Why are there new data access rules?
In recent years the importance of data-driven technologies has increased considerably across all economic sectors. This has led to a further increase in the scope and potential value of data for consumers, enterprises and society. There are, however, numerous barriers with respect to using and sharing data that hinder an optimum distribution of data for the benefit of all players.
The new rules in the Data Act aim to enable reliable and safe access to data (in particular data from devices connected to the internet – Internet-of-Things (IoT) devices) and a wider use of data across all economic sectors of the European Union. The Data Act therefore puts particular focus on the opportunities to use data. To achieve these objectives, the Data Act creates a harmonised European framework with rules on who is entitled to use and share product data and related service data, and under which conditions.
The Data Act aims to ensure that users of connected products and related services can readily access the data generated by their use of the products and services. In the past, it was mostly only manufacturers or providers who could access the data. The Data Act breaks up this way of thinking. Data holders are now required to make data available to users and to share data with third parties at a user’s request. Data must be made available under fair, reasonable and non-discriminatory terms and conditions and in a transparent manner.
This ultimately aims to foster an internal data market with a free flow of data, in turn strengthening the economy and promoting innovation. The new products and services created are intended to benefit both enterprises and consumers.
What are connected products and related services?
Connected products are objects that can record data about their use, performance or environment (in particular through sensors) and transmit the product data via a cable-based or wireless connection (for example via an internet connection such as WLAN or 5G or another type of access such as a USB port or an NFC interface). The products covered by this definition are mostly products that are commonly referred to as Internet-of-Things (IoT) devices and that exchange data via the internet.
- Connected products can be found in all areas of the economy and society and include infrastructure, vehicles, ships, aircraft, lifestyle equipment, home equipment and consumer goods, medical and health devices, and agricultural and industrial machinery.
A related service is a service that is linked to a connected product and affects the functionality of the product, for example by transmitting data or commands. There is therefore a bidirectional exchange of data between the connected product and the related service. Services that can only retrieve data are not considered to be related services.
Examples of connected products
Connected products can be found in various product categories, including smart household appliances (such as fridges, fire alarms, door locks), smart electronic equipment (such as televisions and smartwatches), connected vehicles (such as cars and aircraft), virtual assistants (that interact with connected products or related services), medical devices (including monitoring and diagnostics), connected industrial machinery (such as robots, wind turbines, pumps and agricultural machinery). Connected products do not include products whose main function is to store, process or transmit data (such as servers and routers) or prototypes.
Examples of related services
These include services that influence a connected product in a certain way, such as an app to adjust the brightness of lights or regulate the temperature of a smart fridge or an app for smartwatches that records and analyses sports activities.
When do the new rules on data access and data use become applicable?
The Data Act became applicable on 12 September 2025; since then users of connected products and related services have been able to assert their data access and sharing rights under the Act.
When does a connected product fall within the geographical scope of the Data Act?
All products and related services that have been placed on the market in the European Union must comply with the rules of the Data Act. The “marketplace principle” applies.
“Placing on the market” means the first making available of a connected product on the Union market. Making available means the permanent or temporary transfer or granting of property and usage rights, in particular through sales, rental or leasing contracts. If, for example, a manufacturer sells or rents out a connected product to a user in the European Union for the first time after the manufacturing stage, the product is considered as having been placed on the market in the European Union.
- A connected product can be placed on the market only once.
- The concept of placing on the market refers to each individual product, not to a type of product.
- In the case of connected products that have been placed on the market in the European Union but are used in third countries, both the data generated in Europe and the data generated outside Europe must be made available. However, only users established in the European Union may request provision of the data. In the case of an aircraft belonging to a European airline, for instance, the data generated by the aircraft in third countries outside the EU must also be made available.
- The rules do not cover products that have been bought in a third country and imported into the European Union or products that have been produced in the European Union for export and placed on the market outside the European Union. A smartwatch bought in the US and brought to the European Union afterwards, for example, is therefore considered as having been placed on the market in the US.
Which rules apply when a connected product is resold?
The Data Act does not distinguish between first-hand and second-hand connected products. Users have a right to access data, whether or not they are the first-time users. The same applies in this case: the connected product must have been placed on the market for the first time in the European Union and the user or the data recipient must be established in the European Union.
Who is covered by the rules?
The Data Act gives users a legal right to access data from connected products and related services. Data holders are required to provide information about the available product data and related service data and make the data available. Users can ask to access the data themselves or can ask data holders to share the data with a third party of their choice.
The Data Act therefore gives users the central role with respect to data use and data-driven value creation. A data holder may now only use the data on the basis of a contract with the user and may only make data available to other data recipients on the basis of such a contract.
The Data Act covers all private and business actors, in other words both consumers and enterprises, that use or offer connected products or related services, including:
- Users (private, business and public): A user is a natural or legal person that has a (temporary) right to use a connected product (in particular as a result of purchase, rent or lease) or that uses a related service. The rights under the Data Act only apply to users established in the European Union.
- Data holders (typically manufacturers): A data holder is a natural or legal person with product data or related service data at their disposal. It is not a question of who has manufactured individual (software or hardware) components but rather who has the right or obligation to use data or make data available. Users must be informed in advance (for example before they buy a product) who the data holder is, in other words who is required to provide the data.
- Data recipients/third parties: A data recipient, or third party, can generally be any natural or legal person other than the actual user of the connected device or related service. A data recipient can therefore be an enterprise commissioned by the user to develop new applications (for example aftermarket and ancillary services such as analysis, repair and maintenance services) on the basis of the data provided. A data recipient can generally also be a competitor of the data holder. However, third parties are not allowed to use the data provided to develop products that compete with the connected product. One general exception is made for enterprises designated as gatekeepers under the Digital Markets Act (DMA): these enterprises may not obtain any data on the basis of the Data Act on account of their dominant market positions.
Exemptions for small and medium-sized enterprises
The obligation to make data available does not apply to data generated by the use of connected products that have been manufactured or designed or related services that are provided by a microenterprise or a small enterprise.
The criteria for classifying enterprises are based on Commission Recommendation 2003/361/EC:
Category
| Employees
| Annual turnover/balance sheet total
|
|---|
Microenterprise
| up to 9 | and up to €2mn/€2mn |
|---|
Small enterprise
| up to 49 | and up to €10mn/€10mn |
|---|
Medium-sized enterprise
| up to 249 | and up to €50mn/€43mn |
|---|
Large enterprise
| more than 249 | or more than €50mn/€43mn |
|---|
However, the exemption does not apply if:
- the microenterprise or small enterprise has a partner enterprise or is part of a group enterprise that does not qualify as a microenterprise or small enterprise; or
- the microenterprise or small enterprise was subcontracted to manufacture or design the connected product or to provide the related service.
Microenterprises or small enterprises becoming medium-sized enterprises have a transitional period of one year before the obligations for making data available apply to them.
The obligations for medium-sized enterprises to make data available do not apply until one year after a connected product was placed on the market. There is no such transitional period for data generated by related services
When do I have to conclude a contract?
The Data Act contains various rules about contracts between different actors:
- Data holders and users: A data holder must conclude a contract (such as a sales, rental or related service contract) with the user that specifies the rights relating to accessing, using and sharing the data generated by the connected product or related service.
- Users and third parties: Third parties may only process the data provided for the purposes and under the conditions agreed with the users and in line with personal data protection rules. Third parties must delete the data as soon as the data are no longer needed for the agreed purpose.
- Data holders and third parties: If business relationships between enterprises require a data holder to make data available to a data recipient, then the data holder must agree with the data recipient on how the data should be provided. Data holders can request compensation from third parties for making data available.
The European Commission recommends using its non-binding model contractual terms for data access and data use.
The Federal Ministry of Agriculture, Food and Regional Identity recommends the use of the non-binding model conditions for contracts relating to agricultural data of smart agricultural machinery for the agricultural sector.
Are non-EU providers also required to make data available?
Yes. The Data Act applies to all manufacturers of connected products placed on the market in the European Union and to providers of related services, irrespective of where they are established, in other words to non-EU providers as well.
Providers are within the competence of the Member State in which they are established. If a provider is established in more than one Member State, the provider is within the competence of the Member State in which the provider has its main establishment. If a provider is not established in the European Union, the provider must designate a representative in one of the Member States.
Which rules apply if there are multiple users for a single product?
In cases where multiple users have a right to use the same connected product, multiple use is possible (referred to as a multiple-user scenario). Data holders should therefore have data management mechanisms in place (such as access restrictions to ensure that users can only access the data that they are actually entitled to access).
Which undertakings are gatekeepers within the meaning of the Digital Markets Act?
The Digital Markets Act (DMA) ensures fairness on online platforms and scope for contestability of the markets. The DMA lays down various objective criteria for classifying large online platforms as “gatekeepers”, which must comply with certain obligations. Gatekeepers are large digital platforms offering digital services known as “core platform services” such as search engines, app stores and social networks.
Gatekeepers:
- have a strong economic position with a significant impact on the internal market and are active in multiple EU countries;
- have a strong intermediation position, meaning that they link up a large user base to a large number of businesses; and
- have an entrenched and durable position in the market.
On 6 September 2023 the European Commission designated for the first time six gatekeepers: Alphabet, Amazon, Apple, ByteDance, Meta and Microsoft.
Further information about the DMA, the designated gatekeepers and the services covered is available here.
Which information and data have to be made available to users under the Data Act?
Pre-contractual information:
Anyone selling, renting out or leasing connected products or providing related services must provide pre-contractual information relating to the connected product or related service with details of the scope of and possible options for data access, such as the type, format and estimated volume of product data (“transparency obligation”).
Format and nature of data:
Product data and related service data, including the relevant metadata, must be made available for users with the same quality as is available to the data holder, easily, securely, free of charge, in a comprehensive, structured, commonly used and machine-readable format, and, where relevant and technically feasible, continuously and in real time. This also generally applies when a user requests data to be made available to a third party.
Type of access:
Data holders are required to make product data and related service data accessible to users (or third parties) either directly (“access by design”) or indirectly:
- Direct access: If direct data access is enabled, connected products must be designed so that the data can be directly retrieved from the data storage medium on a device (via an interface such as cable or Bluetooth) or via a server (such as a digital interface). A user can then directly retrieve the data for the product without the need for any further or additional action by the data holder. The product design obligation applies to connected products and related services placed on the market after 12 September 2026, provided that direct access is relevant and technically feasible.
- Indirect access: If users cannot retrieve the data directly from the product (for technical reasons, etc), the data holder must enable indirect access. In this case, the user has to ask the data holder for access to the data (for example via an appropriate web portal). The data holder must also make the relevant data available to third parties at the user’s request.
Data categories:
- Product data: Data obtained, generated or collected by a connected product relating to the product’s performance, use or environment, for example via integrated sensors. It must actually be possible for the data to be retrieved from the product.
- Related service data: Data of a related service representing actions and events relating to the use of a connected product.
- Readily available data: Product data and related service data that a data holder can obtain without disproportionate effort.
The obligation to make data available only applies to data generated/collected after the Data Act became applicable on 12 September 2025.
How important is the level of processing of data?
The Data Act covers raw data and (pre-)processed data, together with the relevant metadata necessary to understand the data. This includes, for example, data collected from a single sensor or a connected group of sensors such as temperature, pressure, flow rate, audio, pH value, liquid level, position, acceleration or speed.
It does not include highly enriched data enabling information resulting from additional investments to be inferred or derived, or content that is covered by intellectual property rights. There is no obligation to make such data available.
Do trade secrets have to be shared?
The Data Act safeguards trade secrets. Although the obligation under the Data Act to make data available covers trade secrets, it does not lead to the forfeiture of trade secret protection. The Data Act establishes a mechanism to protect trade secrets, known as the “trade secrets handbrake”. This mechanism frames the conditions under which a data holder can withhold, suspend or refuse to share trade secrets in exceptional circumstances. The Data Act does not modify the existing legal provisions protecting trade secrets; the Trade Secrets Directive, for example, continues to apply.
- Trade secrets must be identified as such before concluding a contract.
- Data holders have the right to require, prior to sharing data, that users and third parties preserve the confidentiality of their trade secrets by agreeing to and implementing the necessary technical and organisational measures (TOMs). Data holders can only refuse to share data in exceptional circumstances, for example if no agreement has been made or users/third parties do not implement the agreed measures.
- Data holders can also refuse to disclose or share trade secrets if they can demonstrate, on the basis of objective evidence, that the disclosure of trade secrets is highly likely to result in serious economic damage (meaning serious and irreparable economic loss).
Such decisions need to be made on a case-by-case basis. If a data holder decides to withhold, suspend or refuse to share data, the data holder must communicate the reasoning behind the decision to the user/third party and must notify the competent authority of the decision. The Bundesnetzagentur is to be the competent authority for data holders whose main establishment is in Germany, subject to a relevant decision by the legislature. Users and third parties will then have the right to lodge a complaint with the competent authority or a certified dispute settlement body.
Do safety-related and security-related data have to be shared?
The Data Act allows data holders to withhold safety-related and security-related data under certain circumstances. The “safety and security handbrake” allows users and data holders to agree to restrict or refuse to share data if there is a risk that the security requirements of a connected product could be undermined, resulting in a serious adverse effect on the health, safety or security of natural persons.
The relevant security requirements must be laid down in EU or national law. Sectoral authorities may provide users and data holders with technical expertise in order to determine whether restrictions are necessary or warranted. If a data holder intends to activate the safety and security handbrake, the data holder must notify the competent authority. The Bundesnetzagentur is to be the competent authority for data holders whose main establishment is in Germany, subject to a relevant decision by the legislature. Users and third parties will then have the right to lodge a complaint with the competent authority or a certified dispute settlement body.
Do personal data have to be shared?
The data access rights under the Data Act apply equally to non-personal and personal data. The relevant provisions of the General Data Protection Regulation (GDPR) are applicable to the processing of personal data. Requests to access data that include personal data must have a valid legal basis under Article 6 GDPR for processing personal data. A valid legal ground exists when the user requesting data and the data subject are identical. If the user requesting data is not the data subject, the Data Act does not provide a legal basis for granting access to personal data or making personal data available to third parties.
What are the rights and obligations relating to data access, sharing and use among enterprises?
The Data Act introduces binding rules for cases where one enterprise (“data holder”) is required under EU or national law to make data available to another enterprise (“data recipient”). These rules apply in particular in connection with data from connected products and related services.
All actors involved are subject to rights and obligations related to accessing, sharing and using data:
- Data holders required to make data available must agree with data recipients on fair, reasonable and non-discriminatory (FRAND) conditions and transparent arrangements for making data available.
- The use of unfair contractual terms is prohibited.
- Data holders required to share data may request “reasonable compensation” from data recipients.
What is “reasonable compensation”?
Data holders can request reasonable compensation for making data available to data recipients.
- Any compensation must be non-discriminatory and reasonable and may include a margin.
- When determining any compensation, the costs incurred in making the data available (including the costs for formatting, dissemination and storage) and any investments in the collection and production of data must be taken into account.
- However, microenterprises, SMEs and not-for-profit research organisations must not be charged more than the costs incurred in making the data available.
- Data holders must make the calculation of the compensation transparent to data recipients.
The European Commission plans to publish guidelines on calculating reasonable compensation.
What can I do if there are problems?
How can I lodge a complaint if I think my rights under the Data Act have been infringed?
First, you should contact the relevant actors to resolve the question or problem. If this is not successful, you can lodge a complaint with the Bundesnetzagentur (once the legislature has assigned responsibility for the application and implementation of the Data Act to the Bundesnetzagentur), contact a dispute settlement body or take civil action. The Bundesnetzagentur cannot certify any dispute settlement bodies until it has been assigned responsibility for the application and implementation of the Data Act.
