Garrigues Digital_

Legal innovation in Industry 4.0

 


The Data Act and regulated access to data: the essentials

Begoña González Otero, of counsel of Industrial and Intellectual Property at Garrigues and expert in digital law.

The European regulation recognizes that users frequently depend technologically on the manufacturer or provider when accessing data. In this context, we analyze the rights of users and the obligations of the data holders, as well as the necessary balances and limits, the potential risks and all that this implies for businesses. 


The «Regulation on harmonized rules on fair access to and use of data» (EU) 2023/2854 (Data Act) became applicable on September 12, 2025. At its core lies a regime for regulated access to data generated by connected products and related services (IoT). If you manufacture or sell connected devices, provide associated services, use data generated by these products, or are a user of any of these, this affects you directly.

The regulation is not based on the logic of “data ownership”, but rather on access control, and recognizes that users often depend technologically on the manufacturer or provider. The Data Act seeks to correct this asymmetry through a clear set of rights for users and obligations for data holders, encouraging a fairer, interoperable and competitive environment.

What changes: users’ rights and the obligations of data holders

The core of the regime lies in articles 4 and 5 of the Data Act:

  • Access and use by users (article 4): the user of a connected product or service (i.e., an individual or legal entity that is entitled to legally use the product or service, be it as owner, lessee, borrower or under any other valid legal instrument) is entitled to access and use the data generated by the use of that product or service, where they do not have direct access to such data.

    This right covers both data introduced intentionally and data generated indirectly by the use of the product, i.e., data on the environment, performance, consumption or interactions of the device. Observed and pre-processed data are included, that is, data that the product obtains, generates or collects without making a substantial investment in cleaning, aggregating or transforming them. Inferred or derived data are not covered, such as analytical results, predictive assessments or modeling generated by the manufacturer or operator through subsequent processing. The data holder (usually the manufacturer or provider of the product) must provide those data free of charge to users without undue delay, in a structured, commonly used and machine-readable format. The conditions must be fair, reasonable, transparent and non-discriminatory, and access should respect the necessary safeguards to protect trade secrets, third-party intellectual property rights and personal data.
  • Sharing with third parties (article 5): users may designate a third party (an individual or a legal entity) to receive the data generated by the use of the connected product or service. In such an event, the data holder (the manufacturer, for example) must facilitate such transfer, without undue delay, in a structured, commonly used and machine-readable format. This right may only be limited in specific, justified cases (for example, to protect trade secrets or to comply with other applicable laws).

    The data holder may not impose technical, contractual or economic conditions that unduly hinder the effective exercise of this right. 

    It should be underscored that the regulation expressly excludes the so-called ‘gatekeepers’ designated under the Digital Markets Act (DMA), even if the user designates them. This exclusion is due to the need to avoid undue concentrations of economic power in the digital ecosystem and safeguard fair competition.

This combination (access and sharing) is supplemented with an item which is often overlooked and which changes the contractual game:

  • Additional contract for the use of non-personal data (articles 4.13 and 4.14): the Data Act allows data holders to use the non-personal data generated by the product or service, but always under two conditions: (i) there must be a transparent agreement with the user that defines the purposes of use, and (ii) such use may not undermine the commercial position of that user in its market. The legitimate purposes include, for example, the improvement of the functioning of the product or service or the aggregation of data in order to make the resulting derived data available to third parties, provided that they cannot be identified. However, non-personal data may only be disclosed to third parties (article 4.14) if it is expressly envisaged in the contract with the user. As a result, the regulation makes users the real “guardians” of the secondary use of their data, while also fostering an opening of markets through licenses under fair, reasonable and non-discriminatory conditions (articles 8 and 9). 

    Example: An agricultural cooperative uses a fleet of connected intelligent tractors that register data on engine use, soil humidity, speed of operation and fuel consumption. These data are stored in the cloud of the tractor's manufacturer. 

    One of the members of the cooperative, a farmer responsible for a specific plot, requests access to the data of their tractor, in accordance with article 4 of the Data Act, since the data cannot be accessed directly via an interface. The manufacturer, as data holder, must provide those data at no cost, in a structured, machine-readable format, without delays or excessive identification requirements.

    Subsequently, the same member decides to designate a local agricultural analysis company to optimize the performance of land based on these data. In accordance with article 5, the manufacturer must transfer the data directly to this company, without imposing undue technical or contractual conditions. 

    However, if the member of the cooperative wants to send the data to a company that provides core platform services and has been designated a gatekeeper under the DMA, the manufacturer is legally authorized to reject this transfer.

    The manufacturer may also wish to use the data generated by the tractors to improve the design of future models or to prepare usage statistics that it will subsequently aggregate and make available to third parties. To do this it must have a transparent contract with the cooperative or with each user, specifying these purposes. The regulation allows such use, provided that granular information is not extracted that may affect the competitive position of the cooperative or each farmer. Data may only be disclosed to third parties if this too is envisaged in the contract.

In addition to these contractual rights, the Data Act strengthens the legal framework with a far-reaching technical requirement: the accessibility of the data by design and by default (article 3). Products and services must be designed so that the data (and the necessary metadata) are accessible by default, easily, securely, free of charge and in machine-readable format. This obligation is applicable to products and services placed on the market after September 12, 2026.

Principles of balance and limitations

The regime seeks to balance the opening with the protection of investment incentives. It therefore provides for:

  • Limitations in connection with trade secrets and IP rights: access cannot reveal protected know-how; technical measures can be imposed to avoid unauthorized use, provided that they are proportional.
  • Reasonable compensation (FRAND terms): where applicable, making data available can involve remuneration on fair, reasonable, and non-discriminatory terms, avoiding hidden consideration.
  • Coordination with the GDPR: the Data Act is horizontal (it includes personal and non-personal data). In the case of personal data, the processing must comply strictly with the GDPR; the Data Act does not create a new legal base. Moreover, its rights supplement the right to portability set out in article 20 of the GDPR and the right of access provided in article 15 of the GDPR (article 1.5 of the Data Act).
  • Unfair B2B terms (article 13): if a company unilaterally imposes terms that distort the balance (e.g. disproportionate exclusions of liability or unconditional waivers of rights), they could be deemed not to have been included. It is a contractual “handbrake” to safeguard the pro-competitive purpose of the regime.

What does this mean for your business (manufacturers, providers)

  • Rethink the design and data architecture: make an inventory of what is generated, where it is stored, how it is labeled and with which metadata. Accessibility by design will require detailed data mapping, reliable APIs or extraction channels and clear documentation for users and third parties.
  • Put processes in place to attend to requests: article 4 grants users the right to access and use data and article 5 to share them with designated third parties. Businesses must define response periods, internal managers, applicant authentication and safeguard protocols. Where trade secrets or third-parties’ rights are involved, it is advisable to use secure access solutions or “clean rooms” and avoid a general negative response that may be considered disproportionate.
  • Negotiate and standardize additional contracts for non-personal data: articles 4.13 and 4.14 require data holders to only use the data on the basis of a contract with the user. This involves designing clear templates that define purposes of use, FRAND terms (where applicable), pseudonymization or aggregation measures and reversibility clauses. This additional contract becomes a strategic tool to generate secondary data markets controlled by the user.
  • Align the legal, technical and business-model aspects: regulated access is not just compliance; it is a controlled opening strategy to facilitate after-sales services, ecosystems and secondary markets. Here it is crucial for the legal, technical and business teams to work hand in hand.

Typical risks and how to mitigate them

  • Confusing “inferred data” with “pre-processed data”: revise your pipelines; anything derived from models/algorithms may fall outside the right of access. Put criteria on record.
  • Trade secrets that are invoked incorrectly: a negative response based on secrecy must be proportionate and justified; consider secure access solutions instead of a negative response across the board.
  • Opaque FRAND terms: prepare internal calculation methodologies and benchmarking in order to avoid allegations of discrimination.
  • Neglecting the GDPR: in the case of personal data, ensure a valid legal basis, minimization and a DPIA where applicable, and address reidentification risks in derived datasets.
     

Spain, Germany, France and the application and execution of the regime

The effectiveness of this regime will largely depend on its supervisory and legal application. Chapter IX of the Data Act covers the competent authorities, penalties and alternative dispute resolution mechanisms, but its real effectiveness may vary from country to country. Spain has still not designated an authority or data coordinator, which could lead to more private execution and a probable increase in lawsuits initially. Germany has presented an implementation bill (Data Act-Durchführungsgesetz) which envisages designating the Bundesnetzagentur (BNetzA) as the central authority and the BfDI for data protection. However, the bill has not been approved yet, so the German institutional framework is still a proposal in the course of being resolved. France has in turn reinforced the institutional architecture through the SREN Law, which assigns a stronger role to authorities such as the CNIL and ARCOM with a view to the application of European digital legislation. For businesses that operate in several countries, this means that they need to adapt their response processes, contracts and technical defense to the country in question until a more uniform interpretation is consolidated at a European level.

Express checklist (only access regime)

  • Inventory of IoT data (primary vs. pre-processed vs. inferred), metadata and location.
  • Access/transfer channels operational (APIs, machine-readable formats, security).
  • Procedure and service level agreement (SLA) for requests by users and designated third parties.
  • Additional contract template for non-personal data (uses, FRAND, safeguards).
  • Trade secrets and IP rights policy with technical protection measures (if necessary).
  • GDPR compliance matrix for mixed scenarios (legal bases, portability, DPIA).
  • Review of B2B contractual terms to detect and delete potentially unilateral unfair terms.
  • Accessibility plan by design (article 3) for new launches 2026–2027.

In short: the Data Act does not deliver “ownership” of the data to the user, but it does eliminate the blocking of access where there is technological dependence, creating technical, contractual and organizational obligations that pave the way to a more dynamic market. Getting ready now, with an accessible design, adequate contracts and solid processes, is what will make the difference between reacting to a claim and being at the helm of your data ecosystem.