Hamburg DPA Publishes Data Act Guidance
The Hamburg Data Protection Authority has published new guidance on the EU Data Act's intersection with GDPR, providing much-needed clarity ahead of the regulation's full application date on September 12, 2025.
Key Takeaways
The guidance addresses several critical questions that businesses have been grappling with:
- Data Act vs. GDPR primacy: The Hamburg DPA confirms GDPR takes precedence where personal data is involved in Data Act data sharing obligations
- Anonymization as a bridge: Organizations can fulfill Data Act sharing requirements by anonymizing personal data before sharing
- Contractual frameworks: The guidance provides templates for B2B data sharing agreements that satisfy both regulatory frameworks
What This Means for Businesses
If you operate IoT devices, connected products, or cloud services in the EU, the September 2025 deadline requires action now. Key steps include:
- Audit your data flows — identify which data falls under Data Act sharing obligations
- Classify personal vs. non-personal data — determine where GDPR requirements apply
- Update contracts — ensure data sharing agreements address both frameworks
- Implement technical measures — build data access and portability mechanisms
Our Assessment
The Hamburg DPA guidance is a welcome development, but it leaves several questions open — particularly around mixed datasets containing both personal and non-personal data. We expect further guidance from the European Data Protection Board in the coming months.
"The Data Act creates a paradigm shift in data sharing obligations. Organizations need to act now to be compliant by September 2025."
For organizations operating at the intersection of GDPR and the Data Act, a structured compliance approach is essential. Contact us for a comprehensive assessment of your Data Act obligations.