WONE GLOBAL

Andrzej Zacharzewski
October 02, 2025
  • What is the Data Act?

The Data Act is an EU regulation that introduces common rules for access to and use of data. It mainly concerns data generated by IoT devices and services and defines the rules of cooperation between manufacturers, users, and third parties. Its goal is fair data trading, ensuring interoperability, and the ability to easily switch cloud service providers and data processing systems.

 

  • What are the main goals of the Data Act?

The Data Act aims to ensure a fair distribution of benefits from data and give users real control over the information generated by their devices. It guarantees simple and free access to data, the ability to securely share it with other entities, and facilitates the transfer of data between digital service providers. It complements the GDPR, also covering non-personal and technical data from IT devices.

 

  • What is the essence of the regulation?

The Data Act grants the end-user the right to free access to data generated by their devices, as well as the right to share this data with third parties (e.g., services, providers of additional services). At the same time, it imposes obligations on manufacturers and service providers related to transparency, interoperability, and fair data trading.

 

  • What are the most important obligations of companies in this regard?

- providing the end-user with easy, free, and understandable access to data (e.g., through an application, portal, or API),

- preparing clear information before sale/service: what data is generated, who has access to it, in what format it can be downloaded, and whether and how it can be transferred to a third party,

- implementing mechanisms to enable data transfer to other systems and services (interoperability),

- adapting contracts and documentation (sales, user instructions, data policies),

- protecting trade secrets while ensuring transparency towards customers,

- enabling the change of data processing service providers (limiting the so-called vendor lock-in).

 

  • What is the relationship between the Data Act and the GDPR? 

The Data Act mainly concerns non-personal data, but in practice it very often also covers personal data. This means that the provisions of the Data Act and the GDPR have to be applied in parallel, with close cooperation between the legal and technical departments and the data protection officer.

 

  • What is the information obligation regarding the sales contract party?

Each entity participating in the supply chain of connected products has its own information obligation towards the user. The fact that the manufacturer has fulfilled this obligation does not release subsequent entities (e.g., sellers) from the need to fulfill it. Entities in the supply chain must remember to fulfill the obligation, which in practice requires, among other things, verifying the information provided by the manufacturer (customers can verify the information provided).

 

  • When should the information obligation be fulfilled?

Each seller must provide the user with the required information before the contract is concluded. There are no exceptions or limitations here - the right to information is granted to every user and is always associated with the moment of signing the sales contract.

 

  • How can the information obligation be fulfilled?

It is enough to provide the user with a stable internet address (URL), e.g., as a link to a page or a QR code leading to the required information. The seller, as well as the manufacturer, can provide such a link before signing the contract. It is important that the user can save this information in a permanent form so that they can access it in the future and reproduce it without changes.

 

  • Do medium-sized entrepreneurs have any additional rights?

Each new IoT product introduced to the market by a medium-sized enterprise is covered by a 12-month transition period (counted from the date of its premiere). During this time, data from the product does not yet have to be made available in accordance with the Data Act. After a year, the obligations apply in full. This solution gives medium-sized companies additional time to prepare systems and processes for the new requirements.

 

 

  • When does the Data Act come into force?

Full application begins on September 12, 2025. This is the date from which market entities (manufacturers, service providers, users) must start complying with the new rules. From September 12, 2026, all new smart products and services introduced to the market will have to be designed so that the user, as a rule, has easy, free, and secure access to data in a readable format (the so-called access by design principle). Older devices sold earlier do not have to be adapted to this. However, from September 12, 2025, the seller or manufacturer must provide clear information before the contract is concluded about what data the product generates and how the user can obtain it. The seller/manufacturer must therefore inform the customer whether and what data is available, and in what form - even if access does not meet the requirements of the Data Act. And if there is no technical possibility of access in the mode required by the Data Act ("easy, free, machine-readable"), the customer must be informed about this before the contract is concluded.