Data Act 101: What Just Became Mandatory?
Introduction
As part of the 2020 European Data Strategy, the Regulation on harmonized rules on fair access to and use of data (Data Act or Act) aims to boost the European Union’s (EU) data economy by maximizing data access and data use in a competitive and fair environment. The Act introduces a comprehensive set of rules for all actors, who may access data or generate value from it, and seeks in particular to unlock the untapped potential of data generated by the Internet of Things by establishing a trustworthy environment for data sharing. Designed as a horizontal framework, the Act clarifies who may access and use data generated by connected products and related digital services, and under what conditions. The Act applies broadly to manufacturers of connected products, providers of related digital services, data holders, cloud and edge providers and certain public sector bodies, regardless of their place of establishment, where their products or services are made available in the EU, as well as to users of connected products or related services and data recipients located in the Union.
Understanding the scope of these obligations first requires clarity on how the Act defines the products and services within its remit. For the purposes of the Act, connected products are items that obtain, generate or collect data concerning their performance, use or environment, and that can communicate such data via an electronic communications service, a physical connection or on-device access. Related services include digital services, such as applications or dashboards, needed to use the product or process the data it generates. Together, these definitions cover a wide range of consumer and industrial devices, from vehicles, smart-home appliances and wearables to machinery, sensors and agricultural equipment.
At its core, the Data Act enhances users’ ability to access and share the data they help generate, while imposing safeguards to protect trade secrets, security and privacy. It interacts closely with existing frameworks such as the GDPR and ePrivacy rules and introduces new mechanisms governing public sector access, interoperability and cloud switching.
A key milestone arrived on 12 September 2025, when most of the Act’s substantive provisions became applicable across the Union. What follows is an overview of the obligations now in force.
Provisions Applicable as of 12 September 2025
Even though the Act entered into force on 11 January 2024, a grace period was granted until 12 September 2025. While certain obligations (notably design-by-default requirements for new products and the full regime on cloud switching fees), will follow a staged timeline, the framework governing user data access, data sharing, trade secret protection, unfair contract terms and public sector access has now been fully operational since 12 September 2025. Organisations active in the EU market should therefore ensure that their existing data governance, contractual arrangements and technical systems align with this new landscape.
User Access to Data Generated by Connected Products and Related Services
One of the most immediate shifts brought by the Data Act is the strengthened right of users to access the data they help generate when using a connected product or a related digital service. As of 12 September 2025, users located in the EU who own, rent or lease a connected product or who receive a related digital service may request access to data that is readily available to the manufacturer or service provider. This encompasses operational and usage-based information produced during normal use of the product, including sensor-based measurements such as temperature, pressure, location, speed or similar operating parameters, as well as relevant metadata. By contrast, inferred or derived data, enriched analytics outputs or audiovisual content fall outside the scope of this entitlement.
Users may access the data directly or ask the data holder to make it available to a third party of their choice. Data must be provided free of charge and through a simple, secure and non-discriminatory process. To facilitate the exercise of this right, data holders must inform users prior to purchase or conclusion of the contract about the type, volume and nature of the data that will be generated and how it can be accessed.
The Act also incorporates safeguards to balance these rights with legitimate commercial and security interests. Data obtained under the Act cannot be used to develop competing connected products, although competition in aftermarket and ancillary services remains permitted. Appropriate measures must be taken to protect trade secrets, and data sharing may be suspended or refused only where disclosure would be highly likely to cause serious economic harm or compromise safety. Where personal data is involved, the GDPR continues to apply, requiring a valid legal basis and ensuring that the rights of third parties are not adversely affected particularly important given that co-generated datasets often contain both personal and non-personal elements.
Mandatory Business-to-Business Data Sharing
Where EU or national law obliges a business (data holder) to make data available to another business (data recipient), the Data Act requires that such sharing take place under fair, reasonable, non-discriminatory (FRAND) and transparent conditions. These obligations apply regardless of whether the data in question is personal or non-personal.
In such cases, data holders may request reasonable and non-discriminatory compensation, which may include a margin and must consider the costs and investments associated with making the data available. However, micro and small enterprises (SMEs), as well as non-profit research organizations, benefit from a lighter cost regime.
The Act also introduces remedies to address unlawful use or disclosure of data obtained under a mandatory sharing obligation. This ensures that sector-specific regimes remain intact while establishing a general FRAND-based standard for future legislation.
Unfair Contract Terms in Data-Sharing Agreements
The Data Act introduces a targeted regime to prevent unfair terms in data-sharing agreements, particularly where one party unilaterally imposes “take-it-or-leave-it” provisions on another. Terms that exclude liability for intentional acts or gross negligence, restrict the other party’s remedies, or give the imposing party unilateral interpretative authority are deemed unfair and therefore not binding. Other clauses, such as those limiting access to a party’s own data, impeding reasonable termination, or enabling unilateral changes to key conditions, are presumed to be unfair. Importantly, only the unfair term is severed, ensuring contractual continuity. The regime applies only to non-negotiated terms; freely negotiated agreements fall outside their scope. Businesses should therefore revisit template contracts, standard terms and procurement processes to ensure compliance.
Business-to-Government Access in Situations of Exceptional Need
The Data Act allows public sector bodies and certain EU institutions to request access to data held by private entities where there is an exceptional need, including public emergencies or other legally mandated tasks in the public interest. In emergencies, authorities may request non-personal data and, only if strictly necessary, personal data subject to anonymization where possible. Outside emergency scenarios, access is limited to non-personal data and only where the data cannot be obtained through other means.
Requests must be specific, proportionate and transparent, with appropriate safeguards for trade secrets. Compensation rules vary depending on the nature of the request and the size of the business, while the “once-only” principle prevents duplicate requests. Data obtained under such requests must be deleted once the purpose has been fulfilled.
Switching Between Data Processing Services
The Data Act’s cloud provisions aim to reduce vendor lock-in in the cloud market by ensuring that customers can move between data processing service providers, or use several providers simultaneously, without disproportionate technical or contractual barriers. Providers must support switching through transparent terms, interoperable interfaces and the ability to export data in standard, machine-readable formats. For Infrastructure-as-a-Service (IaaS) offerings, the Act also introduces the concept of “functional equivalence,” requiring that customers achieve materially comparable results when switching to a similar service.
The Data Act gradually eliminates switching charges, including data-egress fees, and imposes obligations on providers to remove practices that hinder portability or multi-cloud use.
Safeguards Against Unlawful Third Country Access
The Data Act introduces a set of safeguards to ensure that non-personal data stored in the EU is not subject to unlawful access by foreign authorities. Where no international agreement applies, data may only be disclosed if the request satisfies strict EU-level conditions, including necessity, proportionality and adequate protection of fundamental rights. Providers must publish the technical and organizational measures they use to prevent unauthorized foreign access. Whenever feasible, customers should be informed before any disclosure.
Interoperability
The Data Act establishes the basic interoperability requirements that European data spaces and related technical environments must meet. Participants in data spaces are expected to document data formats, structures and vocabularies in a transparent manner and to support mechanisms, such as smart contracts, that enable interoperable and secure data-sharing arrangements.
Conclusion
The Data Act marks a decisive shift in how data is governed, accessed and leveraged across the European Union. With many of its obligations now in force as of 12 September 2025, businesses operating in or targeting the EU market face a substantially transformed regulatory landscape. The new rules affect not only manufacturers of connected products and providers of data-driven services, but also any organization that shares, receives or processes data within complex value chains.
From expanded user access rights and FRAND-based data-sharing obligations to restrictions on unfair contract terms, exceptional-need access for the public sector, cloud switching rules and interoperability requirements, the Act introduces a multilayered framework that blends legal, technical and commercial considerations. Compliance therefore cannot be approached as a purely legal exercise; it demands coordinated adaptation across product design, contract management, data governance and IT architecture.
While some provisions will continue to phase in over the coming years, organizations should not wait. The Act interacts closely with existing regimes including the GDPR, sector-specific legislation and long-standing B2B contractual practices, and its operational impact will vary significantly depending on a company’s role in the data ecosystem. A proactive assessment of data flows, product capabilities, contractual templates and cloud strategies is essential to minimize regulatory risk and capture the opportunities emerging from Europe’s evolving data economy.
As the Commission continues to issue guidance and supporting instruments, the practical contours of the Data Act are becoming clearer. Most recently, the Commission published Model Contractual Terms for access to IoT data and Standard Contractual Clauses for cloud switching, both of which, although formally non-binding, are expected to operate as de facto standards for compliance, particularly in relation to user data access and cloud portability. These developments signal the beginning of a more structured implementation phase, during which organizations will need to closely track emerging standards and adjust their practices accordingly.
All rights of this article are reserved. This article may not be used, reproduced, copied, published, distributed, or otherwise disseminated without quotation or Erdem & Erdem Law Firm's written consent. Any content created without citing the resource or Erdem & Erdem Law Firm’s written consent is regularly tracked, and legal action will be taken in case of violation.
Other Contents
On September 2025, the Court of Justice of the European Union (“CJEU”) delivered its judgment in Single Resolution Board (SRB) v. European Data Protection Supervisor (EDPS), providing some clarification on the identifiability of data under the EU data protection regime. The case examined whether information that...
In Türkiye, it has recently become increasingly common, especially in retail stores, to send verification codes to data subjects by SMS during the provision of goods and services and to process personal data in this way. In the complaints submitted to the Personal Data Protection Board (“Board”), it has been...
In contemporary workplaces, employers frequently implement surveillance systems for reasons such as ensuring occupational health and safety, maintaining workplace order, operating internal control mechanisms, and preventing potential misconduct. However, such monitoring practices often raise significant...
Although the Turkish Personal Data Protection Law No. 6698 (KVKK) stipulates certain rules on cross-border personal data transfer, the effective functioning of the transfer rules was limited over time due to some difficulties in practice. In particular, until late 2024, the application process for permission to transfer...
Personal Data Protection Law numbered 6698 (“PDPL”) was first drafted based on the Directive 95/46/EC of the European Parliament and of the Council on the protection of individuals about the processing of personal data and on the free movement of such data, and entered into force in 2016...
Typically, when an employee departs, their corporate email account remains active and accessible to the employer for a period of time. During this time, the email archive and new incoming messages are forwarded to the employee's manager or another colleague...
In today's world, we now have the opportunity to purchase many products and services through e-commerce platforms with a single click from wherever we are. During these purchases, our personal data are collected and used through the websites or mobile applications of e-commerce platforms for various...
The processing of genetic data has the potential to affect not only the data subjects but also the persons with whom the data subject is genetically connected. “The Guidelines on Issues to be Considered in the Processing of Genetic Data” (“Guidelines”) published by the Personal Data Protection Authority...
In its decision regarding Case-300/21 and dated May 4, 2023, the Court of Justice of the European Union (“CJEU”) evaluates the right to compensation for an infringement of the European Union General Data Protection Regulation (“GDPR”) regulated in Article 82 of the GDPR. The CJEU decided that a mere...
The Personal Data Protection Law numbered 6698 (“PDPL”) introduces definitions for many concepts such as personal data, data controller, data processor and data subject. In terms of understanding and interpreting these concepts, secondary legislation, Personal Data Protection Authority (“Authority”) guidelines...
The Covid-19 pandemic and recent technological developments have significantly accelerated the digital transformation of all sectors. However, this rapid change especially in the financial sector (mobile banking, e-commerce, contactless payments, etc.) has brought some risks along with making life extremely...
Smartwatches have undeniably revolutionized our lives in the past decade. Apart from their core function as a timepiece, these wearable computers packaged in the form of a watch enable us to answer incoming calls, reply to messages and skim through social media notifications in seconds. Their steady rechargeable...
The Personal Data Protection Authority (“DPA”), on 16.06.2022, published the Draft Guidelines on Examination of Loyalty Programs within the Scope of Personal Data Protection Legislation (“Draft Guidelines”). The public has until 16.07.2022 to submit comments on them, and after these are evaluated...
The German Competition Authority (“Bundeskartellamt”) had previously found Meta (formerly Facebook) responsible for abusing its dominant position in the social network market by collecting and processing the personal data of its users without their consent and imposed measures on Meta and its associated...
Banks process large volumes of personal data in their daily operations. In order to deal with this sensitive information, the Turkish Personal Data Protection Authority, in cooperation with the Banks Association of Turkey, published Good Practice Guidelines on Personal Data Protection in the Banking...
The procedural rules on mass claims within European Union (“EU”) Member States is not uniform. To improve the position of consumers who might wish to make such claims, the European Parliament passed the Collective Redress Directive (“Directive”). The impact of the Directive is expected to...
In February 2020, the European Commission (“Commission”) published “A European Strategy for Data” as part of a wider drive concerning digital transformation and policy. Through this communication, the European Union (“EU”), defining itself as having a leading role in the data economy...
The Regulation on Protection and Processing of Personal Data by the Social Security Institution (the “Regulation”), the purpose of which is to determine the procedures and principles for processing data obtained within the scope of the duties and authority of...
The Personal Information Protection Law of the People’s Republic of China (“PIPL”) passed at the 30th meeting of the Standing Committee of the 13th National People’s Congress on 20 August 2021 and entered into force on 1 November 2021 as per Article 74...
In today's world, there is no doubt that data has become one of the most valuable assets and resources for some companies. The ability to collect, store, process, and analyze data on a large scale has dramatically changed...
