GDPR and the Data Act: Building an Integrated European Data Governance Framework

‍A Decisive Shift Towards a Single Data Market

With the Data Act entering into force on January 11, 2024, and set to become applicable in September 2025, the European Union takes a significant step forward in establishing a single market for data. This ambitious regulation forms part of the EU’s European Data Strategy, launched in 2020, which aims to unlock the potential of data while ensuring an ethical, fair, and secure regulatory framework.

Until now, the General Data Protection Regulation (GDPR) has served as the cornerstone of European digital regulation, safeguarding personal data and the fundamental rights of individuals. However, in light of the rapid proliferation of connected devices, the exponential growth of data generated across industrial, agricultural, and urban sectors, and the increasing need for data sharing in the public interest, a new regulatory balance is needed.

The Data Act is not a competitor to the GDPR, but rather a complementary instrument. While the GDPR focuses on protecting individuals, the Data Act seeks to regulate access to, sharing, and reuse of both personal and non-personal data, under clear, fair, and innovation-friendly conditions.

‍A Key Objective: Rebalancing Power Dynamics in the Digital Economy

The Data Act—formally the Regulation on Harmonized Rules on Fair Access to and Use of Data—aims to ensure a fairer distribution of the value generated by data. Currently, this value is often concentrated in the hands of a few dominant players—connected product manufacturers, cloud giants, or platform operators—to the detriment of users, SMEs, and even public authorities.

Going forward, any connected product or service placed on the EU market must be designed to allow users—whether farmers, building owners, or fleet managers—access to the data generated through their use. More importantly, users will have the right to share this data with a provider of their choice, paving the way for greater competition in areas such as after-sales services, maintenance, and industrial optimization.

Enhanced data access will also benefit public authorities, who, in situations of crisis or overriding public interest—such as natural disasters or public health emergencies—may be granted access to private sector data under strict proportionality and compensation rules.

‍Data Act and GDPR: A Critical Interplay

A central challenge of the new regulation lies in its interoperability with the GDPR. Since both instruments regulate data at their core, their interaction must be clearly understood to avoid legal uncertainty.

The boundary between personal and non-personal data is increasingly blurred. For example, sensor data can, depending on context, reveal an individual’s identity, habits, or location. As such, the GDPR continues to apply in full whenever data can be linked to an identified or identifiable natural person—even if access is permitted under the Data Act.

The Data Act is not intended to diminish the rights enshrined in the GDPR, but rather to extend them into a broader digital environment. For instance, the right to data portability—as provided in Article 20 of the GDPR—is expanded and reinforced in the Data Act. It now applies not only to personal data obtained with consent, but also to data generated through the use of a device, whether personal or technical in nature.

As a result, businesses will need to implement hybrid compliance mechanisms, ensuring adherence to both regulatory frameworks. Facilitated data sharing does not exempt organizations from obligations related to security, purpose limitation, or transparency.

‍Cross-Sector Impacts for Economic Actors

The Data Act will have cross-cutting implications across industries. Manufacturers of connected devices will need to fundamentally redesign their products to incorporate secure data access interfaces, available to the end user or an authorized third party. The principle of “data by design” becomes both a technical and legal requirement.

Cloud service providers must enable effective data portability, without undue transfer fees or vendor lock-in. This aims to eliminate proprietary restrictions that stifle competition and innovation.

Data-using businesses will gain greater autonomy in exploiting data generated through their own activities—even if such data is held by external vendors. However, this new freedom comes with new responsibilities, particularly concerning GDPR compliance when data is reused for profiling, tracking, or personalization.

Public sector bodies will also benefit from regulated access to private data to support policy-making, crisis management, and research initiatives. Such access must be reasonable, proportionate, and appropriately compensated.

‍A Catalyst for Sectoral Transformation

The Data Act is not merely a legal framework—it serves as a driver for economic transformation. In industry, access to machine or sensor data will enable predictive maintenance, energy efficiency, and smoother logistics. In agriculture, it will support precision farming through granular insights into weather, soil conditions, and yields.

For consumers, the Data Act may translate into cheaper repair services, greater transparency about device performance, and longer product lifespans—thereby supporting the objectives of the European Green Deal.

The regulation also clarifies the application of the sui generis database right, limiting excessive protections that could obstruct data sharing from Internet of Things (IoT) ecosystems. The goal is clear: safeguard investment without hindering data flow.

Implementation Challenges Ahead

By 2025, organizations will need to rethink their data governance practices. This includes auditing connected systems, revising user contracts, redefining data-sharing clauses, and fostering cross-functional collaboration between legal, IT, and operational teams.

The European Commission is developing standard contractual clauses to facilitate fair data-sharing agreements. Additionally, new technical interoperability standards are in the pipeline to ensure effective portability.

Data governance must now evolve beyond a sole focus on protection (as under the GDPR), and incorporate a vision of responsible data valorization.

‍Towards a More Balanced Digital Ecosystem

The Data Act represents not a rupture, but a necessary evolution. It complements the GDPR, extending its principles into the economic domain without compromising its core values. Together, these two regulations form the foundation of a trust-based, equitable, and transparent European digital space.

The dual objective is clear: to uphold user rights while empowering European businesses to leverage data for innovation. In this light, the Data Act is far more than a technical regulation—it is a strategic tool for shaping Europe’s digital sovereignty.

DPO Consulting: Your Partner in AI and GDPR Compliance

Investing in GDPR compliance efforts can weigh heavily on large corporations as well as smaller to medium-sized enterprises (SMEs). Turning to an external resource or support can relieve the burden of an internal audit on businesses across the board and alleviate the strain on company finances, technological capabilities, and expertise. 

External auditors and expert partners like DPO Consulting are well-positioned to help organizations effectively tackle the complex nature of GDPR audits. These trained professionals act as an extension of your team, helping to streamline audit processes, identify areas of improvement, implement necessary changes, and secure compliance with GDPR.

Entrusting the right partner provides the advantage of impartiality and adherence to industry standards and unlocks a wealth of resources such as industry-specific insights, resulting in unbiased assessments and compliance success. Working with DPO Consulting translates to valuable time saved and takes away the burden from in-house staff, while considerably reducing company costs.

Our solutions

GDPR and Compliance

• GDPR Software (myDPO)
• GDPR Compliance Audits
• Privacy Impact Assessments (PIA)
• Initial Cybersecurity Audits
• Clinical Trial Compliance

Outsourced DPO & Representation

• Outsourced DPO
• International DPO
• CISO As A Service
• EU Representative
• UK Representative
• US Privacy Services

Training & Support

• Customized DPO Coaching
• GDPR Training