The Data Act. A new legal regime for IoT data access

refinery, industry, steam-3127588.jpgSetting up the scene.


Data generated using connected products or related services can be personal and non-personal data and are often mixed sets of both types of data. 

Whereas GDPR regulates the processing of personal data, for most non-personal data generated by connected products or related services there was no similar legal regime. This led to manufacturers who are designing these products to preserve control over the data generated by their use. 

In this context, users most often did not have access to the data they generated by using the products they bought or rented; third parties who would have liked to have access to this data for the purpose of providing related services or for innovating new services and products did not get access to this data; contractual agreements between big and small and medium size enterprises did not guarantee adequate access to data given the disparities in negotiation power and expertise between parties. 

To address these discrepancies in data access and usage, the E.U. enacted the Data Act on November 27, 2023

The data in scope for the Data Act is industrial big data, generated by industrial equipment, also known as the Internet of Things (IoT) which have been generated by machines or by human use of such machines: i.e., average battery level or the quality and length of network connections, materials consumption (i.e., ash, limestone, clay, sand, coal, etc.), tonnage, equipment, human resources, labour productivity, personnel costs per hour, personnel costs per piece, production iterations, modifications, oil pressure, sensors, software development, etc. 

Why are the data valuable? They are an important input for aftermarket, ancillary and other services. Specification: personal computers, servers, tablets and smart phones, cameras, webcams, sound recording systems and text scanners are not covered by the DA. 

Stakeholders in the Data Act. 

  • Data holder. This is typically the entity that controls the technical design of the product/service (i.e., car, gas engine, turbomachinery manufacturer or, referring to other industries, medical devices/health, wearable manufacturers). 
  • User can be a business (legal entity) or a consumer (natural person) buying a connected product/related service from the data holder.
  • Data recipient/third-party is a legal entity or an individual, other than the user therefore, to whom the data holder makes data available basis on a user’s request or legal obligation; the Data Act prohibits undertakings designated as a gatekeeper under the Digital Markets Act to be third parties under the Data Act. 
  • Product is a tangible, movable item, including where incorporated in an immovable item, that obtains, generates, or collects, data concerning its use or environment, and that can communicate data via a publicly available electronic communications service and whose primary function is not the storing and processing of data.
  • Related service means a digital service, including software, which is incorporated in or inter-connected with a product in such a way that its absence would prevent the product from performing one of its functions. 
  • Data processing service means a digital service enabling on-demand administration and broad remote access to a pool of computing resources (i.e., providers of cloud services, data enrichment, transaction processing, document indexing, etc.)

Stakeholder’s rights and obligations

The Data Holder has the obligation to make the data available to the user, free of charge. Where the user is not a data subject under the GDPR (so, it’s a legal entity), personal data can be made available by the data holder to the user where there is a valid legal basis under Article 6 para. 1 of the GDPR or/and, an exception under Article. 9 para. 1 of the GDPR

Users are provided with accessing and sharing rights. User is prohibited from using the data to develop a product that competes with the product from which the data originate. User is allowed to share the data with a third party even if that third-party offers an aftermarket service that is in competition with a service provided by the data holder. 

The Data Act provides that the data holder can agree on a compensation with the data recipient for making the data available. The compensation must be fair, reasonable, and non-discriminatory. For supporting small and medium-sized enterprises the compensation is reduced to ‘the costs directly related to making the data available’. 

The data holder is obliged to provide the data recipient with information regarding the basis for the calculation of the compensation facilitating a check that the compensation is indeed reasonable. 

How is access being granted?

Users of products that generate data typically require a user account to be set up. This allows for identification of the user as well to communicate, exercise, and process the data access requests. Where automated execution of the data access request is not possible, the data holder must inform the user on how the data may be accessed.

Information provision obligations 

Before concluding a contract for the purchase, rent or lease of a product or a related service, at least the following information shall be provided to the user, in a clear and comprehensible format:

  • The nature and volume of the data likely to be generated by using the product/service.
  • If data is likely to be generated continuously and in real-time.
  • How the user may access the data.
  • Whether the manufacturer or the service provider intends to use the data itself or allow a third party to use the data and, if so, the purposes for which those data will be used.
  • Whether the seller, renter or lessor is the data holder and, if not, the identity of the data holder.
  • The means of communication which enable the user to contact the data holder.
  • How the user may request that the data are shared with a third-party.
  • The user’s right to lodge a complaint alleging a violation of the with the competent Supervisory Authority 

Contractual Obligations


There are at least 4 types of contractual clauses that must be put in place: 

  1. A contractual clause for the purchase, rent or lease of a product or a related service. Note bene. This should be preceded by the information provision obligations under Art. 3 para 2 of the Data Act. 
  2. A contractual clause to allow the data holder (if the data holder is the manufacturer) to use the data (if that is the case, and the user agrees to that). 
  3. An arrangement between the data holder and the third party for the transmission of the data. It is the user of the product/service who decides for which purposes the data should be used by the third party. The purpose of this arrangement depends on the contract between the user and the third party. 
  4. A contract between the third party and the user of the product/service laying down conditions for the use of data.  

The Commission has been tasked to develop and recommend non-binding model contractual terms on data access and use to assist parties in drafting and negotiating contracts with balanced contractual rights and obligations.

Unfair terms related to data access and use between enterprises.

Contractual terms imposed on the SME are unfair, if:

  • It grossly deviates from good commercial practice, or they are contrary to good faith and fair dealing. 
  • Its object:
  • exclude or limit the liability for intentional acts of the party that unilaterally imposed the contract.
  • exclude liability of the party that unilaterally imposed the contract in case of breach of obligations or gross negligence.
  • exclude the remedies available to the party upon whom the contract has been unilaterally imposed in case of non-performance of contractual obligations. 
  • give the party that unilaterally imposed the term the exclusive right to determine whether the data supplied are in conformity with the contract or to interpret any term of the contract.
  • Contractual terms imposed on the SME are presumed unfair if its object or effect is to: 
  • inappropriately limit the remedies in case of non-performance of contractual obligations or the liability in case of breach of those obligations.
  • allow the party that unilaterally imposed the term to access and use data in a manner that is significantly detrimental to the legitimate interests of the other contracting party.
  • prevent the party upon whom the term has been unilaterally imposed from using the data or limits the use of such data.
  • prevent the party upon whom the term has been unilaterally imposed from obtaining a copy of the data contributed or generated.
  • enable the party that unilaterally imposed the term to terminate the contract with an unreasonably short notice.

Qualifications under the GDPR. 

Where the user is not the data subject but an enterprise or sole trader, the user will be deemed a controller within the meaning of the GDPR. Accordingly, such a user as controller intending to request personal data generated using a product or related service is required to have a legal basis for processing the data under Article 6 para 1 of the GDPR, such as the consent of the data subject or a legitimate interest. 

This user should ensure that the data subject is appropriately informed of the specified, explicit, and legitimate purposes for processing those data, and how the data subject may effectively exercise their rights.

Where the data holder and the user are joint controllers within the meaning of Article 26 of the GDPR they are required to determine, in a transparent manner by means of an arrangement between them, their respective responsibilities for compliance with the GDPR. 

Making data available to public sector bodies and Union’s Institutions, agencies, or bodies based on exceptional need. 

Upon request, a data holder must make data available to a public sector body or to a Union institution, agency or body demonstrating an exceptional need to use the data requested. Such exceptional needs are listed by Article 15 of the Data Act:

  • Where the data requested is necessary to respond to a public emergency. 
  • Where the data request is necessary to prevent a public emergency or to assist the recovery from a public emergency. 
  • Where the lack of available data prevents the fulfilment of a specific task in the public interest; and:
  • the public sector body or Union institution, agency or body has been unable to obtain such data by alternative means.

The Data Act provides for the possibility of the data holder to decline or seek the modification of the request within specific timelines. 

International sharing of non-personal data 

The Data Act mandates providers of data processing services to prevent transfer or to deny access to data held in the EU where such a transfer or access would create a conflict with E.U. law. This means that, similarly to the mechanism under Article 48 GDPR, transfers will have to be blocked and access denied, unless the transfer is based on an international agreement such as a mutual legal assistance treaty. Alternatively, the transfer or access may only happen under the condition that the third country offers sufficient legal guarantees. It is worth noting that the same mechanism is introduced under the Data Governance Act for data sharing intermediaries and re-users of data held in public databases. 

Conclusion. The basic mechanism of the Data Act is the introduction of non-waivable rights of the users to access and share with third parties the data they have generated using connected products. These rights cover only the raw data not derived or inferred data.

The Data Act adapts rules of the contract law and prevents the exploitation of contractual imbalances that hinder the fair data access and use for SME and enables public sector bodies to obtain access to data, where there is an exceptional need, for the performance of a task carried out in the public interest. 

Author: Petruta Pirvan, Founder and Legal Counsel Data Privacy and Digital Law at EU Digital Partners