The Data Act will come into force on 12 September
In just a few days, on 12 September 2025, Regulation (EU) 2023/2854 of the European Parliament and of the Council on harmonised rules on fair access to and use of data, known as the Data Act, will come into force. The new regulations will introduce significant changes in the way data is managed in the digital economy and will have a direct impact on the activities of businesses in many industries.
The biggest changes await manufacturers, importers and distributors of so-called connected products (IoT devices), such as smart home appliances, industrial machinery, and cars and bicycles with smart features. However, the regulation goes far beyond this sector. The Data Act will affect, among other things, the way IT infrastructure providers operate in the cloud model and entities offering Internet-based programmes that enable data processing.
Users’ right to data
The Data Act introduces an obligation to make data generated by connected products and related services available to users. Data holders, including IoT device manufacturers, will be required to provide users with access to raw and pre-processed data, together with relevant metadata. Users will receive the data in a machine-readable format and have the right to share it with selected third parties, such as websites, after-sales service providers or companies offering innovative data-based solutions (such as content recommendations based on all streaming services subscribed to by the user).
The regulation covers both personal and non-personal data, but does not apply to highly enriched data or audiovisual content.
Data exchange between businesses
The regulation also establishes rules for the exchange of data between the device manufacturer and the business that wants to offer the user an additional service based on that data (e.g., smart home integration with a smart car and smart bicycle). In such cases, the data holder will be required to transfer the data in exchange for appropriate compensation. The aim is to open up access to user-generated data, create new business models and strengthen competition in the digital market.
Protection against unfair contractual terms
The Data Act also provides protection against unfair contractual terms between businesses regarding access to data. Unfair terms will include, among others, terms that exclude liability for intentional acts or gross negligence, allow for unilateral determination of whether the data provided is in accordance with the contract, or reserve the exclusive right to interpret contractual terms in favour of one of the undertakings.
Change of processing service provider
Chapter VI of the Data Act, which concerns the change of data processing service provider, deserves special attention. Cloud and edge computing service providers will have to comply with a number of obligations designed to facilitate interoperability and enable a smooth change of provider.
The regulations contained in this chapter will have far-reaching consequences for businesses using cloud services, regardless of their industry or size.
Data processing service providers will not be able to impose pre-commercial, technical, contractual or organisational barriers that make it difficult to terminate a contract. In practice, this means greater freedom for businesses in choosing IT providers and a reduction in vendor lock-in.
From 12 January 2027, data processing service providers will not be able to charge fees for changing service providers. Until then, there will be a transition period with reduced fees, which cannot exceed the actual costs associated with the change process.
In addition, the Data Act also introduces an obligation for data processing service providers to publish on their websites information about the jurisdiction to which their ICT infrastructure is subject, as well as general descriptions of the technical and organisational measures in place to prevent international access to non-personal data. This will make it easier for customers to assess the compliance of services with data protection and information security requirements.
Summary
The Data Act is a comprehensive regulation that could significantly impact the data-driven digital economy in the European Union. The regulation introduces new standards for data access and exchange, which may have a positive impact on the competitiveness and innovation of businesses by democratising access to information resources. However, its impact extends beyond the technology sector to include all businesses using digital solutions, enabling them to change their processing service providers more easily.
If you are interested in analysing the impact of the Data Act on your business or need support in adapting to the changing regulations, we remain at your disposal.
KONTAKT
E: magdalena.patryas@pl.Andersen.com
T: +48 32 731 68 84
M: +48 502 392 419
