EU Data Act

The most important requi­re­ments to be met by manu­fac­tu­r­ers, data hol­ders and data contracts

With the recent­ly adopted Data Act, the EU is con­ti­nuing to imple­ment its data and digi­tal stra­tegy and, in addi­ti­on to data access rights for users of IoT pro­ducts, is intro­du­cing requi­re­ments for data con­tracts, the swit­ching of cloud ser­vices as well as inter­ope­ra­bi­li­ty requi­re­ments. All non-personal data affec­ted in con­nec­tion with the use of an IoT pro­duct are covered.

Data hol­ders: Grant of data access

The regu­la­to­ry focus of the Data Act is user access to the pro­duct data of an IoT pro­duct. Pro­duct data include both data that are gene­ra­ted deli­bera­te­ly – for exam­p­le, through user input – and data that are gene­ra­ted indi­rect­ly through user actions or even during user inac­ti­vi­ty. The data must be made available to a third par­ty at the user’s request. The hand­ling of per­so­nal data poses a par­ti­cu­lar chall­enge: The seam­less tran­si­ti­on bet­ween the Data Act and the GDPR is likely to lead to con­sidera­ble legal uncer­tain­ty in prac­ti­ce with regard to the distinc­tion bet­ween per­so­nal and non-personal data, which is not always clear, and the dif­fe­rent requi­re­ments under the two legal acts.


Check the tech­ni­cal opti­ons for the grant of data access and the sepa­ra­ti­on of pro­ces­sed per­so­nal and non-personal data in accordance with data pro­tec­tion law.

Manu­fac­tu­r­ers: Acces­si­bi­li­ty by design

The requi­re­ments of the Data Act begin with the manu­fac­tu­re of IoT pro­ducts: Pro­ducts must be desi­gned and manu­fac­tu­red in such a way that pro­duct data can be made available, by default, easi­ly, secu­re­ly, free of char­ge and in a com­pre­hen­si­ve, struc­tu­red, com­mon­ly used and machine-readable for­mat. Non-compliance with the­se requi­re­ments can lead to more than just regu­la­to­ry mea­su­res: In the fore­seeable future, ope­ra­tors and data hol­ders will only purcha­se pro­ducts that enable them to imple­ment their own obli­ga­ti­ons under the Data Act. If the pro­duct manu­fac­tu­rer is also the data hol­der, the­se requi­re­ments must also be taken into account.


Check and, if neces­sa­ry, intro­du­ce a tech­ni­cal opti­on for pro­vi­ding pro­duct data in a struc­tu­red, com­mon­ly used and machine-readable format.

Data con­tracts and GTC: Fair terms

The Data Act also sti­pu­la­tes con­trac­tu­al requi­re­ments for the use and trans­fer of data in the B2B sec­tor: For exam­p­le, the trans­fer of data must gene­ral­ly take place on FRAND terms, i.e. on fair, reasonable and non-discriminatory terms. In addi­ti­on, no unfair con­trac­tu­al terms may be used. A con­trac­tu­al term is unfair if it is of such a natu­re that its use gross­ly devia­tes from good com­mer­cial prac­ti­ce in data access and use. This includes, for exam­p­le, terms that grant the par­ty that uni­la­te­ral­ly impo­sed the term the exclu­si­ve right to deter­mi­ne whe­ther the data sup­pli­ed are in con­for­mi­ty with the contract.


Draf­ting, revie­w­ing, adjus­ting or amen­ding con­tracts and gene­ral terms and con­di­ti­ons for the pro­vi­si­on and use of data in accordance with the requi­re­ments of the Data Act.


The Data Act is ano­ther cor­ner­stone in the new Euro­pean digi­tal law and, along­side the GDPR, brings num­e­rous requi­re­ments to be met by manu­fac­tu­r­ers, ope­ra­tors and data con­tracts in rela­ti­on to non-personal pro­duct data. Even though most of the requi­re­ments will not take effect until the end of 2025/2026, initi­al pre­cau­ti­ons must alre­a­dy be taken now with regard to pro­duct deve­lo­p­ment cycles.


Stay up-to-date

We use your email address exclusively for sending our newsletter. You have the right to revoke your consent at any time with effect for the future. For further information, please refer to our privacy policy.