The Data Act harbours many ambiguities. We have collected and answered the most frequently asked questions about the Data Act from presentations and client work.

Is your question not included? Then please get in touch with us!

Networked products and connected services

1. What does the Data Act regulate?
  • the transfer of data from companies to consumers (B2C) and between companies (B2B) (Art. 2 ff.),
  • the conditions for this (Art. 8 ff.),
  • the control of related contracts between companies (B2B) (Art. 13),
  • the provision of data to public authorities (B2A) (Art. 14 et seq.),
  • the switching between data processing services (Art. 23 et seq.),
  • the international transfer of non-personal data (Art. 32) and interoperability (Art. 33 et seq.),
  • and finally contains provisions on application and enforcement (Art. 37 et seq.).

2. Does the Data Act also apply to personal data?

Yes. In principle, the Regulation applies to all data. However, the Data Act distinguishes between data with and without personal reference at key points. The GDPR, which applies exclusively to personal data, should also remain unaffected and take precedence in cases of doubt.

3. As a manufacturer or provider, am I obliged to store data?

No, the Data Act should not be interpreted as obliging manufacturers of networked products or providers of connected services to store data that they have not previously stored. The Data Act only applies to data that is already stored by the manufacturer or provider.

4. As a user, how can I prepare for the EU Data Act in case manufacturers want to negotiate the data use agreements?

Firstly, you should realise that you have a comprehensive right of access to the data generated by the use of connected products or connected services. This means that you should not rush into a data licence agreement that may restrict your rights.

At the same time, you should also be aware that you do not necessarily need all the data generated. It may make sense to focus on the data that is really relevant for your specific purposes in order to clearly define your negotiating position. Avoid requesting a wealth of data that may not be useful, as this could make negotiations unnecessarily difficult.

5. What is meant by “standard format” in the context of the Data Act?

A standard format in the context of the Data Act means that data must be made available in commonly used and recognised formats to ensure its interoperability. It will be difficult to justify the use of other, less commonly used formats where standards are already established, as this could make data access unnecessarily difficult. If a standard exists for certain data, it should be adhered to in order to ensure that the data can be easily used by other systems or third parties. If there is no standard yet, or if it is not adhered to, the standard format will be determined by the ECJ at the latest.

6. What level of enrichment transforms raw and pre-processed data into derived or indexed data that does not fall under Chapter II?

The Data Act grants users the right to access, use and port raw and pre-processed data and accompanying metadata. This data must always be understandable and usable – even for third parties who did not generate it themselves.

However, derived or indexed data is no longer covered by the scope of application, for example if:

  • significant modifications have been made,
  • significant investments have been made in cleansing, transformation or analysis,
  • or proprietary, complex algorithms have been used (see recital 15).

The data controller must provide the data in the same quality as it is available to itself, e.g. for affiliated companies or in accordance with industry standards.
Technical protection measures such as anonymisation, pseudonymisation or encryption alone do not exclude the scope of application.

7. Are providers of business management systems and data analytics providers to be considered data controllers or external data recipients?

Whether providers of business management systems and data analytics providers are considered data controllers or external data recipients depends on the individual case. As a rule, they are considered external data recipients because they receive and process the data on behalf of the user. However, there is an exception if these providers already receive the data without the active involvement of the user. In such cases, they could be classified as data controllers, as they have direct access to the generated data without the user having to actively authorise access.

8. Do I have a right of access to data as a small business?

Yes, even as a small business you have a full right of access to data under the Data Act. The Data Act also provides for a privilege for SMEs in Art. 7 para. 1:

  • Small businesses and micro-enterprises are exempt from the scope of the Data Act. Chapter 2 of the Data Act does not apply to them.
  • Medium-sized companies are generally exempt from the scope of the Data Act if they have met the “medium-sized company” threshold for less than one year. If a product of a medium-sized company is affected, this product is exempt from the scope of Chapter 2 if the product was placed on the market less than one year ago. New networked products from medium-sized companies that have been in existence for longer are therefore subject to a grace period.

9. How do I find out what data is being sent to the manufacturer?

The manufacturer is obliged to inform customers about what non-personal data is being sent to them before concluding a contract for the purchase, rental or leasing of a connected product or a connected service. This information obligation is intended to ensure that you as the user know exactly what data is being collected, for what purpose it is being used and how you can access this data.

10. How to deal with cases where the manufacturer also acts as a service provider?

Services can be offered as part of a purchase, rental or leasing contract. In such cases, the manufacturer’s role in relation to the data must be clearly spelt out.

Under certain circumstances, this service may constitute an associated service. For this to be the case, the service must affect the operation of the connected product and data or commands from the service provider must be transmitted to the connected product. This may not be the case for additional consulting, analysis or financial services or regular repair and maintenance services.

Depending on how the service is categorised, the user may also have rights and (further) obligations for the manufacturer.

11. What applies if a connected product placed on the EU market is used outside the EU?

If a connected product is placed on the EU market, it is subject to the Data Act – regardless of where it is subsequently used. This means that data generated outside the EU must also be made available to the user.

This also explicitly applies to mobile products such as ships, aeroplanes, trains or cars. The decisive factor is not the location of the product, but whether it has been legally placed on the EU market – for example through sale, leasing or registration in a member state.

The mere physical presence on EU territory (e.g. a ship travelling through) is not sufficient to be considered “placed on the market” within the meaning of the Data Act. Rather, a relationship under civil law between the person and the object, e.g. ownership or tenancy, is decisive.

12. How to harmonise the Data Act with the provisions of other regulations when it comes to the provision of data?

A general problem with EU legislation is the coordination of different legal provisions. Manufacturers must comply not only with the Data Act, but also with other relevant EU legislation.

In principle, all applicable regulations must be complied with at the same time and the Data Act must not lead to other, overriding legislation being circumvented.
For example, if another EU regulation makes it mandatory to make certain data available, the Data Act does not override these obligations. Rather, in such cases, the Data Act must be harmonised with existing regulations to ensure that all legal requirements are complied with.

13. Must the manufacturer provide raw data (e.g. CMS data), which can generally only be read with specialised software, in such a way that the user can read it with standard software? Does the manufacturer have to provide specialised software free of charge?

The Data Act stipulates that data must be provided in a common, standard format. This means that raw data that can only be read with specialised software must either be provided in a commonly used format (such as structured files) or the specific conditions for data provision must be agreed between the user and the manufacturer at the negotiating table.

However, there is no obligation for the manufacturer to provide specialised software free of charge. Users should therefore not expect the manufacturer to provide specialised programs free of charge.

14. Comprehensive data from the networked product (e.g. a wind turbine) may provide in-depth insights into the technology of the turbine and its control system, and is therefore generally confidential.

The Data Act takes into account the protection of trade secrets, including confidential information that provides in-depth insights into the technology of a system such as a wind turbine.

Sharing this data is possible in principle, but must be subject to appropriate technical and organisational measures (TOMs) to ensure the confidentiality and security of the sensitive data. This means that the data may only be passed on subject to strict security precautions and clear agreements with third parties in order to protect the manufacturer’s business interests.

15. What happens if a manufacturer no longer exists and a third party company takes over the data?

The Data Act makes no distinction between the original manufacturer who was the data owner and the third party company who has become the new data owner. When a third party company takes over a manufacturer’s data, that company becomes the new data controller and assumes the obligations imposed on the original manufacturer in its role as data controller. As the new data controller, the third-party company must now provide access to the users’ data and may only use the data in accordance with the provisions of the Data Act.

Change of data processing services

1. What is the aim of the Data Act in relation to cloud services?

The Data Act aims to promote competition and innovation in the area of data processing services. It is intended to enable users to switch easily between different providers and protect them from the so-called “lock-in” effect.

2. What obligations do providers of data processing services have under the Data Act?

Providers must implement technical and contractual measures to ensure the portability of data and facilitate switching to other services. Their contracts must not contain any unjustified technical or financial obstacles that make switching more difficult.

3. What is meant by “data processing services” in the context of the Data Act?

The term covers cloud services that provide network-based access to scalable and flexible IT resources. These include, in particular, Infrastructure-as-a-Service (IaaS), Platform-as-a-Service (PaaS) and Software-as-a-Service (SaaS).

4. What are the deadlines for implementing the new regulations?

From 12 September 2025, providers of data processing services must comply with the requirements of the Data Act. This includes, in particular, the removal of technical, contractual and economic barriers to switching for users. There is no separate transition period for the cloud sector.

5. May providers charge switching fees for switching to another service?

Providers must ensure that switching to another provider is possible from 12 September 2025 without unjustified costs or obstacles. During a transitional period of two years, switching fees may still be charged provided they are objectively justified and proportionate. From 12 September 2027, any form of switching fee will be completely prohibited.

6. What information obligations do cloud providers have towards their customers?

Providers must make their contractual conditions transparent and inform users about all relevant aspects of the switch. This includes a clear presentation of which technical measures facilitate the switch, the data format in which the transfer takes place and which third-party software or other dependencies are affected.

7. What data must be exportable?

The Data Act requires providers to make the following data available:

  • Exportable data: Input and output data, including metadata, generated directly or indirectly by the customer’s use of the data processing service or jointly.
  • Digital assets: Digital elements (e.g. applications) for which the customer has a right of use, regardless of the cloud provider.

Data that is protected by intellectual property rights or trade secrets does not have to be exported.

8. What mandatory contractual clauses must cloud providers include?

Contracts for data processing services must contain at least the following points:

  • Clauses that allow the customer to switch to another provider or transfer to their own ICT infrastructure (Art. 25 para. 2 lit. a DA)
  • Obligation of the provider to actively support the switch (Art. 25 para. 2 lit. b DA)
  • Definition of the date on which the contract is deemed to be terminated (Art. 25 para. 2 lit. c DA)
  • Maximum notice period of two months (Art. 25 para. 2 lit. d DA)
  • List of exportable data and digital assets (Art. 25 para. 2 lit. e DA)
  • List of non-exportable data if business secrets are involved (Art. 25 para. 2 lit. f DA)
  • Minimum period of 30 days for the retrieval of data after the end of the contract (Art. 25 para. 2 lit. g DA)
  • Regulation on the final deletion of data after the retrieval period (Art. 25 para. 2 lit. h DA)
  • Information on permissible switching fees during the transition period (Art. 25 para. 2 lit. i DA)

9. What about the SCCs published by the EU Commission?

The EU Commission published the model contractual clauses on 19 November 2025. However, the rather complex clauses cannot be used 1:1. Every provider should carefully revise their own general terms and conditions.

10. Do existing contracts have to be adapted retroactively from September 2025?

In contrast to Chapter VI, Chapter IV does not provide for a transitional phase for existing contracts (cf. Art. 50 DA). Contracts for the use of data processing services must therefore be adapted and updated as of 12 September 2025. The process of updating and adapting the contractual clauses should therefore be started now.