The data access rights of the Data Act

Germany

The data access rights under the Data Act and their restrictions are extensive – we provide an overview.

European legislators have recognised that data is an essential resource which is required for the digital transformation to be successful and an economic asset that can only be realised if there is extensive access to data. As an important part of the European digital strategy, the Data Act (DA) came into force on 11 January 2024 and will apply throughout the EU from 12 September 2025 after a transition period of 20 months. Together with the Data Governance Act (DGA), the DA aims to create a single market for data and help Europe become a global leader in the data economy (The Data Governance Act - Overview (cms-lawnow.com)).

Rights to data access and sharing

In order to achieve these goals, the DA contains new requirements for data access and data sharing in favour of those who generate data through the use of connected devices. The DA already points out in Recital 6 that users, and not just manufacturers, are also generators of data. The results of data generation should no longer benefit manufacturers alone but should be used in line with the objectives of the European digital strategy. In this blog post, we provide an overview of the data access rights created against this background.

People who generate data through the use of connected devices can either request that they themselves be given access to this data or that this data be shared with third parties. The user is entitled to access or sharing. But who is a data user and therefore authorised to access data within the meaning of the DA?

Data access authorisation: users of connected products or related services

Whether someone is a user depends largely on that person's legal relationship to the product or service and the characteristics of the product or service. Users within the meaning of Art. 2 no. 12 DA are natural or legal persons who own a so-called "connected product", to whom rights of use have been contractually transferred or who use a "related service". The DA also provides definitions and examples in its recitals for the terms "connected products" and "related services".

According to Art. 2 no. 5 DA, "connected products" are devices that generate data about their use or environment and can transmit data via an interface, e.g., devices of the Internet of Things (IoT devices):

"connected product" [means] an item that obtains, generates or collects data concerning its use or environment and that is able to communicate product data via an electronic communications service, physical connection or on-device access, and whose primary function is not the storing, processing or transmission of data on behalf of any party other than the user".

Art. 2 no. 6 DA defines "related services", meaning the control software linked to the connected product via an interface, which is used to control the functionality of the product:

"related service" [means] a digital service, other than an electronic communications service, including software, which is connected with the product at the time of the purchase, rent or lease in such a way that its absence would prevent the connected product from performing one or more of its functions, or which is subsequently connected to the product by the manufacturer or a third party to add to, update or adapt the functions of the connected product".

Third parties can also gain access to data

The user can request access to the data for itself or – as the user often does not have the means to further utilise the generated data itself – request access to the data in favour of a third party who is not also the holder of the right. This is meant to increase competitiveness and innovation with the help of data available from secondary markets. The DA leaves largely open who can be a "third party", but defines the "data recipient" in Art. 2 no. 14 DA as:

"a natural or legal person, acting for purposes which are related to that person’s trade, business, craft or profession, other than the user of a connected product or related service, to whom the data holder makes data available, including a third party following a request by the user to the data holder or in accordance with a legal obligation under Union law or national legislation adopted in accordance with Union law".

This makes clear that the data recipient is not itself a user and does not act for private purposes. In addition, the DA expressly excludes certain third parties: data access is denied to so-called unauthorised third parties within the meaning of Art. 5 (3) DA. These are the large digital companies categorised as "gatekeepers" by the EU Commission under the Digital Markets Act (DMA). This is based on the assumption that they would already have large amounts of data at their disposal and that a right to data access in their favour would be disproportionate (see Recital 40 DA).

The user's right to data access for itself or in favour of a third party is directed against the holder of the data. We will also take a closer look at this term.

Data access controller: the data holder

According to Art. 2 no. 13 DA, the data holder is 

"a natural or legal person that has the right or obligation, in accordance with this Regulation, applicable Union law or national legislation adopted in accordance with Union law, to use and make available data, including, where contractually agreed, product data or related service data which it has retrieved or generated during the provision of a related service"

In fact, there would have to be control over the generation of data by means of a connected product or related service in order to be a data holder within the meaning of the DA (cf. Art. 4 (1) and Art. 5 (1) DA).

As fulfilling access requirements can entail considerable effort, which is likely to overburden small companies and start-ups, Art. 7 (1) DA in particular provides for an exception for micro and small enterprises that offer IoT devices or provide related services, so that they do not become subject to the obligations (see Recital 41 DA).

The asset "data" as the object of the DA's access rights

As an asset, data is at the centre of the DA's new access rights. The term "data" is to be understood more broadly here than, for example, in the sense of the EU General Data Protection Regulation (GDPR) and does not differentiate, for example, according to personal reference. Data within the meaning of Art. 2 no. 1 DA means "any digital representation of acts, facts or information and any compilation of such acts, facts or information, including in the form of sound, visual or audio-visual recording", whereas the access rights in Chapter II of the DA under Art. 1 (2) lit. a) DA only apply to data generated by connected products and related services: "data, with the exception of content, concerning the performance, use and environment of connected products and related services".

Recitals 15 and 16 of the DA provide further clarification, giving examples of data covered by the DA (e.g. data in raw form (source or primary data), data about the environment, interactions of the connected product, automatically sensor-generated data, data recorded by embedded applications including applications indicating hardware status or malfunctions) and non-covered data (e.g. derived and aggregated data).

How data access rights are configured: from direct access by the user to sharing with third parties

According to the DA, users have the right to access their data and the data generated by them. If users expressly request this, the above-mentioned third parties must also be authorised to access the user's data.

Accessibility by design and by default: the user's direct access to data in accordance with Art. 3 DA

Art. 3 (1) DA requires that connected products and related services are designed, manufactured or provided in such a way that the product data and related service data are "by default" accessible to the user as "easily, securely, free of charge, in a comprehensive, structured, commonly used and machine-readable format" – where this is "relevant and technically feasible". The user must, therefore, have direct access to the data. This is intended to increase the availability of IoT data, for example.

The obligation under Art. 3 (1) DA applies primarily to developers and manufacturers. However, the DA leaves it open as to what exactly is meant by "by default", in what specific way access is to be granted technically and under what circumstances relevance or technical feasibility exist. The DA remains technically open and leaves the specific implementation to the obliged party, and it leaves it to the courts to decide on the scope of the right and, thus, in which cases the right has been fulfilled. Recital 22 does, however, provide some examples.

Special information obligations arise from Art. 3 (2) DA towards the user prior to the conclusion of a purchase, rental or leasing contract for a connected product, according to which the contractual partners of the user, i.e. in particular sellers, landlords and lessors, are obliged to inform the user about certain aspects of data processing, e.g. whether the connected product can generate data continuously and in real time (Art. 3 (2) lit. b) DA). Sellers, landlords and lessors are not necessarily identical to the developer and manufacturer, so in this case they must obtain the information.

Replacement for direct data access: the user's right of access against the data holder pursuant to Art. 4 DA

If the user cannot access the product data directly from the connected product or from the related service, the user has a right against the data holder pursuant to Art. 4 (1) sentence 1 DA for free data access, which corresponds in its configuration to the above-mentioned right under Art. 3 (1) DA. As far as technically feasible, Art. 4 (1) sentence 2 DA requires that data access be granted upon simple request by the user and by electronic means.

Whereas in the case of direct data access in accordance with Art. 3 DA, the user has de facto access to the data via the interface created by the data holder and, thus, full power of disposal, data access in accordance with Art. 4 DA is based on a right of the user against the data holder. The latter must first check whether the claimant is a user at all before fulfilling the right. For this authentication, however, the data holder may only request minimum information that is limited to the extent necessary in accordance with Art. 4 (5) sentence 1 DA. At the same time, the data holder may not retain any information about the user's access to the data that goes beyond what is necessary for the proper execution of the access request and the security and maintenance of the data infrastructure (Art. 4 (5) sentence 2 DA). However, there are limits to the right to data access.

Data access rights may be subject to certain restrictions

The right to data access is subject to certain restrictions, meaning that the data holder can refuse or limit data access under certain conditions. At the same time, the DA imposes further restrictions on use. According to Art. 4 (2) DA, the data holder has a right to refuse performance: the latter and the user can contractually restrict the access, use and transfer of data if the impairment of security requirements, e.g. of an IoT product, could lead to serious negative effects on the health or safety of persons.

The protection of trade secrets when fulfilling access rights

Since the data to be disclosed in the context of the fulfilment of access rights may also contain trade secrets, the protection of trade secrets was particularly controversial in the legislative process surrounding the DA. Restrictions on data access are now allowed to result from the protection of trade secrets, but not in such a way that data access could be completely denied with reference to the protection of trade secrets (see Recital 31 DA). Rather, the DA provides for some protective mechanisms in Art. 4 (6), (7) and (8) DA. These can be, for example, necessary and appropriate technical and organisational measures (TOM) to maintain confidentiality, e.g. NDAs and strict access controls (you can find out more about the relationship between the DA and trade secret protection here in our German blog: Data Act – Data access and secrecy protection – CMS Blog (cmshs-bloggt.de)).

No disclosure of personal data without a legal basis within the meaning of the GDPR

Data protection law may also prevent data access rights if the requested data is related to a data subject other than the user and there is no legal basis within the meaning of Art. 6 GDPR. A legal basis in accordance with Art. 6 GDPR is also required for mixed data sets (i.e. a mix of personal data and data from the industry). The DA itself does not provide such legal bases within the meaning of the GDPR, cf. Art. 6 (12) DA (further information on the relationship between the DA and the GDPR can be found here in our blog: Disharmony between EU Data Act and GDPR).

Data transfers under the DA and the limits imposed by competition law

Furthermore, the limits imposed by competition law must be observed: Recital 116 DA expressly points out that the provisions of the DA may not be used to restrict competition contrary to the Treaty on the Functioning of the European Union (TFEU), so that the DA does not constitute a justification for any anti-competitive exchange of information. Data access rights can therefore be rejected under certain circumstances with reference to competition law.

The DA's ban on use: obtained data may not be used in full

The DA tries to strike a balance between promoting innovation, extensive data utilisation and the simultaneous protection of innovation and information. If the user has received the requested data in accordance with Art. 4 (1) DA, he or she is subject to certain restrictions on its use in order to protect the data holder: for example, Art. 4 (10) DA provides for a prohibition on competition for the development of competing products and a ban on spying on the economic situation, assets or production methods of the manufacturer of an IoT product or the data holder. However, a similar prohibition also applies to protect the user in accordance with Art. 4 (13) DA at the expense of the data holder.

Access by third parties: disclosure of data to third parties at the request of the user

Art. 5 DA contains provisions on the user's right to transfer the data, which would also have to be made available to the user itself on the basis of Art. 4 (1) DA, to third parties. According to Art. 5 (1) DA, this requires a request from the user and must be free of charge for the user, whereby the provisions of Art. 5 DA and the obligations of the third party based on it according to Art. 6 DA generally correspond to the provisions of Art. 4 DA just described, e.g. with regard to the reservation of a GDPR legal basis for personal data (Art. 5 (7), (8) DA) and trade secrets (Art. 5 (9) to (11) DA), the prohibition on competition and spying (Art. 6 (2) lit. e) DA) as well as restrictions under competition law. However, there are also differences: for example, the general provisions of Art. 8 and Art. 9 DA – probably including the cost regulations – apply to the relationship between the data holder and the third party.

The third party may only process the data provided to it in accordance with Art. 5 DA for the purposes and under the conditions agreed between it and the user who requested that the third party receive the data (Art. 6 (1) DA). Here again, a restriction applies at the expense of the "gatekeepers" in the sense of the DMA: they may also not receive the data indirectly via a third party acting as data recipient, i.e. the third party may under no circumstances pass on the data obtained in accordance with Art. 5 DA to "gatekeepers" (Art. 6 (2) lit. d) DA).

Companies should now review their data strategy in light of the DA

For its extensive access rights, the DA provides for numerous limitations, exemptions, obligations for data holders and recipients as well as prohibitions with regard to the data obtained. It thus attempts to harmonise the objectives of the European digital strategy (creating a single market for data in the EU, promoting innovation and establishing the EU as a pioneer of the data economy) with data and trade secrecy protection as well as other interests and existing legislation. Only time will tell whether this will succeed and whether the fulfilment of the obligations for data holders and recipients will entail considerable expense for the economy or whether the costs and benefits are in reasonable proportion.

But one thing is clear: the DA will essentially apply from 12 September 2025. Until then, the necessary implementation measures must be taken (e.g. with regard to the fulfilment of any data access rights).

For more information on the Data Act contact your CMS client partner or these CMS experts:
Philippe Heinzke, Björn Herbers, Michael Kraus, Julia Dreyer, Tom De Cordier, Italo de Feo, María González Gordon, Johannes Juranek, Ian Stevens.