In the previous article, we focused on the EU Data Act, which introduces new rules for the use of data generated by smart devices and related digital services. The regulation sets new rules on who can access this data, under what conditions and what rights and obligations apply to each party involved. A key part of the obligations falls on the data holders – mainly device manufacturers and related service providers. They will have to adjust not only their contractual relationships but also the technical and operational set-up of their products. In today’s article, we will therefore look in more detail at the specific requirements the Data Act imposes on data holders.
Under the Data Act, it is essential to draw a line between the data holder and the user. This distinction determines who is responsible for disclosing data generated by smart products and related smart services, how the data are to be provided, and what rights and obligations each party has in handling the data.
Data holder is typically the manufacturer of a smart device or the provider of related services, who has actual control over the data generated by the use of the product or service. Another entity in the supply chain may also be a data holder if it has access to the data and makes decisions on their disclosure.
User is any individual or a legal entity (i.e. not only a consumer but also a company) who is the owner, renter, lessee, or another authorised user of the connected product or recipient of the related service. Under the Data Act, a user has the right to access all data generated by the use of a smart device or service.
What are the new obligations for manufacturers and service providers?
The Data Act applies to connected products, i.e. devices that obtain, generate or collect data concerning their performance, use or environment by means of their components, sensors or operating systems, and are able to transmit the data to other entities (typically via the internet, but also by exporting the data offline).
In addition to data obtained directly from connected products, the Data Act also applies to data obtained from related services. Related services are typically applications on mobile devices and computers that are linked to the connected product in such a way that their absence would prevent the connected product from performing its functions, or services provided to extend the product functionality. For a digital service to be considered a related service, two basic conditions must be met: (i) there must be a two-way data exchange between the connected product and the service provider, and (ii) the service must affect the functionality, behaviour or operation of the connected product. Simply put, related services are not standard system applications, but only those that actually enable or affect the functions of the product itself.
The data that are subject to the Data Act include both data generated directly by the use of the product (e.g. sensor data, operational logs) and data generated by related services (e.g. cloud platforms, mobile applications). On the other hand, the Data Act does not apply to static data (e.g. device serial number, model, etc.) or copyrighted content accessed by the user (e.g. music, videos) if the user only plays it through the device, or to data that are only stored on the device on behalf of third parties (e.g. third-party cloud servers).
Below you will find a practical list of steps that data holders should take to prepare for the entry into force of the Data Act.
- If you as a company manufacture smart devices or provide services related to them, it is essential to thoroughly identify all the data your devices generate and distinguish the data that are “readily available” before the Data Act comes into force.
- Provide the user with free access to readily available data, i.e. data that are already available to the data holders themselves. The data must be provided in a commonly used and machine-readable format.
- Transparently inform users before entering into a contract with a data user about what data the product will generate, in what format and how it can be accessed. In this respect, data holders must ensure that customers throughout the supply chain receive all mandatory information before entering into a contract (e.g. via ...).
- Allow users to make their data available, upon request, to third parties of their choice, such as repairers, insurance companies or analytics companies through transfer by the data holder.
- Comply with data protection rules – if the data contain personal information, the disclosure must comply with GDPR and other regulations.
The above obligations apply to all devices that will generate data after 12 September 2025, including those placed on the market before that date.
Devices placed on the market after 12 September 2026
For connected devices placed on the market after 12 September 2026, data holders will now have to disclose not only readily available data to users but all data generated by the device itself. In practice, this means that both products and related services must be designed and provided in such a way that the data – including the necessary metadata for their correct interpretation – are available to the user by default, easily, securely, free of charge, in a comprehensive, structured, commonly used and machine-readable format. Where relevant and technically feasible, the data have to be directly accessible to the user without the need for further intermediation.
Manufacturers will already have to think about how they will make data available to users and how they will fulfil their information obligations when designing a product .
For devices placed on the market before this date, a certain “transitional period” of the Data Act and therefore a less strict regime applies.
Exceptions and limitations
The Data Act does not apply to prototypes and certain types of services that are not closely related to the functionality of the product (e.g. consulting or analytics services that do not affect the operation of the device).
Specific rules apply to SMEs and to situations where the data holder is a public sector body.
In the next in a series of articles focusing on the Data Act, we will also look at specific user rights, obligations when sharing data with third parties, trade secret protection issues and related legal risks.
With only a few months to go before the Data Act becomes directly applicable, it is high time to start preparing for the new obligations. The Data Act will affect most smart device sales – from e‑commerce to retail, and in the IoT, automotive, and pharmaceutical sectors, among others. If you are affected by the new obligations, we will be happy to help you with their implementation.
