
GDPR vs EU Data Act: Key Differences & Dual Compliance Guide for 2025

Editor: ESTL | Category: Technical information | Release time: 2025-12-15

As the EU's data regulatory framework continues to evolve, the General Data Protection Regulation (GDPR) and the Data Act (in force since January 2024, with most obligations applying from 12 September 2025) together form one of the world's most demanding data governance regimes. For enterprises operating in or targeting the EU market, a clear understanding of the differences, connections, and overlapping obligations between the two acts has become a prerequisite for mitigating legal risk and ensuring business continuity. Drawing on frontline compliance service experience, Energy Storage Testing provides an analysis of the core differences between the two regulations and integrated response strategies.


I. Fundamental Orientation: Differences in Objectives & Scope

GDPR (Regulation (EU) 2016/679, applicable since 25 May 2018)

  • Core Objective: Protect the fundamental rights and freedoms of natural persons, particularly the right to personal data protection. Essentially a "privacy protection law."
  • Regulatory Focus: Governs the entire lifecycle of personal data processing (collection, storage, use, sharing, etc.).
  • Key Concepts: Division of responsibilities between "data controllers" and "data processors"; "lawful bases for processing"; "data subject rights."

Data Act (Regulation (EU) 2023/2854, in force since 11 January 2024; most obligations apply from 12 September 2025)

  • Core Objective: Promote fair access to and utilization of data among entities, unlocking the economic value of data. Essentially a "data access and sharing law."
  • Regulatory Focus: Mainly regulates access to, sharing, and transmission of data generated by the use of connected products (IoT) and related services. This covers raw and pre-processed product data, which may be personal or non-personal; data that the holder infers or derives from it (e.g., analytics results) is outside the access and sharing rights.
  • Key Concepts: Obligations of "data holders" (e.g., device manufacturers) and "data recipients"; "Fair, Reasonable, and Non-Discriminatory (FRAND)" sharing principles.
Comparison Dimension      | GDPR (General Data Protection Regulation)                                   | Data Act
--------------------------|-----------------------------------------------------------------------------|------------------------------------------------------------------
Legislative focus         | Personal data privacy and rights protection                                 | Economic value of data and fair access
Core regulatory target    | Personal data processing activities                                         | Data generated by connected products/services (personal and non-personal)
Primary obligated entities| Data controllers, data processors                                           | Data holders (e.g., manufacturers), data recipients
Core user rights          | Information, access, rectification, erasure ("right to be forgotten"), etc. | Data access right, portability right, right to have data shared with third parties
Core regulatory direction | Vertical: how controllers and processors treat data subjects                | Horizontal: how data holders treat third parties (users/enterprises)

II. Core Obligations: Focus on Differences in Rights & Responsibilities

GDPR Grants Individuals Rights, Primarily Binding "Data Controllers"

  • Rights include: the right to information, access, rectification, erasure (right to be forgotten), restriction of processing, data portability, and objection, among others.
  • Enterprises must process personal data on one of the six lawful bases in Article 6 (e.g., "legitimate interests," "performance of a contract," "consent") and implement data protection by design and by default (Article 25), commonly referred to as Privacy by Design.

Data Act Grants Users (Individuals or Enterprises) Rights, Primarily Binding "Data Holders"

  • Right to access and use, without undue delay, the data generated by connected products they use (e.g., smart home appliances, industrial machinery, connected vehicles). Note that products primarily designed to display, play, record, or transmit content, such as general-purpose tablets, smartphones, and PCs, are not treated as connected products under the Data Act's recitals.
  • Right to instruct data holders to share that data with designated third parties (e.g., an alternative maintenance service provider or a data analytics company).
  • Special emphasis on data portability and interoperability requirements to break data lock-in effects.

Key Distinction Example

  • A wearer asks a smartwatch manufacturer for her own behavioral data (e.g., app usage records). Because these are personal data of the requester, the GDPR right of access applies; because they are also data generated by use of a connected product, the Data Act user access right applies alongside it.
  • A factory operator instructs an industrial machinery maker to share the raw sensor telemetry generated by its machines with a third-party maintenance provider. No personal data is involved, so this primarily triggers the Data Act's sharing obligation (subject to trade-secret safeguards).
  • Where device data shared under the Data Act is also personal data, and the product user is not the data subject (e.g., a fleet company requesting a driver's logs), the Data Act itself requires a valid GDPR lawful basis before the data holder may make it available. The two regimes stack rather than replace each other.
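The routing logic behind these examples, and the data classification strategy described under Section IV (separating personal from non-personal data and deciding who may receive what), can be made concrete in code. The following is an added illustration written for this article, not tooling from Energy Storage Testing or any regulator: a small policy check that takes a request for connected-product data, classifies each item, and reports which GDPR and Data Act provisions it triggers. The scenarios, party names (alice, PlantOps, ServiceCo, FleetCo, driver_dan), and field names are constructed, and the legal mapping is deliberately simplified.

```python
# Added example (not ESTL's tooling): a minimal policy check that routes a
# request for connected-product data to the regulation(s) it triggers.
# Article numbers refer to GDPR (Regulation (EU) 2016/679) and the Data Act
# (Regulation (EU) 2023/2854); the mapping is deliberately simplified.
from dataclasses import dataclass
from enum import Enum
from typing import List, Optional


class Category(Enum):
    PERSONAL = "personal"          # relates to an identifiable natural person
    NON_PERSONAL = "non-personal"  # e.g. machine telemetry with no person behind it
    DERIVED = "derived"            # inferred by the holder: no Data Act access right


@dataclass(frozen=True)
class DataItem:
    name: str
    category: Category
    product_generated: bool  # readily available data generated by use of the product


@dataclass
class Request:
    requester: str                    # party asking for the data
    product_user: str                 # user of the connected product (Data Act sense)
    data_subject: Optional[str]       # person the personal items relate to, if any
    items: List[DataItem]
    recipient: Optional[str] = None   # third party the user designates (Data Act Art. 5)
    user_instruction: bool = False    # did the product user instruct the sharing?
    gdpr_lawful_basis: Optional[str] = None  # Art. 6 basis offered for personal data


def evaluate(req: Request) -> dict:
    """Return triggered obligations and a per-item grant/refuse decision.

    Rules encoded (simplified):
    - Personal data: GDPR applies. The data subject has a right of access (Art. 15).
      Any other requester needs an Art. 6 lawful basis; Data Act Art. 4(12)/5(7)
      demand the same when the product user is not the data subject.
    - Data generated by use of the product (not derived): the Data Act applies.
      The product user may access it (Art. 4); a third party may receive it only
      on the user's instruction (Art. 5). A lawful basis alone grants nothing.
    """
    report = {"gdpr": [], "data_act": [], "decision": {}}
    for item in req.items:
        grants: List[str] = []
        blocks: List[str] = []
        if item.category is Category.PERSONAL:
            if req.requester == req.data_subject:
                grants.append("GDPR Art. 15 right of access")
            elif req.gdpr_lawful_basis:
                # Precondition satisfied, but a lawful basis is not itself a right to the data.
                report["gdpr"].append(f"{item.name}: Art. 6 basis '{req.gdpr_lawful_basis}'")
            else:
                blocks.append("personal data and no GDPR lawful basis for this requester")
        if item.product_generated and item.category is not Category.DERIVED:
            if req.requester == req.product_user:
                grants.append("Data Act Art. 4 user access right")
            elif req.user_instruction and req.recipient == req.requester:
                grants.append("Data Act Art. 5 sharing with user-designated third party")
        for g in grants:
            report["gdpr" if g.startswith("GDPR") else "data_act"].append(f"{item.name}: {g}")
        if blocks:
            report["decision"][item.name] = "refuse: " + "; ".join(blocks)
        elif grants:
            report["decision"][item.name] = "grant"
        else:
            report["decision"][item.name] = "refuse: no access right or sharing obligation applies"
    return report


# Constructed sample data items (hypothetical field names).
USAGE = DataItem("app_usage_log", Category.PERSONAL, product_generated=True)
VIBRATION = DataItem("vibration_telemetry", Category.NON_PERSONAL, product_generated=True)
DRIVING = DataItem("driving_log", Category.PERSONAL, product_generated=True)
SCORE = DataItem("predicted_failure_score", Category.DERIVED, product_generated=False)


def wearable_user_access() -> dict:
    # Wearer asks the manufacturer for her own usage records: both regimes grant.
    return evaluate(Request("alice", "alice", "alice", [USAGE]))


def machine_sharing_on_instruction() -> dict:
    # Plant operator instructs the maker to share raw telemetry with a maintenance
    # provider: Data Act only, no personal data involved.
    return evaluate(Request("ServiceCo", "PlantOps", None, [VIBRATION],
                            recipient="ServiceCo", user_instruction=True))


def fleet_operator_without_basis() -> dict:
    # Fleet company (product user) asks for a driver's log with no GDPR basis,
    # plus a holder-derived score that carries no Data Act access right.
    return evaluate(Request("FleetCo", "FleetCo", "driver_dan", [DRIVING, SCORE]))


def fleet_operator_with_basis() -> dict:
    # Same request with a recorded Art. 6 basis: the Data Act access right now applies.
    return evaluate(Request("FleetCo", "FleetCo", "driver_dan", [DRIVING],
                            gdpr_lawful_basis="contract"))


if __name__ == "__main__":
    for fn in (wearable_user_access, machine_sharing_on_instruction,
               fleet_operator_without_basis, fleet_operator_with_basis):
        print(fn.__name__, fn())
```

The point of the structure is that the GDPR branch can only block or note a precondition, while the Data Act branch is what actually obliges the holder to hand data over; a classification scheme that records, per field, whether data is personal and whether it was generated by product use (rather than derived by the holder) is the minimum needed to answer both questions for every request.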

III. Integrated Challenges: How Do the Two Regulations Overlap for Enterprises?

For enterprises manufacturing and selling connected smart devices (e.g., smartwatches, smart home appliances, connected vehicles, industrial equipment), both regulations apply simultaneously, creating cumulative regulatory effects:

Dual Compliance Obligations

  • Processing personal data held in or collected by devices (e.g., user accounts, location) must comply with GDPR.
  • Managing access to and sharing of the readily available data generated by use of the devices (including non-personal data) must comply with the Data Act.

Dual Design Considerations

  • Product design must embed both "Privacy by Design" and "data accessibility/sharing" technical and organizational frameworks.

Dual Risks

  • Non-compliance may result in heavy fines from GDPR supervisory authorities, as well as the penalties that Member States lay down for Data Act violations (with GDPR-level fines applying where personal data is involved), litigation, and business losses, plus platform sanctions such as listing removal by Amazon.

IV. Professional Response by Energy Storage Testing: Integrated Compliance Solutions

Facing the integrated regulatory network formed by GDPR and the Data Act, enterprises urgently need systematic, forward-looking compliance strategies. Energy Storage Testing offers one-stop professional services:

1. Dual Regulatory Gap Analysis

  • Conduct a comprehensive review of your products, data flows, and business models to identify specific obligations and compliance gaps under both GDPR and the Data Act.

2. Integrated Process & Design Transformation

  • Assist in integrating "privacy protection" and "data accessibility/sharing" requirements into the product development lifecycle, including DevSecOps pipelines, and in designing user-friendly consent and authorization management interfaces.

3. Data Classification & Governance Framework Establishment

  • Develop a clear data classification strategy to distinguish between personal and non-personal data, and formulate corresponding access, sharing, protection, and retention policies to meet the different requirements of both regulations.

4. Documentation & Evidence Chain Management

  • Assist in preparing GDPR-required Records of Processing Activities (RoPA, Article 30) and Data Protection Impact Assessments (DPIA, Article 35), as well as data sharing contract terms that meet the Data Act's fair, reasonable, and non-discriminatory conditions, and related compliance statements.

5. Continuous Monitoring & Training

  • Provide EU regulatory update tracking and customized training for R&D, legal, and marketing teams to build internal compliance resilience.

Navigating Steadily in the New Era of Data Governance

GDPR safeguards the fundamental rights of personal privacy, while the Data Act shapes the rules of the data economy. The two are not mutually exclusive but form the two pillars of the EU’s data strategy. For enterprises, understanding the differences is fundamental — achieving coordinated compliance is the key.

With in-depth insights into the EU’s digital regulatory system and rich experience in cross-border compliance projects, Energy Storage Testing is committed to becoming the most trusted data compliance partner for enterprises on their global journey. Let us help you clarify complex requirements, build a robust and sustainable compliance system, and confidently address dual challenges to win market trust.
