Eu Data Act Requirements for Providers of IoT Products and Data Processing Services

Are you manufacturing connected products that collect usage related data or providing data processing services? If yes, many obligations of the EU Data Act that will enter into force after 12 September 2025 may apply to your operations. Now it is a good time to check whether these obligations apply and take them into account in your contract terms and practises. There are also exceptions for micro and small enterprises which can be evaluated on a case by case.

Connected product data to users

After 12 September, data holders (such as companies manufacturing connected products, e.g. connected cars or medical or fitness devices) must provide users of such products with access to the data that is generated by the use of the product and designed to be retrievable from the product. This could be, for example, usage logs, sensor readings, or service interaction records. The data holder must provide data of the same quality as is available to the data holder, easily, securely, free of charge to the user, in a comprehensive, structured, commonly used and machine-readable format and, where relevant and technically feasible, continuously and in real-time. In this case ‘user’ means, for example a company or consumer that owns a connected product or to whom temporary rights to use that connected product have been contractually transferred, or that receives related services.

Before concluding a contract for the purchase, rent or lease of a connected product, the seller, rentor or lessor, which may be the manufacturer, needs to provide mandatory information specified in the Data Act to the user.

Under the new rules, manufacturers may also use the data collected from their products for purposes like product development only if a contract with the user permits it. Data holders may not either make available the product data to third parties for commercial or non-commercial purposes other than the fulfilment of their contract with the user.

Connected product data to third parties on user’s request

Upon request by a user, data holders must make available readily available data and relevant metadata to a third party. The third party may not use the data for developing a competing connected product.

The B2B contract terms on data sharing must be fair, reasonable, and non-discriminatory where they are unilaterally imposed on the recipient. There is a list of contract terms that are presumed to be unfair. The rules on unfair contractual terms apply actually to all contracts related to data access and use between entities.

Data holders are entitled to request a reasonable compensation for making the data available. The data holder may also refuse to provide the data, for example to protect trade secrets.

Data processing services

The Data Act applies also to a “data processing service”. Its definition is quite complex. It means a digital service that is provided to a customer and that enables ubiquitous and on-demand network access to a shared pool of configurable, scalable and elastic computing resources of a centralized, distributed or highly distributed nature that can be rapidly provisioned and released with minimal management effort or service provider interaction. The data processing services could include for example Software as a Service (SaaS), Platform as a Service (PaaS), and Infrastructure as a Service (IaaS) solutions.

The Data Act does not state that all SaaS would be considered a data processing service, but there is not yet clear interpretation practice. Therefore, all SaaS providers should evaluate if their service can qualify as a “data processing service”.

For example, it is notable that providers of data processing services may not impose obstacles, which inhibit customers from effectively switching the service provider.

Also, the customers will have the right to terminate the data processing service with two months’ notice, after which the switching process must be concluded within 30 days.

Currently any switching charges shall not exceed the costs incurred by the provider that are directly linked to the switching process. After 12 January 2027, no switching charges shall be imposed on the customer.

The rights and obligations of parties in relation to switching between providers (or to an on-premises ICT infrastructure), as well as the standard service fees, switching charges and early termination penalties, need to be set out in the contract. The provider must also give mandatory information to the customer regarding e.g. the switching procedure.

This benefits customers but may reduce revenue for service providers, as long-term contracts or extended notice periods may no longer apply as intended. However, the Data Act does not prevent the parties from agreeing on contracts of a fixed duration, including proportionate early termination penalties to cover the early termination of such contracts. Therefore, the service providers should consider including such early termination penalties in the contracts.

Related Services

Privacy & Personal Data
Commercial Contracts

Latest News

Eu Data Act Requirements for Providers of IoT Products and Data Processing Services2025-04-16T09:57:37+03:00

Eu Data Act Requirements for Providers of IoT Products and Data Processing Services

Reforms to the Monitoring Act expected for reinforcing national security2025-04-16T09:53:35+03:00

Reforms to the Monitoring Act expected for reinforcing national security

The Omnibus Package Released – How It Affects Sustainability Reporting2025-04-04T10:34:40+03:00

The Omnibus Package Released – How It Affects Sustainability Reporting

What is LOI and why is it important?2025-04-04T10:34:53+03:00

What is LOI and why is it important?

Matias Forss has been invited to join Kalliolaw Attorneys Ltd’s partnership2025-04-04T10:35:04+03:00

Matias Forss has been invited to join Kalliolaw Attorneys Ltd’s partnership

How to prepare for due diligence2025-04-04T10:35:18+03:00

How to prepare for due diligence

New blog post from Attorney-at-Law Johanna Maria Kajaste2025-04-04T10:35:30+03:00

New blog post from Attorney-at-Law Johanna Maria Kajaste

Blog text from our expert Taina Metso2025-04-04T10:35:48+03:00

Blog text from our expert Taina Metso

Kalliolaw experts serve as authors of the Getting the Deal Through: Panoramic Q&A – Mining 20242025-04-04T10:36:15+03:00

Kalliolaw experts serve as authors of the Getting the Deal Through: Panoramic Q&A – Mining 2024

, ,
New blog post from Attorney-at-Law Sonja Kurki2025-04-04T10:36:27+03:00

New blog post from Attorney-at-Law Sonja Kurki

Eu Data Act Requirements for Providers of IoT Products and Data Processing Services2025-04-16T09:57:37+03:00

Eu Data Act Requirements for Providers of IoT Products and Data Processing Services

Reforms to the Monitoring Act expected for reinforcing national security2025-04-16T09:53:35+03:00

Reforms to the Monitoring Act expected for reinforcing national security

The Omnibus Package Released – How It Affects Sustainability Reporting2025-04-04T10:34:40+03:00

The Omnibus Package Released – How It Affects Sustainability Reporting

What is LOI and why is it important?2025-04-04T10:34:53+03:00

What is LOI and why is it important?

Matias Forss has been invited to join Kalliolaw Attorneys Ltd’s partnership2025-04-04T10:35:04+03:00

Matias Forss has been invited to join Kalliolaw Attorneys Ltd’s partnership

How to prepare for due diligence2025-04-04T10:35:18+03:00

How to prepare for due diligence

New blog post from Attorney-at-Law Johanna Maria Kajaste2025-04-04T10:35:30+03:00

New blog post from Attorney-at-Law Johanna Maria Kajaste

Blog text from our expert Taina Metso2025-04-04T10:35:48+03:00

Blog text from our expert Taina Metso

Kalliolaw experts serve as authors of the Getting the Deal Through: Panoramic Q&A – Mining 20242025-04-04T10:36:15+03:00

Kalliolaw experts serve as authors of the Getting the Deal Through: Panoramic Q&A – Mining 2024

, ,
New blog post from Attorney-at-Law Sonja Kurki2025-04-04T10:36:27+03:00

New blog post from Attorney-at-Law Sonja Kurki