Data Act vs GDPR: what if my data contains personal data?
Adopted 2026-06-14 ยท ≈ 2 min read ยท 
edited by Dirk Baaijen
If your connected product's data contains personal data, the Data Act and the GDPR apply side by side. The Data Act governs access and sharing; the GDPR governs the lawful basis and protection of personal data.
Short answer: If your connected product's data contains personal data, the GDPR applies on top of the Data Act. The two regimes apply side by side: the Data Act governs access to and sharing of data, while the GDPR protects the personal data within it.
Two regimes, one dataset
The Data Act, Regulation (EU) 2023/2854, has applied since 12 September 2025. It governs access to and the sharing of data generated by connected products and related services. In transport and logistics, think of truck telematics, trailer sensor data, refrigeration units or loading systems. The user, defined as the owner, renter or lessee of the product, has the right to access this data and to share it with third parties.
Much of this data is technical and non-personal. But as soon as a dataset can be traced back to a natural person, for example a driver via driving behaviour, location or working hours, it becomes personal data. In that case the General Data Protection Regulation applies alongside the Data Act. The Data Act does not replace the GDPR and leaves it fully intact.
What this means in practice
The Data Act requires data to be shared on fair terms. Sharing conditions must be FRAND: fair, reasonable and non-discriminatory. Unfair contractual terms on data access are prohibited. The regulation also makes it easier to switch between cloud service providers.
If the data to be shared contains personal data, you must satisfy the GDPR on top of these Data Act requirements. That means a valid lawful basis for processing, transparency towards data subjects, and appropriate security. A data-sharing request under the Data Act does not release you from your GDPR obligations; you must address both at the same time.
Getting ready
Note that for new products placed on the market from 12 September 2026, a design obligation applies: they must be designed so that data is accessible by default. Map now which data flows contain personal data, so you can address the Data Act and the GDPR together from the design stage.
Read the main file: Data Act for transport & logistics. Or take the Transport & Logistics scan.
Sources
- https://eur-lex.europa.eu/eli/reg/2023/2854/oj
Regulation (EU) 2023/2854 (Data Act); applicable since 12 September 2025.
Read next
What do I risk for non-compliance with the Data Act?
The Data Act applies since 12 Sep 2025. Non-compliance risks civil claims, contract terms that are not binding, and GDPR enforcement where personal data is involved. From 12 Sep 2026 the design obligation applies.
The Data Act and trade secrets: must I share data that is my trade secret?
Not a free pass to refuse. The Data Act gives users a right to data from connected products, but protects trade secrets: you may take safeguards and, in exceptional cases, refuse where serious harm is shown.
Should I join the European mobility data space?
Participation is voluntary, not a legal duty like the Data Act or eFTI. Even so, joining early is strategic: it shapes your future data position and interoperability within the transport and logistics sector.