1. Introduction
The Data Act (Act) is a new European Union (EU) regulation and represents yet another aspect of the EU Digital Reforms package, which regulates the digital world we live and work in.
The Act centres on 'data' and its primary goal is to make it easier and fairer for EU 'users' (i.e. residents and businesses) to access and share data generated by manufacturers and providers of connected products and smart objects, for example smart devices, machines, vehicles, and apps that collect data when used.
These harmonised rules also aim to ensure fairness in the digital environment and stimulate competitiveness while safeguarding the interests of those who invest in data-generation technologies. Further information on the Act is available in the European Commission's FAQs document (FAQs).
With most of the Act's provisions applying from 12 September 2025, we address some important questions that you may have around the nature, scope and obligations for your business arising from the Act.
2. Is your organisation in-scope?
2.1 Definition of 'data' under the Act
The central plank of the Act is 'data', which means: "any digital representation of acts, facts or information and any compilation of such acts, facts or information, including in the form of sound, visual or audio-visual recording".
2.2 Sources of in-scope data
Data will be generated by manufacturers or service providers of "connected products", "related services" and/or "virtual assistants" which are defined as follows:
- Connected products, also called the "Internet of Things", are products that generate, obtain, or collect data about their use, performance, or environment and can communicate this data via a cable-based or wireless connection. The primary function of a connected product (in scope of the Act) cannot be the storing, processing or transmitting of data (Article 2(5) of the Act). Connected products include smart home appliances, consumer electronics, industrial machinery, medical devices, smartphones and TVs.
- Related services means a digital service. There are two main requirements for a service to qualify as a related service: (1) a two-way data exchange between the related service and the connected product; and (2) the related service must affect the connected product's "functions, behaviour or operation". The FAQs give examples of services that transmit data or process commands to a product, such as an app to adjust the brightness of lights or to regulate the temperature of a fridge.
- Virtual assistants means software that can process demands, tasks or questions, including those based on audio, written input, gestures or motions, and that, based on those demands, tasks or questions, provides access to other services or controls the functions of connected products (Article 2(31) of the Act).
2.3 Data in scope of the Act
The type of data covered by the Act is wide-ranging; it includes raw and pre-processed data (i.e. raw but usable data) and specifically:
- product data and related service data
- readily available data
- relevant metadata
- personal and non-personal data (however, personal data remains subject to the GDPR).
The type of data informs the applicable obligations imposed on the data holder. For example, data holders must: (i) provide users with direct access to "product data and related service data" (Article 3 of the Act); and (ii) give indirect access to users or third parties to "readily available" data or "relevant metadata" (Articles 4 & 5 of the Act).
2.4 Data outside the scope of the Act
Not all data is within the scope of the Act. The Act excludes:
- data that is inferred or derived from pre-processed data. For example, information inferred or derived from data arising from additional investments could include information derived by means of sensor fusion, which infers or derives data from multiple sensors, collected in the connected product, using proprietary, complex algorithms and which could be subject to intellectual property rights.
- data produced by sensor-equipped products when users record, transmit, display, or play content.
2.5 Who is caught by the Act?
The Act applies to manufacturers, service providers, users, data holders, cloud service providers, third parties and government bodies. See the glossary of terms for more information (below). The key concepts under the Act are "data holders", "data processing service provider" and "users" as defined in Article 2 of the Act.
| USER | Under the Act, users are given rights of use, access and data switching. Users are defined as any natural or legal person who owns a connected product or to whom temporary rights to use that connected product have been contractually transferred, or that receives related services (Article 2(12) of the Act). |
| DATA HOLDER | Data holders are obliged to comply with the Act's data access and sharing provisions. A "data holder" is a natural or legal person that has the right or obligation... to use and make available data, including, where contractually agreed, product data or related service data which it has retrieved or generated during the provision of a related service (Article 2(13) of the Act). As such, a key requirement to be a data holder is to have control over access to readily available data. |
| PROVIDERS OF A "DATA PROCESSING SERVICE" | Providers of data processing services will also be subject to the obligations of data switching and interoperability under the Act. The term data processing service means any digital service provided to a customer and that enables ubiquitous and on-demand network access to a shared pool of configurable, scalable and elastic computing resources of a centralised or distributed nature that can be rapidly provisioned with minimal management effort or service provider interaction (Article 2(8) of the Act). The term is almost identical to the definition of "cloud-computing service" under the NIS2 Directive. While organisations may be forgiven for assuming that the definition applies to cloud computing services only, the provisions of Chapter V of the Act make it clear that the concept is broad and can apply to services which are: (i) custom-built to the specific needs of a customer or developed for a customer; and (ii) which are not offered at broad commercial scale. Therefore, SaaS providers may be caught as data processing service providers. It is important to highlight that, as a general rule, a company cannot be a data holder and user of the same data. |
| THIRD PARTIES | While not defined in the Act, a third party is a person who receives data from a data holder upon request of a user. Data holders are only obliged to share readily available data upon a user's request with a third party if that third party is located in the EU. According to the FAQ, non-EU operators do not come within the scope of being a data recipient (i.e. to receive data requested by a user). |
2.6 What is the territorial scope of the Act?
The Act has an extra-territorial effect. Therefore, it applies to manufacturers and service providers who place connected products or related services on the market in the EU, irrespective of the place of establishment of those manufacturers or providers (Article 1(3)(a) of the Act). Additionally, data holders outside the EU that "make data available" to data recipients in the EU will be caught by the Act (Article 1(3)(c) of the Act). This reinforces the Act's market-oriented approach to addressing compliance throughout the entire lifecycle of a connected product or related service. It also aligns with elements of existing EU laws which govern the processing of data (such as the GDPR).
3. Data and access obligations for in-scope organisations
3.1 Core obligations of data holders to users
The central tenet of the Act is access to data in the digital economy. Organisations that are in-scope "manufacturers" or "data holders" must comply with access and sharing obligations.
3.1.1 Data access
As a data holder, organisations may be required to provide data access to:
- users on a business-to-business (B2B) or business-to-consumer (B2C) basis (Chapter II of the Act);
- third parties on a B2B basis (Chapters II to IV of the Act); or
- public sector bodies on a business-to-government (B2G) basis (Chapter V of the Act).
Under Chapter II, users may access data either by design (Article 3), meaning the data is directly accessible, or by request (Article 4) where direct access is not technically feasible.
For access by design, new products placed on the market after 12 September 2026 will need to be designed to allow access to product and related service data directly by the user (easily, securely and free of charge), in a comprehensive machine-readable format, where relevant and technically feasible. Conversely, to the extent that a user cannot obtain direct access, data holders must make "readily available data" and "relevant metadata" accessible to the user on the same conditions "without undue delay" and of the same quality as is available to the data holder and where relevant and technically feasible, continuously and in real time.
Organisations can, in certain circumstances, outsource their role as a data holder. For example, manufacturers may contract out to another entity the role of 'data holder' for all or part of that manufacturer's connected products.
Under the Act, the designation of a data holder is determined not by who manufactures the hardware or software, but by who controls access to the readily available data. This means a manufacturer is not automatically considered the data holder. Additionally, an organisation cannot simultaneously be both the user and the data holder for the same dataset. However, it may be a data holder for one connected product or related service, and a user for another, depending on the specific context.

3.1.2 Data sharing
In addition to data access rights, users have a right to request that data holders share "readily available data", as well as relevant metadata necessary to interpret and use those data, with third parties without undue delay (Article 5 of the Act). The provision of this data must meet specific standards which are similar to those set out in the data access provisions of the Act. The data must be of the same quality as is available to the data holder, and provided securely and free of charge. Additionally, the data must be delivered in a comprehensive, structured, commonly used and machine-readable format. Where relevant and technically feasible, the data should also be made available continuously and in real time.
In the case of personal data, where the user is not a data subject whose personal data is requested, any personal data generated by the use of a connected product or related service must be made available by the data holder to the third party only where:
- there is a valid legal basis for processing under Article 6 of the GDPR and,
- if there is special category personal data, under the conditions of Article 9 of the GDPR.
Interestingly, the Act does not specify whose legal basis should be relied upon for the processing, meaning the GDPR assessment of "who" is a controller will apply.
3.1.3 Organisations exempt from data sharing obligations
Small and medium-sized enterprises (SMEs) are exempt from the data sharing obligations in Article 5 of the Act (Article 7(1) of the Act). The category of SMEs is made up of businesses which employ fewer than 250 persons, and which have an annual turnover not exceeding €50,000,000, and/or an annual balance sheet total not exceeding €43,000,000. Additionally, companies are exempt from obligations to share data when the third party request is from organisations registered as "Gatekeepers" under the Digital Markets Act (Article 6(2) of the Act).
Data holders may also refuse access to data if sharing would unduly compromise the security of a connected product or related service (Article 4(2) and Article 6(2) of the Act), or if it would expose trade secrets (Article 8(6) of the Act) (see more on this below). Furthermore, prototypes are exempt from the scope of the Act because they are not placed on the market.
3.2 Trade secrets - balancing data access rights against the need to uphold legal prot
Data that can be identified as a trade secret is exempt from disclosure, unless all necessary measures to preserve the confidentiality of such data can be agreed and implemented (Article 5(9) – (11) of the Act).
The Act does not alter existing legal protections for trade secrets, such as the provisions of the Trade Secrets Directive 2016. The Act introduces a new mechanism for safeguarding trade secrets, referred to as the 'trade secrets handbrake'. The Act seeks to strike a careful balance between preventing illegitimate restrictions on the user's new data access rights and maintaining the legal protection of trade secrets.
Data holders can protect their trade secrets whether they provide users with 'direct access' or 'indirect access'. For example, if an organisation is providing direct access, the data holder may contractually oblige the user to protect certain data that are made directly accessible. However, at a practical level, it may be easier for data holders to implement indirect access controls and monitor data which is disclosed to users.
3.3 Model contractual clauses
Lastly, organisations will need to consider what contractual provisions they need to implement in order to comply with the access and sharing obligations under the Act.
The European Commission set up an expert group on B2B Data Sharing and Cloud Computing Contracts (Expert Group) to simplify negotiations and ensure legal certainty in B2B arrangements. On 2 April 2025, the Expert Group published a set of model contractual terms (MCTs).
The MCTs are designed to help companies comply with the Act and establish fair, secure and transparent agreements for data sharing. They are structured across four typical data-sharing scenarios: (1) Data Holder to Data User; (2) User to Data Recipient; (3) Data Holder to Data Recipient; and (4) Voluntary Data Sharer to Data Recipient.