What Is the Difference Between the GDPR and the Data Act?

Although both the GDPR and the EU Data Act concern data, they have distinct objectives and scopes. The GDPR is primarily focused on protecting personal data. It gives individuals the right to access, correct, or erase information that organisations hold about them, and requires organisations to be transparent about how personal data is used, who it is shared with, and to provide it in a usable format. Its purpose is to safeguard individual privacy and ensure that personal information is handled lawfully.

By contrast, the EU Data Act is designed to facilitate data sharing and reuse, particularly in business-to-business (B2B) and business-to-government (B2G) contexts. It applies mainly to non-personal data generated by connected products, such as IoT devices, and the digital services that operate them. Under the Data Act, manufacturers and service providers, known as “data holders,” must ensure that data generated by their products is accessible to the users, third parties chosen by users, and, in certain circumstances, public authorities. The Act aims to stimulate innovation, promote competition, and enable the creation of new services based on this data.

The two laws also differ in who is required to comply. GDPR obligations fall on data controllers, with data processors assisting where relevant, while the Data Act places responsibility on data holders and, in some cases, third-party recipients to share and manage data under agreed terms. While both frameworks share principles such as transparency and fairness, their focus diverges: the GDPR protects individual privacy, whereas the Data Act promotes access and reuse of data to drive economic and technological opportunities. Organisations handling connected products or mixed datasets will need to carefully navigate both regimes, ensuring proper classification of data, lawful processing, and robust contractual arrangements to meet their obligations.