Which parties are affected by the Data Act?
According to Article 1(3), the Data Act applies to:
a) manufacturers of connected products,
b) users of connected products or related services,
c) data holders that make data available to data recipients in the Union,
d) data recipients in the Union to whom data are made available,
e) providers of data processing services,
f) participants in common European data spaces,
g) providers of applications using so-called smart contracts.
What is the Data Act and who does it affect?
Contrary to what is often assumed in practice, the Data Act does not only concern manufacturers of connected products or providers of related services. Rather, it addresses a wide range of actors along the entire data value chain. Different obligations apply depending on the addressee.
Where does the Data Act apply?
The Data Act follows the market-location principle, well known from the GDPR. For example, under Article 1(3)(a), it only covers manufacturers of connected products that are placed on the market in the Union, regardless of their establishment. Data holders falling under Article 4 are covered under Article 1(3)(c) whenever they make data available to data recipients in the Union, irrespective of their place of establishment.
What are the objectives of the Data Act?
The Data Act aims to ensure fair access to and fair use of data, while at the same time enhancing their economic value. In short: those who bear the risks of a connected product or related service should also be able to benefit from the data generated. The scope of regulation is accordingly broad, both with regard to the data concerned (personal and non-personal) and the addressees. Furthermore, data holders are required to make data available to data recipients in the Union under fair, reasonable, non-discriminatory and transparent conditions. In addition, contractual law provisions are adjusted in order to prevent the exploitation of contractual imbalances that would otherwise impede fair access to and use of data.
What are the timelines?
The Data Act applies from 12 September 2025, although some obligations will only become applicable after a transitional period. The obligation laid down in Article 3(1) to make data of connected products and related services accessible only applies to those placed on the market after 12 September 2026. Independently, the obligation under Article 5(1) for data holders to make the same data available already applies from 12 September 2025. Chapter IV, regulating the use of unfair contractual terms concerning access to and use of data between businesses, will apply only from 12 September 2027 to contracts concluded on or before 12 September 2025, provided they are of indefinite duration or expire not earlier than ten years after 11 January 2024.
How can companies adapt existing data governance processes to the Data Act?
Many companies already have processes in place for managing data flows, responsibilities and access rights. These can be adapted to comply with the Data Act. Processes previously designed for data processing agreements or non-disclosure agreements can be extended to cover data sharing agreements, incorporating criteria such as fairness, transparency and reasonable conditions.
Does the Data Act also provide for exceptions?
The Data Act sets out several important exceptions:
a) Derived data are excluded from the obligations of the Data Act. Derived data are information that is not directly obtained from the use of the product or service but results from additional investments in processing or the attribution of values or insights, in particular by means of complex proprietary algorithms that may form part of proprietary software. Data holders are therefore not required to make such data available to a user or third party, unless contractually agreed otherwise. Typical examples include outcomes of sensor fusion, where data are inferred or derived from multiple sensors using proprietary algorithms, which may also be protected by intellectual property rights.
b) Prototypes do not fall within the scope of the Data Act, according to Recital 14.
c) In individual cases, under Recital 31, data holders may refuse a data access request if they can demonstrate to the user or the third party that disclosure of trade secrets would, despite the application of technical and organisational measures, with high probability cause serious economic damage.
d) According to Article 1(2)(a), Chapter II does not apply to content that relates to the performance, use or environment of connected products and related services. Content refers to the semantic level of data, i.e. the meaning or significance inferred from a data category. While “data” refers neutrally to the existence of characters, numbers or formats, “content” captures their information value. Example: a temperature value of “23.4 °C” is a datum; the fact that it refers to the measured indoor temperature of a car constitutes content.
Which addressees does the Data Act recognise and what are their obligations?
- Manufacturers of connected products and providers of related services: subject to design and manufacturing obligations to ensure “data accessibility by design.”
- Sellers, lessors and licensors: subject to pre-contractual information obligations.
- Data holders: subject to a wide range of obligations, including ensuring data access and sharing, contractual requirements, information duties and data availability towards public sector bodies.
- Data recipients: subject to restrictions on data use; in particular, they may not use data for product development or make it available to other third parties.
- Users: may not use data for product development or disclose it to third parties; they must also accept the data holder’s protective measures.
- Providers of data processing services: subject to obligations facilitating switching between providers.
- Participants in data spaces and providers of smart contracts: subject to interoperability requirements.
- Public sector bodies: subject to conditions when requesting and using data.
One company may assume multiple roles and thus be subject to multiple obligations.
Who is a data holder under the Data Act?
According to Article 2(13), a data holder means a natural or legal person that has the right or obligation, in accordance with this Regulation, applicable Union law or national legislation adopted in accordance with Union law, to use and make available data, including, where contractually agreed, product data or related service data which it has retrieved or generated during the provision of a related service.
The definition is vague and partly circular, creating open questions. Pending further clarification, in practice any person who (lawfully) exercises factual control over data generated or retrieved during the use of a product or service should be regarded as a data holder. This may be the product manufacturer or the service provider – but not necessarily.
What are the obligations of a data holder?
The main obligations include ensuring access to and sharing of data:
- Access for users: On request, the data holder must make “readily available” product and related service data, including metadata, available to the user.
- Sharing with third parties: In addition, upon the user’s request, the data holder must make the same data available to a designated third party (data recipient). Data sharing takes place on the basis of a contract subject to strict requirements, including rules on trade secrets and a margin for the third party. Refusal is only possible in exceptional cases. The data recipient itself is subject to obligations.
Who is a user under the Data Act?
According to Article 2(12), a user means a natural or legal person that owns a connected product or to whom temporary rights to use that connected product have been contractually transferred, or that receives related services.
The user bears the risks of the product and should therefore have access to, and benefit from, the data generated by that use, including necessary metadata. Owners, tenants and lessees are all users, even if several entities are users of the same product. In multi-party situations (e.g. fleet management by a lessor vs. mobility use by car-sharing customers), different contributions to data generation and different interests coexist. Practically, clear contractual role and purpose allocation, combined with technical role management and segmentation, is recommended to ensure authorised access while safeguarding data subjects’ rights.
What is a connected product or a related service?
The Data Act covers product data of connected products and related service data of related services.
- A connected product under Article 2(5) means an item that obtains, generates or collects data concerning its use or environment and that is able to communicate product data via an electronic communications service, physical connection or on-device access, and whose primary function is not the storing, processing or transmission of data on behalf of any party other than the user.
- A related service under Article 2(6) means a digital service, other than an electronic communications service, including software, which is connected with the product at the time of the purchase, rent or lease in such a way that its absence would prevent the connected product from performing one or more of its functions, or which is subsequently connected to the product by the manufacturer or a third party to add to, update or adapt the functions of the connected product.
All product and service data generated during use, including required metadata, are covered, regardless of whether they are personal or non-personal. Virtual assistants are included to the extent that they interact with the product/service. Pure content data are not covered. In practice this means telemetry, error logs, usage records, condition and environment signals and related parameterisations are in scope of access and sharing rules.
What about existing and new products?
The product-specific obligations of the Data Act are linked to the concept of “placing on the market.” Products and related services placed on the market after 12 September 2026 must be designed to ensure that relevant data are accessible to the user by default (including real-time, where technically feasible). The obligation attaches to the individual product; there is no “series” or stock exemption. Companies should therefore adapt development, data and interface design as well as contract and go-to-market processes in good time. For products/services already on the market, the remaining obligations of the Data Act apply equally. No exemption exists for products placed on the market before a given date.
How does the Data Act interact with trade secret protection?
Although the Data Act aims to ensure access to data, trade secrets are not left unprotected. Agreements on appropriate technical and organisational measures must be concluded before disclosure. Refusal to disclose is permissible only in exceptional cases, e.g. where there is a high probability of serious economic damage. Disclosure may also be withheld if no agreement is reached, if agreed measures are not implemented, or if trade secrets would otherwise be compromised.
How should trade secrets be protected in practice?
In practice, NDAs are the instrument of choice. Their effectiveness depends heavily on drafting quality. Additional monitoring processes are required, since even with confidentiality agreements, breaches are difficult to control – especially with a large number of users.
How does the Data Act interact with the GDPR?
The Data Act applies without prejudice to the GDPR and does not establish a legal basis for processing personal data. Any processing still requires a legal basis under Article 6 GDPR. If the user is also the data subject (e.g. a private customer), a request to make data available may, in some cases, constitute implied consent – but only if GDPR requirements (informed, freely given, specific, revocable, documented) are met. If the user is not the data subject (e.g. fleet operator, lessor), they act as a controller and need their own legal basis (typically legitimate interest or performance of a contract) and must comply with the GDPR.
For mixed datasets, the presence of a single personal datum suffices for the entire dataset to fall under the GDPR (Recital 34). In practice, this requires early separation of personal and non-personal streams, technical filtering, pseudonymisation/anonymisation (with re-identification risk assessment), and sharing only what is strictly necessary. ePrivacy rules on device access remain applicable.
How should data sharing agreements be drafted under the Data Act?
In contractual practice, the Data Act both grants leeway (no purpose limitation or bundling prohibition under the regulation itself) and imposes restrictions (GDPR rules on purpose limitation, transparency and legal basis remain applicable).
A “dual-layer” approach is recommended: a data sharing agreement (covering access, format, service and trade secret protection) plus a GDPR annex (purposes, legal basis, recipients, storage periods, TOMs, data subject rights).
Organisationally, manufacturers and providers should align user access processes (Articles 3–5 DA) with GDPR processes. For mixed datasets, the presence of one personal datum is enough for the whole dataset to fall under the GDPR. In practice: separate streams as early as possible, apply filtering, pseudonymisation/anonymisation with re-identification checks, and share only what is necessary.
What obligations apply to third parties receiving data at the user’s request?
Third parties may only process the data for the purposes agreed with the user; disclosure to further third parties requires the user’s explicit consent. Data must be deleted when no longer necessary. Profiling is prohibited, unless strictly necessary for the provision of the service. Use for developing a competing connected product is forbidden. Dark patterns in user interfaces that manipulate decisions on data disclosure are not permitted.
When may public sector bodies request data?
Public sector bodies may only access business data in strictly limited cases, namely in case of exceptional need, e.g. in public emergencies or clearly defined tasks in the public interest, provided the data cannot otherwise be obtained in time. Requests must be specific, transparent, purpose-bound and proportionate, and must explain why equivalent data cannot otherwise be obtained.
Who enforces the Data Act and what remedies/sanctions apply?
Member States must designate competent authorities and a single data coordinator. These cooperate cross-border. Data subjects have the right to lodge complaints and access effective judicial remedies. Sanctions must be effective, proportionate and dissuasive. Interim measures are possible. The European Data Innovation Board (EDIB) supports coordination, convergence of sanctions and standardisation. The Commission may issue model contractual clauses. Companies should implement internal processes for complaints, authority requests, litigation holds, audit trails and compliance training.
What should companies do now?
Given the variety and complexity of requirements, companies should first assess whether they fall within the scope of the Data Act and clarify their role in the data value chain. If applicable, they should inventory the data generated, collected or received in the course of use. A gap analysis should then identify which requirements are already met and which still need implementation. Particular attention should be paid to extensive contract review in order to safeguard corporate interests in commercial practice.