Support Centre

You have out of 5 free articles left for the month

Signup for a trial to access unlimited content.

Start Trial

Continue reading on DataGuidance with:

Free Member

Limited Articles

Create an account to continue accessing select articles, resources, and guidance notes.

Free Trial

Unlimited Access

Start your free trial to access unlimited articles, resources, guidance notes, and workspaces.

EU: Commission publishes FAQs on the Data Act

On September 6, 2024, the European Commission published a set of frequently asked questions (FAQs) on the Regulation on Harmonised Rules on Fair Access to and Use of Data (the Data Act). The Data Act enters into force on September 12, 2025.

How does the Data Act interact with the GDPR?

The FAQs provide that, pursuant to Article 1(5) of the Data Act, in the event of a conflict between the General Data Protection Regulation (GDPR) and the Data Act, the GDPR rules on the protection of personal data will prevail. The Data Act does not regulate the protection of personal data specifically but instead enhances the sharing and enabling of fair distribution of data by establishing rules for accessing and using data within the EU.

Regarding enforcement, data protection authorities (DPAs) are designated under the GDPR, insofar as the protection of personal data is concerned, the DPAs are responsible for monitoring compliance with the Data Act and can rely on powers given under the GDPR. In addition, data subjects are not required to go to two different authorities where the right of access applies under both the Data Act and GDPR, or for any other grievance relating to the protection of their personal data in applying the Data Act.

How does the Data Act interact with other legislation?

The FAQs clarify that the Data Act sets horizontal rules for data access, sharing, and use, but that the Data Act is complemented by sector-specific legislation. Where this is the case, the FAQs note that sector-specific legislation should be approached in compliance with principles under the Data Act, which apply to all matters related to 'access to data.'

Notably, the FAQs stipulate that gatekeepers under the Digital Markets Act (DMA) are prohibited from relying on the specific mandatory data-sharing mechanisms under Articles 4 and 5 of the Data Act. However, DMA gatekeepers are not entirely excluded from the Internet of Things (IoT) data market.

The Data Act and the IoT

The FAQs note the type of IoT data covered by the Data Act. Regarding 'product data,' data on a product's use, or environment that is purely descriptive is not considered 'product data.' While 'related service data' is considered data representing user action, inaction, and events related to the connected product during the provision of a related service. The FAQs detail that 'readily available data' does not include a reference to the time of generation or collection.

The level of enrichment of the data also determines whether such data falls within the scope of the Data Act. Data that is highly enriched, through proprietary or complex algorithms for example, and content that is covered by IP rights, is out of the scope of the Data Act. More generally, only data generated/collected after the entry into application of the Data Act should be considered as falling within the scope of Chapter II of the Data Act.

In addition, the FAQs clarify information on what a 'connected product' is, whether a 'connected product' falls within the scope of the Data Act, and what a 'related service' to a connected product is. On data access rights and trade secrets under the Data Act, the FAQs provide that when a data holder receives a request to access data, it must identify the trade secrets that need to be shared and agree with the user/third party on the necessary measures to preserve their confidentiality. Data holders can refuse to share trade secrets if, based on objective evidence, it is highly likely that serious economic damage would result from the disclosure.

You can read the press release here and download the FAQs here.