors specific, for example, to the physical, physiological or social identity of that natural person. 

A connected product (IoT product), such as a smartwatch, can and often does generate data about an identified or identifiable natural person among other data. In such cases, the so-called IoT data can also be considered personal data, and the combined data sets may include personal data in varying quantities. When other data and personal data are inseparably combined, the data is subject to the provisions and general principles of the GDPR, such as data minimisation, even if the data set includes only a small amount of personal data. Aggregating data in a way that allows for individual identification can transform non-personal data into personal data. Data that is not personal data now may therefore become personal data in the future.

It is also worth bearing in mind the broad interpretation of the concept of personal data by the Court of Justice of the European Union (CJEU). In its rulings, the CJEU has held that the definition of personal data under the GDPR applies when the information in question is linked to a particular person by reason of its content, purpose or effect (see, for example, Case C-180/21).

When a user that is not the data subject requests data that is considered to be personal data, it must be ensured that there is a legal basis for processing it under the GDPR, such as consent or performance of a contract. Consequently, the presence of personal data may restrict the user's access to the data.

Roles from a data protection perspective

Roles create their own challenges for the parallel application of the GDPR and the Data Act. The GDPR uses the terms ‘controller’ and ‘processor’, while the Data Act refers to the ‘data holder’ and ‘user’. Despite this, the roles can be seen as partly overlapping and relative. When processing personal data, the data holder can often also be considered to be acting as the controller. The user is also considered to be a controller if it is not a data subject but a company. It is also possible that the data holder and the user are joint controllers under the GDPR. According to the recitals of the Data Act, processors are not considered to be data holders.

For example, a company that leases cars to natural persons is a user in relation to the manufacturer. However, in relation to the natural person, who in this case is both a user and a data subject, the company can be considered to be a controller and a data holder when it processes personal data, such as the location data of the car. This arrangement may also involve data processors.

However, it is important to understand that just because a certain actor is in a certain role under the Data Act, this does not mean that it will automatically be in a certain role under the GDPR. For example, a ‘user’ is not always equivalent to a ‘data subject’, and a ‘data holder’ is not necessarily always a ‘controller’. Roles are therefore not predetermined, and GDPR roles should be assessed on a case-by-case basis.

What's next?

Aligning the Data Act and the GDPR creates its own challenges, so preparations for the parallel application of the Data Act and the GDPR should start early. Manufacturers and providers of connected products must distinguish between personal and non-personal data, and consider the obligations imposed by data protection legislation when handling user requests for data access, particularly when the requested data includes personal data. 

Fondia's experts at your side

Help in figuring out the business implications of the Data Act is available from Fondia's Data Economy expert group or by contacting fondia@fondia.com.

This article is part of a series of articles focusing on the Data Act, which delves into individual issues of the Data Act from different perspectives and as practically as possible. Previous parts of the series: 

Rules on switching cloud service providers under the Data Act

Data Act – Key points to consider
