FAQs on the Data Act

Does the Data Act apply to manufacturers of connected products and providers of related services that are established outside the EU, for example in Switzerland?

Yes. The Data Act does not require the manufacturer or related service provider to be established in the EU. The Data Act establishes a right for users in the EU to access, use and share the readily available data they are entitled to. All connected products and related services placed in the EU must therefore be designed in such a way that this right can be exercised.

Which products are in scope of the Data Act?

In scope of the Data Act are ‘connected products’. Connected products are items that can generate, obtain or collect data about their use, performance or environment and that can communicate this data via a cable-based or wireless connection. This includes communication of data outside the product on an ad hoc basis (e.g. during maintenance operations). Connected products can be found in all areas of the economy and society. They include smart home appliances, consumer electronics, industrial machinery, medical devices, smartphones and TVs.

Products which primarily fulfil the function of storing, processing or transmitting data (e.g. servers and routers) are outside the scope of the mandatory data-sharing obligations under Chapter II, unless they are owned, rented or leased by the user.

A connected product falls within the scope of the Data Act if it has been ‘placed on the Union market’. ‘Placing on the market’ concerns the transfer of ownership, possession or any other property right between two economic actors that occurs after the manufacturing stage.

Which data are in scope?

Generally speaking, raw and pre-processed data (simply put, ‘raw but usable’ data) that are readily available to a data holder as a result of the manufacturer’s technical design are subject to mandatory data-sharing obligations. This includes:

• Product data: Data obtained, generated or collected by a connected product and which relates to its performance, use or environment. Purely descriptive data that accompanies the connected product (e.g. in user manuals or on the packaging) is not product data.
• Related service data: Data representing user action, inaction and events related to the connected product during the provision of a related service.
• Readily available data: Product data and related service data that a data holder can obtain without disproportionate effort going beyond a simple operation. The definition of ‘readily available data’ does not include a reference to the time of their generation or collection. Only data generated/collected after the entry into application of the Data Act should be considered as falling within the scope.
• Level of enrichment of the data: In scope: raw data and pre-processed data, accompanied by the necessary metadata to make it understandable and usable. For example, data collected from a single sensor or a connected group of sensors for the purpose of making the collected data comprehensible for wider use cases by determining a physical quantity or quality or a change in a physical quantity (e.g. temperature, pressure, flow rate, audio, pH value, liquid level, position, acceleration or speed).
• Personal vs. non-personal data: Users are entitled to access all data generated by the connected product or related service, whether personal or non-personal. However, personal data processing is governed by GDPR rules, so the user’s rights provided by the Data Act have to be exercised in compliance with the GDPR.

What happens if a connected product is resold (‘second-hand connected products’)?

When it comes to the user’s right to access data generated by the use of a connected product, the Data Act does not distinguish between ‘first-hand’ and ‘second-hand’ connected products.

If a connected product is being (re)sold, the seller must comply with the ‘transparency obligation’. This requires the seller to provide the necessary information for the future owner to exercise their new data access rights under the Data Act. As a result, the future owner will be informed as to who the data holders are as well as the modalities to accessing and using the generated data.

What are ‘users’?

A ‘user’ is a natural or legal person that owns a connected product or to whom temporary rights to use that connected product have been contractually transferred, or that receives a related service.

This implies the user has a stable right to the connected product (e.g. ownership or a right from a rent or lease contract). Such a user has a legal right under the Data Act over the data being generated by the connected product.

Does the Data Act apply to users established outside the EU?

A user must be established in the EU. A user may request access to data on the basis of the Data Act, irrespective of whether the data are stored inside or outside the EU.

How can users access their data?

Data holders need to provide users with information on the data that their connected product or related service generates. This is known as the ‘transparency obligation’.

As part of the transparency obligation, data holders must inform users how to access the generated data. Data can be made available ‘directly’ or ‘indirectly’. Different configurations are possible (for instance, part of the data could be made available directly, and the rest could be made available indirectly).

• Direct access means that the user has the technical means to access, stream or download the data in question without having to request the data holder to do so. For instance, a connected product has a digital interface where the user has control over the access mechanism, controlling the interface and workflows, and where the user can directly extract data from the connected product.
• Indirect access means that the connected product or related service is designed in such a way that the user is required to ask the data holder for access (i.e. an approval process). An example would be a web portal where the user can submit a request to access data.

There is some flexibility (‘where relevant and technically feasible’) for a manufacturer to decide whether or not to design for direct access. This is because not all products (and not all data) are designed in such a way as to make data directly accessible to users. 

Is a manufacturer always a data holder?

Even though manufacturers will typically be a data holder, this is not always the case. The Data Act allows an entity to ‘outsource’ the role of ‘data holder’. For example, a manufacturer may contract out to another entity the role of ‘data holder’ for all or part of the manufacturer’s connected products.

Does the Data Act oblige manufacturers of connected products to design or redesign their connected products so that users can access the data directly?

No. The Data Act does not oblige manufacturers to grant direct access to data in all situations and for all connected products. Data should be ‘directly accessible’ to the user ‘where relevant and technically feasible’.

The EU Data Act marks a significant step towards a more connected and data-driven European economy. Since September 2025 is not far away, you should ask yourself the following questions:

• Which connected products are in scope?
• What is the scope of the relevant data that need to be considered?
• How do I need to update my contracts with clients to use the data of the connected products?
• How can I collect and document user consent?
• How do I ensure the confidentiality of my trade secrets?
• Since there will be increased competition in the aftermarket services, how can I position myself strategically to stay relevant for my clients in this area?

Please contact our experts for more information or if you need support.