Source - 13 September 2024 - v1.1
The Data Act (Regulation (EU) 2023/2584) establishes harmonised, horizontal rules to ensure fairness in the allocation of value generated from data across market actors, while safeguarding the interests of those who invest in data-generation technologies.
For an introduction to the Data Act, we invite you to consult the “Data Act Explained” fact page.
This set of more technical Frequently Asked Questions (FAQs), published approximately a year before the entry into application of the Data Act, is designed to assist stakeholders in the implementation of the legal provisions. The FAQs are the product of extensive stakeholder interactions, and this is intended to be a ‘living document’ that will be updated as and when necessary. The version history can be found at the end of the document.
This document should not be considered as representative of the European Commission’s official position.
The replies to the FAQs do not extend in any way the rights and obligations deriving from applicable legislation nor introduce any additional requirement. The expressed views are not authoritative and cannot prejudge any future actions the European Commission may take, including potential positions before the Court of Justice of the European Union.
Please contact us if you have a question that is not covered here and we will try to get back to you as quickly as possible. For any complaints related to the Data Act’s implementation, please consider contacting the data coordinator in your Member State.
The General Data Protection Regulation (GDPR) is fully applicable to all personal data processing activities under the Data Act. The Data Act does not regulate as such the protection of personal data. Instead, the Data Act enhances data sharing and enables a fair distribution of the value of data by establishing clear rules related to the access and use of data within the EU’s data economy.
In some cases, the Data Act specifies and complements the GDPR (e.g. real-time portability of data from Internet-of-Things (IoT) objects). In other cases, the Data Act restricts the re-use of data by third parties (e.g. Article 6 of the Data Act). In the event of a conflict between the GDPR and the Data Act, the GDPR rules on the protection of personal data prevail (cf. Article 1(5) of the Data Act).
The Data Act respects the competence of the data protection authorities (DPAs) to enforce rules on personal data protection. The Data Act provides a coherent enforcement and cooperation mechanism between DPAs and other competent authorities.
Article 1(5) of the Data Act establishes that the GDPR applies to the processing of personal data in the framework of the Data Act. In this context, it recalls that the DPAs are competent to enforce the obligations stemming directly from the GDPR.
Article 37(3) provides that, insofar as the protection of personal data is concerned, the DPAs are responsible for monitoring the application of the Data Act and can rely on the tasks and powers laid down in the GDPR. This is also stated in recital 107. The protection of personal data captures, for example, the power to assess: (i) whether a user who is a data subject has received or has been allowed to port all personal data it requests; (ii) whether the data holder correctly qualifies which data should be considered personal data; and (iii) whether a valid legal basis under the GDPR exists for a user who is not a data subject to request and port personal data. Article 37(3) also ensures that data subjects are not required to go to two different authorities in cases where the rights of access and porting would apply under both the Data Act and the GDPR or where there could be any other grievance relating to the protection of their personal data in the application of the Data Act.
More generally, the Commission strives to promote a strong working relationship between the authorities that enforce data legislation in the EU, including through the membership of the European Data Protection Supervisor (EDPS) and the European Data Protection Board (EDPB) in the European Data Innovation Board.
The Data Act is a horizontal piece of legislation that aims to significantly enhance fair access to and use of data across all sectors of the economy. Chapter III, in particular, establishes a framework regarding the conditions, compensation, and technical protection measures for whenever a data holder is obliged under EU or national law to share data with a data recipient.
More concretely, Article 44 addresses two key dimensions that structure the interaction between the Data Act and other EU legislation that include rules on data access and use: time of entry into force (Article 44(1)) and sectoral specificities (Article 44(2)).
According to Article 44(1), data-sharing obligations that entered into force on or before 11 January 2024 (the Data Act’s entry into force) remain unaffected. If EU legal acts introduce rules on data between 11 January 2024 and 12 September 2025 (the Data Act’s entry into application), best efforts should be made to ensure alignment, but there is no legal obligation to do so.
The Data Act sets horizontal rules for data access, sharing and use. However, Article 44(2) allows the Data Act to be complemented by sector-specific legislation, where necessary, with practical and technical modalities (e.g. safety, standardisation, or technical matters) and with specific limits on data holders’ access rights or actions. However, the development of such sectoral rules should be approached cautiously and consistent with the principles laid down in the Data Act to the greatest extent possible, thus avoiding unnecessary complexity. The principles of the Data Act apply for all matters related to ‘access to data’ that are not specifically regulated in such sectoral rules.