Executive Summary
The EU's sweeping Data Act is now in force. In this part of our series highlighting the Data Act's key issues, our Privacy, Cyber & Data Strategy Team highlights new obligations for companies whose connected products collect data on their use, performance, or environment.
- A 'connected product' has a broad definition and can include smart appliances, machinery, and connected vehicles
- The Data Act introduces new 'access by design' obligations and provides users with a new right of access and right to portability of their data
- Businesses that provide 'related services' also fall under the Data Act
This article is part of a series that summarises the key issues arising from the introduction of the Data Act. See:
On 12 September 2025, the obligations introduced under the EU's Data Act (Regulation 2023/2854) became applicable, including those related to connected products. Chapter II (Article 3 to Article 7) of the Data Act sets out provisions and obligations associated with connected products and/or related services.
| Key Definitions | |
|---|---|
| Connected product: | A product that obtains, generates, or collects data about its use, performance, or environment and which communicates via an electronic communication service (e.g. land-based telephone networks, television cables, and satellite-based networks), physical connection, or on-device access. |
| Data holders: | Entities that have the right to use and make available data generated from a connected product or related service. This could be the seller, renter, lessor, manufacturer, or any other third party providing a related service if they control access to data generated by a connected product. |
| Product data: | Data that has been obtained, generated, or collected in the use of a connected product. |
| Related service: | A digital service that is explicitly linked to the operation of a connected product with the ability to affect its functionality. |
| Related service data: | Data that represents user actions or events related to the connected product. |
| User: | A natural or legal person that owns a connected product or to whom temporary rights to use that connected product have been contractually transferred, or that receives related services. |
1. The definition of 'connected product' is broad
The concept of a connected product is interpreted broadly by EU regulators and includes smart home appliances (e.g. TVs, fridges, thermostats), consumer electronics, industrial machinery, medical devices, smart phones, and connected vehicles (those with an inbuilt connected product).
A product that primarily stores, processes, or transmits data on behalf of a party other than the user (e.g. servers and routers) is not a connected product. Prototypes (i.e. products that are still in the manufacturing phase) are also out of scope of the data-sharing provisions of the Data Act.
2. There are new obligations for connected products and related services
At a high level, obligations under Chapter II of the Data Act relate to:
- Access by design of connected products and related services. When relevant and technically feasible, a connected product (and related services) must be designed and manufactured in a way that ensures product data and related service data are, by default, directly available to a user in an easy, secure, comprehensive, structured, and machine-readable format (including ensuring that data is available continuously and in real time). This access by design obligation applies to connected products and related services that are made available on the EU market after 12 September 2026.
- Transparency obligations. The seller, renter,
lessor, or manufacturer of a connected product or any
party providing a related service must provide certain information
to a user in a clear and comprehensible manner. This includes:
- Information about the data collected by a connected product or related service (including volume of data generated, whether data is generated continuously and in real time, and whether data is stored on the device).
- Whether third parties will have access to the data.
- The names and contact details of any data holder.
- How a user can request that data is shared with a third party.
- The user's right to lodge a complaint.
- The identity of the trade secret holder.
- The duration of the contract between the user and data holder and arrangements for terminating the contract.
- Right of access and right to portability of data. If data cannot be accessed directly by the user, data holders must make product data and related service data available to the user when requested. If technically feasible, this data should also be made available continuously and in real time, and data made available to a user should be provided free of charge. Users are also able to request that a data holder make their data available to a third party without undue delay. If a third party receives data from a data holder at the request of a user, it must comply with the obligations set out in Article 6.
3. Users have the right to access data generated from a connected product
Pursuant to Article 4(1), data holders are obliged to make data generated from a connected product or related service available to a user in an easy, secure, comprehensive, structured, and machine-readable format. If technically feasible, this data should also be made available continuously and in real time. Data made available to a user should be provided free of charge.
Users have a right to access product data and related service data. Both product data and related service data include data recorded intentionally or data which results indirectly from actions taken by a user. This also includes data generated by a connected product or related service during times of inaction by the user, e.g. when the user chooses not to use a connected product or related service. However, a data holder is only required to provide data that is readily available, i.e. data that a data holder can obtain without disproportionate effort.
|
Taking connected cars as an example, product data might include data relating to fuel levels, speed, tyre pressure, engine status, seat belt usage, and braking patterns. Related service data could include data obtained from apps installed on the vehicle's multimedia system, such as location data, car settings, and connected phone information. |
4. The Data Act applies to manufacturers of a connected product and any other data holders
There are two broad categories of obligations under the Data Act which apply to connected products.
Applicability of transparency obligations
The overarching transparency obligations under Article 3 apply to businesses that sell, rent, or lease a connected product to a user or those that provide a related service. A provider of a related service may be the manufacturer of a connected product or it may be a separate third party. If the provider is a third party, that third party will only be a data holder if it establishes a contractual relationship with the user and receives product data.
Transparency obligations under Article 3 could apply to the seller, renter, lessor, or manufacturer of a connected product, as well as any party providing a related service.
Applicability of right of access provisions
The right of access provisions set out in Chapter II apply to data holders. In many instances, the manufacturer of a connected product will be a data holder. However, the Data Act allows a company to outsource the role of data holder to a third party. It is therefore important for users to be informed of the identity of all data holders before they enter a contract for a connected product. There can, and often will be, more than one data holder associated with a connected product or related service.
|
The following example demonstrates the stakeholders and data holders that could be involved with connected vehicles, specifically connected cars:
|
It is also worthwhile to note that Article 6 also imposes obligations on third parties that receive data under the Data Act at the request of a user. When using data provided to it only for the agreed purpose, these obligations include:
- Making data available to gatekeepers as defined under the Digital Markets Act.
- Using data to develop a competing connected product.
5. Services that can be linked to the operation of a connected product may also be required to comply with the Data Act
Third parties that provide a related service for a connected product may also be required to comply with the Data Act. There are two parts to the European Commission's test for determining whether a digital service is a related service:
- There must be a two-way exchange of data between the connected product and the service provider.
- The service must affect the connected product's functions, behaviour, or operation.
The European Commission has stated that the function of a connected product will continue to evolve and that court interpretation will be important in distinguishing between services which are related services and those which are not. However, the following may be useful considerations:
- User expectations.
- Marketing accompanying the connected product and digital service.
- Contractual negotiations.
- Replaceability of the digital service.
- Pre-installation of the digital service on the connected product.
|
Using our connected car example, related services may include in-vehicle navigation systems, remote-control services (e.g. those that allow remote engine starts and door locking), and predictive maintenance services that provide alerts about future maintenance needs. |
6. A connected product falls within scope of the Data Act when it is made available on the market
A connected product will fall within the scope of the Data Act when it has been made 'available on the [EU] market'. A product will be available on the market if it has been supplied for distribution, consumption, or use in the EU in the course of a commercial activity (irrespective of whether payment is made). Guidance published by the European Commission suggests that a product is made available on the market:
- Upon completion of the manufacturing stage.
- When a transfer of ownership, possession, or other property right has occurred between two economic parties.
The Data Act may still apply if a connected product is manufactured outside the EU by a non-EU company (for example a company in the USA), but the connected product is sold in the EU. Therefore, it is important for international companies that sell connected products to ensure that they appropriately review their obligations under the Data Act and revise their compliance programmes as necessary to address data by design, transparency, rights of access, and rights of portability requirements.
|
Taking connected cars as an example, a car company has manufactured a car with an inbuilt connected product that is used for two purposes: (1) to monitor performance; and (2) to enhance user experience through the infotainment system. This car is purchased by a car hire company for use within the EU. Upon transfer of ownership, the car is made available on the market, and the car hire company becomes the user of the car with an inbuilt connected product. The car hire company rents the car with an inbuilt connected product to its customers. When a customer collects the car with an inbuilt connected product, they become the temporary user of the connected product Generally, registration of mobile connected products (e.g. ships, planes, trains, and cars) in the EU will suggest that they have been made available on the market. |
7. Data generated by a connected product outside the EU may fall within scope
In general, a connected product is likely to be used in the EU once it has been made available on the market. However, for some connected products such as mobile connected products, they may be made available on the market but used outside the EU. In these situations, data generated by a connected product both within and outside the EU must be made available to a user under the Data Act.
|
Applying our connected car example, a customer hires a car with an inbuilt connected product from a car hire company. The customer picks the car up in Greece, but during the car hire period, the customer travels to Türkiye. Because the car has been made available on the market, any data generated by the connected product during the car rental period (whether within Greece or Türkiye) must be made available to the customer. |
Conclusion
Entities with an interest in connected products should ensure they have assessed their positioning under the Data Act to accurately determine which obligations may apply. Depending on an entity's positioning, it may be required to: (1) change how it designs connected products; (2) update transparency notices; and (3) implement processes to enable users of a connected product or related service to access and port their data. Entities should also consider their contracts with other stakeholders in the connected product space to ensure that contractual provisions align with statutory obligations and correctly identify relevant data holders.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
