Data Act: Mapping the Interplays with the GDPR
This resource maps the interplays between the Data Act and the GDPR.
Published: 25 Feb. 2026
This infographic is part of a series that maps different EU digital laws with the GDPR. The full series can be accessed here.
The EU Data Act creates new rules on who can access and use data generated in the EU across all economic sectors. It aims to ensure fairness in the allocation of value from data, stimulate a competitive data market, open opportunities for data-driven innovation and make data more accessible to all users. It focuses primarily on industrial, nonpersonal data but is relevant to data protection.
This resource, drawing from the EU Digital Laws Report 2025, maps interplays between the Data Act and the GDPR.
The IAPP additionally hosts a Data Act 101 chart, which is part of a European Strategy for Data series, which provides an overview of EU privacy, cybersecurity and AI legislation.
Data Act and GDPR interplay mapping
Data Act
- Article 1(5)
Insofar as any personal data or datasets containing both personal and non-personal data that are inextricably linked are processed in connection with the Data Act, the GDPR’s rules and protections prevail. In the event of a conflict between the Data Act and GDPR, the latter prevails.
GPDR
- Article 2 and 4
Insofar as a Data Act user, i.e., a “natural or legal person that owns a connected product … or that receives related services,” is a GDPR data subject, the rights under the Data Act complement those of the GDPR.
Data Act
- Article 4(12) and 5(8) Articles 6(1), 9, 15 and 79
Personal data generated by the use of a connected product or related service may only be requested by a controller or a data subject. Data holders may set reasonable compensation to be met by third parties, but not by users, for costs incurred in providing direct access to the data generated by the user’s connected product.
GPDR
- Article 4(12) and 5(8) Articles 6(1), 9, 15 and 79
Controllers who request personal data generated by the use of a connected product or related service must have a legal basis for processing the data under the GDPR.If a data holder and a third party cannot agree on the terms of direct access, the data subject’s rights under the GDPR, e.g., the right to data portability, must not be impeded, and the data subject may seek remedies in accordance with the GDPR.
Data Act
- Recital 20
The Data Act does not impose an obligation to design connected products and related services in such a way as to store or process any personal data other than what is necessary in relation to the purpose limitation principle.
GPDR
- Article 5(1)(c)
Under the GDPR, the processing of personal data should be “adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed.”
Data Act
- Recital 39
Third parties should erase personal data once it is no longer necessary for the purpose agreed upon with the user.
GPDR
- Article 17
Requirements under the Data Act for third parties to erase personal data once it is no longer required for the purpose agreed upon with the user complement the data subject’s right to erasure under the GDPR.
Data Act
- Recital 24
Data holders are not expected to indefinitely store data for users of connected products.
GPDR
- Article 5(1)(e)
Data holders should implement a reasonable data retention policy in line with the GDPR’s storage limitation principle.
Data Act
- Recital 22
Controllers may task processors with making certain data available from on-device data storage or from a remote server to which data are communicated. Where the data holder and user qualify as joint controllers within the meaning of GDPR Article 26, they must transparently determine their respective responsibilities and agree on how these will be arranged under the GDPR. Such users may subsequently become a data holder under the Data Act and become subject to its obligations to make data available.
GPDR
- Articles 4(7-8), 6(1)(a-b), 9(2)(a), 20 and 26
Processers are not considered to be data holders but may be tasked by controllers to make certain data available. Failure to agree on arrangements for transmitting data by a data holder and third party shall not hinder the right to data portability under the GDPR.
Data Act
- Article 6
Third parties shall only process data they receive under Article 5 of the Data Act for the purposes and under the conditions agreed upon with the user. Third parties are prohibited from using the data they receive for profiling except when it is necessary to provide a service requested by the user.
GPDR
- Article 22(2)(a-c)
The Data Act’s prohibition on third-party use of data for profiling applies notwithstanding the GDPR’s exceptions for profiling based on consent or the performance of a contract.
This content is eligible for Continuing Professional Education credits. Please self-submit according to CPE policy guidelines.
Data Act: Mapping the Interplays with the GDPR
This resource maps the interplays between the Data Act and the GDPR.
Published: 25 Feb. 2026
Contributors:
Müge Fazlioglu
CIPP/E, CIPP/US
Principal Researcher, Privacy Law and Policy
IAPP
This infographic is part of a series that maps different EU digital laws with the GDPR. The full series can be accessed here.
The EU Data Act creates new rules on who can access and use data generated in the EU across all economic sectors. It aims to ensure fairness in the allocation of value from data, stimulate a competitive data market, open opportunities for data-driven innovation and make data more accessible to all users. It focuses primarily on industrial, nonpersonal data but is relevant to data protection.
This resource, drawing from the EU Digital Laws Report 2025, maps interplays between the Data Act and the GDPR.
The IAPP additionally hosts a Data Act 101 chart, which is part of a European Strategy for Data series, which provides an overview of EU privacy, cybersecurity and AI legislation.
Data Act and GDPR interplay mapping
Data Act
- Article 1(5)
Insofar as any personal data or datasets containing both personal and non-personal data that are inextricably linked are processed in connection with the Data Act, the GDPR’s rules and protections prevail. In the event of a conflict between the Data Act and GDPR, the latter prevails.
GPDR
- Article 2 and 4
Insofar as a Data Act user, i.e., a “natural or legal person that owns a connected product … or that receives related services,” is a GDPR data subject, the rights under the Data Act complement those of the GDPR.
Data Act
- Article 4(12) and 5(8) Articles 6(1), 9, 15 and 79
Personal data generated by the use of a connected product or related service may only be requested by a controller or a data subject. Data holders may set reasonable compensation to be met by third parties, but not by users, for costs incurred in providing direct access to the data generated by the user’s connected product.
GPDR
- Article 4(12) and 5(8) Articles 6(1), 9, 15 and 79
Controllers who request personal data generated by the use of a connected product or related service must have a legal basis for processing the data under the GDPR.If a data holder and a third party cannot agree on the terms of direct access, the data subject’s rights under the GDPR, e.g., the right to data portability, must not be impeded, and the data subject may seek remedies in accordance with the GDPR.
Data Act
- Recital 20
The Data Act does not impose an obligation to design connected products and related services in such a way as to store or process any personal data other than what is necessary in relation to the purpose limitation principle.
GPDR
- Article 5(1)(c)
Under the GDPR, the processing of personal data should be “adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed.”
Data Act
- Recital 39
Third parties should erase personal data once it is no longer necessary for the purpose agreed upon with the user.
GPDR
- Article 17
Requirements under the Data Act for third parties to erase personal data once it is no longer required for the purpose agreed upon with the user complement the data subject’s right to erasure under the GDPR.
Data Act
- Recital 24
Data holders are not expected to indefinitely store data for users of connected products.
GPDR
- Article 5(1)(e)
Data holders should implement a reasonable data retention policy in line with the GDPR’s storage limitation principle.
Data Act
- Recital 22
Controllers may task processors with making certain data available from on-device data storage or from a remote server to which data are communicated. Where the data holder and user qualify as joint controllers within the meaning of GDPR Article 26, they must transparently determine their respective responsibilities and agree on how these will be arranged under the GDPR. Such users may subsequently become a data holder under the Data Act and become subject to its obligations to make data available.
GPDR
- Articles 4(7-8), 6(1)(a-b), 9(2)(a), 20 and 26
Processers are not considered to be data holders but may be tasked by controllers to make certain data available. Failure to agree on arrangements for transmitting data by a data holder and third party shall not hinder the right to data portability under the GDPR.
Data Act
- Article 6
Third parties shall only process data they receive under Article 5 of the Data Act for the purposes and under the conditions agreed upon with the user. Third parties are prohibited from using the data they receive for profiling except when it is necessary to provide a service requested by the user.
GPDR
- Article 22(2)(a-c)
The Data Act’s prohibition on third-party use of data for profiling applies notwithstanding the GDPR’s exceptions for profiling based on consent or the performance of a contract.
This content is eligible for Continuing Professional Education credits. Please self-submit according to CPE policy guidelines.
Tags:
Related resources
IAPP Global Legislative Predictions 2026
Data Protection Officer Requirements by Country
Global AI Governance Law and Policy: Jurisdiction Overviews
