EU Data Act: New obligations for data holders of connected products and related services

As we highlighted in our previous article, the Data Act (Regulation (EU) 2023/2854) establishes a clear legal framework that empowers users of connected products and related services with enhanced rights over their data.

In this article, we dive deeper into the rights and obligations of persons and entities involved in the ecosystem of connected products and related services.

Note that the obligations cited below shall in principle not apply to data generated through the use of connected products manufactured or designed or related services provided by (i) a microenterprise, (ii) a small enterprise, or (iii) an entity that qualifies as a medium-sized enterprise for less than 1 year.

1. Understanding the Scope

What are “connected products” and “related services:”?

“Connected products” are defined as any item that obtains, generates or collects data concerning its use or environment and can communicate this data via an electronic communications service, physical connection or on-device access.  The primary function of these products must not be to store, process or transmit data on behalf of any party other than the user. Examples include, connected cars, smart fridges or smart thermostats, and many connected medical devices.

A ”related service” is any digital service (other than an electronic communications service) including software, that is connected to the product at the time of the purchase, rental or lease in such a way that the absence of the service would prevent the connected product from performing one or more of its functions. It also includes any service that is subsequently connected to the product by the manufacturer or a third party to add to, update or adapt the products’ functions..

Finally, where the Data Act applies to connected products or related services, virtual assistants are also deemed to be included, insofar as they interact with a connected product or related service.

Which data are in scope ? 

Under the Data Act, access rights apply to both personal and non-personal data. However, the obligation to share data is limited to raw and pre-processed data that are readily available, along with the necessary metadata. Highly enriched data, as well as certain types of content, such as materials often protected by intellectual property rights, are out-of-scope.  Furthermore, the Data Act does not affect the existing legal protection for trade secrets.

It's important to note that the European Commission made it clear that “only data generated/collected after the entry into application of the Data Act should be considered as falling within the scope of Chapter II” (CHAPTER II. BUSINESS TO CONSUMER AND BUSINESS TO BUSINESS DATA SHARING).

Who qualifies as a “user” ?

The Data Act defines the user as “‘a natural or legal person that owns a connected product or to whom temporary rights to use that connected product have been contractually transferred, or that receives related services”.

Under this definition, multiple parties may hold such a “stable right” over the same connected product. In these circumstances, data holders must have mechanisms to ensure that each entitled user can access the relevant data.

Importantly, only users in the European Union are concerned and are granted rights under the Data Act.

Who qualifies as a “data holder”?

A data holder is any natural or legal person that has the right or obligation (under EU law, national law, or contractual agreement) to use and make available data, including product and related service data retrieved or generated during the provision of a related service. Important is that determining who the data holder is does not depend on who produced the connected product or related service, but on who controls access to the readily available data.

Moreover, the Data Act applies regardless of where the data holder is established. However, if the data holder is a non-EU entity offering connected products or services within the EU, it must appoint a legal representative in the EU.

Examples include:

• A German hospital that manages usage and maintenance data from its MRI machines.
• A truck leasing company that has rights to vehicle telematics information under its lease agreements for company vehicles used by its employees in France.
• A Belgian farm cooperative that manages soil moisture data from rented smart irrigation systems installed on Belgian fields.
• A Canadian smart thermostat company selling in the EU, which must appoint an EU representative to manage collected home data.

2. Design and Pre-Contractual Duties

Design for accessibility (article 3(1) of the Data Act)

From 12 September 2026 onwards, connected products and related services must be designed so that, by default,  product data and related service data are:

• Easily and securely accessible to the user.
• Delivered in a structured, commonly used, machine-readable format.
• Directly accessible to the user wherever technically feasible.

This obligation shall apply to all manufacturers of connected products placed on the market in the EU and providers of related services, irrespective of the place of establishment of those manufacturers and providers.

Pre-contractual information (articles 3(2)–3(3))

Before a user commits to purchasing, renting, leasing, or subscribing to a connected product or related service in the EU, the seller, rentor, lessor or provider must disclose in clear and comprehensible language:

• For connected products:
  • Type, format, and volume of data generated.
  • Whether data is provided in real time.
  • Storage methods and retention periods.
  • How data can be accessed, retrieved, and erased.
• For related services:
  • Data type, volumes and frequency of generation.
  • Data storage methods and retention periods.
  • How data can be accessed, retrieved, and erased.
  • Whether and how the prospective data holder or third parties will use the data.
  • Identity and contact details of prospective data holder or other data processing parties.
  • Data sharing and termination processes.
  • Complaint and redress rights.
  • Trade secrets information.
  • Information on duration and termination on the contract.

3. Data holder rights and obligations

The pre-contractual obligations under Article 3 of the Data Act apply to manufacturers, sellers, providers, etc. of connected products and services, the obligations under Article 4 and following apply to the “data holder”, once the connected product (or related service) is sold, rented, etc. and starts to effectively produce data.

User access to data (article 4 of the Data Act)

If direct access is not feasible, the data holder must make the data available upon simple electronic request.

However, users may not:

• Use the data to develop competing products.
• Use the data to assess the data holder’s market position.
• Gain access through coercion or exploitation of technical loopholes.

The data holder may refuse access if it could cause serious adverse effects on health, safety, or security. Moreover, trade secret protection is crucial, data can only be disclosed if both parties agree on measures to safeguard confidentiality. If no agreement is reached, or the user compromises secrecy, sharing may be withheld.

The right to share (article 5 of the Data Act)

At the user’s request, and subject to certain modalities, exceptions and restrictions, the data holder must share data with a nominated third party:

• Without undue delay, and free of charge.
• In real time if applicable.
• Using structured, commonly used, machine-readable formats.

Gatekeepers under the Digital Markets Act are excluded from being eligible recipients, due to concerns about market dominance.

Personal data can only be shared where there is a lawful basis under the GDPR.

Obligations toward third parties (article 6 Data Act)

Where a third party receives data under the Data Act at the users’ request, that third party must ensure that it:

• Uses the data only for the agreed purposes.
• Uses the data in compliance with GDPR and with the user’s rights under Articles 5-6 of the Data Act.
• Erases the data when no longer needed for the agreed purpose (with limited exceptions).
• Abides by certain rules prior to making the data itself available to another third party.
• Respects all confidentiality and trade secret protections.
• Does not create competing products or undermine the data holder’s commercial position.
• Does not use the data in a manner that adversely impacts security of the connected product or related service.
• Does not pass the data to gatekeepers or unauthorised entities.

4. Specific sanction: invalidity of contractual clauses

Note that any contractual term which, to the detriment of a user, excludes the application of, derogates from or varies the effect of the user’s rights under the provisions cited above, shall not be binding on the user. It shall be deemed null and void for non-compliance with mandatory EU law.

Want to learn more?

Stay tuned for detailed insights into how this new regulation will affect your business, your contracts, and your practices. In the coming weeks, we will publish two more in-depth articles exploring important aspects of the Data Act:

• Unfair contract terms in business-to-business data-sharing agreements
• Requirements for data processing service providers on customer switching and portability

Should you require any legal or tax advice in the field of Data, not limited to the Data Act, please contact us below.