What does the Data Act regulate, and what is its significance for businesses?
The Data Act became applicable on 12 September 2025. What do businesses need to pay attention to under this new EU-wide regulation?
Nature and purpose of the Data Act
The Data Act—Regulation (EU) 2023/2854 of the European Parliament and of the Council of 13 December 2023 on harmonised rules on fair access to and use of data and amending Regulation (EU) 2017/2394 and Directive (EU) 2020/1828 (Data Act)—is an EU regulation, and as such applies directly in Poland and all other EU member states. At the national level the Data Act will be supplemented by local regulations, but these will essentially govern only procedural issues (e.g. infringement proceedings), not substantive issues. In other words, substantively the Data Act will govern across the entire EU.
As stated in the preamble to the Data Act, “High-quality and interoperable data from different domains increase competitiveness and innovation and ensure sustainable economic growth. The same data may be used and reused for a variety of purposes and to an unlimited degree, without any loss of quality or quantity.”
Thus, the main aims of the Data Act are to:
- Strengthen the EU’s data-based economy
- Support a competitive data market by increasing the accessibility and usefulness of data (in particular industrial data)
- Encourage data-based innovation
- Increase the availability of data.
Significantly, some of the obligations under the Data Act do not apply to small and micro enterprises. The Data Act also gives such enterprises certain additional rights, intended to stimulate smaller entities (e.g. startups) to participate actively in the data-based economy.
Key definitions
The Data Act employs distinct legal definitions (e.g. “connected product,” “related service,” and “data processing service”) which are essential to understanding the act. Below we present some of these key definitions.
Concept | Legal definition | Examples |
Connected product | An item that obtains, generates or collects data concerning its use or environment and that is able to communicate product data via an electronic communications service, physical connection or on-device access, and whose primary function is not the storing, processing or transmission of data on behalf of any party other than the user | Various types of electronically connected products (e.g. connected to the internet) with internet-of-things (IoT) functionalities (e.g. household appliances, vehicles, watches, bands, industrial devices, medical devices, agricultural equipment, and systems for lighting, monitoring or heating) |
Related service | A digital service, other than an electronic communications service, including software, which is connected with the product at the time of the purchase, rent or lease in such a way that its absence would prevent the connected product from performing one or more of its functions, or which is subsequently connected to the product by the manufacturer or a third party to add to, update or adapt the functions of the connected product | Applications for remote servicing of IoT devices |
Data processing service | A digital service that is provided to a customer and that enables ubiquitous and on-demand network access to a shared pool of configurable, scalable and elastic computing resources of a centralised, distributed or highly distributed nature that can be rapidly provisioned and released with minimal management effort or service provider interaction | Cloud computing or edge computing services |
User | A natural or legal person that owns a connected product or to whom temporary rights to use that connected product have been contractually transferred, or that receives related services | The owner of an IoT device; a person using an IoT device under a lease |
Data holder | A natural or legal person that has the right or obligation, in accordance with the Data Act, applicable EU law or national legislation adopted in accordance with EU law, to use and make available data, including, where contractually agreed, product data or related service data which it has retrieved or generated during the provision of a related service | The manufacturer of an IoT device; the provider of an online application for servicing an IoT device |
Data recipient | A natural or legal person, acting for purposes which are related to that person’s trade, business, craft or profession, other than the user of a connected product or related service, to whom the data holder makes data available, including a third party following a request by the user to the data holder or in accordance with a legal obligation under EU law or national legislation adopted in accordance with EU law | A service provider (other than the manufacturer of an IoT device) to whom the user of the device transmits data from the IoT device, e.g. for the purpose of delivery of services (such as servicing or analysis) by the service provider |
Product data | Data generated by the use of a connected product that the manufacturer designed to be retrievable, via an electronic communications service, physical connection or on-device access, by a user, data holder or a third party, including, where relevant, the manufacturer | Data from an IoT device generated during the users’ operation of the device (varying depending on the device), e.g. concerning calibration of the device, efficiency, errors in use, energy consumption, atmospheric conditions, outages, etc. |
Related service data | Data representing the digitisation of user actions or of events related to the connected product, recorded intentionally by the user or generated as a by-product of the user’s action during the provision of a related service by the provider | Data concerning the time and manner of use of an application for control of an IoT device, and settings employed by users of the application |
Readily available data | Product data and related service data that a data holder lawfully obtains or can lawfully obtain from the connected product or related service, without disproportionate effort going beyond a simple operation | Data typically generated as a result of use of a connected product, when the design of the connected product provides for storage or transmission of such data, apart from the integral element in which they are generated or apart from the overall product |
What does the Data Act apply to? Key regulations for businesses
The Data Act establishes harmonised regulations primarily in the following areas:
Making data accessible to the user of a connected product or related service
Connected products and related services must be designed in such a manner that product data and related service data (including the metadata necessary to interpret and use the data) are always easily and securely accessible to the user, free of charge, in a comprehensive, structured, commonly used and machine-readable format.
Making data available to data recipients indicated by users
Users may require the data holder to make “readily available data” from a product or service available to a third party, as well as the metadata necessary to interpret and use the data. The data and metadata must be of the same quality as is available to the data holder. They must be provided to the third party without undue delay, easily, securely, and free of charge to the user, in a comprehensive, structured, commonly used and machine-readable format and, where relevant and technically feasible, continuously and in real time.
Data holders are also required to inform users of these rights. In certain instances data holders must include relevant provisions in their form contracts with users, as well as providing the technical ability for users or third parties indicated by them to access the data. It is advisable in this respect for data holders to take steps to secure their interests in a situation where exercise of these rights could lead to disclosure of trade secrets.
Easily changing providers of data processing services
The Data Act contains provisions intended to combat the phenomenon of vendor lock-in in data processing services. The key new obligations of service providers in this respect include:
- Specific informational duties to customers concerning the possibility of changing providers
- The duty to include provisions in data processing service contracts concerning changes in the data processing service provider, so that users can easily and securely change providers.
Ban on unfair unilateral contractual provisions on the use of data
To combat unjustified restrictions on the use of data, the Data Act provides that a contractual term concerning access to and use of data which has been unilaterally imposed (on a “take it or leave it” basis) by one enterprise on another enterprise, shall not be binding on the latter enterprise if the contractual term is unfair (i.e. it meets certain conditions indicated in the Data Act).
Making data available to public-sector bodies
The Data Act also includes an extensive set of provisions allowing public-sector bodies to access data from data holders in certain instances.
The Data Act defines such aspects as:
- The circumstances in which such a request can be made
- The procedure for submitting such requests
- The requirements for justifying such requests
- Certain technical and organisational provisions related to the flow of data between data holders and public-sector bodies (e.g. possible compensation to the data holder for providing the data).
Importantly, the Data Act also impacts businesses from outside the EU, because it applies to manufacturers of connected products and providers of related services which are marketed in the EU, regardless of where these manufacturers and providers are based.
Is the Data Act a revolution?
It is hard to say for sure what consequences the Data Act will bring.
Undoubtedly the regulation introduces major legal changes in the segment of the internet of things and related services, particularly by giving users the right to access the data generated by these devices and services, and through the provisions on making data available to public-sector bodies. It should be expected that complying with the new legal obligations will pose a challenge for businesses operating in the IoT space.
The Data Act will also have a major impact on data processing services. The provisions combatting vendor lock-in will require providers to amend their contract forms, and sometimes also change their business processes or service delivery models. These regulations may also increase competition on the market for data processing services and increase service recipients’ openness to changing their service providers.
But the most interesting issue is the impact that the Data Act will have on innovation more broadly. The potentially vast quantity of data generated by IoT devices and related services may be exploited by recipients and users to expand on existing solutions, products and services, or to create entirely new ones. And thanks to the use of artificial intelligence, analysis of such data may also lead to scientific discoveries.
It is hard to judge at present whether, and to what degree, such positive impacts will actually be achieved. Much will depend on how data holders carry out their duties to provide data to users and recipients, as well as users’ and recipients’ awareness of the ability to exercise the rights given them by the Data Act. Perhaps the Data Act will serve as a catalyst for growth of the data-based economy, as EU lawmakers hope.
This article was originally published on the newtech.law blog.
Krzysztof Wojdyło, adwokat, New Technologies practice, Łukasz Rutkowski, attorney-at-law, Data Protection practice, Wardyński & Partners