18. How does the Data Act complement the GDPR’s data portability rights?

Article 1(5) of the Data Act clarifies the relationship between the Data Act and the GDPR, namely that Articles 4 and 5 of the Data Act (right to access and share data from IoT devices) complements Articles 15 and 20 of the GDPR (right to access and port personal data). Recital 35 of the Data Act further clarifies this interaction. The Data Act complements the data portability right established under Article 20 of the GDPR. Under the GDPR, only data subjects can exercise such a right and only when the personal data are processed under certain legal bases (consent or contract) and where technically feasible. The Data Act creates an enhanced portability right specifically for the IoT context. Thanks to the Data Act, users (e.g. data subjects and businesses) can access and port any data (both personal and non-personal) generated by the use of a connected product or related service. They can do so independently of the legal basis and, where applicable, in real time. Data subjects are therefore able to move their personal data between controllers (e.g. entities offering repair and maintenance services) more easily.