The EU Data Act (the "Act"), which entered into force on 11 January 2024, is a comprehensive piece of legislation aimed at fostering a fair and competitive digital environment in the European Union. It focuses on ensuring that data is shared more effectively, while protecting the rights of individuals and businesses.
In this article, we do a deeper dive into the right of access users have in relation to in-scope data.
The Act mandates that connected products must be designed and manufactured, and related services must be provided, in such a way that data generated by these products and services is directly accessible to users (Article 3). If data cannot be made directly accessible, it must be made available on request without undue delay (Article 4).
There is an exemption to making data directly accessible or available on request, where to do so would undermine the security of the connected product, resulting in a serious adverse effect on the health, safety or security of natural persons.
Under Articles 3 and 4 of the Act, the data that needs to be directly accessible or made available on request includes:
Although it is not explicitly set out in the Act, guidance from the European Commission says that such data need only be directly accessible or made available on request where to do so does not require disproportionate effort. This means that raw and pre-processed data falls in scope, but derived and inferred data does not.
If trade secrets form part of the data, these can only be disclosed if the user takes all necessary measures to preserve their confidentiality. If the user does not agree to take such measures, data need not be disclosed. Further, if the holder of the trade secrets can demonstrate that it is highly likely to suffer serious economic damage as a result of the disclosure (even with the necessary measures), the data may be withheld. However, in both cases the data holder must notify the competent authority.
Finally, it is worth noting that the above categories of data include both personal and non-personal data.
Again, although not explicit in the Act, the obligation to make data directly accessible is likely to apply to manufacturers of connected products, designers of connected products and providers of related services. However, it may also apply to companies that subcontract any of these functions.
The obligation to make data available on request applies to "data holders", which is a term that is poorly defined but essentially means one of the above actors (designer, manufacturer or service provider) to the extent they generate or are able to retrieve the data. Guidance from the European Commission says that this will typically be the company that makes the connected product or provides the related service.
However, the European Commission's guidance also says that the data holder must have a contract with the user. This implies that the obligation to make data available on request will not apply to a manufacturer where the connected product or related service is sold, leased or provided via a third party (e.g. a retailer or car hire company). Even if this is the case, sellers, rentors, lessors and providers of related services are required to provide users with certain information about the data prior to the conclusion of a sale, rent or lease of a connected product or provision of a related service.
Microenterprises, small enterprises, and companies that have been a medium enterprise for less than one year are all exempt from the obligations in Articles 3 and 4 of the Act.
The Recitals to the Act (which are not legally binding) suggest that the obligation to make data accessible on request does not apply to "processors", as defined under the General Data Protection Regulation. However, it is unclear how this will work in practice (e.g., whether it only relates to personal data processed by the processor but not non-personal data).
The data needs to be directly accessible or made available easily, securely and free of charge in a comprehensive, structured, commonly used and machine-readable format. In the case of data that must be made available on request, the data must also be made available continuously and in real time, on the basis of a simple request through electronic means (where technically feasible).
Data subject rights under GDPR must continue to be respected.
The Act does not provide a lawful basis to share data with third parties. As such, data that is "personal data", as defined under the GDPR, shall only be made directly accessible or available if the user is the data subject. If the user is not the data subject, data can only be accessible or made available if there is a valid legal basis for providing such data under Article 6 GDPR (and an Article 9 exemption applies in the case of data that is special category).
The obligation to make data directly accessible (Article 3) applies to connected products placed on the market after 12 September 2026 and the obligation to make data available on request (Article 4) applies from 12 September 2025.
Any business involved with connected products or related services should think about taking the following practical steps: