We already prepared insightful materials about the huge impact of the EU Data Act on internet-of-things businesses (see here our Deep Dive of Data Act). As a reminder, the Data Act will affect IoT providers that commercialize IoT products due to the new obligation to share the data obtained through IoT with the user of the IoT product (or related services) and with third parties at the request of the user. This means that data (personal and non-personal) that was only at the disposal of the IoT provider / manufacturer from 12 September 2025 will need to be shared upon request. The scenarios of application of the Data Act are quite broad: smart cars, medical devices, smart watches, smart TVs, planes, all kind of wearables, industrial machinery… Basically, any “smart” or “IoT” product can potentially trigger the sharing obligation.
However, there are limitations, requirements and not all types of data collected through IoT devices are in-scope of the sharing obligation. In addition there are potential defences to reduce the impact of the Data Act (e.g. contractual limitations, privacy considerations, competition restrictions…). Therefore, in order to be ready for the Data Act, the following actions should be carried out:
- Data Mapping: The first action should be the preparation of an “IoT data mapping”. The company should prepare an inventory with all IoT products and the different flows of data that can be collected through the connected product and related services. This is probably the most relevant task from a technical standpoint.
- Scoping: On the basis of the “data mapping”, the company should assess which is the data “in-scope” and the data that could be excluded from the application of the Data Act. This is probably the most relevant task from a legal standpoint as it will affect all of the following actions. The company should ascertain which data could be considered “raw”, “refined”, subject to trade secrets and, critically, if there is personal data involved. It should be noted that data “in-scope” is data that will need to be disclosed either to the user or to third parties.
- Data protection analysis: If there are personal data included in the “in-scope data”; the privacy team (and the data protection officer) should be involved to analyze the possibilities and conditions for sharing the personal data upon request. As the sharing obligation will apply in B2B and B2C environments, very different scenarios may apply (controller-to-controller, joint controllerships, sensitive data, etc.) If necessary, a data protection impact assessment shall be carried out, the privacy policy shall be updated, etc.
- Data Act governance program: A governance program should be created with the procedure to attend Data Act requests, the information that must be provided, the precautions from a privacy perspective, etc. Each request may be different and the relevant team should know what to answer and how to take action on it. Different stakeholders should be involved (at least initially) because requests may concern privacy laws, competition laws, etc.
- T&Cs for data users: All users of IoT products shall be informed of the collection of the IoT data by the data holder (i.e. the manufacturer or designer) as well as the use that the data holder will make of this data. The categories of collected IoT data will need to be disclosed as well as proper information on how to obtain the IoT data and how to make it available to third parties. Actually, the mandatory items to be disclosed to the user are quite broad and will be binding for the data holder. In addition, if there are personal data involved, specific privacy wording will need to be included as necessary under the GDPR.
- T&Cs for third party recipients of data: Under the Data Act the data user can instruct the data holder to share the IoT data with third parties (even competitors). However, a specific agreement (that should respect the core of the Data Act) shall be entered into between the data holder and the recipient of the IoT data. Therefore, data holders should have a template to be used with potential third-party recipients that should be as protective as possible with business secrets, provide cybersecurity protection, etc. In addition, if there are personal data involved, specific privacy wording will need to be included as necessary under the GDPR.
In addition (albeit further away), by 12 September 2026, IoT products shall be designed and manufactured in such a manner that IoT data, including the relevant metadata necessary to interpret and use those data, are, by default, easily, securely, free of charge, etc. directly accessible to the users.
Authored by Juan Ramón Robles.