IT - legal aspects of new technologies

One of the main new institutions introduced by the EU’s Data Act is the user’s right to access data (including metadata necessary to interpret or use the data) derived from a connected product the person is using or a service related to a connected product.

The data which a user can access may have significant commercial value for the data holder (e.g. the manufacturer of a connected product). Therefore, it may be crucial from the data holder’s perspective to ensure that such data remain undisclosed, or that use of the data be restricted.

The internet of things and related services is one of the key industries affected by the EU’s Data Act. Businesses in this sector may have to make changes to bring their operations into compliance with the new requirements. In this article we examine the key obligations under the Data Act for IoT companies, and their operational implications.

Pre-contractual information obligations

What do these duties involve?

Entities that sell, rent or lease a connected product are required to provide at least the following information before entering into a contract with users:

• What data can be generated by the connected product (type, format, and estimated volume of data)
• Whether the connected product is capable of generating data continuously and in real time
• Whether the connected product is capable of storing data on the device or on a remote server, including, where applicable, the intended duration of data retention
• How the user may access, retrieve or, where relevant, erase the data, including the technical means to do so, as well as their terms of use and quality of service.

The Data Act became applicable on 12 September 2025. What do businesses need to pay attention to under this new EU-wide regulation?

Nature and purpose of the Data Act

The Data Act—Regulation (EU) 2023/2854 of the European Parliament and of the Council of 13 December 2023 on harmonised rules on fair access to and use of data and amending Regulation (EU) 2017/2394 and Directive (EU) 2020/1828 (Data Act)—is an EU regulation, and as such applies directly in Poland and all other EU member states. At the national level the Data Act will be supplemented by local regulations, but these will essentially govern only procedural issues (e.g. infringement proceedings), not substantive issues. In other words, substantively the Data Act will govern across the entire EU.

We wrote several months ago about the imposition of fines by the French data protection authority CNIL (Commission Nationale de l’Informatique et des Libertés) for data protection breaches. Recently CNIL has imposed more fines, including for violation of standards for secure processing of personal data on a website.

The case involved an auto insurance broker. On the broker’s website, users could request a calculation of insurance premiums, conclude an insurance contract, and log on to their account, where various types of personal data were accessible, such as bank statements and information about driving-licence suspensions or convictions for traffic violations.

The third post-hackathon interview: After InteliLex and DoxyChain, it’s time for bSure, the team that took third place in the Polish phase of the Global Legal Hackathon.

Justyna Zandberg-Malec: During the hackathon you worked on an application that points out to freelancers contractual provisions that are disadvantageous to them. Where did you get this idea?

Sabina Łobocka: A colleague who wasn’t taking part in the hackathon suggested it to me (and allowed us to use it). He was signing a contract with a residential real estate developer and didn’t entirely understand all the clauses. It took him a long time to check whether any of the clauses were unfavourable to him. That’s why we thought of an application that ordinary people could use to protect against irregularities and negative legal consequences for them.

An interview with Daniel Bigos, Gabriel Dymowski, Marcin Lorenc and Piotr Żelazko, members of the DoxyChain team (formerly DigiDocs), which took second place in the Polish phase of the Global Legal Hackathon.

Justyna Zandberg-Malec: Your project took second place in the Global Legal Hackathon. What is your solution all about?

Marcin Lorenc: We proposed basing powers of attorney for litigation, and in the future also other documents, on the secure blockchain technology. Using our application, which we are now perfecting, it will be possible to appoint or dismiss an attorney, as well as manage the circulation of powers of attorney and access the history of operations. The principal will know where his authorisation was used and who is the actual attorney in the given case. Lawyers in Poland use the right of substitution, passing on the representation of the principal to a colleague, which means that the principal doesn’t always know for sure who is actually representing him. In turn, the attorney may not remember all the cases where he was appointed to represent the client. Our solution comprehensively resolves the problem of such documents.