---
title: "EU Data Act vs GDPR"
canonical_url: "https://www.sorena.io/artifacts/eu/data-act/data-act-vs-gdpr"
source_url: "https://www.sorena.io/artifacts/eu/data-act/data-act-vs-gdpr"
author: "Sorena AI"
description: "EU Data Act vs GDPR made practical: how Chapter II access/portability for connected product data differs from GDPR data subject rights."
published_at: "2026-02-23"
updated_at: "2026-02-23"
keywords:
  - "EU Data Act vs GDPR"
  - "Data Act portability vs GDPR portability"
  - "connected product data access GDPR"
  - "Data Act Chapter II personal data"
  - "direct access vs indirect access Data Act"
  - "lawful basis sharing personal data Data Act"
  - "Data Act user request workflow"
  - "EU compliance"
  - "data-act compliance"
  - "GDPR"
  - "data portability"
  - "IoT data access"
---
**[SORENA](https://www.sorena.io/)** - AI-Powered GRC Platform

[Home](https://www.sorena.io/) | [Solutions](https://www.sorena.io/solutions) | [Artifacts](https://www.sorena.io/artifacts) | [About Us](https://www.sorena.io/about-us) | [Contact](https://www.sorena.io/contact) | [Portal](https://app.sorena.io)

---

# EU Data Act vs GDPR

EU Data Act vs GDPR made practical: how Chapter II access/portability for connected product data differs from GDPR data subject rights.

*Artifact Guide* *EU*

## EU Data Act: Fair Access to Connected Product Data and Cloud Switching Data Act vs GDPR

Build one access workflow that is Data Act-compliant and GDPR-safe.

Focus: connected product data access and portability where datasets often contain mixed personal and non-personal data.

Many EU Data Act datasets are mixed: sensor streams and device logs can contain both personal and non-personal data. The EU Data Act does not replace the GDPR. It adds specific access and portability rules for connected product and related service data, and you must implement them in a way that respects GDPR principles (lawfulness, minimisation, security, transparency). This page explains how to design a single operational workflow that satisfies both regimes without over-sharing or building duplicate processes.

## 1) What is the Data Act doing that GDPR doesn't?

GDPR is a fundamental-rights regime for personal data. The EU Data Act is a market and fairness regime for access to and use of data (including non-personal data), with a specific focus on connected products, related services, and cloud switching.

The key operational impact: the Data Act can require access/portability mechanisms for datasets that are not purely personal data and that have multiple actors (user, data holder, third party).

- GDPR: rights and obligations tied to personal data and controller/processor roles
- Data Act (Chapter II): access/portability for connected product/related service data for the user, including sharing with third parties chosen by the user
- Data Act adds: direct vs indirect access design patterns and product UX obligations (transparency before purchase)

## 2) Portability: Data Act vs GDPR portability (don't conflate them)

GDPR portability is a data subject right for personal data under specific conditions. Data Act portability is designed for IoT-style operational data, often near real-time, with a focus on enabling switching and innovation.

Practically, teams should implement one export and sharing pipeline that can produce (a) GDPR portability packages for personal data and (b) Data Act exportable datasets for connected products.

- Data Act portability: operational, often continuous or near real-time, and includes non-personal data generated by use
- GDPR portability: personal-data-only conditions and format obligations; typically request/response rather than streams
- Engineering implication: build a shared data export service with policy-based filtering and purpose/recipient controls

*Recommended next step*

*Placement: after the comparison section*

## Use EU Data Act: Fair Access to Connected Product Data and Cloud Switching Data Act vs GDPR as a cited research workflow

Research Copilot can take EU Data Act: Fair Access to Connected Product Data and Cloud Switching Data Act vs GDPR from how this topic compares with adjacent regulations or standards to a reusable workflow inside Sorena. Teams working on EU Data Act: Fair Access to Connected Product Data and Cloud Switching can keep owners, evidence, and next steps aligned without copying this guide into separate documents.

- [Open Research Copilot for EU Data Act: Fair Access to Connected Product Data and Cloud Switching Data Act vs GDPR](/solutions/research-copilot.md): Start from EU Data Act: Fair Access to Connected Product Data and Cloud Switching Data Act vs GDPR and answer scope, timing, and interpretation questions with cited outputs.
- [Talk through EU Data Act: Fair Access to Connected Product Data and Cloud Switching](/contact.md): Review your current process, evidence gaps, and next steps for EU Data Act: Fair Access to Connected Product Data and Cloud Switching Data Act vs GDPR.

## 3) Direct vs indirect access: privacy engineering consequences

The Commission's FAQs describe direct access (self-service technical means) and indirect access (request via the data holder). Both can be compliant; they create different privacy and security risks.

Direct access pushes more security responsibility into product design. Indirect access increases operational load but can simplify sensitive-data minimisation.

- Direct access: strong identity binding, secure client design, rate limits, and fraud/abuse monitoring
- Indirect access: request intake, identity verification, policy checks (personal vs non-personal), and auditable delivery receipts
- For mixed datasets: implement field-level classification and recipient-specific filtering

## 4) Sharing to third parties: lawful basis and safeguards (when personal data is included)

When the dataset includes personal data, GDPR still governs lawfulness and safeguards. The Data Act's sharing mechanisms must be implemented with GDPR principles: minimisation, purpose limitation, security, and transparency.

Operationally: you need a consistent way to verify who the requester is, who the recipient is, and what data is being shared.

- Define a recipient onboarding path: identity verification, security requirements, and permitted use attestations
- Use a policy engine: field-level filters, redaction, aggregation, and purpose-based access decisions
- Keep evidence: request logs, identity checks, dataset manifests, and delivery receipts

## 5) A combined implementation blueprint (single workflow, two legal lenses)

Avoid building separate "GDPR portal" and "Data Act portal". Build a single request and delivery workflow with two decision layers: (1) Data Act chapter/role eligibility and (2) GDPR personal-data safeguards.

This also improves UX: users get one consistent experience and you avoid inconsistent exports.

- Step A: scope memo per product/service (what is 'readily available', who is data holder, direct vs indirect access)
- Step B: data classification (personal vs non-personal) + disclosure policy and filters
- Step C: secure delivery pipeline (export formats, encryption, integrity checks, logs)
- Step D: evidence pack (requests, decisions, outputs, incidents, disputes)

## Primary sources

- [European Commission - Data Act FAQs (library page)](https://digital-strategy.ec.europa.eu/en/library/commission-publishes-frequently-asked-questions-about-data-act?ref=sorena.io) - Clarifications on how the Data Act complements GDPR portability and the direct vs indirect access patterns.
- [Commission Communication C/2025/5026 - Guidance on vehicle data accompanying the Data Act (ELI)](https://data.europa.eu/eli/C/2025/5026/oj?ref=sorena.io) - Example of Chapter II implementation framing in a sector where datasets often mix personal and non-personal signals.
- [Regulation (EU) 2023/2854 (Data Act) - Official Journal (ELI)](https://eur-lex.europa.eu/eli/reg/2023/2854/oj/eng?ref=sorena.io) - Binding legal text for Chapter II access and sharing and its interaction with other EU law (including GDPR references).

## Related Topic Guides

- [Access Rights and Portability | EU Data Act: Fair Access to Connected Product Data and Cloud Switching](/artifacts/eu/data-act/access-rights-and-portability.md): EU Data Act access rights and portability (Chapter II) made practical: direct vs indirect access, "readily available" data.
- [Applicability Test | EU Data Act: Connected Products, B2B Data Sharing, B2G Exceptional Need, Cloud Switching](/artifacts/eu/data-act/applicability-test.md): A practical EU Data Act applicability test you can run in 15 minutes: determine if Chapter II IoT access rights apply (connected products + related services).
- [B2B Data Sharing Contract Clauses | EU Data Act: Mandatory Sharing, Unfair Terms, Trade Secrets](/artifacts/eu/data-act/b2b-data-sharing-contract-clauses.md): EU Data Act contract clauses for B2B data sharing made practical: clause library for Chapter III access/use (purpose limits, compensation, security.
- [B2B Data Sharing Contract Template | EU Data Act: Data Access and Use Agreement (Drafting Checklist)](/artifacts/eu/data-act/b2b-data-sharing-contract-template.md): A practical EU Data Act-aligned B2B data sharing contract template: sections, annexes, and drafting checklist for dataset definition, permitted use.
- [B2G Exceptional Need Requests | EU Data Act: Public Emergency Data Requests, Safeguards, Compensation](/artifacts/eu/data-act/b2g-exceptional-need-requests.md): EU Data Act Chapter V B2G 'exceptional need' requests made practical.
- [Cloud Switching and Exit Plans | EU Data Act Chapter VI: Switch Providers, Port Data, Remove Egress Barriers](/artifacts/eu/data-act/cloud-switching-and-exit-plans.md): EU Data Act Chapter VI cloud switching made practical: Article 23 obstacle removal, Article 25 required contract terms (max 2-month notice, 30-day transition.
- [Cloud Switching Compliance Checklist | EU Data Act Chapter VI: Contracts, Exportable Data, Fees, Transparency](/artifacts/eu/data-act/cloud-switching-compliance-checklist.md): A detailed EU Data Act Chapter VI cloud switching compliance checklist: Article 25 contract terms (max notice period, 30-day transition, retrieval period).
- [Compliance Program | EU Data Act Implementation Playbook: Governance, Controls, Evidence, Operating Cadence](/artifacts/eu/data-act/compliance.md): Turn the EU Data Act into an implementation program: chapter scoping, roles and ownership, product workflows for Chapter II access.
- [Deadlines and Compliance Calendar | EU Data Act](/artifacts/eu/data-act/deadlines-and-compliance-calendar.md): Plan EU Data Act delivery with real dates: Regulation applies from 12 Sep 2025.
- [EU Data Act Checklist | Chapter II Access, B2B Sharing, Unfair Terms, B2G Requests, Cloud Switching](/artifacts/eu/data-act/checklist.md): A comprehensive EU Data Act checklist organized by roles and chapters: Chapter II connected product data access (direct vs indirect access).
- [FAQ | EU Data Act Explained: Key Dates, Access Rights, Trade Secrets, B2G Requests, Cloud Switching](/artifacts/eu/data-act/faq.md): EU Data Act FAQ with practical answers grounded in official sources: when the Data Act applies (Article 50), direct vs indirect access.
- [Penalties and Fines | EU Data Act Enforcement: Member State Penalties, GDPR-Linked Fines, Risk Controls](/artifacts/eu/data-act/penalties-and-fines.md): EU Data Act penalties and fines made practical: how Member States set penalties (Article 40), the criteria authorities must consider.
- [Requirements | EU Data Act Obligations Explained: Chapter II Access, Chapter IV Unfair Terms, Chapter V B2G, Chapter VI Switching](/artifacts/eu/data-act/requirements.md): A structured EU Data Act requirements breakdown across Chapters II-VI: connected product data transparency and access workflows.
- [Scope, Connected Products and Data Types | EU Data Act: Fair Access to Connected Product Data and Cloud Switching](/artifacts/eu/data-act/scope-connected-products-and-data-types.md): EU Data Act scope explained: connected products vs related services, product data vs related service data, readily available data.
- [Trade Secrets and Protection | EU Data Act: Confidentiality Measures, Withholding Rules, Evidence Pack](/artifacts/eu/data-act/trade-secrets-and-protection.md): EU Data Act trade secrets protection made practical: how to identify trade secret fields before disclosure, how to agree confidentiality measures (NDAs.


---

[Privacy Policy](https://www.sorena.io/privacy) | [Terms of Use](https://www.sorena.io/terms-of-use) | [DMCA](https://www.sorena.io/dmca) | [About Us](https://www.sorena.io/about-us)

(c) 2026 Sorena AB (559573-7338). All rights reserved.

Source: https://www.sorena.io/artifacts/eu/data-act/data-act-vs-gdpr