Dutch Data Watchdog Sounds Alarm on EU's Data Act
The EU’s Data Act, designed to unlock a new era of data-driven innovation, has landed in the Netherlands, and the national watchdog, Autoriteit Persoonsgegevens (AP), is already sounding the alarm. The AP’s concerns, outlined in a recent newsletter, highlight the practical challenges organizations face in navigating this complex new landscape. It’s a stark reminder that even well-intentioned legislation can create compliance headaches.

The Data Act aims to foster fair access to and use of data generated by connected devices and services, encompassing both personal and non-personal information. But the devil, as always, is in the details. The AP is urging Dutch organizations to get their ducks in a row – and fast.

The Dutch approach to the Data Act involves a split supervisory role. While the Authority for Consumers and Markets (ACM) takes the lead as the main supervisor and national data coordinator, the AP retains oversight of GDPR-related provisions. This division of responsibilities means companies must navigate two regulatory bodies, potentially complicating compliance efforts.

The AP emphasizes the importance of a comprehensive data flow inventory. Organizations need to determine if they fall under the Data Act’s purview by assessing their use or provision of connected devices and related services. This includes identifying the types of user and product data generated and whether that data includes personal information, triggering GDPR obligations.

A thorough data flow inventory is not just a box-ticking exercise; it’s the bedrock of demonstrating compliance and mitigating potential risks.

Transparency and Access: Meeting User Expectations

One of the Data Act’s core principles is empowering users with greater control over their data. The AP stresses that organizations must provide users with access to the data they generate through connected products. This necessitates clear and transparent communication about what data is collected, why, with whom it is shared, and how.

Furthermore, any processing of personal data must have a valid legal basis under the GDPR, such as consent or contract performance. Transparency, lawfulness, and purpose limitation are key.

Cloud Migration: Privacy Considerations

Article 23 of the Data Act addresses cloud service provider switching, mandating that providers facilitate seamless migration between services. The AP cautions organizations to ensure that GDPR principles remain intact during such migrations. This is a critical consideration, especially for companies handling sensitive personal data.

Data residency, security measures, and compliance certifications all need careful evaluation when considering a cloud switch.

Data Sharing Agreements: Fairness and Security

The Data Act introduces requirements for fair contractual conditions between data holders and data users. The AP advises organizations to carefully evaluate their contractual and technical safeguards, ensuring appropriate security and data-protection measures are in place when sharing data. Contracts should clearly define data usage rights, responsibilities, and liabilities.

Handling Data Requests: A Balancing Act

Organizations must be prepared to provide data to users and, in some cases, to third parties, in accordance with the Data Act. This requires technical and organizational readiness to handle such requests, ensuring each request meets the Data Act conditions and remains compatible with GDPR. Establishing clear internal workflows is crucial to efficiently and compliantly address these new obligations.

GDPR Prevails: Protection First

The AP unequivocally states that the Data Act must not diminish the level of protection afforded by the GDPR. If a request under the Data Act violates the GDPR, the organization should deny it. Moreover, the AP advises documenting each assessment meticulously, providing a clear audit trail for regulators and internal stakeholders. This documentation serves as evidence of accountability and responsible data handling.

“The Data Act marks a shift toward a more data-driven European economy, with increased user control and transparency.”

The Dutch Data Protection Authority’s guidance serves as a crucial reminder that navigating the EU’s Data Act requires careful planning, diligent execution, and a deep understanding of both the new regulations and existing GDPR requirements. The road ahead may be complex, but organizations that embrace transparency and prioritize data protection will be best positioned to thrive in this evolving data landscape.