Introduction
Since the General Data Protection Regulation (GDPR) came into force in 2018, the European Union has profoundly transformed the legal framework applicable to personal data. By establishing strong principles (accountability, transparency, minimization, enhanced individual rights), the GDPR marked a major turning point in digital regulation, both in Europe and beyond its borders, with impacts across all sectors of activity.
But the European data strategy did not stop at the protection of personal data alone. With the rapid rise of connected objects, the Internet of Things (IoT), cloud computing, and, more broadly, the data economy, new challenges have emerged: Who can access the data generated by a digital object or service? Who can use, share, or reuse it? And under what legal and economic conditions?
It is in this context that a new piece of legislation has been added to the European regulatory framework: the Data Act.
Adopted in 2023, the Data Act aims to regulate access to, sharing and use of data, particularly data generated by connected objects, digital services and cloud infrastructure. It has two objectives: to promote better data circulation within the internal market while rebalancing the power relations between economic players, particularly between technology providers and professional users or consumers.
The Data Act is therefore a continuation of the GDPR, but it pursues a distinct objective. Whereas the GDPR focuses on protecting individuals and their personal data, the Data Act is primarily concerned with the use, sharing, and governance of data, whether personal or not.
So, what exactly is the Data Act? Who is affected by this new regulation? And above all, how does it differ from GDPR, with which it will have to coexist in practice?
1. What is the Data Act?
The Data Act is a European regulation that imposes new rules on the access, use, and sharing of data generated by connected products and their associated services.
Its distinctive feature is that it covers all data generated by the use of connected objects, whether personal or non-personal, including data relating to the products themselves.
In other words, the Data Act covers the entire ecosystem surrounding connected products and aims to promote the free flow of data within a secure and balanced framework.
Which items are affected?
The Data Act applies to all objects capable of communicating data via the Internet or another public network.
This includes, in particular:
- A connected vehicle, a connected watch or fitness tracker, a smart thermostat, an industrial machine equipped with sensors, smart agricultural equipment, etc.
These objects generate technical, usage, performance, or environmental data.
Which services are affected?
The regulation does not only apply to the objects themselves, but also to the associated services necessary for their operation.
For example:
- The mobile app for controlling a connected thermostat
- The online platform displaying sensor data
- A fleet management service linked to a telematics box
- An intelligent assistant integrated into a product
In other words, the Data Act covers the entire ecosystem surrounding connected products.
All data is affected.
The Data Act applies to all data generated by the use of these objects:
- Technical data
- Performance data
- Usage data
- Industrial data
- Non-personal data
And sometimes, this data may also contain personal data. In this case, its processing remains subject to the GDPR, since it constitutes data processing within the meaning of that regulation. The Data Act does not override the GDPR; it works in conjunction with it.
Let's take a few examples:
- A connected industrial machine generates data on its operation.
- A connected vehicle collects technical data on its use.
- Smart agricultural equipment records crop data.
Until now, this data was often used exclusively by the manufacturer or the provider of the associated service.
With the Data Act, the product user (company or individual) will be able to:
- Access the data generated by their equipment;
- Request its transfer to a third party (e.g., an independent maintenance provider);
- No longer be held back by unfair contract terms.
Data Act and personal data protection: a complementary relationship
Unlike the GDPR, which protects individuals' personal data, the Data Act primarily targets the economic exploitation of data generated by connected objects.
In practice, the GDPR protects individuals, while the Data Act regulates the circulation and use of data.
When data from a connected object can be used to identify a person, it remains subject to the GDPR, in addition to the rules of the Data Act.
2. Why was the Data Act adopted?
The Data Act is part of the European data strategy and pursues specific objectives:
- Enable companies to access the data they help generate;
- Rebalance the relationship between manufacturers and users;
- Reduce dependence on major cloud service providers;
- Facilitate the change of provider (cloud switching).
It also aims to strengthen European competitiveness and secure business development in the data economy.
3. What is the timeline for implementing the Data Act?
The Data Act is a European regulation that is directly applicable in all EU member states. However, not all of its provisions apply simultaneously: the text provides for gradual implementation.
Primary application
Most of the provisions of the Data Act have been in force since September 12, 2025.
From this date onwards, the companies concerned must now comply with new obligations, including:
- Enable access to data generated by connected products;
- Regulate the sharing of this data;
- Adapt their contractual practices to the new requirements.
Obligations staggered over time
Certain obligations will come into effect at later dates:
- September 2026: Manufacturers of connected products and providers of related services will be required to design their products and services in such a way that the data generated is directly accessible to users. This is a "by design" compliance approach, integrated from the product design stage onwards.
- January 2027: Users of cloud computing services will be able to switch providers at no cost. This provision aims to combat vendor lock-in and promote data and service portability.
- September 2027: The ban on unfair contract terms will also apply to contracts concluded before September 12, 2025. In other words, companies will have to review their existing contracts to ensure they comply with the new rules.
An evolving relationship with other European texts
It should also be noted that the European regulatory framework for data continues to evolve.
On November 19, 2025, the European Commission presented a proposal for a regulation that could amend certain provisions of the Data Act, in particular to improve its coordination with other European texts, such as the Data Governance Act (DGA).
This dynamic confirms that European data regulation is part of a global ecosystem comprising the GDPR, the Data Act, the DGA, and other sector-specific legislation.
4. What is the scope of the Data Act and who is affected by this European regulation?
The Data Act does not apply to all companies in general. It targets specific players involved in the production, storage, or use of data generated by connected products and related services.
The following are concerned, for all or part of the regulation:
Manufacturers and data holders
- The manufacturer is the entity that designs or markets a connected object (connected vehicle, industrial machine, medical device, smart home object, etc.).
- The data holder is the entity that technically and legally controls access to the data generated by the product (Article 2.13).
In practice, the manufacturer often holds the data, but this is not always the case.
For example: If a smartwatch manufacturer entrusts the management of the mobile application to a service provider that collects and controls data, that service provider may become a data controller.
Users
Users are all natural or legal persons (individuals, companies, public bodies) who own or use a connected product or associated service, even temporarily.
They have at their disposal:
- The right to access the data generated;
- The right to request their transfer to a third party;
- Protection against certain unfair terms.
Several users may coexist for the same product (owner, renter, employee using a company vehicle, etc.).
Recipients of the data
Recipients are individuals or companies that receive data at the user's request, in a professional context.
They may only use the data for the purposes agreed with the user and may not exploit it to develop a competing product without specific agreement.
Cloud providers and processing services
Cloud computing service providers operating in the European Union are also affected, particularly with regard to rules on switching providers (cloud switching).
Public bodies
In exceptional situations (public emergency or mission of general interest), certain authorities may request access to data held by private companies, under strict conditions.
Thus, the Data Act targets all players across the value chain of data from connected objects: production, control, sharing, and exploitation.
A single company may fulfill several roles (manufacturer, holder, service provider, data recipient).
5. What are the main rules and obligations of the Data Act?
The Data Act imposes several obligations designed to facilitate access to and sharing of data generated by connected products.
Enabling access to data from the outset
Manufacturers must design their products and services in such a way that users can easily access the data generated by their use.
This data must be:
- Directly accessible when technically possible;
- Provided free of charge;
- Transmitted in a structured, understandable, and reusable format;
- Securely accessible.
In practical terms, this means, for example, that a user of a smartwatch or connected vehicle must be able to retrieve the data generated by its use.
Make data available upon request
If direct access to the data is not technically possible, the data controller must provide the data to the user without undue delay, free of charge, and upon request.
Allow data sharing with a third party
The user may request that the data be transferred to a data recipient of their choice, for commercial or non-commercial purposes.
Sharing must be carried out as quickly as possible, free of charge for the user, with the same quality as that enjoyed by the holder and, where possible, continuously and in real time.
This right goes beyond the right to portability provided for in the GDPR, as it applies to all data generated, whether personal or not.
However, the regulation strictly regulates the use of data by the data recipient: in particular, they are prohibited from using it to develop a competing product or to profile the user, unless this is necessary to provide the requested service.
Ensuring transparency before concluding the contract
Before purchasing or renting a connected product, users must be informed of:
- The type of data generated;
- The use to which it will be put;
- The identity of the data holder;
- How to exercise their rights.
When personal data is involved, the requirements of the GDPR apply in addition.
Making it easier to switch cloud providers
The Data Act strengthens the rules governing cloud computing services. Providers must allow users to switch providers without excessive technical obstacles.
The goal is to limit vendor lock-in situations and promote interoperability.
6. How to comply with the Data Act (and coordinate this process with the GDPR)?
As you will have understood, the Data Act does not replace the GDPR; it supplements it. For companies, this means that it is no longer enough to ensure the protection of personal data alone.
We now need to establish comprehensive data governance, covering both personal data (GDPR) and non-personal and industrial data (Data Act).
Mapping data flows generated by connected products
As with the GDPR, the first step is to identify:
- Which products or services generate data?
- What categories of data are involved (technical, usage, mixed, etc.)?
- Who controls access to this data (manufacturer, service provider, subsidiary, etc.)?
- Which third parties may receive it?
This mapping makes it possible to determine whether the company is a manufacturer, data holder, related service provider, data recipient, or several of these at once.
Check compliance with the GDPR
Some data from connected objects may contain personal data.
In this case, the GDPR continues to apply (legal basis, information, individual rights, security). The Data Act provides a parallel framework for access to and economic sharing of this data.
Compliance must therefore be approached in a coordinated manner to avoid contractual or technical contradictions.
Adapt contracts
The Data Act requires a thorough review of existing contracts. In particular, companies must adapt clauses relating to access to data generated by connected products, remove provisions that could be considered unfair, and precisely define the conditions under which recipients may use the data.
It is also becoming essential to incorporate clear mechanisms allowing for a change of cloud service provider, in order to avoid any contractual or technical lock-in situations.
In practical terms, all contracts related to data use must be reviewed: contracts with clients, agreements with technology partners, commitments with cloud providers, and relationships with processors.
This contractual update is a key lever for compliance with the Data Act and requires a coordinated approach between legal, technical, and operational teams.
Adapting products and services (compliance by design)
Starting in 2026, products will have to be designed to make data directly accessible.
This often involves technical adaptations, consideration of system architecture, and anticipation during the design phase for future products.
Implement unified data governance
The real challenge for companies is not only legal, but organizational.
It is becoming necessary to structure a data governance policy, coordination between legal, IT, and business teams, and regulatory monitoring of all European texts (GDPR, Data Act, DGA, etc.). Furthermore, this development also offers the opportunity to transform compliance into a strategic advantage.
Conclusion: the Data Act, a new step in data regulation
The Data Act marks a new step in the development of a coherent European framework for data. While the GDPR protects individuals, the Data Act organizes the data economy and promotes the controlled circulation of data.
For businesses, the real challenge is no longer just protecting personal data, but implementing comprehensive data governance that incorporates the GDPR, the Data Act, and other European regulations.
Anticipating these developments not only limits legal risks, but also transforms compliance into a strategic lever.