|
Data (Use and Access) Act 2025
Part 1 “Access to Customer Data and Business Data” |
EU Data Act |
Sharing (Chapters II - IV) |
Switching (Chapter VI) |
Products/Services Concerned |
Not limited to any specific product or service category.
The law is sector-agnostic, but this may evolve as secondary legislation is introduced.
|
Connected products and related services (e.g., IoT devices and software connected to IoT devices) placed on the market in the EU. |
Data processing services (e.g., cloud services) provided to customers in the EU. |
Relevant parties |
“Trader” is the person who supplies or provides goods, services or digital content in the course of business, whether acting personally or through another person acting in the trader’s name or on the trader’s behalf.
“Customer” is a person who (i) has purchased goods, services or digital content supplied by the trader, (ii) has been supplied by the trader with goods, services or digital content purchased from the trader by another person, or (iii) has otherwise received goods, services or digital content for free from the trader.
“Authorised person” is a person authorised by a customer to receive customer data.
“Data holder” means the trader, or the person who processes the data.
“Third-party recipient” is an authorized person of a specified description (in regulations).
“Interface bodies” are bodies created by regulation (set up by data holder or a third-party recipient), charged with carrying out tasks relating to customer data or business data.
|
“Manufacturer” of the connected product.
“Data holder” is the natural or legal person that has the right to use and make available the product or related service data.
“Data recipient” is a natural or legal person in the EU other than the user of a connected product or related service to whom the data holder makes data available, including a third party.
“User” is the person in the EU that owns a connected product or to whom temporary rights to use that connected product have been contractually transferred or that receives related services.
|
“Customers”
“Providers of data processing services”
|
Obligations |
Subject to rules adopted by the Secretary of State or the Treasury:
- The data holder will be required to provide customer data to the customer or an authorized person on request.
- The data holder may be required to produce, collect or retain, or arrange for the production, collection or retention of customer data and/or make changes to customer data, including rectifying inaccurate information upon a customer’s or authorised person’s request.
- An authorised person may take action on the customer’s behalf in relation to goods, services or digital content.
- The regulations may contain provisions regarding processes and standards for the processing of customer data and the fulfillment of the required actions, including when a data holder may or must refuse to act on such a request.
- Similar powers are granted to the Secretary of State or the Treasury in relation to business data, namely to require that a data holder publish or otherwise make business data available or to provide business data to a customer of the trader or to another person, and the circumstances for such disclosure and circumstances in which approval is required for such disclosure and when it may be refused.
- Regulations may also require business data to be provided upon request (including circumstances in which a request may be refused).
- The regulations may establish interface bodies.
- Data holders may be required to pay a levy to cover expenses incurred by public authorities, interface bodies, enforcers, etc. in carrying out their duties.
|
From 12 September 2026, connected products and related services will be designed and provided to enable direct access to product data and related service data, free of charge.
Specified pre-contractual information will be made available by the seller or lessor.
By 12 September 2025, where data is not directly accessible, the data holder will make readily available data available to the user free of charge.
|
Providers of data processing services shall enable customers to switch to a data processing service provided by different provider(s), or to an on-premise ICT infrastructure, upon request and within specified time frames.
Providers must implement mandatory contractual clauses (including the customer’s right to terminate the services before the end of the contract term) and transparency obligations.
|
Covered Data Categories |
Business data (in relation to a trader) means (i) information about goods, services and digital content supplied or provided by a trader; (ii) information relating to the supply or provision of goods, services or digital content (including prices or other applicable terms, how they are used, performance quality); (iii) information relating to feedback; and (iv) information relating to the provision of this information.
Customer data (in relation to a customer of a trader) means information relating to goods, services and digital content supplied or provided by the trader to the customer or another person at the customer’s request, including: (i) price or other terms applicable to the supply of the goods/services/content; (ii) how they are used by the customer or the other person; (iii) their performance or quality when used by the customer or the other person; and (iv) information relating to the provision of this information.
Includes data relating to the purchase, supply, provision or receipt of goods, services or digital content before the Act takes effect.
|
Personal and non-personal data, including:
Product data means data generated by the use of a connected product or related service, designed to be retrievable.
Related service data means data representing the digitisation of user actions or of events related to the connected product recorded intentionally by the user or generated as a byproduct of the user’s action during the provision of a related service by the provider.
Metadata means a structured description of the contents or the use of data facilitating the discovery or use of that data.
Trade secrets (subject to protections, but disclosable).
|
Exportable data means input and output data, including metadata, directly or indirectly generated or cogenerated, by the customer’s use of the data processing service.
Digital assets are elements in digital form, including applications, for which the customer has the right of use, independently from the contractual relationship with the data processing service it intends to switch from.
|
Excluded Data |
The regulations to be adopted under Part 1 may provide that information processing in accordance with those regulations does not breach confidentiality obligations by the processor or other restrictions. |
Manufacturer’s or data holder’s intellectual property.
Highly enriched data (inferred or derived data, i.e., not raw data).
Trade secrets under certain circumstances (presumption in favour of disclosure subject to safeguards).
|
Exempted data is any data or assets protected by intellectual property, of the service provider or third parties.
Trade secrets of the service provider or a third party.
|
Relationship to GDPR/Data Protection Laws |
The regulations adopted under Part 1 do not authorise the processing of personal data in breach of data protection legislation. |
Rights under the Data Act have to be exercised in compliance with the GDPR. |
Third-Party Right to Access Data |
Yes, upon customer’s request or at the authorized person’s request. Will include authorized persons, interface bodies. |
Yes, upon request by the user. |
Yes, customer can request that data be switched to a new provider. |
Limits/Exceptions on User and Third-Party Rights |
The regulations adopted by the Secretary of State or the Treasury may provide for data holders, interface bodies, enforcers, etc. to charge fees to other persons in connection with the performance of their duties.
Additional restrictions may be set out in regulations adopted by the Secretary of State or the Treasury.
|
Yes. No transfer for testing new products if no agreement on trade secrets protection can be reached. Additional restrictions against adverse use of data.
The data holder may apply technical protection measures to data (e.g., encryption, smart contracts).
Neither the user nor a third party may use data to develop a competitive product, nor use data to derive insights about the business of the data holder (but this is not an exception to the obligation to make data available).
|
Customised services subject to specific rules.
The requested switching must be to a data processing service that is of the same service type, or to the customer’s on-premise ICT infrastructure.
|
Restrictions on Data Holder/Service Provider |
To be addressed in regulations made by the Secretary of State or the Treasury. |
Yes. No unfair contractual terms may be imposed on third parties; data holder may not use data to gain commercial insights into user or to undermine user.
Sui generis database rights are not applicable.
|
Providers of data processing services shall remove, and shall not impose, obstacles to data switching, contract termination or concluding new contracts with different providers.
Switching fees charged by data processing service providers to be phased out by 11 January 2027.
|
Contractual Requirements |
Not explicitly in this Act. |
Yes. Between data holder and user if manufacturer wishes to use covered data, and between data holder and data recipient. Specific rules regarding terms and compensation.
European Commission has prepared model clauses (voluntary use).
|
Yes. Mandatory provisions to be included in data processing service agreements, and customer has a right to terminate the agreement with a notice period (no derogation possible).
European Commission has prepared model clauses (voluntary use).
|
Treatment of SMEs |
Effect of regulations on small and micro-businesses to be taken into account by Secretary of State and the Treasury in deciding to adopt regulations in relation to customer data. |
Exemptions available. |
Not specified. |
Interoperability/Access Standards |
Requirements may be specified by regulations adopted by the Secretary of State or the Treasury (e.g., the use of specified facilities, dashboard services, APIs, etc.). |
Requirements for participants in data spaces to facilitate interoperability. May be supplemented by delegated legislation.
Harmonised technical standards may be adopted.
|
Enforcement |
To be addressed in regulations made by the Secretary of State or the Treasury. These regulations may cover investigative powers, powers to fine and provision for complaints. |
Competent authorities to be nominated by each Member State and a data coordinator if required.
Data protection supervisory authorities shall be responsible for monitoring the application of the regulation in relation to personal data.
Users/customers can lodge a complaint with the relevant competent authority (without prejudice to rights to seek remedies before the courts).
A dispute settlement regime will be established in relation to data sharing obligations.
Penalties will be set by the Member States.
Maximum penalties for breach of the data sharing obligations are aligned with the GDPR sanctions (€20m or 4% of global annual turnover).
|
Date of Application |
DUA took effect on 19 June 2025, but specific obligations will not take effect until secondary regulations are adopted (no fixed date as of yet). |
Staggered application, but the bulk of the obligations relating to data sharing and data switching take effect on 12 September 2025. |