2. How does the relationship between the Data Act and the GDPR affect the enforcement and protection of personal data?

The Data Act respects the competence of the data protection authorities (DPAs) to enforce rules on personal data protection. The Data Act provides a coherent enforcement and cooperation mechanism between DPAs and other competent authorities. Article 1(5) of the Data Act establishes that the GDPR applies to the processing of personal data in the framework of the Data Act. In this context, it recalls that the DPAs are competent to enforce the obligations stemming directly from the GDPR. Article 37(3) of the Data Act provides that, insofar as the protection of personal data is concerned, the DPAs are responsible for monitoring the application of the Data Act and can rely on the tasks and powers laid down in the GDPR. This is also stated in recital 107 of the Data Act. The protection of personal data captures, for example, the power to assess: (i) whether a user who is a data subject has received or has been allowed to port all personal data it requests; (ii) whether the data holder correctly qualifies which data should be considered personal data; and (iii) whether a valid legal basis under the GDPR exists for a user who is not a data subject to request and port personal data. Article 37(3) of the Data Act also ensures that data subjects are not required to go to two different authorities in cases where the rights of access and porting would apply under both the Data Act and the GDPR or where there could be any other grievance relating to the protection of their personal data in the application of the Data Act. More generally, the Commission strives to promote a strong working relationship between the authorities that enforce data legislation in the EU, including through the membership of the European Data Protection Supervisor (EDPS) and the European Data Protection Board (EDPB) in the European Data Innovation Board.