In earlier articles in our Data Act series, we outlined the core obligations for smart device manufacturers and highlighted the information duties for dealers, lessors, and leasing companies. We summarised what manufacturers and dealers must do to comply with the regulation – from ensuring that a product’s data profile is available to clearly explaining what data the device generates and how it can be used before an agreement is entered into. With the Data Act taking effect across the EU on 12 September 2025, we have prepared this summary article for those who have not yet had time to get ready for the new requirements. It provides an overview of the main changes: strengthening users’ rights to data from smart devices, setting rules for sharing data with third parties, and balancing trade secret protection with data openness.
In this final article in our Data Act series before the regulation takes effect, we provide a comprehensive overview of the fundamental obligations for manufacturers, sellers, and other players involved in the distribution of smart devices. We highlight pre-contractual information duties, key user data rights, rules on data access and sharing, and safeguards for manufacturers’ trade secrets. This article serves as a practical guide to understanding how to prepare for implementation and how to ensure that products and services comply with the new fair data access requirements.
What do customers need to know before buying or renting?
Starting 12 September 2025, sellers, lessors, leasing companies, and digital service providers of connected products must clearly inform customers of the following before an agreement is entered into:
- what data the device will generate during normal use,
- where and how this data will be stored,
- who will have access to it,
- what rights the user has to access it,
- under what conditions the data can be shared with third parties,
- whether the device enables easy access to “readily available data”.
This obligation applies to all data generated after 12 September 2025, even for products already on the market. Below is a simple checklist to help dealers, lessors, and leasing companies comply with the Data Act’s information duties:
- 🔍 Map which products in your portfolio fall under the scope of the Data Act.
- 📩 Obtain the required information from suppliers about the data generated by these products.
- 🌐 Create a clear landing page (or subpage) where customers can find basic information about the Data Act, an explanation of their rights, and links to details on the data generated by specific products.
- 📄 Update printed materials – especially contracts, terms and conditions, and product leaflets – to include the mandatory information.
- 🎓 Train employees to communicate this information to customers clearly and practically.
What obligations do manufacturers of connected devices have under the Data Act?
Manufacturers of electronic devices – such as smart products, cars, or other consumer goods that generate data – must ensure their products comply with the Data Act. In addition to the pre‑contractual information obligations placed on retailers, lessors, and leasing companies, manufacturers must:
- 🔍 Identify all products that qualify as connected products.
- 📊 Map the data these devices generate.
- 📂 Assess which data is readily available and which requires special access.
- 🔑 Define how users will access the data – either directly through the device interface or via customer portals or forms.
- 📄 Update technical and contractual documentation to reflect the new rules.
- 💡If you plan to use the data for your own purposes, obtain consent or a licence from users to do so.
The manufacturer, as the “primary” seller, is responsible for providing its partners with all the documentation necessary to meet these new information obligations at the pre-contractual stage, i.e. before the customer receives the product. In practice, this means preparing a data profile for each product and creating an interface, a customer portal, or at least a section in the product manual where the required information is clearly presented. Certain exceptions apply, particularly for products intended for export outside the European Union, which are not subject to the new obligations.
But the obligations do not stop at new products sold through selected distributors – they also extend to leasing companies, lessors, and sellers of pre-owned smart devices, provided the devices continue to generate data.
What rights does a device user have under the Data Act?
One of the key benefits of the Data Act is the significant strengthening of user rights. It gives individuals far greater control over the data their devices generate and empowers them to decide how that data is used. The regulation requires that, before purchasing the device, users must be informed in a clear and transparent way not only about where their data will be stored and who will have access to it, but also about the specific rights attached to that data.
Users’ rights primarily include the right to access all data generated by their device. This means they can check at any time what data is being collected about them or their device, as well as the scope and format in which it is stored. This right also covers the ability to retrieve the data and use it for their own purposes – for example, to verify device functions, track statistics, or optimise processes. In addition, the Data Act guarantees users the right to data portability, enabling them to migrate easily to other service providers or applications without losing access to their information.
Manufacturers and related service providers must ensure that users have easy and secure access to data through clear, user-friendly interfaces – for example, customer portals or directly via the device itself. This also requires transparency about how long the data is stored, whether it can be deleted or restricted, and compliance with both trade secret protection and data protection rules.
How should processes for sharing data with third parties be set up?
The Data Act lays down clear rules on sharing data with other entities. The data holder – typically the manufacturer or a related service provider – must enable the data user to share the generated data with a third party of their choice. This could be an independent service provider, a research institute, or even a competitor of the manufacturer. In principle, no one can be excluded in advance, provided the user requests it and sharing is technically feasible.
The Data Act allows for certain safeguards, particularly where data sharing could compromise trade secret protection. However, simply referring to a potential risk is not enough: trade secret protection applies only where disclosure would cause demonstrable serious economic harm. Otherwise, the data must be shared under reasonable conditions. Disclosure to third parties may be subject to contractual and technical limits, such as restrictions on the purpose of use, but cannot be prohibited without an objective reason. The Data Act also permits data holders to claim reasonable compensation for costs incurred in making the data available to a third party, provided that the terms of sharing are neither discriminatory nor unfair.
To comply with the Data Act, manufacturers and service providers should establish internal mechanisms and processes for secure and transparent data sharing:
- Internal disclosure rules: set clear policies on when and how data may be shared with third parties.
- Template contracts and technical safeguards: prepare model agreements and technical procedures to ensure data is shared only under fair conditions and with trade secret protection.
With the Data Act applying from 12 September 2025, it is essential for all affected entities to begin implementing the new obligations without delay. While the regulation is about to take effect, there is still time to make the necessary adjustments and preparations.
Whether it is reviewing pre-contractual documentation, updating internal procedures or seeking expert advice on the interpretation of the new rules, we recommend acting without delay. If you are a manufacturer of smart devices, sell new or used cars, or operate a brick-and-mortar store or e‑commerce electronics shop, we can help you prepare for the new legislation while minimising the risk of potential penalties or reputational impact.
