© Fiskil 2025. All rights reserved.
GDPR protects privacy. The Data Act opens the data economy. Both apply to personal data—and you must comply with both.
GDPR: Personal data only. Data Act: Personal AND non-personal data.
GDPR: Privacy rights. Data Act: Economic access rights.
Where they overlap: Mixed datasets (e.g., vehicle telemetry, IoT sensors).
In the event of conflict, GDPR prevails. But conflicts are rare—most obligations coexist, creating dual compliance requirements.
Regulatory Context
Key Obligations
Article 1(5) Data Act: "Without prejudice to GDPR" - GDPR prevails in conflicts
GDPR applies to personal data processing
Data Act applies to both personal and non-personal data generated by connected products
Where datasets contain both: Both regulations apply simultaneously
Data Act access rights go beyond GDPR: real-time access, non-personal data, third-party sharing
GDPR legal basis still required for personal data processing under Data Act
Implementation Reality
Challenges
Mixed datasets: Vehicle telemetry, smart home sensors, industrial IoT contain both personal and non-personal data
Separating data types: Difficult to isolate personal data from non-personal data in real-time streams
Dual information obligations: Article 3 Data Act + Articles 13-14 GDPR have overlapping disclosure requirements
Different access scopes: GDPR provides a snapshot; Data Act may require continuous real-time access
Trade secret protection: Allowed under Data Act, no equivalent exemption under GDPR
Misclassification risk: Unlawful denial under Data Act vs. unlawful disclosure under GDPR
Solution
Dual-Compliant Architecture
A single API infrastructure serves both GDPR Article 15 requests (personal data snapshot) and Data Act Article 4-5 obligations (real-time access, JSON format). Consent management ensures proper authorization for both frameworks.
Data Classification
A structured approach to identifying personal vs. non-personal data in mixed datasets. Apply the appropriate regulatory framework to each data element.
Information Disclosures
Pre-contractual disclosures satisfy both Article 3 Data Act and Articles 13-14 GDPR requirements through comprehensive documentation.
Legal Basis Tracking
The platform manages GDPR legal basis requirements (consent, legitimate interest) for personal data shared under Data Act obligations through recipient onboarding workflows.
Trust & Proof
GDPR compliance certified (SOC 2 Type II)
Data protection by design and by default
Built with DPA guidance on Data Act + GDPR interplay
Dual-regulation audit trail
Handles mixed personal/non-personal datasets at scale
Real-time data classification (millions of data points/second)
Deployed across GDPR-regulated industries
Proven dual-compliance architecture
GDPR protects personal data and privacy rights of individuals. The Data Act facilitates economic access to data (both personal and non-personal) generated by connected products. GDPR is about privacy protection; Data Act is about fair data access and sharing to enable competition and innovation.
No. Article 1(5) of the Data Act explicitly states it is "without prejudice to GDPR." In the event of conflict, GDPR prevails. However, conflicts are rare—most obligations coexist. You must comply with both regulations simultaneously.
GDPR applies to all processing of personal data. The Data Act applies to data generated by connected products (both personal and non-personal). If a connected vehicle generates telemetry data, the Data Act applies to the entire dataset. If that dataset includes personal data (e.g., driver location), GDPR also applies.
GDPR Article 15 gives data subjects the right to a copy of their personal data (a snapshot at the time of request). Data Act Articles 4-5 give users the right to access data generated by their connected products, which can include real-time or continuous access, and covers both personal and non-personal data.
No. The Data Act requires you to share data, but it does not provide a GDPR legal basis for processing personal data. You must still establish a valid GDPR basis (consent, legitimate interest, contract, etc.) for processing personal data shared under the Data Act.
The Data Act allows data holders to withhold data that would reveal trade secrets (subject to demonstrating legitimate concerns). GDPR has no equivalent trade secret exemption—personal data access rights under Article 15 cannot be refused on trade secret grounds.
GDPR is enforced by Data Protection Authorities (DPAs) in each Member State, coordinated by the European Data Protection Board (EDPB). The Data Act is enforced by competent authorities designated by Member States (often different agencies). However, DPAs also enforce Data Act provisions where personal data protection is concerned.
Misclassification creates dual risk. If you treat personal data as non-personal and share it under the Data Act without a GDPR legal basis, you violate GDPR (potential €20M or 4% fine). If you treat non-personal data as personal and refuse Data Act access citing GDPR, you violate the Data Act (Member State penalties vary, some exceed GDPR).