From 12 September 2025, the EU’s Data Act will usher in a new era of data access and data responsibility – with direct implications for businesses that manufacture, distribute or use IoT products. The legal framework aims to increase transparency, competition and usability of data. For many companies, this means new rights – and new obligations.
But what does this mean for your business? Who is considered the Data Holder? What data must be provided – and to whom?
In our series blog posts on the Data Act, we provide practical insights into the new regulation. We start with the basics: terms, roles and initial recommendations for action.
What is the Data Act about?
The Data Act has an ambitious goal: to improve the availability and reuse of data in order to strengthen innovation and competitiveness in the EU. At the same time, new obligations arise for companies – especially if they offer or use so-called connected products or related services.
The key principle: The User is central. Anyone who uses an IoT product – whether a business or a consumer – should also be in control of the data it generates. Users can request to access the data, use it themselves, or have it shared with third parties.
Overview of important roles
To correctly identify your obligations, it’s important to know the key stakeholders of the Data Act:
- Manufacturer – provides the IoT product
- Data Holder – has actual control over the dataUser – is entitled to use the connected product (e.g. customer, lessee, operator)
- Data Recipient – receives the data at the User’s request
- Data Subject – insofar as personal data is affected, the GDPR also applies
What are “connected products” and “product data”?
The Data Act does not apply to every product, but specifically to connected products that can generate and transmit product data. Examples are:
- Vehicles and machinery
- Household and medical products
- Agricultural products
- Smart home or lifestyle applications
Product data is generated by sensors, for example, for temperature, pressure, speed, position or fill level – regardless of whether the device is actively used or on standby.
The following data is not affected by the Data Act:
- Content data (e.g. text or image files)
- Data whose value has been created through extensive further processing (investment protection)
Contractual obligations: What needs to be done now
A central element of the Data Act is the obligation of the Data Holder to contractually secure the use of data:
If you want to use product data from an IoT product for your own purposes, you need the user’s express consent – and thus a corresponding contract. Without this, you risk severe fines based on the standards of the GDPR (up to 20 million euros or 4% of global revenue).
Many companies will have to include this point in future purchase, rent or lease contracts. Now is the time to review existing contracts and adapt them if necessary.
New rights – new challenges
In the future, users will be able to:
- Request access to product data
- Request to share data with a third party (data recipient)
Data Holder are obliged to comply with this – provided that there are no interests worthy of protection or legal barriers to prevent it. In practice, clear processes, technical interfaces and legally sound contracts will be essential here.
Data as a business model?
The Data Act not only creates obligations – it also opens up potential: Companies that act as data recipients or provide platforms for data exchange could unlock entirely new data-driven business models. Provided, that the legal requirements are met.
Our advice: act early
There is still uncertainty regarding many details – not least because the case law interpreting the Data Act is yet to emerge. But one thing is already clear: the Data Act will change many processes, contract templates and responsibilities.
We support companies from a wide range of industries in analyzing their role, developing contract strategies and designing legally compliant data processes.
Contact us if you would like to check how the Data Act affects your organization – and how you can benefit from it.
Coming soon:
In the next articles in our series, you will read about
- how specific agreements to secure the use of data may look like under the Data Act
- the Data Act’s obligations regarding data provision
- and how the Data Act interlinks with the GDPR
Note: Our event on the Data Act on 3 July 2025 in Frankfurt (Main)
In cooperation with the DATENSCHUTZ-BERATER, we are hosting an exclusive event on 3 July 2025:
The Data Act – the new driving force behind the data economy?
We bring together leading minds from business, law and regulation to provide practical orientation in data strategy. During expert talks, interactive workshops and a panel discussion, the following questions, among others, will be discussed:
- How can data be made accessible to the user without endangering one’s own know-how and business model?
- How should agreements to secure the use of data be designed in the future?
- What are the specific considerations when using AI and which innovative business models are possible?
- How do the GDPR and the Data Act relate to each other and what applies to mixed data sets?
- What impact do the interoperability rules have on cloud services and hyperscalers?
Further information and registration at:
https://www.ruw-fachkonferenzen.de/veranstaltung/der-data-act/