Data Act: Operational pointers for the IoT and related services sector
The internet of things and related services is one of the key industries affected by the EU’s Data Act. Businesses in this sector may have to make changes to bring their operations into compliance with the new requirements. In this article we examine the key obligations under the Data Act for IoT companies, and their operational implications.
Pre-contractual information obligations
What do these duties involve?
Entities that sell, rent or lease a connected product are required to provide at least the following information before entering into a contract with users:
- What data can be generated by the connected product (type, format, and estimated volume of data)
- Whether the connected product is capable of generating data continuously and in real time
- Whether the connected product is capable of storing data on the device or on a remote server, including, where applicable, the intended duration of data retention
- How the user may access, retrieve or, where relevant, erase the data, including the technical means to do so, as well as their terms of use and quality of service.
Providers of related services for connected products must provide users with at least the following information before entering into a contract with them to provide related services:
- The nature, estimated volume and collection frequency of product data that the prospective data holder is expected to obtain
- Where relevant, the arrangements for the user to access or retrieve such data, including the prospective data holder’s data storage arrangements and the duration of retention
- The nature and estimated volume of related service data to be generated, as well as the arrangements for the user to access or retrieve such data, including the prospective data holder’s data storage arrangements and the duration of retention
- Whether the prospective data holder expects to use readily available data itself and the purposes for which those data are to be used, and whether it intends to allow one or more third parties to use the data for purposes agreed upon with the user
- The identity of the prospective data holder (such as its trading name and the geographical address at which it is established) and, where applicable, the identity of other data processing parties
- The means of communication for quickly contacting the prospective data holder and communicating with the data holder efficiently
- How the user can request that the data be shared with a third party and, where applicable, end the data sharing
- The user’s right to lodge a complaint alleging an infringement of the Data Act
- Whether the prospective data holder has trade secrets contained in the data accessible from the connected product or generated during the provision of a related service (and where the prospective data holder is not the trade secret holder, the identity of the trade secret holder)
- The duration of the contract between the user and the prospective data holder, as well as the arrangements for terminating the contract.
The Data Act requires this information to be provided to users in a clear and comprehensible manner.
What do you have to do?
In practice, to comply with these aspects of the Data Act, entities selling or renting connected products to users, as well as providers of related services, will at least have to:
- Identify the products and services covered by the obligations under the Data Act
- Identify the information that they must provide to the user with respect to each connected product or related service, in light of their intended purpose and the technical aspects of their operation
- Draw up understandable information clauses for each connected product or related service, containing the information required by the Data Act
- Develop and implement a method for providing users with the information required by the Data Act, prior to entering into contracts with them.
Requirements and restrictions on use of data by data holders
What do the new obligations apply to?
Under the Data Act, a data holder may use readily available data from a connected product which is non-personal data only on the basis of a contract with the user.
As explained in the preamble, “Such a contract could be part of an agreement for the provision of the related service, which could be concluded together with the purchase, rent or lease agreement relating to the connected product.”
As the preamble further states, “Any contractual term stipulating that the data holder may use product data or related service data should be transparent to the user, including regarding the purposes for which the data holder intends to use the data. Such purposes could include improving the functioning of the connected product or related services, developing new products or services, or aggregating data with the aim of making available the resulting derived data to third parties, provided that such derived data do not allow the identification of specific data transmitted to the data holder from the connected product, or allow a third party to derive those data from the dataset. Any change of the contract should depend on the informed agreement of the user.”
Moreover, under the Data Act, “data holders should not use any readily available data that is non-personal data in order to derive insights about the economic situation of the user or its assets or production methods or about such use by the user in any other manner that could undermine the commercial position of that user on the markets in which it is active.”
Further, under the act, data holders must not make non-personal data from a connected product available to third parties for commercial or non-commercial purposes other than the fulfilment of their contract with the user. In other words, as a rule, data holders (e.g. product manufacturers) can provide non-personal data derived from a connected product to third parties only when necessary to carry out the data holder’s contract with the user, and only to the extent required.
It is not entirely clear, however, whether a data holder may indicate in its contract with the user that one of the purposes for use of the data is to pass the data on to third parties for purposes other than fulfilment of their contract with the user (e.g. for analytical purposes). But the European Commission implies that this solution is permissible in the document “Frequently Asked Questions. Data Act, 12 September 2025, Version 1.3” (which states, “Article 4(14) addresses the specific aspect of data usage by the data holder that involves the sharing of non-personal data with third parties, which should only take place if contractually agreed with the user (in line with Article 4(13))”).
And as the Data Act further states, “Where relevant, data holders should contractually bind third parties not to further share data received from them.”
What do you need to do?
If a data holder intends to use non-personal data from a connected product for its own purposes, the contract with the user must provide for the possibility of using the data in this way. These provisions must be transparent for the user and expressly identify the purposes of the processing. An analysis of these purposes in terms of the restrictions on use under the Data Act is also advisable.
Consequently, data holders should examine:
- The contract forms they use (and revise them accordingly)
- Existing contracts and practices for obtaining and using data from connected products or related services which are binding on users (and where necessary, propose contract amendments to users).
Data holders should also analyse third-party flows of data they obtain from connected products. As a rule, data holders should limit such flows to situations where they are necessary to perform their contract with the user, and only to the necessary extent.
Providing data to users and data recipients
What do the new obligations apply to?
Under the Data Act, when data cannot be directly accessed by the user from the connected product or related service, data holders shall make readily available data accessible to the user, at the user’s request. Where technically feasible, a simple request through electronic means should suffice for this purpose.
The data should be made accessible along with the relevant metadata necessary to interpret and use the data, without undue delay—easily, securely, and free of charge. The data accessible to the user must be of the same quality as is available to the data holder, “in a comprehensive, structured, commonly used and machine-readable format and, where relevant and technically feasible, continuously and in real-time.”
However, under the Data Act, “Users and data holders may contractually restrict or prohibit accessing, using or further sharing data, if such processing could undermine security requirements of the connected product, as laid down by Union or national law, resulting in a serious adverse effect on the health, safety or security of natural persons.”
The Data Act also has provisions for protecting trade secrets when complying with users’ requests for access to data. The act requires the data holder (or the trade secret holder, if it is a different person) to identify the data that are protected as trade secrets, including in the relevant metadata, and then to agree with the user on “proportionate technical and organisational measures necessary to preserve the confidentiality of the shared data, in particular in relation to third parties.”
Under the act, at the request of a user or a party acting on behalf of the user, the data holder shall also provide a third party with access to readily available data. This should be done without undue delay, easily, securely and free of charge to the user. Again, the data to be made available should be of the same quality as available to the data holder, “in a comprehensive, structured, commonly used and machine-readable format and, where relevant and technically feasible, continuously and in real-time.”
As in the case of data made available to the user, when making data available to a third party, complying with the request should not, as a rule, infringe trade secrets. The data holder, or the trade secret holder if they are not the same person, must identify the data that are protected as trade secrets, including in the relevant metadata, and agree with the third party on all proportionate technical and organisational measures necessary to preserve the confidentiality of the shared data.
Significantly, when the request involves personal data, and the user is not the data subject, any personal data generated as a result of use of a connected product or related service can be provided by the data holder to a third party only when there is a valid legal basis for processing the personal data under Art. 6 of the General Data Protection Regulation, or, when relevant, the conditions set forth in Art. 9 GDPR and Art. 5(3) of Directive 2002/58/EC are met.
What do you need to do?
In light of the requirements under the Data Act, it is recommended that data holders:
- Verify whether the connected products or related services they offer have the appropriate technical functionality enabling access to the data by users or third parties in compliance with the Data Act, directly from the product or service—and if not, whether introducing such functions is technically and economically feasible
- Verify whether, and to what extent, providing access to data from the connected product or related service they offer might impinge on protected trade secrets, and if so, take appropriate steps to protect the trade secrets (e.g. by appropriate designation), suited to the type of product or service, and
- If the data cannot be made accessible directly from the connected product or related service, introduce internal procedures for handling requests for access to the data, taking into account not only the requirements of the Data Act but also the GDPR and trade secret issues. If such internal procedures are not in place, it may be harder for the data holder to respond to the request in a timely and appropriate manner.
Providing data requested by public authorities
What do the new obligations apply to?
The Data Act provides that if a public-sector body, the European Commission, the European Central Bank or another EU body demonstrates an “exceptional need” to use certain data—including the relevant metadata necessary to interpret and use those data—to carry out its statutory duties in the public interest, data holders that are legal persons shall make them available upon a duly reasoned request.
According to the act, such “exceptional need” exists only in the following circumstances:
- Where the data requested is necessary to respond to a public emergency, and the authority is unable to obtain such data by alternative means in a timely and effective manner under equivalent conditions
- In other circumstances, and only with respect to non-personal data, where:
  - The authority is acting on the basis of EU or national law and has identified specific data the lack of which prevents it from fulfilling a specific task in the public interest explicitly provided for by law, such as producing official statistics, or mitigating or recovering from a public emergency, and
  - The authority has exhausted all other means at its disposal to obtain such data (including purchasing non-personal data on the market at market rates, relying on existing obligations to make data available, or adoption of new legislative measures that could guarantee the timely availability of the data).
Importantly, a data holder requested by an authority to provide data has the right to decline the request or seek modification of the request, in particular if the request does not meet the conditions provided in the act. But the data holder must exercise this right without undue delay, and in any event no later than:
- 5 working days after receipt of a request for data necessary to respond to a public emergency, or
- 30 working days in other cases of exceptional need.
The Data Act also entitles the data holder to receive fair compensation for providing data requested by an authority in certain circumstances. The compensation should cover the technical and organisational costs incurred to comply with the request, such as costs of anonymisation, pseudonymisation, aggregation or technical adaptation, plus a reasonable margin. If requested by the authority, the data holder must provide information on the basis for calculation of the costs and the reasonable margin.
What do you need to do?
The Data Act does not impose any particular obligations to be prepared to comply with these new requirements. Nonetheless, in light of these provisions, data holders would be well advised to reflect in their internal procedures that public authorities may request them to make data available under the Data Act. The procedures might, for example, designate a person responsible for examining such requests and taking related actions. If there are no such internal arrangements in place, it may be more difficult for the data holder to respond to a request in a timely manner, particularly if the data holder wishes to challenge the grounds for the request.
***
It should be apparent that the requirements and restrictions under the Data Act can pose a major challenge for companies in the sector of the internet of things and related services, requiring them to take procedural steps as well as technical and operational measures. To minimise the risk of violating the Data Act and protect their own interests, entities covered by the Data Act need to allocate sufficient resources (including personnel) to implement the steps needed to effectively adjust their operations to the demands of the new legal environment.
Łukasz Rutkowski