Summary statistics
Overlaps: 4 · Conflicts: 2 · Gaps: 2
8 article-level crossrefs catalogued between Data Act and GDPR from the Fontvera EU regulatory corpus. Article numbers are verbatim from the underlying obligation_crossrefs table; descriptions are extracted, not paraphrased.
All crossrefs between these regulations
| Article (A) | Article (B) | Type | Severity | Description |
|---|---|---|---|---|
| Data Act Art 18 | GDPR Art 5 | overlap | low | [entity affected: data holder] Both regulations require data holders to anonymize or pseudonymize personal data when sharing it, aligning with GDPR's data minimization and purpose limitation principle |
| Data Act Art 19 | GDPR Art 5 | overlap | low | [entity affected: public sector body] Both regulations mandate that data recipients implement technical and organizational measures to ensure security and confidentiality, and erase data when no longe |
| Data Act Art 11 | GDPR Art 17 | overlap | low | [entity affected: third party, data recipient] Both regulations require the erasure of data in specific circumstances, such as unauthorized use under the Data Act or when data is no longer necessary u |
| Data Act Art 26 | GDPR Art 20 | overlap | low | [entity affected: provider of data processing services] Both regulations facilitate data portability by requiring providers to supply data in structured, machine-readable formats and provide informati |
| Data Act Art 14 | GDPR Art 6 | conflict | high | [entity affected: data holder] The Data Act mandates data sharing for public interest tasks, which may conflict with GDPR's requirement for a specific lawful basis if the public interest task does not |
| Data Act Art 18 | GDPR Art 17 | conflict | high | [entity affected: data holder] The Data Act requires anonymization before sharing, but if anonymization is insufficient for the public task, pseudonymized data must be shared, potentially conflicting |
| Data Act Art ? | GDPR Art ? | gap | medium | [entity affected: data holder] Neither regulation clearly defines the technical standards for 'proper anonymization' under the Data Act, creating a compliance risk where data holders may fail to meet |
| Data Act Art ? | GDPR Art ? | gap | high | [entity affected: public sector body] There is no clear guidance on how public sector bodies reconcile the Data Act's obligation to share data for public emergencies with GDPR's restrictions on proces |
Conflicts explained
The 2 article-level conflicts between Data Act and GDPR mean a control that satisfies one can pull the wrong way on the other:
- Data Act Art 14 vs GDPR Art 6 — [entity affected: data holder] The Data Act mandates data sharing for public interest tasks, which may conflict with GDPR's requirement for a specific lawful basis if the public interest task does not explicitly override data subject rights or if consent was the original basis.
- Data Act Art 18 vs GDPR Art 17 — [entity affected: data holder] The Data Act requires anonymization before sharing, but if anonymization is insufficient for the public task, pseudonymized data must be shared, potentially conflicting with GDPR's right to erasure if the data subject has exercised that right.
Which regulation takes precedence
EU law does not lay down a universal precedence rule between Data Act and GDPR. In practice three resolution approaches apply: lex specialis (the more specific provision wins when both purport to govern the same conduct); regulator guidance (EDPB, EBA, ESMA and the AI Office have all issued joint readings on overlapping articles — check the most recent applicable opinion); and document the choice (when the regulations leave the call to the controller, the audit defence is your written reasoning, not the regulator's silence). Where the corpus surfaces a conflict rather than an overlap, treat that as an escalation path to legal — not a control-design question.
What this means for your compliance team
Treat the 4 overlaps as design opportunities — one control, two regulatory anchors. Treat the 2 conflicts as escalation paths to legal: the regulations themselves don't resolve them, you do, and you document the reasoning. The 2 gaps point at scenarios where one regulation is silent while the other speaks — assume the regulator who has the explicit rule will win.
Related Fontvera pages
- data act article 37 commission
- data act obligations data services
- data act vs data governance act comparison
- data act vs dma comparison
Check your full compliance exposure with the 5-minute Fontvera diagnostic →