The relationship of Data Act and personal data

The provisions of the General Data Protection Regulation (GDPR), the Regulation on the protection of individuals with regard to the processing of personal data by Union institutions, bodies, offices and agencies and the free flow of such data, and the ePrivacy Directive will apply first. In the event of a conflict between the described Regulation and the aforementioned acts or a national law adopted in accordance with such Union law, the EU or national data protection or privacy legislation shall apply.

Change of data processing service provider

The regulation will have an impact on providers of “data processing services.”
including cloud computing providers. As defined in the regulation, a “data processing service” means a digital service provided to a customer that enables ubiquitous on-demand network access to a shared set of configurable, scalable and flexible computing resources of a centralized, distributed or highly distributed nature that can be rapidly allocated and released with minimal effort in terms of management or interaction with the service provider. The regulation specifies that data processing service providers
may not erect pre-commercial, commercial, technical, contractual and organizational obstacles if they hinder customers from, among other things, terminating a data processing service contract after the maximum notice period and successfully finalizing the switching process, or entering into new contracts with another data processing service provider covering services of the same type. If such obstacles arise, providers should remove them.

Obligation to share data

The data from the linked product and service, including the relevant metadata necessary for the interpretation and use of the data, shall by default be easily, securely, free of charge, in a comprehensive, structured, commonly used and machine-readable format and, where applicable and technically feasible, directly accessible to the user. In the event that the user cannot directly access the data from the connected product or from the connected service, the data holders shall make the data readily available to the user without undue delay, in an easy and secure manner, free of charge. This is done on the basis of a simple request made electronically when technical capabilities allow it.

Responsibilities of data holders

When, in business-to-business relations, the data holder is obliged to make the data available to the recipient, it should make appropriate arrangements with the recipient in this regard. The provision of data should be made on a fair, reasonable and non-discriminatory basis and in a transparent manner. As part of the arrangements, compensation may also be stipulated for the costs incurred in connection with the release of data. Such agreed compensation should be non-discriminatory, reasonable, and may include a mark-up.

Unfair contractual provisions

The regulation considers a contractual provision to be unfair if it is characterized by the fact that its application grossly deviates from good business practice in terms of access to and use of data, contrary to the principle of good faith and fair dealing. However, a stipulation has been added that a contractual provision is not considered unfair if it reflects mandatory provisions of Union law that would apply if the matter in question were not governed by the contractual provisions. In addition, the regulations stipulate that a provision imposed unilaterally on another company is not binding on that other company if it is unfair and concerning access to and use of data or liability and remedies for breach or waiver of data obligations.

Interoperability

The regulation also regulates essential requirements for data interoperability, data sharing mechanisms and services, and common European data spaces.

Implementation and enforcement of the Data Act

The commencement of the Data Act’s provisions, subject to a few exceptions, begins on September 25, 2025. The regulations stipulate that member states may establish one or more new bodies or rely on existing bodies to enforce obligations under the regulation. It is left to member states to establish a catalog of penalties applicable to violations of the regulation and to take all necessary measures to ensure its enforcement. The regulations stipulate that such penalties are to be effective, proportionate and dissuasive.