Data Exchange
Legal Questions and Answers About the EU Data Act
By Dr. Hannah Bug & Dr. Herwig Lux* | Translated by AI
What exactly does the Data Act regulate, how does it relate to GDPR, and what legal consequences arise from violations? Experts from the law firm Gleiss Lutz have summarized answers to these and other questions in this article for you.
The EU Data Act came into force on January 11, 2024. Since then, an implementation period has been underway. Starting September 12, 2025, it will be applied in all EU member states. The EU Data Regulation is intended to ensure that data generated in the EU is more easily accessible and usable to promote innovation and growth.
The idea behind the Data Act is to create a legal framework that encourages both companies and consumers to share their data, thereby enhancing competition and efficiency across various sectors. In particular, the Data Act aims to remove barriers to widespread data usage, laying the foundation for new business models in the context of Industry 4.0. Another focus is on ensuring data security and protecting personal information. Overall, the EU Data Act is considered a key element of Europe's digital transformation, designed to strengthen the EU's competitiveness in the global market.
What does the Data Act regulate? When does it apply?
The Data Act has several regulatory areas. The most important are:
Access rights of users of so-called ‘connected products’ (in particular IoT products) or associated services to the data generated by such connected products or associated services [1];
Product design obligations of manufacturers of connected products and associated services;
Specifications for data-related terms and conditions—these apply to contracts concerning any type of private sector data that is accessed, shared or used on a contractual basis;
Regulations to simplify switching between cloud services and other data processing services (including gradual abolition of switching fees and interoperability requirements).
The Data Act will generally apply from September 12, 2025. However, the design obligations for manufacturers of connected products and related services will only apply to products placed on the market after September 12, 2026. For already concluded data contracts with an indefinite term or a minimum contract term of at least ten years, the Data Act will apply from September 12, 2027.
For which companies is the Data Act relevant? Who can assert access claims against whom under the Data Act? Are there other data access claims that apply alongside the Data Act, for example, from antitrust law?
The Data Act is relevant across all industries for companies that hold, license, voluntarily provide, or are required to provide any kind of data. It is especially relevant for companies that develop, manufacture, and offer connected products or related services, as well as those that have (de facto) control over the data generated by connected products or related services (so-called "product data" and "connected service data"). Exceptions apply to SMEs, such as exemptions from the obligation to provide data.
The Data Act grants the user of a connected product or a related service—but not other third parties—a right against the data holder to access data generated through the use of such a connected product or service. The user can request the release of the data either to themselves or to third parties. However, a right to data access by the user themselves is excluded if the user can already directly access the data from the connected product or service (e.g., download from the device). This does not exclude the right to have the data provided to a third party.
The refusal of access to data by dominant companies or companies with relative market power can also be relevant under antitrust law and establish access claims that go beyond the scope of the Data Act ("user-generated data"). However, these are associated with high hurdles for the party requesting access.
What is the relationship between the Data Act and the General Data Protection Regulation (GDPR)?
The Data Act covers both personal data and purely machine data that has no personal reference. While the purpose of the Data Act is to enable extensive data access and fair data use, the GDPR aims to ensure comprehensive protection for natural persons in the processing of personal data. The provisions of the GDPR apply alongside the Data Act.
How are the interests of data holders protected? Are there exceptions to the data provision obligation? Can I contractually exclude user claims?
Exceptions to the obligation to provide data only exist under narrowly defined conditions. Data holders are generally also required to disclose trade secrets. However, to safeguard confidentiality, technical and organizational measures (TOM) may and should be required from the user, such as adherence to confidentiality agreements, implementation of strict access protocols, and codes of conduct.
A contractual exclusion of the user's claims is generally inadmissible. However, according to the EU Commission, it should be possible to agree on restrictions regarding the use or sharing of data with third parties, provided the user receives appropriate compensation for this (for example, in the case of joint industrial projects).
Date: 08.12.2025
What should companies consider in contracts with other companies regarding data access and data usage?
The data holder is generally not allowed to charge the user for providing product data and connected service data. However, if a user requests the provision of data to a third party, compensation may be charged. This compensation must be fair, reasonable, and non-discriminatory. Factors such as the costs of provision, investments made in data generation, the scope, format, and type of the data can be taken into account. These so-called "FRAND" criteria are already known from other areas of patent and antitrust law but regularly raise questions in their application due to their ambiguity. If the data is provided to an SME, the compensation cannot exceed the costs of provision, meaning no margin may be charged. The calculation of the specific fee must be disclosed to the data recipient.
Contract clauses in B2B transactions that regulate data access and data usage are subject to a new standard terms review (Art. 13 Data Act). Exceptions only apply to clauses that determine the main subject of the contract or the appropriateness of the price.
For which purposes may the provided data be used?
The user is generally allowed to use the data made available to them for any lawful purpose and may also share it with third parties. However, they are not permitted to develop a competing connected product; the development of a competing related service, on the other hand, is allowed. The data may also not be used to gain insights into the economic situation, assets, or production methods of the manufacturer of the connected product or the data holder.
What restrictions exist for data holders on using data generated by a connected product or associated service themselves?
Data holders may only use this data if there is a legal basis for doing so: If the data is personal data, it may only be used if and to the extent permitted by the GDPR. If it is non-personal data, it may only be used if and to the extent contractually permitted by the user.
The use of non-personal data that does not solely serve to fulfill the contract with the user (e.g., to improve existing products or develop new products) must be contractually agreed upon in the future. The right to share data with third parties must also be contractually agreed upon (possibly only in exchange for appropriate compensation to the user).
Prohibited in any case:
The use of the data to gain insights into the economic situation, assets, or production methods of the user (or of a third party to whom the user has disclosed the data).
The use of the data for the development of a product that competes with the connected product or the associated service from which the data originates.
What legal consequences arise from violations of the Data Act?
Fines can be imposed for violations of the Data Act. The amount depends on the nature, severity, scope, and duration of the violation, as well as the financial advantages gained, and can amount to up to 4 percent of the global (group-wide) annual revenue. In some cases, civil law consequences are also specified, for example, contractual clauses on data may be invalid (see the question "What should companies consider in contracts with other companies regarding data access and usage?"). Affected parties can file complaints with the competent national authority and seek legal remedies in court.
[1] The Data Act contains a multitude of specific terms that are defined within it but are not necessarily self-explanatory. These include terms such as “connected product,” “related service,” “data holder,” and “user.” A glossary that can help with this can be found, for example, here: www.gleisslutz.com/de/data-act-glossar.