Data Act - Networked products must make product data accessible
Placing on the market requires user access to product data
According to the Data Act, networked products may only be placed on the market if the product data and the associated service data, including certain metadata, are directly accessible to users free of charge and in machine-readable form. This results from Art. 3 Data Act (DA):
"Connected products shall be designed and manufactured, and connected services shall be designed and provided, in such a way that product data and connected service data - including relevant metadata necessary for the interpretation and use of that data - is, by default, directly accessible to the user in a simple, secure, free of charge, comprehensive, structured, commonly used and machine-readable format and, where relevant and technically feasible."
The regulation is also referred to as "Access by Design".
This regulation applies from 12.09.2026 and therefore very promptly, considering that the company's own products and services must be adapted by then. Various other provisions of the Data Act will already apply from September 12, 2025.
If we look at IoT devices, for example, completely new options may need to be created to make the product data and associated service data accessible, such as setting up an online platform or providing a companion app. Fortunately, certain exceptions apply in favor of SMEs.
Transfer to competitors at the user's request
The Data Act is also intended to avoid lock-in effects. It is therefore envisaged that users will be able to request the "transfer" of their data to third parties, including competitors. This underlines the parallel nature of the Data Act to the GDPR, in which a data portability claim has already been regulated for some time. However, while the claim in the GDPR only relates to personal data, it is also directed at non-personal data under the Data Act.
Use of data only with a data use agreement
The Data Act contains numerous prohibitions regarding the use of data. In this respect, too, there is a parallel to the GDPR, where the use of data is prohibited in principle unless a legal basis applies. Under the Data Act, this is now structured similarly, but in relation to non-personal data. A data usage agreement will therefore be required for the use of non-personal data from September 12, 2025.
Data processing via products and associated services usually involves both: personal data and non-personal data. In future, a legal basis will be required for both areas:
personal data => legitimate interest, consent, etc. in accordance with the GDPR
Non-personal data => data usage agreement in accordance with the Data Act
In practice, this has considerable relevance. Until now, the processing of non-personal data has not been significantly restricted. Therefore, as soon as there was a mixture of personal data and non-personal data, it was possible to refer to the legal basis under the GDPR without much differentiation. In future, it will be much more relevant to differentiate which data is personal and which data is non-personal. The exact distinction has already caused considerable difficulties to date.
Changes to general terms and conditions and other requirements
The Data Act contains many other regulations that will soon have to be observed and implemented. Only individual aspects have been outlined above. In particular, it may be necessary to revise your own T&Cs, as the Data Act contains prohibitions for provisions in T&Cs. In addition, new information obligations will be introduced, according to which certain information must be provided before a contract for the product is concluded. There are also regulations on so-called "cloud switching", i.e. regulations on how users can transfer "their" data to a competitor's offering and what assistance the provider is obliged to provide in this regard.
Implementation through product compliance
The Data Act presents companies with new challenges, particularly with regard to the handling of data and compliance with legal requirements. It is crucial to review and adapt products and services promptly so that the requirements of the Data Act are met from September 2025 or September 2026.
At the same time, other requirements can be considered and implemented, e.g. with a view to the upcoming Cyber Resilience Act. In this way, additional expenses due to multiple adjustments to the product can be avoided. As part of our services for comprehensive product compliance, we can determine the specific requirements for you if required.