The Data Act and GDPR — New Rules on Data Sharing
Since 12 September 2025, new EU-wide rules on access to and sharing of data have applied, stemming from the Data Act. It is one of the most important regulations in the EU’s data strategy — and an area many companies still underestimate. The Data Act grants users of internet-connected devices broad rights to the data they generate, and obliges manufacturers and service providers to make that data available.
What matters from a data protection perspective: the Data Act covers both non-personal and personal data. Wherever personal data is involved, the Data Act and the GDPR apply side by side, which raises a key question: does the Data Act change the rules for processing personal data? The answer is no. The GDPR remains paramount, and the Data Act creates no new legal basis for processing.
This article explains what the Data Act is, what it changes in practice, how it relates to the GDPR, and what steps companies processing data from IoT devices and services should take.
What the Data Act Is
The Data Act is Regulation (EU) 2023/2854 on harmonised rules on fair access to and use of data. It entered into force on 11 January 2024 and has applied since 12 September 2025. Together with the Data Governance Act, it forms the foundation of a single market for data in the EU.
The aim of the regulation is to unlock the value of data generated by internet-connected devices (IoT), increase competition and counter the “lock-in” of users to a single provider. The Data Act applies in phases:
- 12 September 2025 — most provisions (user access rights, sharing rules, fair contractual terms, public-sector access).
- 12 September 2026 — the requirement to design products so that data is available “by default” (for products placed on the market after that date).
- 12 September 2027 — the rules on unfair terms will also cover long-term B2B contracts concluded on or before 12 September 2025 (those of indefinite duration or due to run for at least ten years). Separately, charges for switching between data processing (cloud) services are reduced from 12 September 2025 and abolished entirely from 12 January 2027.
Scope of the Regulation — Who It Affects
The Data Act uses broad definitions. The key terms are:
Connected product — any physical product that collects or transmits data about its use, performance or environment: vehicles, home appliances, industrial equipment, medical devices, wearables, smart-home devices. General-purpose devices whose primary function is to store, display, record or play content produced by human input (for example personal computers and smartphones, per recital 16) are not intended to be covered.
Related service — a digital service that affects the product’s functions and exchanges data with it.
Data holder — an entity entitled or obliged to make data available (typically the manufacturer or service provider).
User — a natural or legal person that owns the connected product, has contractually acquired a temporary right to use it (for example under a lease or rental), or receives the related service, and whose use of it generates data.
Data recipient — a third party to whom the user requests that data be made available.
The regulation also has extraterritorial reach — it may cover entities outside the EU offering products or services on the EU market. Data is defined very broadly and covers both personal and non-personal data.
What the Data Act Changes in Practice
The regulation addresses six main areas:
Sharing IoT data (B2C and B2B). A user of a connected product has the right to access the data they generate and the right to request that it be shared with a chosen third party. The data holder must make it available in a structured, commonly used, machine-readable format and, where technically feasible, continuously and in real time.
B2B sharing. Where legislation requires data to be shared with another business, the terms must be fair, reasonable and non-discriminatory (FRAND), with reasonable compensation.
Unfair contractual terms. The provisions protect businesses, in particular SMEs, against unilaterally imposed, unfair terms on data sharing.
B2G sharing. In situations of exceptional need (for example, a state of emergency or natural disaster), public bodies may request access to certain private-sector data — proportionately and only to the extent necessary.
Switching data processing services. Cloud providers must enable smooth data porting and switching between services, removing technical barriers and switching charges (the charges are reduced now and prohibited entirely from 12 January 2027).
Protection against third-country access. Non-personal data stored in the EU is protected against unlawful access requests from authorities outside the EU.
The Data Act and GDPR — Which Prevails
This is the most important part of the puzzle. The Data Act expressly states that it is without prejudice to the GDPR, and that in the event of a conflict with EU law on the protection of personal data, the GDPR prevails. Several practical rules follow.
The Data Act creates no new legal basis. The mere fact that a user has the right to have data shared does not remove the obligation to have a basis under Article 6 GDPR where the data is personal data. Sharing personal data with a third party still requires a valid legal basis.
A user’s request is not automatically GDPR consent. A request to share data under the Data Act is not the same as consent within the meaning of the GDPR. If consent is to be the basis, it must meet all GDPR requirements (freely given, specific, informed, unambiguous).
Mixed datasets. Data from IoT devices often combines personal and non-personal data inseparably. Where these elements cannot be separated, the GDPR applies to the entire dataset.
The user is not always the data subject. Where a user (for example, a company leasing a vehicle) requests data containing other people’s data (drivers, passengers), additional complexity arises — a legal basis and caution are needed so as not to infringe third parties’ rights.
The data recipient becomes a controller. A third party that receives personal data must process it in accordance with the GDPR: only for the agreed purpose, respecting the principles, and deleting the data once it is no longer needed. The Data Act itself imposes obligations on the recipient that mirror these GDPR duties, in particular using the data only for the purposes and under the conditions agreed with the user, not passing it on to further third parties beyond what was agreed, and erasing it when it is no longer necessary.
It is worth adding that, already at the legislative stage, the European Data Protection Board and the European Data Protection Supervisor drew attention to the risks at the Data Act–GDPR interface, calling for clear primacy of data protection principles. For every new data flow, the core GDPR principles therefore continue to apply: minimisation, purpose limitation, transparency and security.
The Data Act and the Right to Data Portability (Article 20 GDPR)
The Data Act’s access right is sometimes confused with the right to data portability under Article 20 GDPR. These are two distinct, though complementary, mechanisms. The Article 20 GDPR right belongs to the data subject and concerns personal data they have provided that is processed by automated means on the basis of consent or a contract. The Data Act right is broader: it also covers non-personal data, it concerns specifically data generated by the use of connected products and related services, it can be exercised by business users as well as individuals, and it requires sharing continuously and in real time where technically feasible. In practice, a company may receive both types of request at once and must identify which regime each falls under.
Sharing with Public Bodies (B2G) and Personal Data
The chapter on sharing data with public bodies allows the administration to request private-sector data in situations of exceptional need. If the request covers personal data, GDPR safeguards apply in full — the processing must have a basis, be proportionate and limited to what is necessary, and where it suffices, sharing anonymised data is preferred.
What to Do — Practical Steps for Businesses
Preparing for the Data Act and reconciling it with the GDPR requires structured action:
- Inventory the data generated by IoT products and services — separate personal from non-personal data and identify mixed data.
- Establish your role — whether you are a data holder, user or recipient; a controller or a processor.
- Review contracts — sharing terms (FRAND), cloud-switching clauses, provisions with data recipients.
- Establish legal bases for sharing personal data — do not assume the Data Act replaces them.
- Update privacy notices — inform users about the data, its sharing and their rights.
- Implement a request-handling procedure for access and sharing requests, either as a separate channel or integrated with GDPR data-subject request handling, with an explicit step that identifies which regime a request falls under and checks the legal basis before personal data is released.
- Assess the need for a DPIA for new, higher-risk data flows.
- Protect trade secrets — the Data Act provides exceptions safeguarding trade secrets and security.
The European Commission has published supporting materials, including frequently asked questions (FAQs), model contractual terms (MCTs) for data sharing and standard contractual clauses for cloud contracts. At national level, Member States designate the competent authorities and lay down enforcement rules and penalties, an area worth monitoring.
Common Mistakes and Pitfalls
Assuming the Data Act replaces the GDPR — these are two parallel regimes; for personal data, the GDPR prevails.
Treating a user’s request as GDPR consent without verifying the legal basis.
Overlooking mixed data and wrongly treating the whole dataset as “non-personal”.
No basis for sharing personal data with a third party at the user’s request.
Failing to account for third parties’ rights whose data is contained in the device data.
Ignoring the data recipient’s obligations — purpose, minimisation, deletion.
Checklist — The Data Act and GDPR
- Inventory data from IoT products and services (personal / non-personal / mixed).
- Establish your role and status in the data chain.
- Identify GDPR legal bases for each sharing of personal data.
- Review and adapt contracts (FRAND, cloud, data recipients).
- Update privacy notices for the new data flows.
- Implement a procedure for handling access and sharing requests.
- Assess the need for a DPIA for new flows.
- Protect trade secrets and data against third-country access.
- Monitor national authorities and Commission guidance (FAQs, model terms).
Need Help Aligning with the Data Act and GDPR?
The Data Act opens a new chapter in the data economy — and it must be reconciled with the GDPR. At the Law Office of Dr Joanna Maniszewska-Ejsmont, we help companies map data from IoT products and services, establish roles and legal bases, adapt contracts, and prepare request-handling procedures and privacy notices compliant with both the GDPR and the Data Act.

Contact us — we will help you implement the new data-sharing rules safely in your organisation.
