Use this comparison to keep personal data issues under GDPR safeguards even when a data-access or data-use workstream also considers the EU Data Act.
The available grounding supports GDPR obligations in detail and supports only limited Data Act identification, so Data Act comparator facts are deliberately source-limited.
Structured answer sets in this page tree.
Cited legal and guidance references.
This artifact compares GDPR with the EU Data Act only to the extent supported by the retained GDPR grounding folder. Treat GDPR as the controlling workstream for personal data processing, lawful basis, transparency, data-subject rights, controller and processor allocation, security, breach handling, international transfers, and accountability evidence. Treat the Data Act side here as a source-limited comparator, not a complete Data Act implementation guide.
Use these rows to keep GDPR obligations intact and to avoid treating unsupported Data Act details as sourced facts.
Detailed grounding is available for personal data processing, lawful basis, rights, transfers, security, controller and processor accountability, and records.
The GDPR grounding folder supports only limited identification of Regulation (EU) 2023/2854 as concerning fairness in access to and use of data.
| Dimension | GDPR | EU Data Act | Operational implication |
|---|---|---|---|
| Scope boundary | Covers processing of personal data, including information relating to an identified or identifiable natural person. | Source-limited here to the Data Act's identification as Regulation (EU) 2023/2854 on fairness in access to and use of data. | If personal data is involved, run the GDPR analysis even if another data-access or data-use regime is also being considered. |
| Covered actors | Requires role allocation for controllers, joint controllers, processors, representatives where relevant, DPO tasks where applicable, processor contracts, RoPA, security, breach, DPIA, and accountability records. | This folder does not ground Data Act actor allocation beyond the limited Regulation (EU) 2023/2854 identification. | Do not let a Data Act project label obscure who determines purposes and means for personal data or who processes on documented instructions. |
| Trigger | Requires a lawful basis for each processing purpose and accountability evidence for lawfulness, fairness, transparency, purpose limitation, minimisation, accuracy, storage limitation, integrity, and confidentiality. | No Data Act lawful-basis substitute is grounded in this folder. | Do not rely on a data-access or data-sharing rationale until the GDPR basis and purpose are recorded. |
| Core obligations | Requires transparent information and data-subject rights handling, including access, rectification, erasure, restriction, portability, objection, and automated-decision safeguards where applicable. | This folder does not ground Data Act request procedures, response windows, or recipient workflows. | Keep GDPR rights intake and fulfilment separate from any Data Act request queue unless a Data Act-specific source set supports integration. |
| Evidence record | Requires a Chapter V transfer basis or safeguard when personal data is transferred to a third country or international organisation. | No Data Act transfer safeguard rule is grounded in this folder. | Use GDPR transfer records, SCCs, adequacy, and supplementary-measures analysis where personal data crosses borders. |
| Timing and deadlines | GDPR grounding supports supervisory authorities, corrective powers, data-subject remedies, compensation, and administrative fines under GDPR. | No Data Act competent-authority procedure or penalty variant is grounded in this folder. | For this artifact, escalate GDPR issues through privacy governance and supervisory-authority readiness; do not invent Data Act enforcement details. |
| Enforcement | The GDPR gives supervisory authorities powers to monitor application, handle complaints, investigate, and impose corrective measures, including suspension of data flows or administrative fines where needed. | This folder does not ground Data Act enforcement bodies, remedies, or penalty scales. | If the issue is about personal data enforcement, route it through the GDPR authority first and only add Data Act enforcement steps from Data Act-specific sources. |
| Overlap and reuse | The GDPR analysis can still run even when another EU data regime is also relevant, and the same factual workflow may need a separate lawfulness, transfer, or security review. | This folder only identifies the Data Act at a high level and does not support reuse of Data Act conclusions for personal data questions. | Use shared facts, not shared conclusions: the same event may trigger both regimes, but GDPR findings do not automatically answer Data Act questions and vice versa. |
| Practical decision rule | Start with GDPR if any personal data is present, because the GDPR provides the grounded rules here for scope, lawful basis, rights, transfers, security, and accountability. | Treat the Data Act side as a cue to check whether a separate source set is needed; this folder does not ground the full Data Act rule set. | If the fact pattern contains personal data, document the GDPR decision first and only then layer in Data Act work from Data Act-specific sources. |
Covers processing of personal data, including information relating to an identified or identifiable natural person.
Source-limited here to the Data Act's identification as Regulation (EU) 2023/2854 on fairness in access to and use of data.
If personal data is involved, run the GDPR analysis even if another data-access or data-use regime is also being considered.
Requires role allocation for controllers, joint controllers, processors, representatives where relevant, DPO tasks where applicable, processor contracts, RoPA, security, breach, DPIA, and accountability records.
This folder does not ground Data Act actor allocation beyond the limited Regulation (EU) 2023/2854 identification.
Do not let a Data Act project label obscure who determines purposes and means for personal data or who processes on documented instructions.
Requires a lawful basis for each processing purpose and accountability evidence for lawfulness, fairness, transparency, purpose limitation, minimisation, accuracy, storage limitation, integrity, and confidentiality.
No Data Act lawful-basis substitute is grounded in this folder.
Do not rely on a data-access or data-sharing rationale until the GDPR basis and purpose are recorded.
Requires transparent information and data-subject rights handling, including access, rectification, erasure, restriction, portability, objection, and automated-decision safeguards where applicable.
This folder does not ground Data Act request procedures, response windows, or recipient workflows.
Keep GDPR rights intake and fulfilment separate from any Data Act request queue unless a Data Act-specific source set supports integration.
Requires a Chapter V transfer basis or safeguard when personal data is transferred to a third country or international organisation.
No Data Act transfer safeguard rule is grounded in this folder.
Use GDPR transfer records, SCCs, adequacy, and supplementary-measures analysis where personal data crosses borders.
GDPR grounding supports supervisory authorities, corrective powers, data-subject remedies, compensation, and administrative fines under GDPR.
No Data Act competent-authority procedure or penalty variant is grounded in this folder.
For this artifact, escalate GDPR issues through privacy governance and supervisory-authority readiness; do not invent Data Act enforcement details.
The GDPR gives supervisory authorities powers to monitor application, handle complaints, investigate, and impose corrective measures, including suspension of data flows or administrative fines where needed.
This folder does not ground Data Act enforcement bodies, remedies, or penalty scales.
If the issue is about personal data enforcement, route it through the GDPR authority first and only add Data Act enforcement steps from Data Act-specific sources.
The GDPR analysis can still run even when another EU data regime is also relevant, and the same factual workflow may need a separate lawfulness, transfer, or security review.
This folder only identifies the Data Act at a high level and does not support reuse of Data Act conclusions for personal data questions.
Use shared facts, not shared conclusions: the same event may trigger both regimes, but GDPR findings do not automatically answer Data Act questions and vice versa.
Start with GDPR if any personal data is present, because the GDPR provides the grounded rules here for scope, lawful basis, rights, transfers, security, and accountability.
Treat the Data Act side as a cue to check whether a separate source set is needed; this folder does not ground the full Data Act rule set.
If the fact pattern contains personal data, document the GDPR decision first and only then layer in Data Act work from Data Act-specific sources.
GDPR applies to processing of personal data and defines both personal data and processing broadly. If a connected product, service, data-sharing request, contract, support workflow, analytics feature, or export contains information relating to an identified or identifiable natural person, the GDPR analysis should run before any reuse of Data Act evidence.
The available Data Act grounding in this folder supports identifying Regulation (EU) 2023/2854 as a regulation on fairness in access to and use of data. It does not support detailed Data Act actor, deadline, procedure, or penalty claims in this artifact.
A Data Act workstream does not supersede GDPR Article 6 lawful-basis analysis, transparency duties, data-subject rights handling, processor terms, security controls, or breach documentation. Each processing purpose still needs its own GDPR basis and evidence.
For controller and processor accountability, maintain a record that shows who determines purposes and means, who processes on documented instructions, which processor terms apply, and how data-subject requests reach the accountable controller.
If a data-access, recipient, vendor, cloud, support, or analytics path sends personal data outside the EU/EEA or to an international organisation, keep the GDPR Chapter V transfer analysis separate from any Data Act comparison.
The Commission SCC source in the grounding folder supports SCCs as a GDPR transfer safeguard for transfers from EU/EEA controllers or processors to third-country controllers or processors in the relevant circumstances. This artifact does not add Data Act transfer rules because the folder does not ground them.
The safest comparison output is a two-column evidence record: GDPR evidence in one column and source-limited Data Act notes in the other. Do not merge them into one generic data-governance decision.
For GDPR, keep records that can show compliance to privacy, security, legal, product, procurement, support, and audit reviewers without relying on unsupported Data Act assumptions.
Sorena can help map each data-use scenario to GDPR scope, lawful basis, rights, transfers, and accountability evidence while flagging where Data Act-specific source work is still needed.
Ask source-linked questions about GDPR scope, lawful basis, data-subject rights, transfer safeguards, and accountability evidence.
Review where personal data safeguards apply and where a Data Act-specific source set is needed before implementation decisions.
"fairness in access to and use of data"
"appropriate data protection safeguards"
"under Article 30 GDPR"
"protection of personal data"