05-14-2025 Article

Compliance dilemma: Data Act forces companies to walk a tightrope between data disclosure and data protection. Will the politically motivated guidance from the HmbBfDI help?

Update Data Protection No. 209

From September 12, 2025, most of the obligations under the European Data Act (Regulation (EU) 2023/2854) must be implemented (we reported on the objectives, addressees, and provisions of the Data Act in Data Protection Update No. 200, No. 187, No. 158, No. 148). The regulatory objective of facilitating the free flow of data is pursued through a series of obligations and requirements, some of which overlap with data protection law, thus creating an area of tension. Both data controllers and users or data recipients who wish to benefit from the Data Act must familiarize themselves with the regulations applicable to them and establish appropriate compliance structures.

The Hamburg Commissioner for Data Protection and Information Security (HmbBfDI) published a guide at the end of April entitled "The Data Act as a challenge for data protection" to provide assistance in navigating this new legal territory. The paper explains the relationship between the two laws and raises awareness of data protection issues in the application of the Data Act. The HmbBfDI clearly aims to highlight the extent of the overlaps between the Data Act and the GDPR. This presentation ultimately leads to a call on legislators not to allow supervision of the GDPR and the Data Act to diverge, as well as a subtle plea to leave supervision of the Data Act to the data protection supervisory authorities. Many of the statements in the HmbBfDI's guidance must be read against this background. We present the main contents of the paper, supplemented by practical information.

1. Personal reference of data even when applying the Data Act as a guiding principle

The guidance document first outlines the main areas covered by the Data Act (data access rights, emergency provisions, cloud switching, and international data transfers). Not all of these areas involve personal data, so for those areas the GDPR does not need to be examined in more detail. The HmbBfDI emphasizes that this classification alone makes it clear that specialist knowledge of data protection law is required to implement the Data Act. The classification of data into personal and non-personal data categories is decisive not only for determining which provisions of the Data Act apply, but also for determining which additional requirements of the GDPR must be observed.

This area of conflict is particularly evident in the provisions on data transfer in Chapter II of the Data Act. First, the provision of personal data to the user (Art. 4 DA) or to a third party (Art. 5 DA) is only permissible if there is a legal basis for doing so. Second, if a legal basis exists, the other data protection requirements of the GDPR must also be observed. If, on the other hand, there is no legal basis, the access rights under the Data Act take a back seat in favor of data protection in the individual case.

The HmbBfDI's note that, in future, a more careful distinction must be made between non-personal and personal data, particularly in the case of mixed data sets, is very relevant in practice. Until now, data protection supervisory authorities and courts have tended to subject a data set that contains at least one identifying feature that can be assigned to a person to the GDPR as a whole. So, if a technical data set contained predictive maintenance data but was also linked to log files that could be used to determine which person had used the corresponding smart device at what time, the entire data set was often treated as if it were completely personal. The announcement by the HmbBfDI that it now intends to distinguish between personal and non-personal information in "mixed data sets" is therefore very welcome in practice. This is because anyone who prematurely affirms the personal reference within the framework of the Data Act and, on this basis, rejects claims for data transfer, exposes themselves to the risk of sanctions under the Data Act. If, on the other hand, personal data is disclosed prematurely in order to fulfill obligations under the Data Act, the sanction regime of the GDPR applies. Because mixed data sets are widespread in practice, it is a considerable relief – from the perspective of the GDPR and its sanction regime – that these are now partially exempt from the GDPR. With regard to the handling of the Data Act, this naturally results in a complex task: All data generated by a networked product and an associated service must be carefully separated into data with and data without personal references, preferably before the first claim under the Data Act is made. This may require the distinction to be made at the level of individual databases and at the level of individual data fields or individual pieces of information. This will need to be further clarified in practice on a case-by-case basis.

2. Requirement for a legal basis

Following the first question of whether personal data is present, if the answer is yes, the question arises as to whether there is a legal basis for the transfer of this data. The reason for this is the relationship between the Data Act and the GDPR explained at the beginning: the laws complement each other and the application of the Data Act must not lead to a reduction in data protection.

The obligations under Art. 4 (1) and Art. 5 (1) of the Data Act do not constitute a "legal obligation" within the meaning of Art. 6 (1) subpara. 1 lit. c) GDPR and therefore cannot themselves be used as a legal basis. In its guidance on this matter, the HmbBfDI distinguishes between the following scenarios that may arise when applying the Data Act:

a) Case group 1: The data subject and the claimant are identical

Under Articles 4 and 5 of the Data Act, the party entitled to claim is the user. If a user who is also the only data subject (often in B2C transactions) requests that their data be disclosed to themselves or made available to a third party, the HmbBfDI believes that a legal basis can generally be established by obtaining the consent required under data protection law. It is even possible that the request itself could be seen as implied consent.

However, caution is advised here: firstly, the strict requirements for consent, such as the prohibition of coupling, must be taken into account. Furthermore, implied consent is ruled out if the data in question is sensitive personal data within the meaning of Art. 9 (1) GDPR, such as health data. In this case, at least explicit consent is always required. The GDPR even allows Member States to completely exclude consent to the processing of sensitive data. This must be checked in particular by data controllers who operate in several countries.

Whether consent is valid must therefore be examined carefully in each individual case. In addition, in many cases, a legal basis can also be found by concluding a corresponding contract with the user pursuant to Art. 6 para. 1 lit. b) GDPR.

The HmbBfDI also points out the parallels to the claims under Art. 15 and Art. 20 GDPR, which grant the data subject a right to information and portability of their personal data, rights with which companies should already be familiar. The claims under the Data Act go further in that they cover not only personal data but also non-personal data and can be asserted not only by the data subject but also by users who are not themselves affected.

b) Case group 2: Data subject and claimant are not the same person

The situation becomes more difficult when the user requests the disclosure of personal data that (also) concerns third parties. This constellation can be found in the use of a networked product by multiple persons (e.g., families, shared households) and in the B2B sector (e.g., employees, car-sharing users). The HmbBfDI merely recommends examining a legitimate interest pursuant to Art. 6 (1) lit. f) GDPR, a contract pursuant to Art. 6 (1) lit. b) GDPR, and consent as a legal basis. Because each of these possible legal bases runs into difficulties in practical implementation, the guidance needs to be supplemented on this point.

Processing on the basis of a legitimate interest is all the more appropriate the less significant the personal data in question is and the more advantageous the intended use by the user or data recipient is for the data subject. In practice, however, the data controller is often unaware of the purposes for which the data will be used, meaning that this key aspect cannot be taken into account when balancing interests in specific cases. Companies should therefore be guided by the general criteria for balancing interests under data protection law. It remains to be seen which specific criteria supervisory authorities and case law will develop for balancing interests in the context of access rights under the Data Act.

Data transfer on the basis of a contract pursuant to Art. 6 (1) lit. b) GDPR is likely to be considered in particular if such a contract exists between the user and the third party concerned. The data controller must then carefully examine whether the transfer is actually "necessary" for the performance of this contract. This examination may be time-consuming in individual cases or even impossible due to a lack of the necessary information.

The above comments on consent also apply in this situation: the validity of the consent must be carefully checked, in particular with regard to the requirements of voluntariness and the prohibition of coupling. This check is difficult to carry out for data controllers who are not themselves in contact with the data subject.

If the data controller nevertheless wishes to rely on a contract or consent as the legal basis, it could contractually ensure that the data protection requirements for the data transfer are actually met. Although such a civil law agreement does not affect the controller's own data protection obligations, it may enable the controller to seek recourse against the user who invokes the consent or contract with the data subject. This also creates an incentive for the user to work towards establishing an effective legal basis.

3. Parallels in information obligations

In addition to the requirement for a legal basis, the other requirements of the GDPR must also be observed when transferring personal data under the Data Act.

These include, in particular, the information obligations under Article 13 GDPR. The data subject must be informed about a number of aspects, such as the identity and contact details of the controller, the purposes and legal basis of the processing, and the duration of storage. The HmbBfDI rightly points out that the information obligations under the Data Act (Art. 3 (2), (3) DA) overlap with those under the GDPR, but are not entirely the same. For example, under the Data Act, information must also be provided about the type, format, and scope of the data to be generated or the rights of use of the data owner. The timing of the information also differs: while the GDPR requires the information to be provided at the time of data collection, the Data Act requires the information to be provided before the connected product or related service is acquired or used, i.e., before the contract is concluded. Particularly when processing mixed data sets, it is therefore necessary to carefully analyze both sets of obligations and to ensure that the "package inserts" are complete.

4. Uncertainty about the expected supervisory structure

Finally, the HmbBfDI addresses the regulatory supervisory structure in its guidance. The associated uncertainty is only briefly outlined here, as it has little impact on the current implementation phase in companies.

The Data Act provides for a division of responsibilities: Member States are to designate a lead supervisory authority for the Data Act. However, if personal data is involved, the authorities responsible for monitoring the GDPR shall also be responsible for the Data Act. A positive consequence of this division is that data protection expertise will be pooled among the data protection authorities. However, as the HmbBfDI points out, there is a risk that questions of jurisdiction will arise. In Germany, the situation is complicated by the fact that the draft bill for a Data Act implementation law presented on February 5, 2025, designates the BfDI as the sole supervisory authority for cases involving personal data. This proposal by the last federal government has met with considerable criticism. The HmbBfDI therefore expresses justified doubts as to whether the new federal government will, firstly, enact an implementation act by September 12, 2025, and, secondly, whether the content of this act will correspond to the previous draft bill.

5. Guidance with reservations – further clarification on the Data Act and GDPR required

The HmbBfDI's guidance clarifies the relationship between the Data Act and the GDPR and raises awareness of legal issues that arise in the area of conflict between the two laws. In particular, the implementation activities identified with regard to data protection can serve as a point of reference for companies for the timely establishment of compliance structures.

However, the ongoing complications with the concept of personal reference are now reflected not only in the GDPR but also in the application of the Data Act, making it difficult for companies to identify the obligations that apply to them. Beyond this issue, companies must check particularly carefully whether there is a legal basis for the provision of personal data. The most appropriate legal basis depends largely on the nature of the business relationship.

Overall, due to the existing legal uncertainties and the balancing act that companies must perform between sanctions under the Data Act and the GDPR, particular care is required during implementation.
