
The Data Act comes into force
From September 12, 2025, the provisions of the Data Act will apply directly in all European Union member states. It is another EU regulation, following the Data Governance Act, that implements the European Data Strategy. The Data Act does not exclude or replace the GDPR.
Regulation (EU) 2023/2854 on harmonised rules on fair access to and use of data (Data Act) entered into force on January 11, 2024, and applies from September 12, 2025. From that date, it will generally apply directly in all EU Member States. However, for it to function fully, appropriate national legislation must be adopted to a certain extent. Therefore, the Draft Act on Fair Access to and Use of Data has been included in the List of Legislative and Programmatic Work of the Council of Ministers. The President of the Personal Data Protection Office is ready to issue an opinion on the draft act during the legislative process.
The Data Act focuses on fair access to data and user rights, while ensuring the protection of personal data. It sets out a legal framework for data exchange between businesses, between businesses and consumers, and between businesses and public administrations. It also facilitates the switching of cloud service providers and introduces interoperability standards. This includes data generated when users use, for example, Internet of Things devices or cloud services.
The President of the Personal Data Protection Office emphasises that the Data Act does not exclude or replace the GDPR. It is complementary to the GDPR and, as such, does not regulate the protection of personal data. Thus, the GDPR applies to all personal data processing operations within the scope of the Data Act.
In accordance with Article 1(5) of the Data Act, this Regulation is without prejudice to existing Union and national laws on the protection of personal data, privacy and confidentiality of communications, and the integrity of terminal equipment, which apply to personal data processed in connection with the rights and obligations established in this Regulation, in particular the GDPR, Regulation (EU) 2018/1725 and Directive 2002/58/EC, including the powers and competences of supervisory authorities and the rights of data subjects. Furthermore, where users are data subjects, the rights laid down in Chapter II of the Data Act supplement their right of access and right to data portability under Articles 15 and 20 of the GDPR.
In the event of a conflict between the Data Act and Union law on the protection of personal data or privacy, or national law adopted in accordance with such Union law, the relevant Union or national law on the protection of personal data or privacy shall prevail.
Pursuant to Article 37(3) of the Data Act, data protection authorities, including the President of the Personal Data Protection Office, are responsible for monitoring its application in the field of personal data protection, regardless of the competent authority designated by the Member State responsible for its application and enforcement.
Data protection authorities participate in the implementation of the Data Act within their remit, as exemplified by the position adopted by the European Data Protection Board on the European Commission's recommendations on non-binding model contractual clauses for data access and use.
The European Commission has also published answers to frequently asked questions about the Data Act, which provide a more detailed explanation of the content of the Regulation.