The EU Data Act

The EU has been on a bit of a legislative roll in recent years. One new law in 2025 was the EU Data Act. So, what is it about?

What is the Data Act?

The Data Act is an EU law designed to regulate the growing data economy. In essence, it aims to prevent companies from using data to lock you into their service. Importantly, this applies to data generated by organisations as well as individuals. This could make it truly transformative for startups, which are often locked into the vendors who control their data.

What is the difference between GDPR and the Data Act?

The EU Data Act came into force in September 2025. It gives both businesses and consumers the right to access all data generated by connected products and services. While there’s some potential overlap with the GDPR, there are some key differences. Here are the top 5:

  1. Scope of the act. The Data Act applies to both individuals and organisations. That’s a significant extension to GDPR.
  2. Data coverage. The act covers any data generated by connected products and services. In other words, all data related to IoT devices, SaaS products, streaming platforms, and more. By contrast, the GDPR relates only to personal data, but in any form.
  3. Public sector access. The new act sets out rules relating to public sector data access. While the GDPR allows for data reuse for archiving or research, the Data Act goes much further.
  4. Facilitating service switching. The Data Act explicitly requires companies to make it easy to switch between providers. This extends the protections already provided by the GDPR for personal data.
  5. Obligations on manufacturers. The Data Act requires manufacturers (including software companies) to make it easy for people and companies to access their data, and requires them to do this for free. This is another difference from the GDPR, where a small fee can be charged for data access in some circumstances.

The Data Act makes it clear that it extends the protections offered by the GDPR, rather than replacing them. For personal data, the GDPR will still take precedence. However, data that was previously out of scope is now also covered.

What does the Data Act cover?

The Data Act covers any data generated by a “connected product” that has been “placed on the market in the EU”. We need to explore both of these to understand the scope of the act.

Connected Products

The Data Act covers a huge range of products and services including:

  • Any cloud, platform or SaaS service, even if it is only for B2B
  • IoT devices such as smart devices
  • Connected medical devices and sensors
  • Embedded devices in vehicles or other products

However, not all data is in scope, for instance if you “enrich” the data through the use of AI or other proprietary algorithms. In this case, you only need to share the source data and any relevant metadata that makes it comprehensible. However, any data that is “co-generated” by the user must be shared.

(We expect the concept of enriched data to be one of the points of contention and legal discussion related to the Data Act).

“Placed on the market in the EU”

This is a really important phrase in the Act. It refers to any product sold in the EU for use in the EU. There are 2 key exceptions here. If a product is sold for immediate export from the EU, it is out of scope. Also, if an individual buys a product in a third country and imports it for use in the EU, that product is out of scope.

What about data generated outside the EU?

The Data Act applies to any product that is sold in the EU for use in the EU (e.g. not for immediate export). However, if the product was bought in the EU for use in the EU, and then subsequently used outside of the EU, the generated data still falls under the scope of the Data Act. The important thing is whether the product was “placed on the market” in the EU.

What does the Data Act mean for my startup?

If your company sells connected products for use in the EU, you’re subject to the Data Act. So, what do you need to do about it? Here’s a 5-step plan for you:

  1. Check whether you fall under the scope of the act. Many online services will be in scope, but only if they generate data. Many apps will fall within scope if they use instrumentation to collect data about a user’s device. (However, only that instrumentation data is covered by the act.)
  2. List all the data you collect through “connected services” and work out how you would make it available on demand. As with the GDPR, the data needs to be in a suitable format. That can be as simple as a CSV or it might be something like a YAML file.
  3. Put in place a mechanism for people to contact you to request their data. Remember, this applies to companies as well as individuals. The easiest option is an email address they can contact. But if you expect many requests, you might want to automate the entire process.
  4. Build the required systems to make it easy to provide the data when required. You may already do this for GDPR.
  5. Update your Terms of Service to reflect the way the Data Act affects your users. If you read the updated ToS for services you already use, you may well find inspiration.

What now?

We have years of experience helping companies of every size become GDPR compliant. Many of the tools, mechanisms, and tricks we recommend for GDPR compliance are directly transferrable to the Data Act. Contact us today and we will be happy to discuss your situation with you.

Streamline Your Compliance With Chino.io Today
