On 11 January 2024, the regulation on the “Creation of uniform rules for fair access to and use of data” – the Data Act for short – came into force. Large parts of the Data Act will apply from 12 September 2025. Below we provide you with the essential information your company needs to be optimally prepared for the implementation of the Data Act.

Are we covered by the Data Act?

In case of doubt, yes. As soon as you are a manufacturer of networked products or a provider of connected services and place them on the market in the EU, you fall within the scope of the Data Act. The location of the company’s registered office is irrelevant in this context. The market place principle applies. Data owners are also covered by the Data Act.

You do not manufacture networked products and are not a provider of connected services?

If you are a provider of data processing services (e.g. SaaS applications), a different part of the Data Act applies to you. You can find more information on data processing services in a separate article.

What is covered by the scope of the Data Act?

It covers, among other things:

  • Console manufacturers and game providers
  • Car-sharing companies
  • Providers of navigation devices and services
  • Manufacturers of industrial and agricultural machinery
  • Manufacturers of fitness trackers
  • Manufacturers of smart home devices

Small businesses and micro-enterprises are exempt from the scope of the Data Act. Chapter 2 of the Data Act does not apply to them.

Medium-sized companies are generally exempt from the scope of the Data Act if they have met the “medium-sized company” threshold for less than one year. If a product of a medium-sized company is affected, this product is exempt from the scope of Chapter 2 if the product was placed on the market less than one year ago. New networked products from medium-sized companies that have been in existence for longer are therefore subject to a grace period.

What is a small enterprise and what is a micro-enterprise?
  • A small company has fewer than 50 employees and an annual turnover or annual balance sheet total of no more than €10 million
  • A micro-enterprise has fewer than 10 employees and an annual turnover or annual balance sheet total of no more than €2 million
What is a medium-sized enterprise?
  • A medium-sized enterprise has fewer than 250 employees and either an annual turnover of no more than €50 million or an annual balance sheet total of no more than €43 million.
What is a networked product?
  • A physical object that collects, generates or receives data about its use or environment and is capable of analysing the product data
    • via a physical connection,
    • via on-device access or
    • via an electronic communication service
  • The main function of the product must not be the storage, processing or transmission of data on behalf of a party other than the user
  • The following products, among others, are covered:
    • Vehicles, ships, aeroplanes
    • Household appliances and consumer goods
    • Medical devices and lifestyle devices
What is a connected service?
  • Not an electronic communication service
  • Includes software and its updates
  • Connected to a product at the time of purchase, rental or lease in such a way that its absence would prevent the product from performing any of its functions, or
  • Subsequently added to the product by the manufacturer or a third party to extend, update or modify functions of the connected product.

What do we have to do?

Customise your products or services!
  • Who is it for? Manufacturers of connected products and providers of connected services
  • How? By customising the manufacture of connected products and the provision of connected services:
    • Product data must be standardised
      • simple,
      • secure,
      • free of charge and
      • accessible in a comprehensive, structured, commonly used and machine-readable format
    • This also applies to metadata required to interpret the data.
    • As far as relevant and technically feasible:
      • Data must be directly accessible to the user via the product or service.
      • If this is not possible, data owners must be able to make it available at any time.
    • Simply displaying the data (e.g. via a screen) without having access to this data is not sufficient.
  • Until when? The obligation to provide data applies to connected products and connected services that are brought onto the market 32 months after the Data Act comes into force (approx. September 2026).
Inform customers about your connected products before concluding a contract!
  • When should you do this? Before concluding a contract for the purchase, rental or leasing of a connected product or connected service
  • Who? Seller, landlord or lessor (who may also be the manufacturer)
  • About what? The user must be provided with the following information in an understandable and clear form:
    • The type, format and estimated volume of product data that the connected product can generate
    • Information on whether the networked product is capable of
      • generating data continuously and in real time
      • storing data on the device or on a server, including the intended duration of storage
    • the nature and volume of data generated through use
    • the way in which the user can access this data, including information on whether the user can delete it, including technical means to do so
    • Identity of the data controller, such as company and company address
    • Information as to whether the data controller wishes to use the data for its own purposes or whether it wishes to grant a third party the right to use the data and the purpose of use
    • Contact information of the data owner
    • How the user can request the sharing of data with a third party
    • Right to lodge a complaint.
What data is covered by the obligation to provide data?
  • Data that
    • is generated by the use of your connected products or connected services and
    • is designed by the manufacturer of the product to be retrievable via:
      • A physical connection
      • on-device access
      • An electronic communication service
  • Data from various areas may be affected:
    • Data collected and generated by smart home devices
    • Data generated during the use of an electric car
    • With navigation systems: Information on travel routes, traffic patterns and average speeds
    • Information on shopping behaviour with loyalty cards or a loyalty programme
    • Step counts, app usage, geodata, sleep patterns and much more for smartphones and fitness trackers
  • This does not include data that
    • are the result of processing that significantly alters the data
    • are recorded when using the product to use software applications that are not part of the associated service
    • are generated during the recording, transmission or playback of content, as well as the content itself
Conclude data licence agreements with users of your networked products or connected services!
  • As the data controller, you may only use readily available data that is non-personal data on the basis of a contract with the user in accordance with Art. 4 para. 13 DA
    • According to Art. 2 No. 17 DA, readily available data are:
      • Product data and related service data
      • which a data controller obtains or can obtain from the connected product or service without disproportionate effort
    • If the generated data is to continue to be used, a data licence agreement must be concluded
  • Important: This does not apply to personal data collected, generated or received by the connected product or service
    • Here, the lawfulness of the processing is always based on Art. 6 para. 1 subpara. 1 GDPR
Only disclose data to authorised persons!
  • Authorised persons are:
    • Users of the product or the connected service
    • Authorised third parties on behalf of the user
  • Not authorised are:
    • Gatekeepers within the meaning of the Digital Markets Act
      • are generally not authorised to make requests to data owners
    • Persons who are neither users nor authorised third parties
How should I process access requests?
  • Only collect data that is necessary to identify the requestor as a user or authorised third party
    • Requesting further data is not permitted (Art. 4 II, 5 III, 8 V DA-E)
  • Access to the data (and the associated exercise of users’ rights) must not be made unnecessarily difficult
    • Autonomy, decision-making and choice must not be impaired or undermined by
      • the structure,
      • the design
      • the function or
      • the operation of the user interface or parts thereof.
  • Taking technical protective measures is permitted!
    • Objective: to prevent unauthorised access to the data and ensure compliance with data protection regulations
    • The protective measures must not cause discrimination or impairment of the rights of users or third parties
    • The protective provisions may only be changed or removed with the consent of the data owner
Can I refuse an access request?
  • Requests may be refused if, in individual cases, there is a risk of serious economic damage as a result of disclosure.
    • The mere preservation of business secrets is not a sufficient reason
      • Can usually be guaranteed by a non-disclosure agreement and agreed technical and organisational measures.
  • Requests from a gatekeeper within the meaning of the Digital Markets Act may be rejected without further examination.
  • Does the request involve personal data that does not correspond to the person making the request?
    • Check the lawfulness of the processing in accordance with Art. 6 GDPR!
How can I protect my business secrets?
  • Under certain circumstances, users must also be granted access to trade secrets
    • You and the user must take the necessary measures to ensure the protection of your trade secrets, especially in relation to third parties
  • Is it clear that simply taking measures is not sufficient?
    • If you can prove this: Agree on additional necessary measures with the user
      • For example: binding technical and organisational measures.
    • Do not forget to label relevant data, including metadata necessary for interpretation, which is protected by trade secrets!
Can I earn money with the data?
  • The data must be made available free of charge to users of the products and associated services
  • You may demand reasonable remuneration from third parties who receive the data on behalf of the user
    • The amount depends on the costs and investments required for the provision of the data, in particular
      • Costs for formatting the data
      • the distribution by electronic means
      • storage
    • If the data recipient is not an SME, the remuneration may include a margin.
      • The amount of the remuneration must nevertheless be within a reasonable range.
What happens if a person gains unauthorised access to the data or uses it without authorisation?
  • If the data is used without authorisation or if access to the data is gained without authorisation, you have a right to appropriate compensation
  • You may claim compensation in the following scenarios:
    • The data recipient has provided false or inadequate information, or otherwise used reprehensible means to gain access to the data
    • The data recipient has exploited a security vulnerability
    • The data recipient has used the data for unauthorised purposes, such as the development of a competing product
    • The data recipient has disclosed the data to third parties without the data owner’s authorisation
    • The agreed technical and organisational measures to protect business secrets were not complied with by the data recipient
    • Protective measures have been removed or changed without the permission of the data owner
  • In the same cases, you may also request the data recipient to delete the data and to refrain from the above-mentioned activities
What about the GDPR?
  • The GDPR and the e-Privacy Directive apply without restriction
    • They are not limited in their effect by the Data Act
    • No separate authorisations are created
      • When handling personal data, the question of lawfulness is answered by the GDPR!
      • Art. 20 GDPR, which concerns data portability, is merely supplemented by the Data Act.
  • Important: Machine-generated data can also have a personal reference!
    • In this context, a processing basis pursuant to Art. 6 para. 1 subpara. 1 GDPR must always be evident during processing

Sanctions

If one of the obligations imposed by the DA is violated, a fine may be imposed on the company. The Federal Network Agency is responsible for this.

The German legislator has opted for a moderate catalogue of fines and, in particular, has not sanctioned the continued use of data by the manufacturer contrary to Art. 4 para. 3 DA. The catalogue of fines has 4 levels, whereby only the gatekeepers under the DSA have to fear really severe sanctions. The maximum fines for other companies are between €50,000 and €500,000. However, the Federal Network Agency has already announced that it will make more moderate use of fines.

Pay attention to data protection!

As already mentioned, the GDPR applies without restriction. Violations in this context can therefore also be penalised on the basis of the GDPR.

Other information

When does the Data Act come into force?

The Data Act already came into force on 11 January 2024. It has been applicable since 12 September 2025.

Individual provisions also provide for longer transitional periods. Of particular note is Article 29, which stipulates that providers of data processing services (e.g. cloud providers) may no longer charge fees for switching providers from 12 January 2027. You can find more information on switching data processing services in a separate article.

Is the competent authority already known?

The central authority will be the Federal Network Agency under the Data Act Implementation Act. The data protection authorities are responsible for the protection of personal data within the scope of the Data Act. In deviation from the usual distribution of responsibilities under Section 40 BDSG, however, this is not the respective state data protection authority but the Federal Commissioner for Data Protection and Freedom of Information (BfDI), also for non-public bodies.

Any questions?

Do you have further questions about the Data Act and its implementation in your company? Please feel free to contact us.