
25a. What GDPR legal bases could the data holder rely on when replying to a request for data?

Different scenarios and different processing operations need to be distinguished.

  • The user is the data subject in relation to the data in question. Article 1(5) specifies that the Data Act complements the rights of access by data subjects and rights to data portability under Articles 15 and 20 of Regulation (EU) 2016/679. This means that where the user is the data subject and requests the data under Article 4 of the Data Act for themselves, the situation is comparable to a data subject access request under Article 15 GDPR. Where the user asks for data to be ported to a third party under Article 5 of the Data Act, the situation is comparable to Article 20 of the GDPR. The fact that the request to port the data is received via another actor does not change that assessment.

  • The user is not the data subject in relation to the data in question. As specified in Recital 7, where the user is not the data subject, the Data Act was not intended as a legal basis for providing access or for making personal data available to a third party in the sense of Article 6(1) GDPR, including 6(1)(c). The intention was to protect data subjects in multi-user situations (either multiple users at the same level – co-ownership of a connected product – or layered user situations with owners and lessees).

This means that the data holder will have to assess what the appropriate legal basis is for providing access or for making personal data available, or alternatively it will have to provide anonymised data. Depending on the circumstances of the request, the controller could explore whether providing the data is necessary for the performance of the contract with the data subject or serves a legitimate interest of the data holder or a third party.