Data Governance Act: Mapping the Interplays with the GDPR
This resource maps the interplays between the Data Governance Act and the GDPR.
Published: 28 Jan. 2026
This infographic is part of a series that maps different EU digital laws with the GDPR. The full series can be accessed here.
Additional Insights
- Data Governance Act: 101 (Chart)
- EU Digital Laws (Report)
- European Strategy for Data Overview (Chart Series)
This resource provides an overview of the rules and requirements that sit at the intersection of the EU Data Governance Act and the EU GDPR. As a legal framework to create an infrastructure for the public sharing of both non-personal and personal data, the DGA intersects in several ways with the rights enshrined within and the rules laid down by the GDPR.
While the DGA does not create a new legal basis for the processing of personal data, and the rules of the GDPR prevail whenever personal data is processed under the DGA, there are several areas where the DGA and GDPR intersect or overlap, namely, with regard to: consent, anonymization of personal data, data intermediation services that facilitate exercise of data subject rights, and data transfers of personal and non-personal data.
Data Governance Act and GDPR interplay mapping
Data Governance Act
- Article 1(3)
Insofar as any personal data is processed in connection with the DGA, the GDPR’s rules and protections prevail. In the event of a conflict between the DGA and GDPR, the GDPR prevails, as do the powers and competencies of the GDPR’s supervisory authorities.
GPDR
- Article 4
The DGA adopted all of the GDPR’s definitions of “personal data,” “consent,” “data subject,” and “processing.”
Data Governance Act
- Article 5(3)(a-c), Recital 15
Public sector bodies that decide to grant access for reuse of protected data should anonymize any personal data. If the anonymization or the modification of the data makes it unusable for the re-user, and requirements for conducting a data protection impact statement and prior consultation with a supervisory authority under the GDPR have been fulfilled, and if the risks to the rights to the data subjects are minimal, then on-premise or remote re-use of the data within a secure processing environment could be allowed.
GPDR
- Articles 35-36
Data protection impact assessment and prior consultation with a supervisory authority may need to be carried out to allow on-premises or remote reuse of non-anonymized data within a secure processing environment under the DGA.
Data Governance Act
- Article 10(b), Recital 30
A specific category of data intermediation services that offers services to data subjects seeking to enhance the agency of data subjects and individuals’ control over data relating to them and assists them in exercising their rights under the GDPR.
GPDR
- Articles 7, 15-18, and 20
The DGA data intermediation services may offer assistance to data subjects in giving and withdrawing their consent as well as in exercising their GDPR rights to access, rectification, erasure (“right to be forgotten”), restriction of processing, and data portability.
Data Governance Act
- Article 25(3)
A data altruism consent form is to be developed by the European Commission in consultation with the European Data Protection Board and European Data Innovation Board to facilitate the collection of data based on data altruism.
GPDR
- Article 7
Whenever personal data is collected via the data altruism consent form, the data altruism organization should ensure that data subjects can give and withdraw consent from a specific data processing operation in compliance with the GDPR.
Data Governance Act
- Article 31
Public sector bodies, data intermediation services providers and data altruism organizations must take “all reasonable technical, legal and organizational measures, including contractual arrangements,” to prevent international transfer or governmental access to nonpersonal data where such transfer or access conflicts with EU or national law of the relevant member state.
GPDR
- Article 44
The DGA’s requirements around the international transfer of and access to nonpersonal data resemble the requirements imposed by the GDPR on international transfer and access to personal data.
This content is eligible for Continuing Professional Education credits. Please self-submit according to CPE policy guidelines.
Data Governance Act: Mapping the Interplays with the GDPR
This resource maps the interplays between the Data Governance Act and the GDPR.
Published: 28 Jan. 2026
Contributors:
Müge Fazlioglu
Principal Researcher, Privacy Law and Policy, IAPP
CIPP/E, CIPP/US
This infographic is part of a series that maps different EU digital laws with the GDPR. The full series can be accessed here.
Additional Insights
- Data Governance Act: 101 (Chart)
- EU Digital Laws (Report)
- European Strategy for Data Overview (Chart Series)
This resource provides an overview of the rules and requirements that sit at the intersection of the EU Data Governance Act and the EU GDPR. As a legal framework to create an infrastructure for the public sharing of both non-personal and personal data, the DGA intersects in several ways with the rights enshrined within and the rules laid down by the GDPR.
While the DGA does not create a new legal basis for the processing of personal data, and the rules of the GDPR prevail whenever personal data is processed under the DGA, there are several areas where the DGA and GDPR intersect or overlap, namely, with regard to: consent, anonymization of personal data, data intermediation services that facilitate exercise of data subject rights, and data transfers of personal and non-personal data.
Data Governance Act and GDPR interplay mapping
Data Governance Act
- Article 1(3)
Insofar as any personal data is processed in connection with the DGA, the GDPR’s rules and protections prevail. In the event of a conflict between the DGA and GDPR, the GDPR prevails, as do the powers and competencies of the GDPR’s supervisory authorities.
GPDR
- Article 4
The DGA adopted all of the GDPR’s definitions of “personal data,” “consent,” “data subject,” and “processing.”
Data Governance Act
- Article 5(3)(a-c), Recital 15
Public sector bodies that decide to grant access for reuse of protected data should anonymize any personal data. If the anonymization or the modification of the data makes it unusable for the re-user, and requirements for conducting a data protection impact statement and prior consultation with a supervisory authority under the GDPR have been fulfilled, and if the risks to the rights to the data subjects are minimal, then on-premise or remote re-use of the data within a secure processing environment could be allowed.
GPDR
- Articles 35-36
Data protection impact assessment and prior consultation with a supervisory authority may need to be carried out to allow on-premises or remote reuse of non-anonymized data within a secure processing environment under the DGA.
Data Governance Act
- Article 10(b), Recital 30
A specific category of data intermediation services that offers services to data subjects seeking to enhance the agency of data subjects and individuals’ control over data relating to them and assists them in exercising their rights under the GDPR.
GPDR
- Articles 7, 15-18, and 20
The DGA data intermediation services may offer assistance to data subjects in giving and withdrawing their consent as well as in exercising their GDPR rights to access, rectification, erasure (“right to be forgotten”), restriction of processing, and data portability.
Data Governance Act
- Article 25(3)
A data altruism consent form is to be developed by the European Commission in consultation with the European Data Protection Board and European Data Innovation Board to facilitate the collection of data based on data altruism.
GPDR
- Article 7
Whenever personal data is collected via the data altruism consent form, the data altruism organization should ensure that data subjects can give and withdraw consent from a specific data processing operation in compliance with the GDPR.
Data Governance Act
- Article 31
Public sector bodies, data intermediation services providers and data altruism organizations must take “all reasonable technical, legal and organizational measures, including contractual arrangements,” to prevent international transfer or governmental access to nonpersonal data where such transfer or access conflicts with EU or national law of the relevant member state.
GPDR
- Article 44
The DGA’s requirements around the international transfer of and access to nonpersonal data resemble the requirements imposed by the GDPR on international transfer and access to personal data.
This content is eligible for Continuing Professional Education credits. Please self-submit according to CPE policy guidelines.
Tags:
Related resources
IAPP Global Legislative Predictions 2026
Data Protection Officer Requirements by Country
Global AI Governance Law and Policy: Jurisdiction Overviews
