Commission Publishes Frequently Asked Questions about the Data Act

Data Protection Law

On September 6, 2024, The European Commision (“EU”) has published Frequently Asked Questions (“FAQs”) about the Data Act (“Act”) that become applicable on 12 September 2025.

FAQs and answers about the Act, which will increase trust in voluntary data sharing mechanisms, summarised as follows:

1.How Does the Data Act Interact with the General Data Protection Regulation?

The General Data Protection Regulation (“GDPR”) is fully applicable to all personal data processing Activities under the Act. The ACt does not regulate as such the protection of personal data.Instead, the Act enhances data sharing and enables a fair distribution of the value of data by establishing clear rules to the Access and use of data within the EU’s data aconomy.

2.How Does the Relationship Between the Act and the GDPR Affect the Enforcement and Protection of Personal Data?

The Data Act respects the competence of the data protection authorities (DPAs) to enforce rules on personal data protection The Data Act provides a coherent enforcement and cooperation mechanism between DPAs and other competent authorities.

Article 1(5) of the Data Act establishes that the GDPR applies to the processing of personal data in the framework of the Data Act. In this context, it recalls that the DPAs are competent to enforce the obligations stemming directly from the GDPR.

Article 37(3) provides that, insofar as the protection of personal data is concerned, the DPAs are responsible for monitoring the application of the Data Act and can rely on the tasks and powers laid down in the GDPR. This is also stated in recital 107. The protection of personal data captures, for example, the power to assess: (i) whether a user who is a data subject has received or has been allowed to port all personal data it requests, (ii) whether the data holder correctly qualifies which data should be considered personal data; and (iii) whether a valid legal basis under the GDPR exists for a user who is not a data subject to request and port personal data. Article 37(3) also ensures that data subjects are not required to go to two different authorities in cases where the rights of access and porting would apply under both the Data Act and the GDPR or where there could be any other grievance relating to the protection of their personal data in the application of the Data Act.

More generally, the Commission strives to promote a strong working relationship between the authorities that enforce data legislation in the EU, including through the membership of the European Data Protection Supervisor (EDPS) and the European Data Protection Board (EDPB) in the European Data Innovation Board.

3.How Does the Data Act Interact with Existing Data-Sharing Obligations under other EU Legislation?

The Data Act is a horizontal piece of legislation that aims to significantly enhance fair access to and use of data across all sectors of the economy. Chapter III, in particular, establishes a framework regarding the conditions, compensation, and technical protection measures for whenever a data holder is obliged under EU or national law to share data with a data recipient.

More concretely, Article 44 addresses two key dimensions that structure the interaction between the Data Act and other EU legislation that include rules on data access and use time of entry into force (Article 44(1)) and sectoral specificities (Article 44(2)).

According to Article 44(1), data-sharing obligations that entered into force on or before 11 January 2024 (the Data Act's entry into force) remain unaffected. If EU legal acts introduce rules on data between 11 January 2024 and 12 September 2025 (the Data Act's entry into application), best efforts should be made to ensure alignment, but there is no legal obligation to do so.

The Data Act sets horizontal rules for data access, sharing and use. However, Article 44(2) allows the Data Act to be complemented by sector-specific legislation, where necessary, with practical and technical modalities (e.g. safety, standardisation, or technical matters) and with specific limits on data holders' access rights or actions. However, the development of such sectoral rules should be approached cautiously and consistent with the principles laid down in the Data Act to the greatest extent possible, thus avoiding unnecessary complexity. The principles of the Data Act apply for all matters related to 'access to data' that are not specifically regulated in such sectoral rules.

4.What is a 'Connected Product'?

Connected products are items that can generate, obtain, or collect data about their use, performance, or environment and that can communicate this data via a cable-based or wireless connection. This includes communication of data outside the product on an ad hoc basis (e.g. during maintenance operations). Connected products can be found in all areas of the economy and society. They include smart home appliances, consumer electronics, industrial machinery, medical devices, smartphones, and TVs (cf. recital 14).

Products which primarily fulfil the function of storing, processing, or transmitting data (e.g. servers and routers) are outside the scope of the mandatory data-sharing obligations under Chapter II, unless they are owned, rented, or leased by the user.

Similarly, the fact that a connected product (e.g. a wagon, airplane, or vehicle) must use certain infrastructure (e.g. railways, airports, or highways) to function does not entitle the user of that connected product to access data generated by, for instance, sensors that are part of that infrastructure. Access would only be granted if the user has received ownership or contractual rights over the sensors embedded in the infrastructure. Finally, the Data Act specifies that prototypes are out of scope, as their manufacturing stage has not been completed.

You can find further information for the FAQs here.

 

 

Kind regards,

Zumbul Attorneys-at-Law

info@zumbul.av.tr