
GDPR vs EU Data Act: The balancing act for DPOs

Privacy Culture | October 8, 2025

The EU’s Data Act and the GDPR sit side by side but aim at different outcomes. The GDPR protects personal data and limits how it is used. The Data Act, on the other hand, promotes openness and data sharing to stimulate innovation and competition. Although the Data Act states that it applies “without prejudice to the GDPR”, in practice organisations and DPOs may need to navigate conflicting demands and implementation uncertainties as the Data Act enters into force in September 2025.

Under the GDPR, data subjects hold a right of access to personal data, which includes disclosure of how the data is used and shared. The Data Act goes beyond that by granting rights not only to users of connected products, but also, in certain cases, to third parties (as designated by the user) or public bodies, for both personal and non-personal data generated by the product. The two frameworks thus sometimes call for divergent handling of the same dataset, making harmonisation in practice more challenging than theory might suggest.

Sharing meets minimising

The most significant tension lies between data sharing and data minimisation. The Data Act introduces a new concept of “data access by design and default”, meaning users and, where applicable, third parties can easily access and use data generated through their use of connected products or related services. The GDPR, by contrast, restricts the collection and retention of personal data to what is necessary, proportionate, and limited to the stated purpose of processing.

Take a connected car or smart appliance. Previously, a manufacturer might have collected only basic diagnostic data for maintenance purposes. Under the Data Act, it must ensure that granular usage data can be made available to the user, or to another service provider designated by that user. This obligation could create pressure to retain or process personal data for longer than would otherwise be justified under the GDPR.

DPOs can mitigate this tension by designing data sharing mechanisms that provide real-time access or on-device processing, without requiring continuous centralised storage. Once the data is no longer needed for its original purpose, it should be deleted or anonymised. In addition, any new access or sharing functionality should undergo a DPIA to ensure alignment with privacy-by-design standards.

Users, third parties and blurred lines

The GDPR grants rights to data subjects over their personal data. The Data Act, meanwhile, introduces rights for “users” of connected products or related services, who may be individuals or legal entities. This distinction often blurs in practice and can create friction between the two regimes.

For example, if an employer seeks access to driving data from a company vehicle, that data may contain information revealing an employee’s behaviour. The Data Act entitles the employer, as the “user” of the product, to access such data. However, where that data also identifies an individual, the GDPR still applies — meaning the employer must rely on a valid legal basis such as legitimate interest and must respect principles like data minimisation and transparency. 

Third-party access introduces further risks. While the Data Act prohibits third parties from profiling, advertising, or developing competing products using shared data, it does not automatically ensure GDPR compliance. DPOs should therefore implement contractual safeguards, such as written data sharing or processing agreements, that bind recipients to GDPR-level standards and define purpose limitation and security measures. Accountability for compliance cannot be delegated.

Portability and purpose

The Data Act also expands data portability. Under the GDPR, users can only move personal data they provided, when processing is based on consent or contract. The Data Act goes further by enabling users — who may be individuals or organisations — to access and share data generated through the use of a connected product or related service, regardless of whether it is personal or non-personal. However, this does not extend to inferred or derived data, such as data resulting from manufacturer analytics or algorithmic processing.

While this greater openness appears empowering, it also raises new tensions. Making product-use data available can expose behavioural insights that go beyond what users or data subjects expected when the data was first collected. For example, sharing detailed energy-use information from a smart thermostat might reveal household routines or occupancy patterns. To ensure lawful handling, controllers should identify an appropriate GDPR legal basis for any disclosure that involves personal data.

The DPO’s growing role

DPOs will need to run two overlapping compliance tracks: the GDPR for personal data and the Data Act for access and sharing rules. The work ahead is practical, operational, and cross-functional.

Dual compliance checks. Each new product feature, connected service, or API should be reviewed under both regimes. Privacy and security measures must remain robust even as obligations to make data accessible expand.

Role mapping. The Data Act introduces new concepts such as “data holder”, “user”, and “data recipient”, which do not neatly align with the GDPR’s controller and processor roles.

Mixed datasets. Since the Data Act covers both personal and non-personal data, DPOs should assume mixed datasets and apply privacy safeguards by default.

Government requests. Under Chapter V of the Data Act, public sector bodies and EU institutions may request data in cases of exceptional needs, for example during emergencies or public-interest situations. DPOs should ensure procedures are in place to anonymise or pseudonymise personal data swiftly and lawfully before disclosure.

For UK organisations, the Data Act does not apply directly, but those with EU operations or customers must comply. UK DPOs should still pay attention, as similar principles are likely to appear in future UK policy.

Monday morning actions

Here’s what privacy leaders can start doing this week:

  1. Map connected data sources. Identify which devices, services, and data flows fall within the Data Act’s scope, and flag datasets that contain or combine personal data.
  2. Apply minimisation. Keep only what is necessary and build systems that allow access without long retention.
  3. Check legal bases. Confirm every shared dataset has a valid GDPR ground for processing.
  4. Update privacy notices. Explain to users that the Data Act gives new access rights and describe your safeguards.
  5. Design privacy into APIs. Add permission layers, audit trails, and approval steps for sensitive data.
  6. Tighten contracts. Require third parties to use shared data only for the purpose requested and to delete it afterwards.
  7. Train your teams. Product and engineering teams must understand that openness cannot override protection.
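The points above on mixed datasets, Chapter V requests, and building permission layers and audit trails into APIs can be expressed as one release policy. The following Python is an added illustration, not code from Privacy Culture or from any product; the field catalogue, the vehicle record, the pseudonymisation key and the recipient types ("user", "third_party", "public_body") are constructed assumptions, and the withheld derived field stands in for manufacturer analytics that the Data Act access right does not cover.

```python
import hashlib
import hmac
from datetime import datetime, timezone

# Constructed catalogue for a connected vehicle: which fields are personal data (GDPR
# applies) and which are derived by manufacturer analytics (outside the access right).
FIELD_CATALOGUE = {
    "vin":               {"personal": True,  "derived": False},
    "driver_id":         {"personal": True,  "derived": False},
    "odometer_km":       {"personal": False, "derived": False},
    "battery_temp_c":    {"personal": False, "derived": False},
    "driver_risk_score": {"personal": True,  "derived": True},
}
# Uses a third party may not make of shared data under the Data Act.
PROHIBITED_THIRD_PARTY_PURPOSES = {"profiling", "advertising", "competing_product"}
PSEUDONYM_KEY = b"constructed-demo-key"  # a real system keeps this in a KMS and rotates it
AUDIT_TRAIL = []

def _audit(**entry):
    entry["ts"] = datetime.now(timezone.utc).isoformat()
    AUDIT_TRAIL.append(entry)

def pseudonymise(value):
    """Keyed hash: recipients can correlate records without learning the identifier."""
    return hmac.new(PSEUDONYM_KEY, str(value).encode(), hashlib.sha256).hexdigest()[:16]

def release(record, recipient, purpose, legal_basis=None):
    """Disclosable view of `record` for a request from a "user", "third_party" or
    "public_body"; raises PermissionError when the request cannot be met lawfully."""
    if recipient == "third_party" and purpose in PROHIBITED_THIRD_PARTY_PURPOSES:
        _audit(recipient=recipient, purpose=purpose, outcome="denied", reason="prohibited purpose")
        raise PermissionError(f"third party may not use shared data for {purpose}")
    disclosed, withheld = {}, []
    for name, value in record.items():
        # Unknown fields count as personal: assume a mixed dataset by default.
        meta = FIELD_CATALOGUE.get(name, {"personal": True, "derived": False})
        if meta["derived"]:
            withheld.append(name)  # inferred data is outside the Data Act access right
            continue
        if meta["personal"]:
            if legal_basis is None:
                _audit(recipient=recipient, purpose=purpose, outcome="denied", reason=f"no basis for {name}")
                raise PermissionError(f"{name} is personal data and needs a GDPR legal basis")
            if recipient != "user":
                value = pseudonymise(value)  # non-user recipients see pseudonyms only
        disclosed[name] = value
    _audit(recipient=recipient, purpose=purpose, legal_basis=legal_basis, outcome="disclosed",
           fields=sorted(disclosed), withheld=withheld)
    return disclosed
```

The user receives raw identifiers, an employer or repair shop receives pseudonyms, a prohibited purpose or a missing legal basis is refused, and every decision, including refusals, lands in the audit trail.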

Balancing openness and protection

The GDPR and the Data Act are not adversaries. Both aim to make data use fair, transparent, and responsible. The GDPR ensures individual rights remain protected. The Data Act ensures that data’s value is shared. DPOs stand at the intersection of these goals. By planning early, running joint privacy-and-access reviews, and keeping users informed, DPOs can turn these apparent contradictions into good governance. When the Data Act takes effect in 2025, those who prepare now will already have the balance right.
