Data access rights are a beacon of transparency for individuals and a maze of complexity for organisations. As data protection laws evolve, the right to access personal data has become fundamental, allowing individuals to understand what data is being held about them and how it is being used.
This right is now embedded in laws across the globe, from the General Data Protection Regulation in the UK (UK GDPR) and in the EU (EU GDPR), together the GDPR, to new emerging frameworks in countries such as Canada, Brazil, Japan, and the United States. For organisations operating across borders, handling access requests under multiple laws presents significant challenges.
The EU Data Act, which came into force on 11 January 2024 and will apply from 12 September 2025, introduces new rules governing access to and use of data generated by connected products and related services across the EU. While both the GDPR and the Data Act regulate data rights, their scopes differ significantly. Understanding these differences is critical for businesses to maintain compliance and manage data access effectively.
Key differences in data access rights
- Under the GDPR, data subjects have the right to request access to their personal data from organisations (data controllers). Organisations must provide a copy of the requested data, explain how it is being used, and disclose with whom it has been shared. This right is extensive, applying to any personal data processed by an organisation, regardless of its origin or purpose.
The data must be provided in a commonly used, machine-readable format, ensuring transparency and empowering individuals to have full control over their data. Organisations must typically respond to requests within one month, but this timeline can be extended if the request is complex.
However, the GDPR also requires organisations to carefully balance these rights with data security and applicable legal exemptions. They must ensure that only legitimate requests are fulfilled, which can involve verifying the identity of the requester and ensuring that they have a lawful basis for the access.
- The EU Data Act, by contrast, is focused on facilitating data sharing between businesses (business-to-business, or B2B) and between businesses and governments (business-to-government, or B2G). It primarily addresses non-personal data, particularly that generated by connected products (such as Internet of Things (IoT) devices) and related services. The Act introduces new obligations for manufacturers and service providers, referred to as data holders, to ensure that data generated by these products is accessible to both the users of the products and third parties. It also prohibits gatekeepers designated under the EU Digital Markets Act, and their affiliated companies, from requesting or receiving access under the Data Act to any user data generated by the use of a product, related service, or virtual assistant from any third-party data holder.
The aim is to promote innovation, competition, and new service offerings. For example, a manufacturer of an IoT device must ensure that data generated by the device is accessible to its users and, if requested, to third parties chosen by the user. This facilitates the creation of new services based on this data.
Unlike the GDPR, the Data Act also allows businesses to request access to data. This includes not only the direct user of a product but also third-party service providers who need access to data to offer or improve services. For governments, access may be granted under specific conditions, such as when access is required for public policy or emergency management purposes.
Access rights under the GDPR and the EU Data Act
Scope: Who can request?
- GDPR: Data subjects whose personal data is being processed.
- EU Data Act: Users (individuals or businesses) who generate data through connected products.
Scope: What data must be provided?
- GDPR: Personal data relating to the data subject.
- EU Data Act: Both personal and non-personal data generated by the connected product, including metadata needed to interpret the data.
Scope: Who must comply?
- GDPR: Data controllers (with assistance from data processors, if relevant).
- EU Data Act: Data holders (e.g., manufacturers, service providers) must provide access to users, third parties, and public bodies under specific circumstances. Third-party recipients receiving the data must also comply with the agreed terms and conditions for data sharing.
Strategy for compliance with the GDPR and the EU Data Act
Compliance challenges
For businesses, managing access requests under the GDPR and the EU Data Act can be complex. Identifying what data is subject to each regulation, verifying the legitimacy of the request, and delivering the information promptly all require careful coordination. The challenge is particularly pronounced when dealing with both personal and non-personal data.
The introduction of the EU Data Act adds an extra layer of complexity, especially for companies operating in the connected products and services market. These organisations must ensure they comply with both sets of rules, providing access to personal data in line with the GDPR while simultaneously managing access to non-personal data under the EU Data Act.
Practical steps for compliance
We outline key steps organisations should take to ensure compliance with the GDPR and the EU Data Act while minimising regulatory risks and streamlining data access management.
- Data mapping and scoping:
A thorough data mapping exercise is essential to understand the data your organisation holds, both personal data (regulated by the GDPR) and non-personal data (governed by the EU Data Act). While organisations may already have mapped personal data for GDPR compliance, additional mapping may be necessary for the EU Data Act to focus on non-personal data generated by connected products and IoT devices. This includes identifying:
- The origin of the data (whether personal or non-personal).
- Where it is collected or stored.
- How it is generated and flows through your systems.
- The roles of data holders, users, and third-party recipients.
This mapping should also cover metadata and the types of connected products generating the data. At this stage, it should be possible to scope out and determine if the data contains personal data and, if so, decide the lawful basis under which it can be shared. The lawful basis under the GDPR must be clarified to avoid breaching data protection laws when responding to requests for access to mixed datasets.
- Update policies and procedures: Organisations that handle data generated by connected products should implement a tailored governance framework for the EU Data Act. This involves:
- Reviewing and updating privacy policies, notices, and data protection impact assessments to include data generated by non-personal sources.
- Updating existing data access request procedures to differentiate between GDPR-related individual requests and business-to-business (B2B) requests under the EU Data Act.
It may be sensible to consider creating distinct processes for handling requests depending on whether the data falls under the GDPR or the Data Act, ensuring that personal and non-personal data are treated according to their respective legal requirements.
- Review contractual obligations:
- Contracts with users should clearly set out the applicable restrictions on use of the data and include provisions for compensation for providing access to data. Data holders should be transparent about any costs associated with sharing data, ensuring fair and reasonable terms.
- Data holders should also establish a standard data-sharing agreement that defines the rights, obligations, and restrictions applicable to third-party recipients who access the data upon user requests. This agreement should be structured to ensure compliance with the EU Data Act and provide a clear framework for data sharing, including obligations on confidentiality, data security, and permissible uses of the data.
By implementing these steps, organisations can enhance their data governance and ensure compliance with the GDPR and the EU Data Act, reducing the risk of regulatory penalties and facilitating smoother data access and sharing processes, both within the organisation and with external partners.