The Data Act Compliance Checklist: Is Your Business Ready?

Most of the Data Act’s provisions will take effect on 12 September 2025. The Data Act aims to enhance the EU’s data economy and to foster a competitive data market by establishing rules for accessing and using data, data sharing in different relationships, switching between data processing services and interoperability. The intent of the EU legislative bodies has been to ensure the use of fair, reasonable and non-discriminatory (FRAND) terms and conditions and to guarantee the protection of fundamental rights in the data economy. Now is the time to start preparing for the new obligations.  

Start the preparations with our Checklist for Data Act Compliance:

☑ Determine that you are in scope

The Data Act gives multiple definitions for different types of data that may be connected to IoT products, related services and data processing services such as cloud and edge services. It also provides for the protection of trade secrets, intellectual property rights and personal data. 

Before the obligations for data sharing and switching between data processing services begin, we recommend assessing what type of data is being obtained, generated, collected and stored, and whether the data will need special protection or contracting to fulfill the obligations of the Act. The assessment is also needed for the transparency obligations of the provider before concluding contracts for connected devices or related services. 

☑ Update your pre-contract materials

Before concluding a contract for the purchase, rent or lease of a connected product, the seller, rentor or lessor, (which may also be the manufacturer), must give the user certain information regarding the data to be generated, the storage and retention of the data and the ability to access, retrieve or erase it. Providers of related services must also give information regarding the ability to make requests for data sharing to third parties, identities and contact information of the parties that have access to the data, the provider’s and third party intents to use the data and the purposes for the use, the duration of the contract and the arrangements for terminating the contract as well as the right to lodge a complaint to the competent authority for infringements of the Data Act’s rules.

The information needs to be given in a clear and comprehensible manner. The information obligations may require updates to product and service descriptions and brochures or other materials that customers are given before concluding contracts. 

☑ Review your B2B contracts for unilaterally imposed unfair contractual terms

The Data Act prohibits the use of certain unilaterally imposed contractual terms between enterprises, that have been defined as unfair under the Act’s provision. Such contractual terms concerning access to and the use of data or liability and remedies for the breach of termination of data related obligations are not binding and will be severed from the remaining terms of the contract when possible. Existing B2B contracts and contract templates may require updates to comply with the prohibition. 

The prohibition will apply to contracts concluded after 12 September 2025. However, from 12 September 2027, it will also apply to contracts concluded before that date, if the contract has indefinite duration or is due to expire after 11 January 2034.

☑ Create processes for data sharing

The Data Act gives obligations for data sharing in business-to-consumer, business-to-business and business-to-government situations, along with the rules on switching between data processing services. Companies need to create processes and measures to perform the technical procedures of data sharing in time for September. The Data Act gives closer rules on how this is to be executed depending on the recipient and service type, and harmonised standards or common specifications for interoperability will also be given later.  

☑ Take measures to enable customers to switch to another data processing service

Providers of data processing services must take measures to enable customers to switch to another data processing service or to an on-premises ICT infrastructure, or to use several providers of data processing services at the same time. This will require the removal of pre-commercial, commercial, technical, contractual and organisational obstacles. The Data Act gives closer rules on the minimum requirements for the contents of the contracts, technical aspects of switching, functional equivalence and continuity of services, informing obligations and gradual withdrawal of switching charges.

☑ Draft new contractual terms that comply with the Data Act 

Many of the Data Act’s obligations require changes to existing contracts or create a need for completely new ones, imposing some limitations to the freedom of contract. For example, changes may need to be done to B2B contracts and contract templates on data access and use, existing data processing contracts for personal data and the contracts for different IoT products and services or cloud services. Further contractual needs include the contracts for switching between data processing services and contracts for recipients of the shared data. 

For more information on how the Data Act will affect contracts, take a look at our earlier article on Concluding contracts in the era of the Data Act.  

Why is it important to comply with the Data Act? 

Non-compliance with the Data Act can result in penalties enforced by authorities. They can include non-monetary penalties such as reprimands, warnings, orders and prohibitions, as well as administrative fines that are based on the infringing party’s annual turnover in the preceding financial year. In Finland, the government’s proposal sets the amount at up to 4% of the annual EU-wide turnover from the preceding financial year, which is the same amount as for infringements of the GDPR. The Data Act will change how data moves between companies and consumers and create a stronger market for the use of data. Our team at Bird & Bird is ready to help you prepare for the obligations and the possibilities the Act provides.