Data Governance Act: Mapping the Interplays with the GDPR
This resource maps the interplays between the Data Governance Act and the GDPR.
Contributors:
Müge Fazlioglu
CIPP/E, CIPP/US
Principal Researcher, Privacy Law and Policy
IAPP
This infographic is part of a series that maps different EU digital laws with the GDPR. The full series can be accessed here.
Additional Insights
- Data Governance Act: 101 (Chart)
As a legal framework to create an infrastructure for the public sharing of both non-personal and personal data, the EU Data Governance Act intersects in several ways with the rights enshrined within and the rules laid down by the GDPR.
This resource, drawing from the EU Digital Laws Report 2025, provides an overview of the rules and requirements that sit at the intersection of the DGA and the GDPR.
While the DGA does not create a new legal basis for the processing of personal data, and the rules of the GDPR prevail whenever personal data is processed under the DGA, there are several areas where the DGA and GDPR intersect or overlap, namely, with regard to: consent, anonymization of personal data, data intermediation services that facilitate exercise of data subject rights, and data transfers of personal and non-personal data.
The IAPP additionally hosts a , which provides an overview of EU privacy, cybersecurity and AI legislation.Data Governance Act and GDPR interplay mapping
Data Governance Act
- Article 1(3)
Insofar as any personal data is processed in connection with the DGA, the GDPR’s rules and protections prevail. In the event of a conflict between the DGA and GDPR, the GDPR prevails, as do the powers and competencies of the GDPR’s supervisory authorities.
GPDR
- Article 4
The DGA adopted all of the GDPR’s definitions of “personal data,” “consent,” “data subject,” and “processing.”
Data Governance Act
- Article 5(3)(a-c), Recital 15
Public sector bodies that decide to grant access for reuse of protected data should anonymize any personal data. If the anonymization or the modification of the data makes it unusable for the re-user, and requirements for conducting a data protection impact statement and prior consultation with a supervisory authority under the GDPR have been fulfilled, and if the risks to the rights to the data subjects are minimal, then on-premise or remote re-use of the data within a secure processing environment could be allowed.
GPDR
- Articles 35-36
Data protection impact assessment and prior consultation with a supervisory authority may need to be carried out to allow on-premises or remote reuse of non-anonymized data within a secure processing environment under the DGA.
Data Governance Act
- Article 10(b), Recital 30
A specific category of data intermediation services that offers services to data subjects seeking to enhance the agency of data subjects and individuals’ control over data relating to them and assists them in exercising their rights under the GDPR.
GPDR
- Articles 7, 15-18, and 20
The DGA data intermediation services may offer assistance to data subjects in giving and withdrawing their consent as well as in exercising their GDPR rights to access, rectification, erasure (“right to be forgotten”), restriction of processing, and data portability.
Data Governance Act
- Article 25(3)
A data altruism consent form is to be developed by the European Commission in consultation with the European Data Protection Board and European Data Innovation Board to facilitate the collection of data based on data altruism.
GPDR
- Article 7
Whenever personal data is collected via the data altruism consent form, the data altruism organization should ensure that data subjects can give and withdraw consent from a specific data processing operation in compliance with the GDPR.
Data Governance Act
- Article 31
Public sector bodies, data intermediation services providers and data altruism organizations must take “all reasonable technical, legal and organizational measures, including contractual arrangements,” to prevent international transfer or governmental access to nonpersonal data where such transfer or access conflicts with EU or national law of the relevant member state.
GPDR
- Article 44
The DGA’s requirements around the international transfer of and access to nonpersonal data resemble the requirements imposed by the GDPR on international transfer and access to personal data.
This content is eligible for Continuing Professional Education credits. Please self-submit according to CPE policy guidelines.
Submit for CPEsContributors:
Müge Fazlioglu
CIPP/E, CIPP/US
Principal Researcher, Privacy Law and Policy
IAPP
Tags:
