The Data Act will regulate how companies in the EU are allowed to use data in the future. In our newsletter, we gave you an initial overview of the new regulations and in an article, we took a closer look at who the Data Act applies to. In this article, we explain what the Data Act means for the use of product data by manufacturers (and therefore also for users and buyers).

Current situation

To date, there is no comprehensive regulation on rights of use for product data. Regulations can only be found in certain areas, such as data protection law or copyright law. Otherwise, the principle applies that the party with access to the data is entitled to the rights to the data, unless contractual regulations (e.g. R&D projects, joint ventures or confidentiality agreements) exist. As a rule, the manufacturer of an IoT product has access to the product and usage data. Manufacturers can therefore analyze this data, for example to improve their products. 

How will manufacturers get access to data from IoT products in future?

The key new regulation on the use of product data by manufacturers can be found in Article 4 (13) Data Act. According to this, the data holder (i.e. the manufacturer) may only use readily available data, which is non-personal data, on the basis of a contract with the user (i.e. usually the owner of the product). Data holders may not use such data to collect information about the user. Readily available data is product data that the manufacturer obtains or can obtain from the connected product without disproportionate effort.

Contract between manufacturer and user

To use product data in the future, manufacturers must conclude a data usage agreement with the user. This poses challenges for manufacturers, particularly in supply chains. Currently, manufacturers of connected products often have no direct contractual relationship with the buyer of the products, for example if they are sold by intermediaries. In such cases, a contract can only be concluded with the user through a type of End User License Agreement (EULA). Manufacturers must ensure that the contract is concluded legally, documented and with the user (or with an authorized employee of the user). 

No personal data

Another practical problem for manufacturers is the exclusion of personal data from the regulation. The background to the exclusion is that the legal basis for the processing of personal data is regulated in the EU General Data Protection Regulation (GDPR). According to this, a contract with the user can only justify processing in accordance with Art. 6 para. 1 lit. b) GDPR if the user is also the data subject. In the B2B sector in particular, manufacturers therefore require a different legal basis for the processing of personal data. Manufacturers must analyze the extent to which the product data relates to an identified natural person. The current case law of the ECJ on the relative personal reference of vehicle identification numbers (C319/22) and of the EGC on the lack of personal reference for certain pseudonymized data (T-557/20) must be taken into account. If there is a (partial) personal reference, data holders require a further justification under the GDPR in addition to the contract, e.g. the protection of their legitimate interests.

Content review of contracts

Contractual provisions with which manufacturers try to secure access to product data are also subject to abuse control in accordance with Art. 13 of the Data Act. According to this, contractual clauses relating to data access are not binding if they are "unfair". According to Art. 13 para. 3 of the Data Act, this is the case in the event of a gross deviation from good commercial practice or a breach of good faith and fair dealing. The regulation further specifies this requirement by providing examples in paragraphs 4 and 5. The regulation is reminiscent of the control of general terms and conditions under German law and requires great care when drafting contracts. 

Model contract terms

In accordance with Art. 41 Data Act, the EU Commission will draft and publish model contractual terms on data access and use before September 12, 2025. The use of the model contractual terms is expressly non-binding (see recital 42). When using these model contractual terms, companies can be sure that they are not using unfair contractual terms according to Art. 13 Data Act. Companies should therefore carefully check the extent to which the model contract terms may be a useful option for them. 

Outlook and practical tips

The Data Act brings with it extensive new requirements for manufacturers of IoT products. Companies should analyze their options and make changes at an early stage, particularly when drafting and revising their contracts. This applies in particular to long-living products, as it is much more difficult to agree or amend contractual provisions with the user after a sale. The new regulations will also pose challenges for users of IoT products when they are confronted with new contracts.

If you have any questions about the Data Act or need support, please do not hesitate to contact our experts in the field of intellectual property, media and information technology. We will help you to analyze possible changes to your contracts and to implement the new regulations in the best possible way. At the beginning of the implementation, for example, we offer a short workshop in which we work with you to identify the specific requirements for your company and coordinate the necessary steps.