

Interaction between the GDPR and other EU regulations

March 2025  |  SPECIAL REPORT: DATA PRIVACY & CYBER SECURITY

Financier Worldwide Magazine

March 2025 Issue


Since its entry into force in 2018, the General Data Protection Regulation (GDPR) has become a reference point and source of inspiration for many legislators around the world. Its extraterritorial reach, enhanced rights of individuals and principles of accountability, among other provisions, introduced significant innovation at that time. Overall, it represented a fairly balanced approach.

Bolstered by success and in response to the challenges brought by technological innovation and the need to better protect individuals and consumers in the European market, the European Union (EU) has ramped up its adoption of regulations and directives in relation notably to data, online content and cyber security, each imposing new sets of obligations.

This rapid acceleration of reforms in connection with highly complex issues within a short timeframe does not necessarily contribute to clarity; on the contrary, it has added extra layers of complexity for companies. With operators still struggling to fully understand and comply with the GDPR, they are now dealing with another challenge that consists of satisfying additional regulatory requirements that sometimes overlap or collide with the GDPR.

This article provides an overview of areas of possible interaction and conflict.

The GDPR and the European Data Act

In contrast to the GDPR, the Data Act’s main objective is to promote fair access to and sharing of data between various stakeholders within the digital economy to foster innovation and growth in the EU. The GDPR and Data Act are bound to interact on different levels because they are both considered ‘data regulations’, and the Data Act specifically makes references to the GDPR.

The GDPR and the Data Act have distinct scopes. On one side, the GDPR exclusively governs the processing of ‘personal data’ – defined as “any information relating to an identified or identifiable natural person”. On the other, the Data Act governs the processing of ‘data’ – defined as “any digital representation of acts, facts or information and any compilation of such acts, facts or information”, which includes personal data and non-personal data. However, we understand from the two regulations that, in the case of a conflict between the two, the rules on personal data protection provided by the GDPR will prevail. More specifically, the Data Act provides that in a situation where both personal and non-personal data are inextricably linked in a dataset, the GDPR will prevail.

Furthermore, the Data Act should be considered as an additional layer of requirements that apply on top of the preexisting GDPR obligations, and not the other way around. Therefore, any processing of personal data under the Data Act will be subject to the conditions set out in the GDPR. As such, where the GDPR imposes that the processing of personal data is subject to the existence of a specific legal basis, this requirement must be complied with when personal data is processed under the Data Act.

The GDPR and the Data Act also have overlapping goals. With respect to their respective definition of a ‘user’ (the Data Act) and ‘data subject’ (the GDPR), both regulations aim to provide enhanced data access. Under the GDPR, individuals have the right to access their personal data to have better control over it by understanding what data relating to them is processed, by whom, and for what purpose. In a similar manner, the Data Act imposes that data holders provide users with access to data that is generated by a connected product or service.

Both regulations also highlight the importance of transparency. The GDPR mandates that controllers provide clear information about the personal data they process, its nature, the related purpose, conservation period, legal basis for processing as well as data subjects’ rights. Such information is usually provided to data subjects through privacy policies.

The Data Act creates its own set of information to be provided to a user prior to agreeing a contract for a connected product or service (e.g., nature of the data, retention duration, estimated volume of product data that can be generated, on-device storage capacity, and how to retrieve or erase data). Some of this data could qualify as personal data under the GDPR. Therefore, companies could work toward providing the information required under the GDPR and the Data Act in the same policy, to ensure clarity for data subjects and users.

Under the GDPR, article 20 introduced a right for data subjects to obtain personal data concerning them provided to a controller and transmit it to another controller (portability right). The Data Act has enhanced this ability and extended it to non-personal data, allowing users to switch services and request that data is shared with third parties.

Finally, one of the most contentious issues under the GDPR – the transfer of personal data to third countries, which still fuels complaints – is also mirrored in the Data Act. So-called ‘providers of data processing services’ are required to take measures to prevent third country governmental access and transfer of non-personal data held in the EU, if such transfer would create a conflict with EU or national law.

More specifically, foreign decisions requiring the transfer of or access to such data will only be enforceable if based on an international agreement. The aim of this measure is similar to that in the GDPR: to protect fundamental rights, but also to protect commercial or national interests, such as national security, commercially sensitive data or trade secrets.

The GDPR, NIS 2 and Cyber Resilience Act

The measures imposed by the GDPR on controllers and processors to protect personal data include obligations to implement security measures, as well as to disclose personal data breaches under certain circumstances.

The NIS 2 directive on measures for a high common level of cyber security across the EU focuses on improving the security and resilience of information systems across the EU. Therefore, a company subject to NIS 2 which complies with its obligations will in turn also comply with security obligations under the GDPR.

The scope of application of NIS 2 is more restrictive than the scope of the GDPR, which means that not all companies subject to the GDPR will be subject to NIS 2. The NIS 2 Directive applies to companies in critical sectors such as certain energy providers, online marketplaces and social networking platforms.

Additionally, the GDPR and NIS 2 Directive contain a similar obligation with respect to cyber incidents. Under the GDPR, if a company that suffered a data breach is a controller, it should notify the breach to the competent supervisory authority within 72 hours (unless the breach is unlikely to result in a risk to the rights and freedoms of natural persons) and evaluate whether it should also notify data subjects of the breach.

If the company is a processor, it should notify the breach to the controller without undue delay. The NIS 2 Directive requires that entities subject to a ‘significant incident’ issue an early warning within 24 hours, then notify the incident to the competent authority within 72 hours, and file a final report within one month of the incident. As such, companies subject to both the GDPR and NIS 2 will have to synchronise their information gathering and notification processes to ensure consistent reporting and avoid duplication of effort.

Similarly to the GDPR regime under which processors must ensure that subprocessors comply with data protection obligations, even if they are not themselves subject to the GDPR, the NIS 2 Directive aims to ensure that a certain level of security is maintained throughout the entities’ supply chain. Thus, the NIS 2 Directive provides that risk management measures must cover supply chains, and therefore suppliers, which may not fall within the scope of the NIS 2 Directive.

The GDPR and other regulations

From a privacy perspective, when processing personal data in the context of artificial intelligence (AI) – for development and training, or when using an AI system – the GDPR will apply. Just like the Data Act gives prevalence to GDPR provisions, the regulation laying down harmonised rules on AI (the AI Act) follows the same approach. As such, AI providers and deployers will need to comply with GDPR requirements in addition to AI Act-specific requirements.

From a cyber security perspective, it is also worth noting that the obligation to disclose cyber incidents is also present in other EU regulations. For instance, the Cyber Resilience Act, which aims to ensure the security of products with digital elements (defined as a “software or hardware product and its remote data processing solutions”) mandates that manufacturers must notify “actively exploited vulnerabilities” contained in the product.

Similarly, the AI Act mandates that providers of high-risk AI and general-purpose AI models with systemic risk must report any serious incidents.

Conclusion

Because of the multiplication of obligations from different sources applicable to companies simultaneously and in similar areas (e.g., user transparency and data breaches), the challenge of complying with these rules has reached a new level of complexity.

In addition to implementing required measures, companies need to swiftly build internal processes to identify their obligations in each area and document their efforts to be able to demonstrate compliance to authorities. Consequently, the industry is calling for clearer guidance from and cooperation between authorities to help them navigate this highly complex regulatory environment.


Ahmed Baladi is a partner and Thomas Baculard is an associate at Gibson, Dunn & Crutcher LLP. Mr Baladi can be contacted on +33 (1) 5643 1350 or by email: abaladi@gibsondunn.com. Mr Baculard can be contacted on +33 (1) 5643 1300 or by email: tbaculard@gibsondunn.com.

© Financier Worldwide

