In episode 47 of the Data Navigator podcast, Dr Martin Schirmbacher and Dr Hubertus von Rönne address a topic that, since the Data Act came into force, has repeatedly been cited as a supposed counter-argument against claims for the disclosure of data: the GDPR. One of the reasons for this discussion is the third think tank organised by the Federal Commissioner for Data Protection and Freedom of Information on the Data Act, which took place last week.
The starting point is clear: the Data Act expressly applies to personal data as well. In the event of a conflict, the GDPR takes precedence. In practice, however, such conflicts arise far less frequently than is often assumed. The decisive factor here is what is known as ‘relative personal reference’. Whether data is personal is not assessed in the abstract, but from the perspective of the respective data controller.
Dr Martin Schirmbacher and Dr Hubertus von Rönne illustrate this principle using the example of a bus driver: for Berlin’s public transport authority, driver data is personally identifiable, as they know who was driving which bus at what time. For the bus manufacturer, which only receives vehicle data without any personal registration details, this link is generally missing. In the case of a wind farm, the situation may be the reverse: the manufacturer knows its maintenance staff, whilst the wind farm operator is usually unable to identify them.
It follows that: The same data set may be personal data for one party and not for another. In scenarios governed by the Data Act, it is often precisely the data recipient who cannot establish a link to an individual.
If, however, the recipient does establish a link to an individual, they require a legal basis under the GDPR. Legitimate interests are particularly relevant in this context. The manufacturer, in turn, may rely on Article 6(1), first sentence, point (c) of the GDPR for the data transfer, as the disclosure is made on the basis of a legal obligation under the Data Act.
Finally, Dr Martin Schirmbacher and Dr Hubertus von Rönne outline the responsibilities of the supervisory authorities. The Federal Network Agency is generally responsible for complaints relating to the Data Act. As soon as personal data is involved, it must involve the Federal Commissioner for Data Protection and Freedom of Information. The state data protection authorities remain responsible for traditional infringements of the GDPR – for example, if a farmer complains that a manufacturer is processing their personal data.
Please note: We use cookies to play videos on this page. Please enable them in your browser settings.