The Data Act is now being applied – What Organisations Need to Know and Do

Written By

Riku Rauhanen

Senior Associate
Finland

I am a Senior Associate in our Commercial and Privacy & Data Protection groups in Helsinki, where I work with our local and international clients advising them on data protection, other data regulation, and commercial contracts.

The Data Act became applicable on 12 September 2025, introducing groundbreaking rules on data access, sharing and transfer. The Data Act’s aim is to address the challenges and unleash the opportunities presented by data in the European Union, emphasising fair access and user rights, while ensuring the protection of personal data.

With the Data Act being applicable, many organisations may find themselves unprepared. If your business falls into this category, do not panic – now is the time to begin the work. 

Below are some key points that organisations should know about the Data Act: 

Where to start? 

It is important to understand where your organisation stands in regard to the Data Act. Organisations need to identify the products and services they manufacture, offer or use. The Data Act applies to multiple types of data that may be connected to products, related services and data processing services such as cloud and edge services. It is important to determine the different types of data that are being obtained, generated, collected and stored by these products and services. Different obligations for organisations arise based on their connection to this data. Therefore, it is crucial to determine what roles your organisation plays in the data ecosystem.

It is very likely that the Data Act is relevant to your organisation as it applies to all industries and all levels of the economy and is relevant for anyone who holds, licenses, voluntarily makes available or is obliged to make available data to third parties. Similarly to the GDPR, the Data Act applies extraterritorially, to organisations outside the EU, if they offer products or services in the EU. 

Understand your role 

The Data Act assigns certain roles to organisations. These are mainly the data holder, the user of a product or service, and the data recipient. The manufacturer of a connected product, the provider of a related service and the provider of a data processing service also have obligations under the Data Act, even though these entities aren’t specifically defined in the Act.

Organisations' obligations are mainly determined based on their connection to the data produced and also on whether they manufacture or provide services. It is possible that an organisation that manufactures a connected product is not a data holder within the meaning of the Data Act, if it does not handle the data produced by the use of the product. However, it still has the obligation to manufacture products or design services in a way that allows users to have direct access to their data.

It is also important to note that organisations can simultaneously have different roles subject to the Data Act. For example, it is possible that an organisation uses another organisation’s product as a user under the Data Act but processes data generated from the use of its own manufactured products as a data holder.  

What are my obligations? 

Regarding organisations offering connected products and related services, the key obligations fall to the data holder, the manufacturer of a product or the provider of a related service and the provider of a data processing service. 

The main obligations include, for example, the following: 

  • the obligation to design and manufacture products and related services in a way that allows access to the generated data; 
  • transparent communication about what data is collected and in what form; 
  • the obligation to make data available to users and third parties designated by them as well as the obligation to make data available to public authorities in crisis situations; 
  • a prohibition of certain contractual terms. 

These obligations are discussed in more detail below: 

Design and manufacture of products and services 

Primarily the manufacturer of a product or provider of a service has to manufacture the product or design the service in such a way that the user of the product can directly access the data generated by their use of the product. The obligation for these changes to product design and manufacture will apply to products and services brought to market after 12 September 2026. 

However, this obligation leaves some flexibility to a manufacturer to decide whether or not to design for direct access, as not all products or data are designed in such a way that the data can be made directly accessible to users. In these cases, the data must be provided to the user when they request it.

Revise pre-contractual materials 

Prior to finalizing agreements for purchasing, renting, or leasing connected products, the sellers, rentors, lessors or prospective providers are required to provide users with information on the data that their connected product or related service generates. This information can include specific details about data generation, storage practices, retention periods, and options for accessing, retrieving, or deleting information. Service providers must also disclose capabilities for requesting third-party data sharing, identification and contact details of data-accessing parties, intended data usage by providers and third parties, contract duration, termination procedures, and complaint rights regarding Data Act violations to relevant authorities. 

The Data Act requires that this information be presented clearly and understandably, which may necessitate modifications to product descriptions, service materials or other possible customer-facing documents that are provided before contract execution.

Data sharing 

The Data Act mandates data sharing across business-to-consumer, business-to-business, and business-to-government contexts, alongside obligations for transitioning between data processing services. Organizations must develop procedures and implement measures to execute technical data sharing requirements.  

As stated above, direct access to data is the primary obligation. However, if direct access is not possible or practical, the user has the right to request the data from the data holder. It is also possible that part of the data is made available directly, and the rest could be made available indirectly. 

Switching between data processing services 

Data processing service providers must facilitate customer transitions to alternative services, on-premises ICT systems, or multi-provider arrangements. This requires eliminating pre-commercial, commercial, technical, contractual, and organizational barriers. The Act specifies minimum contract content requirements, switching technical aspects, functional equivalence, service continuity, notification duties, and phased elimination of switching fees. 

Contractual terms 

The Data Act’s requirements demand modifications to existing agreements or creation of entirely new contracts, placing certain constraints on contractual freedom. These changes include B2B contract terms regarding data access and usage, current personal data processing agreements, and contracts for various IoT products, services, or cloud solutions. Additional contractual needs encompass agreements for data processing service transitions and contracts with data recipients. 

The Data Act forbids specific unilaterally imposed contract provisions between businesses that are classified as unfair under the legislation. Such clauses related to data access, usage, liability, and remedies for breaching or terminating data-related obligations lack enforceability. Current B2B agreements and standard contract forms may need revision to meet these prohibitions. 

The contractual restrictions introduced by the Data Act apply as follows: 

  • From 12 September 2025: The restrictions apply to all newly concluded contracts. 
  • From 12 September 2027: The restrictions will also apply to pre-existing contracts that: 
    • are of indefinite duration; or 
    • expire after 11 January 2034. 

So, contracts concluded before 12 September 2025 and set to expire before 11 January 2034 are not subject to the contractual restrictions, creating a transitional gap in applicability. 

What are my rights? 

As important as it is to be aware of the obligations stemming from the Data Act, it is also important to be aware of the possibilities stemming from it and also possible remedies related to protecting one’s valuable data. 

There have been some concerns regarding data access mandated by the Data Act. Mainly this discussion has revolved around the Act’s possible effect on the protection of trade secrets. Therefore, it is important for the data holder to be aware of its rights in regard to protecting its possibly valuable data. 

The data holder has, for example, the right, prior to disclosure of data, to require users and third parties to preserve the confidentiality and secrecy of data containing trade secrets by agreeing to and implementing necessary safeguards. Possible safeguards could include model contractual terms, confidentiality agreements, strict access protocols, technical standards and the application of codes of conduct. As an additional layer of protection, the Data Act introduces mechanisms under which the data holder can withhold, suspend or even refuse to share data. 

It is important to note that users and data recipients also have obligations that protect the data holder’s data from being used unfairly. They, for example, cannot use the data to develop a competing product or use the data to derive insight about the economic situation, assets and production methods of the data holder.

Even if no obligations fall on an organisation from the Data Act, it should still care about its impact. The aim of the Act is an open data market and both companies and customers can benefit from it. Most organisations use IoT products or services related to them, and this use generates data. Organisations in the position of a user should take advantage of the enhanced possibility to get access to this data as it could be valuable for the organisation. 

The Data Act and the GDPR 

It is important to note that the Data Act also applies to data containing personal data and in the event of conflict between the Data Act and the GDPR, the GDPR shall prevail. Therefore, it is important to be aware when an organisation is dealing with personal data and take into account the obligations coming from data protection legislation. When dealing with personal data, there can be some exceptions to data sharing. For example, when an organisation requests access to data generated by the use of an IoT product that its employees use, the data holder should not provide this data, if the organisation does not have a legal basis to process the data. 

Do all obligations take effect in September 2025? 

If an organisation has not prepared for the Data Act yet, some relief can come from the fact that not all obligations apply from 12 September 2025. As stated above, the changes to product design and manufacture will apply a year later, from 12 September 2026, to products and services brought to market after that date. Also, certain provisions relating to unfair contractual terms will apply from 12 September 2027. However, it is still important to start to act now.

Why act now? 

Non-compliance with the Data Act can lead to penalties enforced by competent authorities. These penalties can include, for example, warnings, prohibitions, orders or administrative fines. Administrative fines are calculated based on the infringing organisation’s annual turnover in the preceding financial year. The percentage level of fines under the Data Act is determined by national enforcement authorities and may vary across Member States. While several Member States are still considering the appropriate level of sanctions, in some jurisdictions the fines may exceed those under the GDPR, which can reach up to 4% of global annual turnover.
