The Hamburg Commissioner for Data Protection and Freedom of Information (HmbBfDI) has published a guide entitled “The Data Act as a challenge for data protection”. The guide provides an overview of the content of the Data Act, identifies the need for action and outlines the options for data protection authority supervision.
The Data Act (hereinafter: DA) will enter into force on 12 September 2025.
It aims to break up existing monopolies on access to data from networked devices. Manufacturers of internet-enabled devices are then obliged to share the data sent by these devices with third parties. The focus is on the Internet of Things (IoT), which includes networked machines, vehicles, household appliances, televisions and medical and fitness equipment.
DA and GDPR (General Data Protection Regulation)
A central point of the guidance is the interaction between the DA and the GDPR.
The Data Act “applies without prejudice to the (…) law on the protection of personal data”.
This means that the GDPR remains unaffected and takes precedence in the event of a conflict.
No access to data may be granted that is not covered as authorised data processing under the GDPR.
The centrepiece of the DA, the access rights, applies to both non-personal and personal data (taking the GDPR into account). Determining whether data relates to a person (the personal reference) therefore plays a leading role.
Obligations under the Data Act
- Data access: Manufacturers are obliged to share the data sent by networked devices with third parties.
- Interfaces: Where “relevant and technically feasible” (Art. 3 (1) DA), access must be granted directly via an interface.
- Emergency regulations: In cases of exceptional necessity (e.g. natural disasters), the release of data could be required.
- Cloud switching: Measures must be implemented to make it easier for users to switch to other providers.
- International data traffic: The DA also subjects non-personal data to territorial borders. However, the logic here differs from the GDPR.
Key implementation activities for companies
- Checking the scope of application: Not all companies that process data are also subject to obligations under the DA.
- Creating a data overview: Anyone who is obliged to grant access to information should first get an overview of what data is available. The record of processing activities (Art. 30 GDPR) can be helpful for this.
- Clarification of the personal reference: It must be possible to state precisely whether a data item is non-personal and must therefore be disclosed, or whether it is personal and must therefore be withheld if necessary.
- Labelling of business secrets: Data protection is not the only possible obstacle to data access.
- Setting up interfaces: If “relevant and technically feasible”, networked products should always be designed in such a way that users can easily access, use and share the data they generate.
- Prepare contracts (in particular licence agreements and, where applicable, consents): Anyone who is obliged to conclude licence agreements with users and data recipients in future should prepare appropriate templates.
- Ensuring transparency: The DA contains information obligations, including when concluding a contract for a networked product, which are similar to the data protection information under Art. 13 GDPR.
The Data Act brings significant changes for companies. The interaction with the GDPR requires a precise assessment of the personal reference of data and the assurance of lawful data processing.
An early examination of the new obligations and the involvement of data protection officers in companies are crucial in order to meet both the requirements of the DA and compliance with the GDPR.
The ePrivacy team will be happy to support you in implementing the regulations from the Data Act.