Data Act

The EU Data Act became law on 12 September 2025. It’s a major step in Europe’s data strategy and introduces new rights for users, new duties for companies, and new rules for how data is shared.

In practice, the Data Act means: users of connected products and services should have easy access to the data they generate – and be able to share it with third parties if they choose. At the same time, businesses will need to rethink contracts, product design, and processes to stay compliant.

“This Regulation ensures that users of a connected product or related service in the Union can access, in a timely manner, the data generated by the use of that connected product or related service and that those users can use the data, including by sharing them with third parties of their choice.” (Recital 5 Data Act)

What the Data Act Covers

  • Using non-personal data: Data holders (often manufacturers) can only use non-personal data if they have a contract with the user.
  • Sharing data with third parties: Transfers must be contractually regulated – including purpose, fees, protective measures, and confidentiality.
  • Information duties: Before any contract is signed (purchase, lease, rental), users must get clear and understandable information.
     

Who Is Affected?

Most companies that provide connected products or services fall under the Data Act. But there are important exceptions for smaller businesses:

  • Micro and small companies are generally exempt.
  • Medium-sized companies are also exempt if they have been classified as such for less than one year.

That said, there are many nuances. Applicability depends not only on company size, but also on contracts, risks, and how users interact with your products.

Safeguards for Data Holders

The Data Act also recognises the need to protect trade secrets. Data holders can refuse or suspend sharing if:

  • protective measures aren’t agreed or implemented,
  • confidentiality is at risk, or
  • disclosure would likely cause serious economic harm.

Sanctions under the Data Act

Penalties for violating the Data Act are not harmonised across the EU but are set by each member state. What is clear, however, is that they must be effective, proportionate, and dissuasive. In practice, this means they are expected to be on par with GDPR fines – up to 20 million euros or 4 percent of a company’s worldwide annual turnover.

Sanctions may involve significant financial penalties as well as other administrative actions. The exact amount or type of measure will depend on factors such as the nature, seriousness, and duration of the breach, together with any circumstances that may increase or lessen the responsibility.

What Should Companies Do Now?

  • Check if the Data Act applies to you
  • Review and update contracts
  • Meet new information obligations
  • Align processes with GDPR and trade secret rules
  • Set up user and consent management

How We Can Help

We support you in:

  • Clarifying whether the Data Act applies to your business
  • Mapping your data and identifying sensitive areas
  • Distinguishing between personal data and trade secrets
  • Drafting and adjusting contracts
  • Implementing the right technical, organisational and legal measures
  • Meeting transparency requirements

Contact Us

If you have questions about the Data Act or need support with implementation, please get in touch with our team.

Wiebke Kummer, Jurist

ppa | Head of Compliance International

Email: wkummer@re-move-this.first-privacy.com

Phone: +49 421 69 66 32-884

FIRST PRIVACY GmbH, Bremen

Cihan Parlar, LL.M. (Tilburg), Lawyer

Managing Director

Email: cparlar@re-move-this.first-privacy.com

Phone: +31 20 211 71 16

FIRST PRIVACY B.V., Amsterdam

Mag. iur. Markus Strasser

Managing Director | Senior Privacy Counsel

Email: mstrasser@re-move-this.first-privacy.com

Phone: +43 662 62 10 04-11

FIRST PRIVACY Austria GmbH, Salzburg

If your inquiry concerns an organization based in Germany, these contacts will help you:

Dominik Bleckmann, Lawyer

ppa | Head of Compliance

Email: dbleckmann@re-move-this.datenschutz-nord.de

Phone: +49 421 69 66 32-349

datenschutz nord GmbH, Bremen

Markus Schönmann, Lawyer

Head of Compliance | Senior Privacy Counsel

Email: mschoenmann@re-move-this.datenschutz-sued.de

Phone: +49 931 30 49 76-24

datenschutz süd GmbH, Würzburg

FAQ

We have put together answers to the most common questions about the Data Act. If you need further details, please feel free to get in touch with us.