Enterprises have until 12 September 2025 to implement the changes to ensure fair access to and use of data for users in accordance with the provisions of the Data Act .
In order to achieve a common market for data within the EU, the Regulation (EU) 2023/2854 of the European Parliament and of the Council of 13 December 2023 on harmonised rules on fair access to and use of data and amending Regulation (EU) 2017/2394 and Directive (EU) 2020/1828 (Data Act) entered into force on 11 January 2024.
The Regulation, which allows users to access data generated by connected devices and public sector bodies to access private sector resources, will apply in all Member States from 12 September 2025 after a transitional period.
To whom and what does the regulation apply?
The Data Act covers a wide range of affected parties, including:
- manufacturers of connected products (an object that obtains, generates or collects data about its use) placed on the market in the Union
- providers of related services (digital services that are connected to the product in such a way that the connected product could not perform one or more of its functions without them)
- providers of data processing service that offer such services
- Data recipients in the Union to whom data is provided.
The Regulation therefore applies not only to enterprises, but also to natural persons who are not business entities. The newly introduced rules particularly affect providers of cloud computing services such as Infrastructure-as-a-Service (IaaS), Platform-as-a-Service (PaaS) and Software-as-a-Service (SaaS). Providers of cloud computing services have been obliged to take measures that enable users to change their cloud service in an uncomplicated manner, which may include changing cloud providers or using several cloud providers at the same time.
Cloud computing service providers have been obliged to apply measures that will enable users to change cloud services in an uncomplicated manner, which may, inter alia, involve changing cloud providers or using several cloud providers simultaneously.
In addition, data holders, without undue delay, in an easy and secure manner, are obliged to make the data readily available to the user free of charge, together with the relevant metadata necessary to interpret and use the data, of the same quality as is available to the data holder, in a commonly used, machine-readable format and, where technically feasible, continuously and in real time.
Furthermore, providers of processing services have been prohibited from imposing organisational, commercial, contractual or technical obstacles on users, which impede, inter alia, the termination of the service contract and the change of provider, the transfer of data to another provider, the conclusion of new contracts with another service provider.
It is also worth noting that the rights of the customer and the obligations of the data processing service provider must be clearly set out in a written contract. The provider is obliged to make the contract available to the customer before signing in a way that allows the customer to keep and reproduce it.
Moreover, as of 12 January 2027, data processing service providers will be obliged to abolish the fees imposed so far for switching and, until then, providers are only obliged to apply reduced fees, which do not exceed the costs incurred by the provider, directly related to the respective switching process.
Application of the Regulation and GDPR
According to Article 1 sec. 5 of the Regulation, the provisions of the Data Act are without prejudice to Union law and national law on the protection of personal data. Thus, not only the mechanisms provided for in the Data Act, but also the general data protection provisions governed by the GDPR and the German Data Protection Act (Bundesdatenschutzgesetz) will apply to personal data processing activities. Where there is a conflict between the Regulation and either the GDPR or the German Data Protection Act, on the other hand, the applicable Union or national data protection law will take the priority.
Violations and their consequences
Certain penalties are provided for violations of the Data Act. As a rule, the fines are up to EUR 20,000,000 EUR or, in the case of an enterprise, up to 4% of its total global annual turnover in the previous financial year.
Grau Rechtsanwälte PartGmbB advises and supports companies in the area of distribution law, labor law and data protection, as an external data protection officer.
If you have any further questions, please contact our law firm on +49 (0) 40 180 364 020 or office@graulaw.eu.