Data Act: New obligations for data disclosure apply from September 12
Update Data Protection No. 214
The Data Act is a central component of the European data strategy. September 11, 2025, marks the end of the transition period that began when the regulation came into effect in January 2024. However, many companies have failed to adapt their internal processes, contracts, and technical systems to the new requirements over the past 20 months – yet the essential obligations of the Data Act must be implemented by September 12. Companies that have not yet regulated their data access and usage rights risk not only fines, but also considerable legal uncertainty and reputational damage if they are unable to disclose data to their customers. The following section outlines which actors fall within the scope of the regulation and what obligations are associated with it.
I. Scope of application
The most important thing is to check whether you are affected, because in our experience, many companies are not even aware that their data – both personal and non-personal – is affected by the Data Act. The material scope of the Act focuses primarily on data generated in the context of the Internet of Things (IoT). This refers to networked products and associated services that generate, collect, or transmit data during use. The regulation is therefore not only aimed at traditional IT companies, but also at a wide range of industries in which digital interfaces and networked technologies have long been part of everyday life.
1. Manufacturers of connected products
Manufacturers within the meaning of the Data Act are all companies that bring products to market that generate data during operation. This starts with car manufacturers whose vehicles are equipped with telematics systems, driver assistance functions, and numerous sensors that generate data on speed, engine performance, fuel consumption, or location. Manufacturers of construction machinery or even forklift trucks are also affected. These are no longer just mechanical devices, but collect valuable information about operation and use through digital controls and networked platforms. Numerous products in the consumer goods industry also fall within the scope of application: smart household appliances such as washing machines, refrigerators, and robot vacuum cleaners log running times and energy consumption; consumer electronics such as smart TVs and game consoles analyze usage data; and fitness trackers and smartwatches continuously collect health and movement data. In addition, there are machines and systems in industrial environments where manufacturers use embedded software to document usage and control data flows via cloud interfaces.
2. Data owners
In addition to manufacturers, the focus is on so-called data owners, i.e., actors who are legally entitled or obliged to use or provide the generated data – whereby the manufacturer can also be the data owner. These include platform operators who bundle data from a variety of devices and make it available for smart services, for example in smart home ecosystems or industrial IoT platforms. Retailers and leasing companies are also typical data owners if they only provide products to customers on a temporary basis but reserve the right to evaluate the information generated in the process, for example, in the context of car-sharing or rental models. Service providers who create complementary digital offerings around a product also regularly act as data owners. For example, a provider of fleet management solutions can access vehicle operating data without being a manufacturer itself. Similarly, a provider of predictive maintenance services evaluates machine data to predict maintenance intervals.
Finally, group companies that act as central data hubs within a corporate group can also be data owners within the meaning of the Data Act, even if production takes place in another company. This means that the circle of affected companies is much larger than traditional manufacturers and extends to trading, leasing, service, and platform models.
3. Data processing services
Another group covered by the Data Act is data processing services. This primarily affects providers of cloud services, data centers, and other infrastructure services that store, process, and make data accessible for their customers. The spectrum ranges from international hyperscalers that operate huge cloud platforms to specialized providers of industry-specific cloud solutions and regional IT service providers that support small and medium-sized enterprises in secure data processing. This affects both traditional infrastructure-as-a-service providers, who provide computing power and storage, as well as platform operators in the platform-as-a-service sector and providers of software-as-a-service solutions, who process data directly as part of their services. Providers of edge computing services, which enable data processing close to the point of origin, and operators of industry-specific data rooms, such as those found in healthcare or manufacturing, also fall into this category.
4. Data recipients
Finally, data recipients also play an important role. These are all companies that receive data generated during the use of a product from a data owner on the basis of a request from the user. A large number of companies can be considered data recipients – typical examples include suppliers or maintenance companies that can better prepare repairs or order spare parts in good time based on usage data, or service providers that rely on data-driven business models, such as insurance or financing providers.
II. Obligations
The Data Act contains a wide range of obligations for the above-mentioned actors. Only micro and small enterprises with fewer than 50 employees and an annual turnover or balance sheet total of less than €10 million are largely exempt from the requirements.
Data owners have comprehensive information and transparency obligations towards users of networked products and services. Even before concluding a contract, they must disclose what data a product generates, how it is stored, and how users can access it. In addition, access to the data generated by the product must be ensured either directly via the device or, if this is not possible, through free, machine-readable, and timely provision. The data may only be passed on or used if the user has given their consent. In addition, the standards of the GDPR continue to apply to personal data. At the same time, the data owner may not restrict access in an abusive manner, but may only withhold certain data in exceptional cases, such as to protect trade secrets.
Data recipients, i.e., third parties to whom users grant access to data, are also subject to specific rules. They may only use the data received for the agreed purposes and may not pass it on to other third parties without consent. Exclusive control over the data should be prevented, as should contractual clauses that restrict users in their disclosure. Personal data may only be processed on the legal basis of the GDPR.
In addition, the Data Act obliges data owners and data recipients to grant access on a fair, reasonable, and non-discriminatory basis. Prices may only be based on actual costs. Access is free of charge for small and medium-sized enterprises. Technical and organizational protective measures are permissible, but may not be used as a pretext to prevent the legally prescribed access to data. Another focus is on the requirements for contract design in the B2B sector. Unfair contract terms that unilaterally disadvantage weaker market participants are invalid. This is intended to create a fair balance between the contracting parties and limit the market power of individual players.
Finally, data processing services are also being held accountable. They must facilitate switching options, ensure interoperability, and guarantee the use of standardized interfaces – and all of this must also be reflected in contracts. Excessive or hidden switching fees are to be abolished so that, by 2027 at the latest, users will be able to switch providers completely free of charge. The Data Act thus pursues the goal of making the data economy more transparent, fair, and competitive.
III. National implementation
The national legislative process for the Data Act is currently still in the draft stage. On February 5, 2025, the Federal Ministry for Economic Affairs and Climate Protection and the Federal Ministry of Digital and Transport presented a draft bill for a Data Act Implementation Act (DA-DG).
The key points of the draft are the designation of the Federal Network Agency as the central supervisory authority, which will coordinate all issues relating to the enforcement of the Data Act in Germany in the future. In addition, a – highly controversial – special responsibility will be created for the Federal Commissioner for Data Protection and Freedom of Information (BfDI) to ensure that data protection issues are taken into account in the enforcement process. The draft also contains detailed provisions on complaint procedures, the approval of private dispute resolution bodies, cooperation with other authorities, and a catalog of fines to sanction violations of the Data Act and the Implementation Act. Penalties of up to €10 million and fines of up to four percent of annual turnover are envisaged.
The draft also stipulates that the Federal Network Agency should not only process complaints and sanction violations, but also publish recommendations for action, summarize proceedings (model proceedings), and regularly inform the public.
The draft has not yet been approved by the Federal Cabinet and is still being coordinated between ministries and associations. It is currently unclear when the parliamentary process will begin and when the law will actually be passed. However, even if national implementation is still unclear, the European obligations of the Data Act remain binding and apply immediately. There is therefore no risk of a "regulatory gap," but there is a certain degree of legal uncertainty regarding supervisory practice and sanctions at the national level.
IV. Conclusion
The Data Act is entering its decisive phase. From September 12, 2025, companies must have organized their data flows, contracts, and business processes in such a way that they comply with the new requirements – if this has not yet been done, the implementation process should be started urgently. The most important measures that need to be implemented in the short term relate to pre-contractual information obligations and the adaptation of contracts. The modalities of data disclosure must be described in detail here. If the company also plans to use the data itself – for example, to use sensor data from leased cars to develop new vehicles – this must also be reflected in the contract. On a technical level, the companies concerned must ensure that they are able to disclose the data of their product – and do so without significant delay. This allows legal risks to be avoided and, at the same time, opportunities to be exploited that arise from the transparent and legally compliant handling of data.
This article was created in collaboration with our student employee Emily Bernklau.