Have you heard of the Data Regulation or the AI Act?

If you are not familiar with it, note that the European Union Data Act, approved on 13 December 2023 and effective from 11 January 2024, came into force on 12 September 2025. This legislation marks a turning point in the access and use of data generated by connected devices.

The primary objective of the Data Act is to facilitate the exchange and reuse of data among various actors within the Digital Single Market. Accordingly, connected products must be designed and manufactured to allow users to access, use, and share their data easily and securely, with the specific features outlined below.

What does the Data Act regulate?

To understand its scope, we must first define what constitutes a connected device and what is meant by the Digital Single Market.

A connected device is any physical equipment (such as a smart car, digital watch, Wi-Fi-enabled appliance or industrial machine) that, through sensors or software, collects, generates, and transmits data via the Internet or other communication networks. The Data Act regulates the access to and use of data generated by these devices, promoting fair, secure, and transparent use for both users and businesses.

The Digital Single Market is an EU strategy aimed at ensuring the free access, circulation, and use of goods, services, people, and capital within the digital environment. It removes barriers between member states and creates a common space for the European digital economy. Its purpose is to foster innovation, competition, and the protection of user and consumer rights.

Other relevant regulations, such as the Digital Markets Act (DMA) and the Digital Services Act (DSA), also apply within this digital environment and are worth familiarising oneself with.

It is important to note that the Data Act applies to both personal and non-personal data, with the GDPR remaining the primary framework for protecting user privacy.

Who is affected by the Data Act?

The regulation primarily affects:

  • Manufacturers of connected products and providers of related services (automotive, appliances, and industrial machinery), regardless of where they operate.
  • Users in the EU of such products or services.
  • Data holders who make data available to recipients in the EU.
  • Data recipients located in the EU.
  • EU public bodies and authorities that require data in exceptional cases.
  • Data processing service providers operating with EU clients.
  • Participants in data spaces and application providers using smart contracts.

Exceptions

  • Micro and small enterprises: generally and continuously exempted from these obligations, provided they are not part of a larger corporate group and do not act as subcontractors in the manufacture or design of connected devices or in the provision of related services.
  • Medium-sized enterprises: those that have acquired this status within the past 12 months are exempt during their first year.

Impact of the Data Act on the market

The Data Act not only establishes legal obligations but also opens new opportunities and recognises rights for companies and users to manage and leverage data more efficiently. It aims to foster a fairer, more competitive, and more innovative data ecosystem within the European Digital Single Market.

For businesses:

  • Data identification and classification: companies must implement procedures to distinguish between personal and non-personal data and to classify data according to its origin and legal framework. The goal is to ensure lawful and secure data usage in compliance with applicable regulations.
  • Security and governance: shared data must be protected, responsibilities defined, and GDPR compliance ensured.
  • Interoperability and data portability: facilitate the transfer and reuse of data across platforms, avoiding technological dependencies.
  • Fair contracts and agreements: the Data Act introduces rules to prevent contractual imbalances that hinder user access to their data. A contractual clause is deemed abusive if it deviates from good commercial practice, breaches good faith or undermines professional loyalty.
  • User information: companies must clearly inform users about the data generated by devices and how it can be accessed and shared.
  • Confidentiality: the regulation sets out safeguards to protect trade secrets. If disclosure is likely to cause significant economic harm, a company may refuse requests to access data deemed confidential.
  • Cloud service interoperability: providers remove technical barriers to facilitate switching between cloud service providers or using multiple providers simultaneously. This enables the transfer of exportable data and digital assets between platforms or to local infrastructure, improving interoperability across the European data ecosystem.

For users:

  • Access to generated data: the right to access data generated by their devices free of charge. This access must be easy, secure, in a structured, machine-readable format, and, where possible, in real time and continuously.
  • Controlled data sharing: users can decide with whom to share their data, fostering a more open and competitive market.
  • Portability and traceability: data must be transferable to other platforms or services, ensuring continuity of use and preventing blocking by original manufacturers or providers.
  • Transparency: companies must clearly explain how they use, share and process data. They must also specify the conditions under which third parties can access it.
  • Protection against unfair use: users and authorised third parties may not use the data to develop connected products that directly compete with the original device.

It is essential to emphasise that no provision of the Data Act may be interpreted as limiting the right to personal data protection or the confidentiality of communications. In the event of a conflict, the GDPR will always prevail.

Legal advice on the Data Act

At AGM Abogados, we help identify and manage legal risks arising from the access, use, and sharing of data generated by your connected products or digital services. Our Technology, Media, and Telecommunications (TMT) experts provide guidance on compliance with the Data Act, interoperability, data portability, and all matters relating to personal data protection.

We offer tailored legal solutions to enable your company to leverage data securely and strategically, comply with regulations, protect your innovation, and strengthen customer relationships.

Contact AGM Abogados and adapt your company to the Data Act in a safe, efficient, and competitive manner!