Author
Dr. Benedikt Vogel, LL.M. (London)
Lawyer, Counsel
12.03.2025
Data Act 2025: Rights & obligations for affected businesses
The Data Act, which came into force on 11 January 2024 and will be fully applicable from 12 September 2025, aims to address these challenges by providing clear guidance on the access and use of data. For businesses and consumers, this means new obligations and rights that will have a significant impact on practice.
Content
- The vision of the Data Act: Promoting free access to data and innovation
- When will the Data Act come into force?
- Who will be affected by the Data Act? An overview
- Rights and obligations for businesses under the Data Act
- Data Act and GDPR: Data protection too
- Seizing the opportunities of the Data Act: Strategies for the future
The vision of the Data Act: Promoting free access to data and innovation
The Data Act takes the form of an EU Regulation. Unlike European Directives, European Regulations have direct effect in EU Member States without the need for national transposition.
The Regulation harmonises rules on fair access to and use of data. It is therefore intended to be the 'second pillar' of the European Data Strategy, which aims to better exploit the economic potential of the growing volume of data and to promote a competitive data market through new rules. The 'first pillar' is the Data Governance Act, which will come into force in September 2023. While the Data Governance Act regulates processes and structures that enable the voluntary exchange of data, the Data Act clarifies who can create value from data and under what conditions.
The main thrust of the Data Act is to allow users of connected devices, machines or other products to decide how the data they have helped to create should be handled.
When will the Data Act come into force?
The Data Act will be published in the Official Journal of the EU on 22 December 2023 and will enter into force on 11 January 2024. After a basic transition period of 20 months, the Data Act will be directly applicable from 12 September 2025.
Who will be affected by the Data Act? An overview
An overview of the substantive scope
The Data Act concerns data generated during the use of connected products or connected services, in particular non-personal data, which means that its scope goes beyond that of the GDPR.
Art. 2 of the Data Act contains a series of definitions of terms that define the elements of the material scope of application, and thus also delimit it in more detail. The regulation covers IoT or IIoT devices, i.e. products that can receive, generate or collect data about the environment through their connected functions. However, it does not cover tablets, smartphones, cameras, webcams or text scanners, for example. This is because they require human input to generate data, whereas the first-mentioned devices can do this fully automatically.
Addressees of the Data Act
The Data Act is aimed in particular at manufacturers of networked products and providers of networked services and their users, as well as data owners and public authorities. The location of the company is irrelevant: the marketplace principle applies.
Users of a product include both legal entities and natural persons, such as businesses or consumers, provided they have bought, rented or leased the product. However, there is a privileged status for micro or small enterprises (SMEs), which means that, in particular, the obligations of Chapter II (transfer of data from businesses to consumers and between businesses) do not apply to them.
Rights and obligations for businesses under the Data Act
For the B2C and B2B sectors, Chapter II of the Data Act contains important provisions on the transfer of data from businesses to consumers and between businesses.
Art. 3 Data Act: Access by design & pre-contractual information obligation
One of the central obligations of the Data Act is the obligation to make data generated during the use of networked products or connected services accessible, which is set out in Art. 3 Data Act. In particular, Art. 3 para. 1 DSG takes up the idea of access by design.
Directly following this, Art. 3 para. 2 Data Act contains another important provision: the pre-contractual duty to provide information prior to the conclusion of a purchase, rental or leasing contract for an IoT product. The transparent presentation of relevant information is intended to contribute to fairness for the user. For example, information such as the type, format and estimated volume of product data, as well as whether the connected product is capable of generating data continuously and in real time, must be provided to the user in an understandable and clear manner.
Art. 4 Data Act: Right to access and use data
Art. 4 Data Act is another important standard. It regulates the right of users and data owners to access and use product data and related service data. This right aims to provide users with transparent access rights without losing sight of fair competition, which also takes into account regulations on trade secrets or product development.
It should also be noted that data owners may only process or use readily available data that is not personal data on the basis of a contractual agreement with the user in accordance with Art. 4 par. 13 of the Data Act. Readily available data within the meaning of the Regulation are product data and data relating to connected services that a data controller obtains or can obtain without disproportionate effort from the connected product or service. The Regulation therefore requires the conclusion of data licensing agreements where necessary.
Art. 5 Data Act: Data traffic
Art. 5 of the Data Act also deals with data traffic and regulates the disclosure of data to third parties, which must take place at the user's request.
Art. 13 Data Act: Unfair terms
The Act also provides for a prohibition of unfair terms. Art. 13 of the Data Act regulates the treatment of unfair contractual terms relating to data access and use that are unilaterally imposed on a company. In this respect, it is a competition and antitrust component of the Data Act. The agreed contractual clauses are intended to promote fairness in the data economy and in the market.
Interoperability (Chapter VIII)
Another important provision for achieving the objectives of the Data Act is the provision on interoperability (Chapter VIII). In simple terms, interoperability under this regulation is the ability of different systems, networked products or applications to exchange and use data to fulfil their function. The Data Act requires services to be compatible with open standards and interfaces in order to increase interoperability between services. This should make it easier to move between cloud and edge services.
The right of customers to switch between different data processing services free of charge and to transfer all their exportable data to a new service should also be seen in this context. Chapter VI of the Data Act, which regulates switching between data processing services, stipulates, inter alia, that there must be no obstacles to switching providers. Data processing services must assist their customers in switching, inter alia, by means of tailor-made contractual clauses and information obligations. After a switch, the contract with the previous provider is deemed to have been terminated - the rules can therefore lead to extraordinary termination rights.
The obligations arising from the Data Act can be enforced by customers contractually, and by member states through sanctions. Breaches can result in fines, based on methods already known from the GDPR. These can amount to up to €20 million or 4 per cent of annual global turnover.
Data Act and GDPR: Data protection too
In addition to the Data Act, the GDPR remains fully applicable. Therefore, if personal data is collected that also falls within the scope of the Data Act, both regulations must be complied with. In particular, the processing of personal data requires a legal basis. The Data Act makes it clear that the processing of personal data must be carried out in accordance with the provisions of the GDPR, but does not itself constitute a legal basis for data processing. In practice, therefore, consent will still be required under the GDPR in most cases. In this respect, the GDPR must always be taken into account when interpreting and applying the Data Act.
In addition, the requirements of the AI Act, which is expected to come into force in the middle of this year, must also be taken into account when interacting with IoT data.
Seizing the opportunities of the Data Act: Strategies for the future
The Data Act is a milestone in European data policy and has the potential to significantly expand the use of data in the EU's single market. With its new obligations, it addresses a wide range of stakeholders, from manufacturers of connected products to public authorities. While the GDPR opens up a wide range of opportunities, it also brings with it complex requirements that affect businesses and consumers alike.
With extensive information requirements, the need to adapt contracts and specific rules for non-personal data, it is essential to familiarise yourself with the provisions at an early stage. With our expertise in the Data Act, we can help you implement the new rules and ensure that you make effective use of the transition period until 2025. Contact us to find out how we can help you capitalise on the opportunities presented by the Data Act while ensuring compliance.
Content
- The vision of the Data Act: Promoting free access to data and innovation
- When will the Data Act come into force?
- Who will be affected by the Data Act? An overview
- Rights and obligations for businesses under the Data Act
- Data Act and GDPR: Data protection too
- Seizing the opportunities of the Data Act: Strategies for the future
Our Experts
More news
19.03.2025
DORA Regulation: Deadline, scope & requirements
12.03.2025
Data Act 2025: Rights & obligations for affected businesses
13.02.2025