Intellectual Property and Privacy, Data and Cybersecurity Associate Anita Hodea was quoted in two Compliance Week articles about the new EU Data Act (EDA), what companies must know in order to comply with the EDA, and how it may impact their compliance efforts with the General Data Protection Regulation (GDPR).
Anita Hodea commented that transparency is central to the EDA, and companies will need to clearly inform users before contracts are signed about what types of data will be collected, how and for how long it will be stored, and who can access said data. She used a smart home device that collects personal data, such as user preferences, and non-personal data, such as energy usage, as an example. The device would require compliance with the GDPR for any personal data and would also need to provide users with "structured, machine-readable access to all data" under the EDA. She added that quick-reference tools, such as URLs or QR codes, could also be useful for making such information easily accessible and understandable to users.
"The EDA complements the GDPR by covering non-personal and IoT-generated data, whereas the GDPR governs personal data only," Anita said. "Both emphasize transparency, fairness and accountability, with the EDA focused on improving data portability, interoperability and seamless switching. Conflicts may arise when EDA obligations intersect with GDPR — for example, sharing personal data with third parties." She added that in such cases, the GDPR will take precedence. "To prepare, companies should segregate personal and non-personal data, implement safeguards and document legal bases for sharing personal data," she stated.
Regarding how the EDA may impact companies' compliance with the GDPR, Anita said that while the EDA is intended to spur competition, innovation and user empowerment, compliance with it "will require operational, technical and contractual changes." In order to avoid fines or litigation, "companies must review contracts, adapt infrastructure, and coordinate across legal, IT, and product teams," she added.
Further, Anita stated, "Even though the EDA covers all data types, it will not replace GDPR obligations," adding that "organizations must still ensure that they have a lawful basis to process personal data, while also meeting transparency and sharing obligations under the EDA."
"Complying with the EU Data Act – What companies should know," Compliance Week, October 30, 2025
"New EU Data Act may impact companies' GDPR compliance efforts," Compliance Week, October 27, 2025
London
