| Topic | Data Act | GDPR | Practical rule |
|---|---|---|---|
| Scope boundary | The Data Act creates harmonised rules for fair access to and use of data, including Chapter II rights for users of connected products and related services. | GDPR remains the controlling law for personal-data processing, data subject rights, controller and processor duties, and supervisory authority powers. | Start with the Data Act only for the access question. If personal data is involved, Article 1(5) makes the privacy-law boundary explicit: GDPR and related privacy law prevail in a conflict. |
| Covered actors | Data Act roles include the user, data holder, data recipient, third party, manufacturer, related-service provider, and public-sector requester depending on the chapter and request type. | GDPR roles include data subject, controller, processor, joint controller, recipient, data protection authority, and European Data Protection Supervisor where EU institutions are involved. | Do not translate roles mechanically. A Data Act user can be a GDPR data subject in one flow, a controller in another flow, and neither in a request involving another person's personal data. |
| Trigger | Chapter II focuses on raw and pre-processed product data and related service data that is readily available to the data holder, plus metadata needed to interpret and use it. Inferred or derived data and content are outside that Chapter II scope. | GDPR applies to personal data in the export, including personal data inside mixed datasets. The fact that the same file contains non-personal data does not remove GDPR duties for the personal-data portion. | Build exports at field level. Separate raw/pre-processed data from inferred, derived, content, trade-secret, personal, non-personal, and mixed fields before deciding what can be sent. |
| Core obligations | The Data Act gives users access to product data and related service data generated by their use of a connected product or related service, regardless of whether the data is personal or non-personal, when the data is in scope. | GDPR gives data subjects personal-data rights, including access and portability rights. These rights are not narrowed by Data Act access limits or trade-secret mechanisms. | If the requester is the data subject, consider both regimes. If the Data Act route is unavailable or narrowed, GDPR rights may still need to be handled through the GDPR rights process. |
| Evidence record | The Data Act can oblige a data holder to make personal data available to the user or a third party at the user's request, but it does not create a legal basis to collect or generate personal data. | GDPR requires a valid legal basis for personal-data processing. If the user is not the data subject, the personal data can be made available only where the GDPR basis and any relevant special-category or ePrivacy conditions are met. | A request form should ask who the data subject is, who will receive the data, the requested purpose, and the GDPR basis before any personal data is disclosed. |
| Timing and deadlines | A Data Act user may ask the data holder to share in-scope data with a third party of the user's choice. Data holders are not obliged under the Data Act to share with third parties outside the EU, and DMA gatekeepers are excluded from the Chapter II third-party route. | GDPR still controls personal-data disclosure to the third party, including purpose, lawful basis, transparency, security, and restrictions on further processing. | For each recipient, record the user's instruction, recipient identity, service purpose, location, personal-data basis, security commitments, and onward-use restrictions. |
| Enforcement | Member States designate competent authorities for Data Act enforcement and set penalties that must be effective, proportionate, and dissuasive. Users can challenge certain withholding, suspension, refusal, and access disputes through competent authorities, courts, or dispute settlement routes. | Data protection authorities remain responsible for Data Act application insofar as personal-data protection is concerned, and GDPR enforcement paths continue for GDPR infringements. | Escalate to the right authority path. A Data Act access dispute, a trade-secret refusal, and a GDPR unlawful-disclosure complaint may involve different competence even when they arise from the same export. |
| Overlap and reuse | The Data Act requires trade secrets to be preserved through agreed technical and organisational measures. Withholding, suspension, or refusal must be justified and tied to the Data Act conditions. | GDPR privacy controls can require minimisation, anonymisation, pseudonymisation, access control, and security measures for personal data in the same export. | Do two separate reviews: one for trade-secret confidentiality and serious economic damage, another for personal-data minimisation and security. Do not use either label as a generic refusal reason. |
| Practical decision rule | Beyond Chapter II, the Data Act also covers B2G exceptional-need requests, switching between data processing services, and safeguards against unlawful third-country government access to non-personal data. | For B2G requests involving personal data, the Data Act requires privacy safeguards and does not lower personal-data protection. International transfers of personal data remain governed by GDPR rather than the Data Act's non-personal-data third-country access rules. | Do not apply the connected-product access analysis to every Data Act chapter. B2G and cloud matters need their own scope check, and personal data still moves back to GDPR. |
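
The field-level export review described in the table, sketched as an added example that is not part of the original page. The class names, decision labels (`release`, `hold`, `exclude`, `gdpr_route`) and sample fields are hypothetical; the rules encode only what the table states and assume each field has already been classified.

```python
from dataclasses import dataclass
from typing import Optional

# Data kinds the table places inside Chapter II scope.
IN_SCOPE_KINDS = {"raw", "pre-processed", "metadata"}

@dataclass(frozen=True)
class Field:
    name: str
    kind: str                  # raw, pre-processed, metadata, inferred, derived, content
    personal: bool = False
    trade_secret: bool = False

@dataclass(frozen=True)
class Request:
    requester_is_data_subject: bool
    gdpr_basis: Optional[str] = None           # recorded when requester is not the data subject
    trade_secret_measures_agreed: bool = False

def review_field(field, req):
    """Return (decision, reason) for one field; every outcome carries a specific reason."""
    if field.kind not in IN_SCOPE_KINDS:
        # Out of Chapter II scope, but GDPR rights are not narrowed by that.
        if field.personal and req.requester_is_data_subject:
            return ("gdpr_route", "outside Chapter II; handle under the GDPR rights process")
        return ("exclude", f"outside Chapter II scope ({field.kind})")
    # Review 1: personal data about someone other than the requester.
    if field.personal and not req.requester_is_data_subject and not req.gdpr_basis:
        return ("hold", "personal data about another person; no GDPR basis recorded")
    # Review 2: trade-secret confidentiality, kept separate from the privacy review.
    if field.trade_secret and not req.trade_secret_measures_agreed:
        return ("hold", "trade secret; confidentiality measures not yet agreed")
    return ("release", "in scope")

def plan_export(fields, req):
    """Group field names and reasons by decision so the plan can be stored as evidence."""
    plan = {"release": [], "hold": [], "exclude": [], "gdpr_route": []}
    for f in fields:
        decision, reason = review_field(f, req)
        plan[decision].append((f.name, reason))
    return plan

# Constructed sample schema for a connected-vehicle export (illustrative only).
SAMPLE_FIELDS = [
    Field("battery_voltage", "raw"),
    Field("gps_trace", "raw", personal=True),
    Field("sensor_units", "metadata"),
    Field("driver_risk_score", "inferred", personal=True),
    Field("calibration_curve", "pre-processed", trade_secret=True),
    Field("dashcam_video", "content", personal=True),
]
```

Running `plan_export(SAMPLE_FIELDS, Request(requester_is_data_subject=False))` holds `gps_trace` and `calibration_curve` with distinct reasons, which keeps the privacy review and the trade-secret review from collapsing into one generic refusal.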