Overview EU Data Act

Access to and use of data according to the European Data Act

The Data Act creates new and complex regulatory requirements. However, it also brings potential for the monetization and commercialization of data, which can be used to refine existing or create new business models.

A key pillar of the European Data Strategy is Regulation (EU) 2023/2854 of the European Parliament and of the Council of 13 December 2023, which entered into force on 11 January 2024 (hereinafter referred to as the “Data Act”). Its provisions will become directly applicable across the EU in a phased approach, starting on 12 September 2025 and continuing from 12 September 2026.

A) Why has the EU adopted the Data Act?

By 2025, global data volumes are expected to reach 175 zettabytes – equivalent to 175 billion gigabytes. Estimates project that the value of the data economy could rise to as much as EUR 11 trillion by 2030. Through its data strategy, the European Commission seeks to create a single market for data, fostering Europe’s global competitiveness and digital sovereignty. At the same time, the framework aims to enable opportunities for data monetization.

A significant portion of the data concerned is generated by digital products and services, which is precisely where the Data Act’s regulatory scope applies.

Who is affected by the Data Act?

  • In particular, all manufacturers of connected/smart products and providers of related services in all industries in case of access to the data
  • Users of connected/smart products and services (legal entities/natural persons)
  • Third parties as (potential) data recipients


What Data is covered? – “In Scope” vs. “Out of Scope”

The Data Act covers all data generated through the use of a “connected product” or a “related service”. Such connected products are often referred to as “Internet of Things” (IoT). In essence, it addresses data that arises from the use of a product and would not exist without that use.

After extensive debate, the EU legislator decided to draw a (more or less clear) distinction between two categories of data. On one hand, the Act defines a broad set of “in scope” data – particularly including metadata and data from interactions with virtual assistants. On the other hand, it explicitly excludes “derived data” (“out of scope”).

In Scope: Covered are so-called “primary data”, i.e., raw data that is actually generated through the use of a product or service. This also includes data resulting from interactions with virtual assistants.

Metadata is likewise relevant. Metadata are structured descriptions of the content or use of primary data, aimed at improving the findability or usability of the data (e.g. author, creation date, file size, format, access rights, licensing terms, encoding, data source, modification history, etc.).

  • Vehicle data on range, occupancy, usage times or locations
  • Wearable devices data (e.g. from fitness trackers or smartwatches) such as battery consumption or screen activation frequency
  • Smart home device data (e.g. usage duration, lifespan, energy consumption)
  • Data generated via text or voice input into virtual assistants
  • Data from connected industrial machinery (e.g. electricity consumption, wear levels, productivity metrics)

Out of Scope: In contrast, derived data or information is not covered. Such data or information is not generated by the mere use of the connected product or service but requires further analysis, processing (especially by means of proprietary algorithms) or transformation of the primary data and typically has a more extensive informative value than primary data (e.g. statistical data, aggregated data, forecasts, reports). In some cases, this is also referred to as “refined data”.

Relationship with Data Protection Law

Data protection law remains unaffected (cf. Recitals 20 and 34 of the Data Act). The provisions of the GDPR and other data protection regulations continue to apply in parallel. Consequently, where personal data is involved, all Data Act obligations must be implemented in full compliance with data protection law.

In practice, datasets often include both personal and non-personal data (“mixed-datasets”) and are thus subject to the Data Act as a whole. The key challenge lies in fulfilling data access requests under the Data Act while also observing the applicable data protection requirements – to avoid exposure to fines under both frameworks.

B) Understanding the Data Act and Planning Measures

The key innovation – or “revolution” – of the Data Act lies in its contractual approach: any use of data by the data holder or third-party recipients requires a contract with the user. In this “contractualization of data law”, the agreement with the user becomes the central legal anchor point.

Accordingly, the necessary measures must be tailored from the perspective of the main stakeholders involved.

The user is the “purchaser, renter or lessee” of a data-generating product, or the recipient of a data-generating service. See Art. 2 No. 12 Data Act.

The data holder is typically the party with factual control over the data, meaning they have lawful and technical access to it (e.g. a vehicle manufacturer). See Art. 2 No. 13 Data Act.

The data recipient is the party that, in a business context and without being the user, receives data from the data holder. See Art. 2 No. 14 Data Act.

Note: The classification of natural persons / legal entities into the respective roles must be done on a case-by-case basis. In some cases, the exact scope of the definitions is still unclear.

In the simplest case, the conditions of the data flow are regulated by two parties: the user and the data holder. More frequently, a third party, the data recipient, is added to these two parties. Finally, multi-layered constellations involving data holders, several users (e.g. in cases of multiple user accounts), and data recipients and other entities (e.g. data aggregators, including those under the Data Governance Act) are also relevant. Overall, the technical and legal requirements result in a wide range of design options.


Action Planning Overview

Each stakeholder group faces distinct questions and considerations when preparing for the Data Act. Below is a summary of the key obligations and opportunities.

Starting 12 September 2025: “Access at request” (Art. 4 (1) Data Act)

  • Implement technical and organizational measures in response to third-party access requests. This may require adjusting access permissions and aligning with the privacy team. This applies only to “readily available data”, i.e. data that the data holder[1] can access from the user without making a disproportionate effort (see Art. 2 No. 17 Data Act).
  • If the data controller is also the direct contractual partner in relation to the user, they must fulfil their pre-contractual information obligations with regard to purchase, rental or leasing contracts for the networked product / connected service.
  • Ensure contractual safeguards for own data usage rights.


Starting 12 September 2026: “Access by design” (Art. 3 (1) Data Act)

  • If the data controller is also the manufacturer, they must design and provide connected products / connected services in such a way that the relevant data is directly accessible to the user in a “comprehensive, structured, commonly used and machine-readable format”.


Starting 12 September 2025, if the data holder is also the trade secret holder: Implement measures to protect trade secrets. If necessary, communicate with the relevant authorities (e.g. in Germany, the Federal Network Agency) to protect trade secrets in the event of rejected data access requests.

  • Users can be both natural and legal persons. Companies can therefore also assert claims as users.
  • The relevant data must be made available to users free of charge (“access by design” or “access on request”), and data holders must not unreasonably hinder users from exercising their rights.
  • The data controller may impose certain contractual obligations on the user for data access or transfer. This may include an obligation to provide a legal basis under data protection law if the user makes the networked product / connected service available to others.
  • Users will often request that data be provided to third parties or that third parties exercise their rights (see data recipients).
  • The data pool of data holders opening up could be of interest to many companies. Aggregating and processing data streams can also lead to the development of new business areas and markets.
  • Data holders or users may impose certain contractual obligations on data recipients for access or transfer of data. Furthermore, data recipients must comply with certain Data Act provisions, which should be included in the contract design, in addition to pricing the data.

Contract Drafting

Designing the contract is a key element in implementing the Data Act’s requirements. Before the Data Act comes into force, potential data holders should consider the conditions, modalities, and purposes of data provision and use.

The Data Act contains a large number of requirements and restrictions in terms of contract design. For instance, data holders must provide data to data recipients (B2B) under “fair, reasonable, and non-discriminatory conditions” (FRAND) and in a transparent manner. A margin is permitted under Art. 9 of the Data Act. Furthermore, contractual provisions are subject to (split[2]) general terms and conditions control in accordance with Art. 13 Data Act. Additionally, requirements for the protection of trade secrets may be included. One component of this is providing various contract templates according to a predefined scheme. It is advantageous to embed them in a contract management system (CMS). However, it should be noted that the Data Act’s requirements and restrictions only apply directly to contracts for “in scope” data, not “out of scope” data.

The Commission has already published the initial drafts of the model contract clauses (Article 41 of the Data Act). These should be taken into account when drafting and implementing the Data Act requirements, even though the Commission's models will not be finalized until September 12, 2025.

Legal Consequences of Non-Compliance

The Data Act has the potential to permanently transform the data economy. Non-compliance with the Data Act can result in fines of up to 20 million euros or four percent of a company's total revenue, which lends weight to the Data Act. Therefore, companies should familiarize themselves early on with the requirements that apply to them, as well as the potential opportunities, and prepare for the gradual implementation.


How we can support you

We are happy to support you throughout your entire EU Data Act journey, from compliance and pricing and monetisation strategies to service delivery and the fulfilment of data sharing requests. We draw on proven accelerators such as our EU Data Act Compliance Framework (for maturity assessments and action planning) and a broad network of regulatory, technical and strategic experts.

Please do not hesitate to contact us.

________________

[1] There are exceptions to these obligations for micro and small enterprises (see Art. 7 Data Act). Microenterprises are companies with fewer than 10 employees and an annual turnover or balance sheet total of no more than EUR 2 million. Small enterprises are companies with fewer than 50 employees and an annual turnover or balance sheet total of no more than EUR 10 million. See Commission Recommendation (2003/361/EG).

[2] The GTC control pursuant to Art. 13 of the Data Act is limited to the Data Act provisions. Thus, the national GTC control applies to non-regulated areas as well (split GTC control).
