---
title: "Data Act and GDPR Personal Data Overlap FAQ"
canonical_url: "https://www.sorena.io/artifacts/eu/data-act/faq/gdpr-personal-data-overlap"
source_url: "https://www.sorena.io/artifacts/eu/data-act/faq/gdpr-personal-data-overlap"
author: "Sorena AI"
description: "FAQ on how the EU Data Act works when connected-product or related-service data includes personal data, mixed datasets, GDPR roles, lawful basis, trade secrets, and third-party sharing."
published_at: "2026-05-06"
updated_at: "2026-05-06"
keywords:
  - "EU Data Act"
  - "GDPR"
  - "personal data"
  - "mixed datasets"
  - "data holder"
  - "data subject"
  - "lawful basis"
  - "third-party sharing"
  - "Regulation (EU) 2023/2854"
---
**[SORENA](https://www.sorena.io/)** - AI-Powered GRC Platform

[Home](https://www.sorena.io/) | [Solutions](https://www.sorena.io/solutions) | [Artifacts](https://www.sorena.io/artifacts) | [About Us](https://www.sorena.io/about-us) | [Contact](https://www.sorena.io/contact) | [Portal](https://app.sorena.io)

---

# Data Act and GDPR Personal Data Overlap FAQ

FAQ on how the EU Data Act works when connected-product or related-service data includes personal data, mixed datasets, GDPR roles, lawful basis, trade secrets, and third-party sharing.

*FAQ* *EU* *Data Act*

## Data Act GDPR Personal Data Overlap FAQ

How to handle Data Act access and sharing requests when the dataset includes personal data.

Use this FAQ to separate Data Act access rights from GDPR conditions, map user and data-subject roles, and decide when data can be delivered, minimised, anonymised, or withheld.

The EU Data Act can require access to raw and pre-processed data from connected products and related services, including mixed datasets that contain both personal and non-personal data. It does not displace the GDPR. When personal data is involved, teams still need a GDPR role map, lawful basis, minimisation decision, data-subject rights route, and recipient restriction before they disclose or port the data.

## Does the Data Act override the GDPR when requested data includes personal data?

No. Article 1(5) is the boundary rule: the Data Act complements EU data-protection and privacy law, and GDPR rules prevail where personal-data protection conflicts with a Data Act access or sharing step. The Data Act is therefore not a shortcut around GDPR purpose limitation, lawful basis, special-category conditions, transparency, minimisation, security, or data-subject rights.

The practical consequence is that a Data Act request should be split into at least two questions: what product or related-service data is in Data Act scope, and what GDPR condition allows the personal-data part to be processed or disclosed. Non-personal data can often proceed under the Data Act while personal data is limited, separated, anonymised, or routed through a GDPR process.

- Treat the Data Act as the access-and-sharing regime for connected-product and related-service data, not as a GDPR lawful basis.
- Escalate any personal-data element to the privacy owner before disclosure to a user, third party, or public body.
- Document the split between non-personal data, personal data relating to the requesting user, and personal data relating to other people.

Sources for this answer:

- [Regulation (EU) 2023/2854 (Data Act)](https://eur-lex.europa.eu/eli/reg/2023/2854/oj/eng?ref=sorena.io) - Article 1(5) and Recital 7 establish that EU personal-data and privacy law remain controlling when personal data is processed under the Data Act.
- [European Commission - Data Act FAQs v1.4](https://ec.europa.eu/newsroom/dae/redirection/document/108144?ref=sorena.io) - The Commission FAQ states that the GDPR is fully applicable to personal-data processing under the Data Act.

## How should mixed datasets be handled under the Data Act for GDPR Personal Data Overlap implementation evidence?

Start with the Data Act scope, then classify the dataset. Chapter II covers raw and pre-processed data generated by the use of a connected product or related service that is readily available to the data holder, including relevant metadata. Commission material explains that this can include personal and non-personal data, and that co-generated IoT data may be difficult to separate.

A mixed dataset should not be treated as all-disclosable or all-blocked. Separate fields, records, time ranges, identifiers, and metadata where possible. Deliver non-personal data and personal data that can be lawfully provided; anonymise, pseudonymise, aggregate, redact, or withhold the rest when GDPR conditions are not met.

- Classify each requested field as non-personal data, personal data about the requesting user, personal data about another data subject, or trade-secret-encumbered data.
- Record whether the data is raw, pre-processed, metadata, inferred, derived, or outside the readily available data set.
- Keep the transformation note for any anonymisation, pseudonymisation, redaction, aggregation, or field exclusion.

Sources for this answer:

- [European Commission - Data Act explained](https://digital-strategy.ec.europa.eu/en/factpages/data-act-explained?ref=sorena.io) - Commission explanation of Chapter II scope, including raw and pre-processed readily available data and mixed personal/non-personal IoT data.
- [European Commission - Data Act FAQs v1.4](https://ec.europa.eu/newsroom/dae/redirection/document/108144?ref=sorena.io) - The FAQ explains that privacy-enhancing technologies can help where several data subjects or non-data-subject users are involved.

## What changes when the requesting user is also the data subject under the Data Act?

When the user is the data subject for the requested personal data, the Data Act access or porting request resembles GDPR access and portability in an IoT setting. The Data Act can complement GDPR Articles 15 and 20 by covering connected-product and related-service data and, where relevant and technically feasible, real-time access or portability.

That still does not remove GDPR controls. The data holder should verify identity, scope the request to data concerning the requester, protect other data subjects, and use a format that supports Data Act access while remaining consistent with GDPR transparency and security duties.

- Confirm that the requester is the data subject for the personal-data records being delivered.
- Screen shared-device, fleet, household, workplace, and rental contexts for other people whose personal data appears in the same dataset.
- Use the Data Act delivery route only for the data that can be tied to the requester without infringing other data-subject rights.

Sources for this answer:

- [European Commission - Data Act FAQs v1.4](https://ec.europa.eu/newsroom/dae/redirection/document/108144?ref=sorena.io) - Questions 18 and 25a explain how the Data Act complements GDPR access and portability when the user is the data subject.

## What changes when the requesting user is not the data subject under the Data Act?

This is the highest-risk overlap. Recital 7 and the Commission FAQ make clear that the Data Act does not create a GDPR lawful basis for disclosing personal data to a user who is not the data subject or to a third party chosen by that user. The controller must identify an Article 6 GDPR basis or provide data in a form that no longer identifies the data subject.

Common examples include an employer requesting connected-equipment data that includes worker data, a fleet owner requesting vehicle data about drivers, or a buyer of a used connected product requesting historical data about the previous user. In those cases, the answer may be partial delivery, anonymisation, disclosure only of the requester-related data, or refusal of the personal-data portion.

- Do not cite the Data Act itself as the GDPR Article 6 basis for disclosing other people's personal data.
- Check whether the requester is a controller for the requested personal data and can demonstrate its own GDPR compliance.
- If the lawful basis is missing or unclear, provide anonymised data or exclude the personal-data portion.

Sources for this answer:

- [Regulation (EU) 2023/2854 (Data Act)](https://eur-lex.europa.eu/eli/reg/2023/2854/oj/eng?ref=sorena.io) - Recital 7 states that the Data Act does not create a legal basis for access or third-party disclosure where the user is not the data subject.
- [European Commission - Data Act FAQs v1.4](https://ec.europa.eu/newsroom/dae/redirection/document/108144?ref=sorena.io) - Question 25a explains that the controller must assess a GDPR lawful basis or provide anonymised data when the user is not the data subject.

## Who is the controller, processor, user, data holder, and third party in a Data Act/GDPR overlap?

Data Act roles and GDPR roles are separate labels. A data holder is typically the connected-product manufacturer or related-service provider that can make readily available data available. A processor under GDPR is not considered a data holder merely because it processes data for a controller, although a controller can task a processor with making data available.

For GDPR purposes, the Commission FAQ explains that personal data may be requested by a controller or by the data subject. Where a business user is not the data subject and is not in a shared-household situation, it should be treated as a controller for the requested personal data and must meet its own GDPR obligations.

- Map Data Act roles first: user, data holder, data recipient, and third party.
- Map GDPR roles separately: data subject, controller, processor, joint controller, and recipient.
- Require controller-to-controller accountability evidence when personal data moves from the data holder to a business user or third party.

Sources for this answer:

- [Regulation (EU) 2023/2854 (Data Act)](https://eur-lex.europa.eu/eli/reg/2023/2854/oj/eng?ref=sorena.io) - Recitals 18 and 22 distinguish users, data holders, processors, controllers, and third-party processing environments.
- [European Commission - Data Act FAQs v1.4](https://ec.europa.eu/newsroom/dae/redirection/document/108144?ref=sorena.io) - Question 30 explains that a user who is not the data subject can be a controller when requesting personal data from IoT devices.

## Must the data holder verify the requester's GDPR lawful basis before sending data under the Data Act?

The Data Act context is the starting point for this answer. For controller-to-controller sharing, each controller must be able to demonstrate GDPR compliance. The Commission FAQ says controllers should cooperate by sharing strictly necessary information so each can demonstrate compliance. That does not mean the data holder should collect excessive privacy paperwork, but it should not transmit personal data blindly.

A practical request form should ask whether the requester is the data subject, whether another lawful basis is relied on, whether special-category data may be present, whether other data subjects appear in the file, and which third party will receive the data. The data holder can then decide whether to deliver, narrow, anonymise, pseudonymise, or refuse the personal-data element.

- Ask for enough information to distinguish data-subject access from business-controller access.
- Keep only the lawful-basis evidence needed to justify the disclosure decision.
- Escalate special-category, children's, workplace, health, precise-location, or multi-user data before third-party transfer.

Sources for this answer:

- [European Commission - Data Act FAQs v1.4](https://ec.europa.eu/newsroom/dae/redirection/document/108144?ref=sorena.io) - Question 25b explains controller accountability and cooperation when personal data is shared between controllers.
- [European Commission - Data protection overview](https://commission.europa.eu/law/law-topic/data-protection_en?ref=sorena.io) - Commission overview used for the baseline point that EU data protection rules protect personal data and are enforced by data protection authorities.

## How do data-subject rights fit with Data Act access and portability?

Data-subject rights do not disappear because a request is framed as a Data Act request. Data subjects can still use GDPR access, portability, information, objection, restriction, and complaint routes where applicable. The Data Act can add an IoT-specific access or sharing route, but the personal-data part remains supervised through data-protection authorities.

Commission FAQ guidance says data subjects should not need to go to two authorities when access and porting rights overlap under the Data Act and GDPR. For operational teams, that means complaint handling should route privacy issues to the privacy function or DPO while preserving the Data Act request file.

- Show users where Data Act access, GDPR access, and GDPR portability routes differ.
- Do not use Data Act wording to narrow GDPR rights or complaint channels.
- Log whether a request was completed as Data Act access, GDPR access, GDPR portability, or a combined response.

Sources for this answer:

- [European Commission - Data Act FAQs v1.4](https://ec.europa.eu/newsroom/dae/redirection/document/108144?ref=sorena.io) - Questions 2 and 18 explain DPA competence and the Data Act's relationship with GDPR access and portability rights.
- [Regulation (EU) 2023/2854 (Data Act)](https://eur-lex.europa.eu/eli/reg/2023/2854/oj/eng?ref=sorena.io) - Article 37(3) gives GDPR supervisory authorities responsibility for Data Act monitoring insofar as personal-data protection is concerned.

## Can trade secrets or security concerns justify limiting personal-data delivery under the Data Act?

Trade secrets and GDPR are different protections. The Data Act does not remove trade-secret protection, and it allows confidentiality safeguards before disclosure. If agreed safeguards are missing or not implemented, sharing trade-secret-protected data can be withheld or suspended. In exceptional cases, refusal may be possible where disclosure is highly likely to cause serious economic damage.

Do not use a trade-secret label to hide a weak GDPR analysis, and do not use GDPR as a blanket reason to suppress non-personal data. The review should identify the affected fields, the protected interest, the safeguard proposed, and what data remains available after applying privacy, trade-secret, and security controls.

- Separate privacy redactions from trade-secret safeguards in the response record.
- Identify the trade-secret holder and the precise protected data or metadata.
- Notify and preserve challenge routes where the Data Act requires notice for withholding, suspension, or refusal.

Sources for this answer:

- [European Commission - Data Act explained](https://digital-strategy.ec.europa.eu/en/factpages/data-act-explained?ref=sorena.io) - Commission explanation of trade-secret safeguards, withholding or suspension, and exceptional refusal under the Data Act.
- [European Commission - Data Act FAQs v1.4](https://ec.europa.eu/newsroom/dae/redirection/document/108144?ref=sorena.io) - Question 23 explains the Data Act trade-secret mechanism and challenge routes.

## What can a third party do with personal data received through a Data Act request?

Under the Data Act, a third party may use received data only for purposes agreed with the user, and Article 6 includes prohibitions such as using the data to develop a competing connected product and sharing it with a Digital Markets Act gatekeeper. Where the received data is personal data, the third party must also satisfy GDPR controller or processor obligations for its own processing.

Before sending data to a third party, the data holder should confirm the user's instruction, identify the receiving entity, record the agreed purpose, restrict further use, and handle any GDPR transfer or recipient information duties. If the user is not the data subject, the lawful-basis analysis becomes decisive.

- Record the third party's identity, purpose, data categories, delivery method, and restrictions.
- Do not send personal data to a third party on the user's instruction unless the GDPR basis and role allocation are clear.
- Keep a narrower non-personal-data delivery option available when the personal-data part cannot lawfully be shared.

Sources for this answer:

- [European Commission - Data Act explained](https://digital-strategy.ec.europa.eu/en/factpages/data-act-explained?ref=sorena.io) - Commission explanation of users sharing data with third parties and the exclusion for DMA gatekeepers.
- [European Commission - Data Act FAQs v1.4](https://ec.europa.eu/newsroom/dae/redirection/document/108144?ref=sorena.io) - Questions 31 and 35 explain third-party transfer rights and third-party use limits under Chapter II.

## What evidence should a Data Act/GDPR overlap file contain for GDPR Personal Data Overlap implementation evidence?

The evidence file should show how the team separated the Data Act question from the GDPR question. Keep the request form, requester identity and role, data-scope decision, field-level classification, lawful-basis check, minimisation step, trade-secret or security review, third-party recipient details, and the final decision to disclose, limit, anonymise, or refuse.

Use one short decision note per request that points to the controlling legal rule and the operational action taken. That keeps the file auditable without burying the reviewer in free-form commentary or repeating template language.

- Store the Data Act scope decision separately from the GDPR lawful-basis decision.
- Keep field-level notes for excluded, anonymised, pseudonymised, aggregated, or redacted data.
- Preserve the recipient restriction and user instruction for each third-party transfer.

Sources for this answer:

- [Regulation (EU) 2023/2854 (Data Act)](https://eur-lex.europa.eu/eli/reg/2023/2854/oj/eng?ref=sorena.io) - Binding source for Data Act scope, personal-data hierarchy, role distinctions, trade-secret safeguards, and supervisory-authority competence.
- [European Commission - Data Act FAQs v1.4](https://ec.europa.eu/newsroom/dae/redirection/document/108144?ref=sorena.io) - Implementation FAQ grounding the evidence fields for GDPR lawful basis, role allocation, portability, third-party sharing, and trade secrets.

## What Data Act source evidence should teams keep for the GDPR Personal Data Overlap FAQ decision?

Keep the source evidence tied to the legal point the team actually used. That means the Data Act article or recital, the Commission FAQ question or fact page, the request date, the internal owner, and the specific data categories affected.

The record should also show why the decision was made, not just what text was cited. If the team relied on anonymisation, minimisation, a GDPR lawful basis, or a trade-secret safeguard, the file should say so plainly and link it to the relevant source URL.

- Keep the cited Data Act article or recital, the Commission FAQ reference, and the source URL with the decision note.
- Record the affected workflow, data categories, decision date, reviewer, and unresolved assumptions.
- Store the implementation artifact or approval record together with the source evidence so the same file supports later audits.

## How should teams assign ownership for Data Act GDPR Personal Data Overlap implementation work?

Assign one accountable owner for the process change, usually the team that can actually update the intake form, workflow, contract, or API rule. For Data Act/GDPR overlap, that is often privacy, legal, product, support, procurement, security, or data governance, depending on where the request enters the business.

Ownership should be clear even when several teams are consulted. The accountable owner should decide whether the request can move forward, needs redaction or anonymisation, or must be escalated for a GDPR or trade-secret review.

- Assign a single accountable owner for each request path and keep consulted teams in a separate field.
- Map the decision to the source clause, implementation rule, and the workflow it changes.
- Record the owner of the intake form, approval step, and escalation path so future requests follow the same rule.

## Primary sources

- [Regulation (EU) 2023/2854 (Data Act)](https://eur-lex.europa.eu/eli/reg/2023/2854/oj/eng?ref=sorena.io) - Binding EU Data Act text used for Article 1(5), Recital 7, user/data-holder role boundaries, processors, trade-secret safeguards, and DPA competence where personal-data protection is concerned.
- [European Commission - Data Act FAQs v1.4](https://ec.europa.eu/newsroom/dae/redirection/document/108144?ref=sorena.io) - Commission implementation FAQ used for GDPR overlap, mixed personal and non-personal data, lawful basis where the user is not the data subject, portability, third-party use limits, and trade-secret handling.
- [European Commission - Data Act explained](https://digital-strategy.ec.europa.eu/en/factpages/data-act-explained?ref=sorena.io) - Commission fact page used for Chapter II scope, connected-product and related-service data, third-party sharing, mixed datasets, and trade-secret safeguards.
- [European Commission - Data protection overview](https://commission.europa.eu/law/law-topic/data-protection_en?ref=sorena.io) - Commission overview used only for general EU data-protection context and authority framework around personal data.

## Topic Guides

- [Data Act and Common European Data Spaces](/artifacts/eu/data-act/data-act-and-common-european-data-spaces.md): How Data Act Article 33 connects data-space participation with metadata, vocabularies, APIs, access terms, data quality, governance, and standards monitoring.
- [Data Act and Data Governance Act Overlap FAQ](/artifacts/eu/data-act/faq/data-governance-act-overlap.md): FAQ explaining where the EU Data Act and Data Governance Act overlap, how they differ, and how to route product, cloud, public-sector reuse, intermediary, and data altruism workflows.
- [Data Act Audit Evidence And Request Logs FAQ](/artifacts/eu/data-act/faq/audit-evidence-and-request-logs.md): FAQ for Data Act request logs covering user and third-party access, B2G exceptional need requests, cloud switching records, contract terms, trade secrets, and GDPR boundaries.
- [Data Act B2B Data-Sharing Contract Clauses](/artifacts/eu/data-act/b2b-data-sharing-contract-clauses.md): Clause guide for EU Data Act B2B data sharing: FRAND terms, compensation, trade secret safeguards, recipient limits, termination, logs, and GDPR boundaries.
- [Data Act B2B Data-Sharing Contract Template](/artifacts/eu/data-act/b2b-data-sharing-contract-template.md): A usable EU Data Act B2B data-sharing template outline covering access requests, data schedules, permitted use, trade secrets, security, compensation, GDPR boundaries, audit records, and termination.
- [Data Act B2G Exceptional-Need Requests](/artifacts/eu/data-act/b2g-exceptional-need-requests.md): A grounded guide to EU Data Act Chapter V requests from public bodies: exceptional need, public emergencies, request contents, limits, safeguards, costs, and records.
- [Data Act Cloud Switching Compliance Checklist](/artifacts/eu/data-act/cloud-switching-compliance-checklist.md): A grounded EU Data Act checklist for cloud and data processing service providers covering switching clauses, notices, export formats, charges, interoperability, and evidence.
- [Data Act Cloud Switching Contract Terms FAQ](/artifacts/eu/data-act/faq/cloud-switching-contract-terms.md): FAQ on EU Data Act cloud switching contract terms: Article 25 clauses, assistance, notice, transition, charges, export, termination, interoperability, and records.
- [Data Act Cloud Switching Fees And Deadlines FAQ](/artifacts/eu/data-act/faq/cloud-switching-fees-and-deadlines.md): FAQ on EU Data Act cloud switching charges, 2027 fee removal, notice periods, transition windows, data retrieval, contract terms, and evidence records.
- [Data Act Complaints and Dispute Settlement FAQ](/artifacts/eu/data-act/faq/complaints-and-dispute-settlement.md): FAQ on EU Data Act complaints, competent authorities, dispute settlement bodies, B2B data-sharing disputes, B2G requests, cloud switching disputes, and evidence records.
- [Data Act Exportable Data and Metadata FAQ](/artifacts/eu/data-act/faq/exportable-data-and-metadata.md): FAQ explaining which product, related service, metadata, and cloud switching data must be exportable under the EU Data Act, and which data can be excluded.
- [Data Act FAQ for Aftermarket Repair and Mobility Services](/artifacts/eu/data-act/faq/aftermarket-repair-and-mobility-services.md): FAQ on EU Data Act vehicle-data access for repairers, independent service providers, fleets, insurers, and mobility services.
- [Data Act Functional Equivalence FAQ](/artifacts/eu/data-act/faq/functional-equivalence.md): FAQ on Data Act functional equivalence for cloud switching: IaaS scope, customer outcomes, export support, interoperability duties, limits, and evidence.
- [Data Act Indirect Access Request Flows FAQ](/artifacts/eu/data-act/faq/indirect-access-request-flows.md): FAQ for Data Act teams handling user and third-party data requests when direct connected-product access is unavailable, incomplete, or limited.
- [Data Act International Government Access FAQ](/artifacts/eu/data-act/faq/international-government-access.md): FAQ on EU Data Act safeguards for non-EU government access to non-personal data held in the Union by data processing service providers.
- [Data Act Interoperability Standards FAQ](/artifacts/eu/data-act/faq/interoperability-standards.md): FAQ on EU Data Act interoperability standards for data spaces, cloud switching, smart contracts, harmonised standards, common specifications, and M/614.
- [Data Act Model Contractual Terms FAQ](/artifacts/eu/data-act/faq/model-contractual-terms.md): FAQ on the EU Data Act non-binding model contractual terms for data access and use, cloud switching clauses, B2B use, unfair terms, and evidence.
- [Data Act Public Emergency Requests FAQ](/artifacts/eu/data-act/faq/public-emergency-requests.md): FAQ on EU Data Act public emergency requests: exceptional need, request content, timing, data holder response, compensation, confidentiality, and records.
- [Data Act Smart Contracts for Data Sharing](/artifacts/eu/data-act/smart-contracts-for-data-sharing.md): Data Act Article 36 smart contract guide for data-sharing agreements: scope, robustness, access control, termination, interruption, archiving, standards status, and conformity evidence.
- [Data Act SME Exceptions and Startups FAQ](/artifacts/eu/data-act/faq/sme-exceptions-and-startups.md): FAQ on where the EU Data Act gives micro, small, medium-sized, startup, and SME actors narrower treatment for access duties, compensation, and B2B terms.
- [Data Act Trade Secret Technical Protection Measures FAQ](/artifacts/eu/data-act/faq/trade-secret-technical-protection-measures.md): FAQ on how EU Data Act data holders can protect trade secrets with confidentiality safeguards, technical measures, limited withholding, suspension, refusal, and evidence.
- [Data Act Trade Secrets and Protection Measures](/artifacts/eu/data-act/trade-secrets-and-protection.md): Data Act guide for protecting trade secrets during access and sharing: classification, safeguards, refusal thresholds, notices, evidence records, and reviews.
- [Data Act Unfair Contractual Terms | Article 13 B2B Contract Review](/artifacts/eu/data-act/unfair-contractual-terms.md): Review B2B data-sharing clauses under EU Data Act Article 13: unilateral terms, always unfair examples, presumed unfair terms, model clauses, evidence, and remediation.
- [Data Act Vehicle Data Guidance](/artifacts/eu/data-act/vehicle-data-guidance.md): Commission-grounded guide to Data Act vehicle data access: connected vehicles, vehicle-related services, raw and pre-processed data, aftermarket use cases, access routes, safeguards, and GDPR boundaries.
- [Data Act vs GDPR: connected-product data access](/artifacts/eu/data-act/data-act-vs-gdpr.md): Compare EU Data Act connected-product access duties with GDPR personal-data rules: scope, roles, lawful basis, data subject rights, third-party sharing, trade secrets, and conflicts.
- [EU Data Act and Common European Data Spaces FAQ](/artifacts/eu/data-act/faq/data-act-and-common-european-data-spaces.md): FAQ on how EU Data Act interoperability duties, Data Governance Act rules, and sector data-space governance fit together without treating participation as a general obligation.
- [EU Data Act Applicability Test](/artifacts/eu/data-act/applicability-test.md): Check whether a product, related service, data holder, cloud service, data-space role, smart contract, or B2G request is in scope of the EU Data Act.
- [EU Data Act Application Dates And Transition FAQ](/artifacts/eu/data-act/faq/application-dates-and-transition.md): FAQ on when the EU Data Act applies, which obligations are delayed, and what product, contract, cloud, and evidence records teams should maintain.
- [EU Data Act Article 3 Pre-Contract Information](/artifacts/eu/data-act/pre-contractual-information-obligations.md): What Article 3 of the EU Data Act requires before connected-product purchase, rent, lease, or related-service contracting: data categories, access, data holder identity, third-party sharing, complaints, and evidence.
- [EU Data Act Article 36 Smart Contract Controls FAQ](/artifacts/eu/data-act/faq/article-36-smart-contract-controls.md): FAQ explaining when EU Data Act Article 36 applies to smart contracts for data-sharing agreements and what controls, conformity evidence, and limits it requires.
- [EU Data Act B2B Data Sharing Compensation FAQ](/artifacts/eu/data-act/faq/compensation-for-b2b-data-sharing.md): FAQ on when Data Act data holders may charge B2B data recipients, what reasonable compensation can include, SME limits, unfair terms, disputes, and trade secret safeguards.
- [EU Data Act B2G Compensation and Costs FAQ](/artifacts/eu/data-act/faq/b2g-compensation-and-costs.md): FAQ on when Data Act B2G exceptional-need requests are free, when fair compensation may be claimed, which costs can be included, and what records to keep.
- [EU Data Act B2G Exceptional Need FAQ](/artifacts/eu/data-act/faq/b2g-exceptional-need.md): When public-sector bodies can request business-held data under the EU Data Act, what a valid request must contain, and how data holders handle limits, trade secrets, compensation, and evidence.
- [EU Data Act Checklist for Product, Cloud, and Contract Teams](/artifacts/eu/data-act/checklist.md): A grounded EU Data Act checklist for connected-product data access, third-party sharing, B2G requests, cloud switching, unfair terms, smart contracts, personal data boundaries, evidence, and owners.
- [EU Data Act Cloud Switching and Exit Plans](/artifacts/eu/data-act/cloud-switching-and-exit-plans.md): A grounded EU Data Act guide for data processing service exit plans: switching contracts, exportable data, assistance, charges, interoperability, retrieval, erasure, and records.
- [EU Data Act Cloud Switching Procurement FAQ](/artifacts/eu/data-act/faq/cloud-switching-procurement-checklist.md): Procurement checklist FAQ for EU Data Act cloud switching: contract terms, exit support, exportable data, switching charges, interoperability, termination, and supplier evidence.
- [EU Data Act Compliance Program](/artifacts/eu/data-act/compliance.md): Build a Data Act compliance program for connected-product data access, contracts, B2G requests, cloud switching, smart contracts, GDPR boundaries, records, and ownership.
- [EU Data Act Connected Product Scope and Data Types](/artifacts/eu/data-act/scope-connected-products-and-data-types.md): Classify EU Data Act connected products, related services, product data, related-service data, readily available data, metadata, and excluded derived outputs.
- [EU Data Act Connected Product Scope FAQ](/artifacts/eu/data-act/faq/scope-connected-products.md): FAQ explaining when connected products, related services, generated data, EU market placement, and SME exceptions fall within EU Data Act scope.
- [EU Data Act Data Processing Service Switching](/artifacts/eu/data-act/data-processing-services-switching.md): A grounded EU Data Act guide for provider and customer switching duties: exit assistance, exportable data, contract clauses, charges, interoperability, retrieval, and erasure.
- [EU Data Act data spaces interoperability FAQ](/artifacts/eu/data-act/faq/data-spaces-interoperability.md): FAQ explaining Article 33 Data Act interoperability requirements for data-space participants, common European data spaces, standards, APIs, metadata, and architecture evidence.
- [EU Data Act deadlines and compliance calendar](/artifacts/eu/data-act/deadlines-and-compliance-calendar.md): A source-linked calendar for EU Data Act application dates, product design timing, contract remediation, cloud switching charges, response periods, standards work, and evidence records.
- [EU Data Act Direct Access by Design FAQ](/artifacts/eu/data-act/faq/direct-access-by-design.md): FAQ for product and legal teams designing user access to connected-product and related-service data under the EU Data Act.
- [EU Data Act Enforcement And Competent Authorities FAQ](/artifacts/eu/data-act/faq/enforcement-and-competent-authorities.md): FAQ on who enforces the EU Data Act, how complaints work, how Member States set penalties, when dispute settlement can be used, and when GDPR authorities remain responsible.
- [EU Data Act FAQ: scope, access rights, B2G, cloud switching, GDPR, and dates](/artifacts/eu/data-act/faq.md): Grounded EU Data Act FAQ index covering connected-product data access, third-party sharing, B2G exceptional need, cloud switching, smart contracts, GDPR boundaries, unfair terms, trade secrets, and application dates.
- [EU Data Act Non-Emergency Public-Sector Requests FAQ](/artifacts/eu/data-act/faq/non-emergency-public-sector-requests.md): FAQ on EU Data Act requests where a public body claims exceptional need outside a public emergency, including scope, request contents, limits, compensation, confidentiality, and evidence.
- [EU Data Act Non-Personal Data and Mixed Datasets FAQ](/artifacts/eu/data-act/faq/non-personal-data-and-mixed-datasets.md): FAQ on how the EU Data Act treats non-personal data, mixed datasets, GDPR precedence, user and third-party access, trade-secret limits, and evidence records.
- [EU Data Act Penalties and Enforcement](/artifacts/eu/data-act/penalties-and-fines.md): Grounded guide to Data Act penalties under Article 40, Member State enforcement, penalty factors, complaints, judicial remedies, and the GDPR enforcement boundary.
- [EU Data Act Pre-Contractual Information FAQ](/artifacts/eu/data-act/faq/pre-contractual-information.md): FAQ on EU Data Act Article 3 pre-contract information for connected products and related services, including data categories, access methods, data holder identity, third-party sharing, and GDPR boundaries.
- [EU Data Act Product Data vs Related Service Data FAQ](/artifacts/eu/data-act/faq/product-data-and-service-data.md): FAQ explaining how the EU Data Act separates connected product data, related service data, readily available raw and pre-processed data, metadata, and inferred or derived outputs.
- [EU Data Act Readily Available Data FAQ](/artifacts/eu/data-act/faq/readily-available-data.md): FAQ on what counts as readily available data under the EU Data Act, including product data, related service data, metadata, inferred data, and access mechanics.
- [EU Data Act Related Services FAQ](/artifacts/eu/data-act/faq/related-services.md): FAQ explaining when software is a Data Act related service, how it links to connected products, which product and service data are in scope, and what exclusions apply.
- [EU Data Act requirements](/artifacts/eu/data-act/requirements.md): Source-grounded EU Data Act requirements for connected-product data access, B2B sharing terms, B2G exceptional needs, cloud switching, smart contracts, interoperability, GDPR boundaries, and records.
- [EU Data Act Smart Contracts for Data Sharing FAQ](/artifacts/eu/data-act/faq/smart-contracts-for-data-sharing.md): Answers on Article 36 Data Act smart-contract requirements for data sharing: scope, robustness, access control, termination, archiving, conformity assessment, contract terms, and standards status.
- [EU Data Act Third-Party Data Sharing FAQ](/artifacts/eu/data-act/faq/third-party-data-sharing.md): FAQ on user-directed third-party data sharing under the EU Data Act, covering data holder duties, recipient limits, trade secrets, security, GDPR, and gatekeepers.
- [EU Data Act Trade Secret Safeguards FAQ](/artifacts/eu/data-act/faq/trade-secrets-safeguards.md): FAQ on protecting trade secrets when handling EU Data Act user and third-party data access requests, including safeguards, withholding, suspension, refusal, notices, and records.
- [EU Data Act Unfair Contractual Terms FAQ](/artifacts/eu/data-act/faq/unfair-contractual-terms.md): FAQ on Article 13 of the EU Data Act: B2B unfair contract terms, unilateral take-it-or-leave-it clauses, always-unfair terms, presumed-unfair terms, SMEs, model terms, and review evidence.
- [EU Data Act User Access and Portability Rights](/artifacts/eu/data-act/access-rights-and-portability.md): Practical guide to EU Data Act user access, connected-product data portability, third-party sharing, trade secret safeguards, and the GDPR boundary.
- [EU Data Act Users, Data Holders, and Recipients FAQ](/artifacts/eu/data-act/faq/users-data-holders-and-recipients.md): FAQ explaining Data Act users, data holders, data recipients, connected products, related services, user access, third-party limits, and GDPR boundaries.
- [EU Data Act Vehicle Data Guidance FAQ](/artifacts/eu/data-act/faq/vehicle-data-guidance.md): FAQ on EU Data Act vehicle data guidance for connected vehicles, aftermarket repair, mobility services, third-party access, trade secrets, security, and GDPR boundaries.
- [EU Data Act vs Data Governance Act](/artifacts/eu/data-act/data-act-vs-data-governance-act.md): Compare the EU Data Act with the Data Governance Act: connected-product access, cloud switching, B2B/B2G duties, protected public-sector reuse, intermediaries, altruism, governance, and enforcement.

*Recommended next step*

*Placement: after evidence section*

## Review Data Act and GDPR overlap

Map Data Act access rights against GDPR roles, lawful basis, minimisation, trade-secret safeguards, and third-party sharing before changing product, support, or contract workflows.

- [Open Research Copilot](/solutions/research-copilot.md): Get cited answers on Data Act/GDPR overlap and adjacent connected-product data obligations.
- [Discuss Data Act Overlap](/contact.md): Review mixed dataset, lawful-basis, role-mapping, and third-party sharing impacts across product and legal workflows.


---

[Privacy Policy](https://www.sorena.io/privacy) | [Terms of Use](https://www.sorena.io/terms-of-use) | [DMCA](https://www.sorena.io/dmca) | [About Us](https://www.sorena.io/about-us)

(c) 2026 Sorena AB (559573-7338). All rights reserved.

Source: https://www.sorena.io/artifacts/eu/data-act/faq/gdpr-personal-data-overlap