Data Act GDPR IoT Ultimate Secure 2025
Regulation (EU) 2023/2854 (the Data Act) entered into force on 11 January 2024 and applies from 12 September 2025, with further phases in 2026 and 2027. It does not replace the GDPR: it operates “without prejudice” to the GDPR and creates no new legal basis for processing personal data. Whenever personal data is involved, the GDPR prevails. JD Supra
This guide is written for practitioners who must negotiate contracts, interoperability and governance under the Data Act and the GDPR for connected (IoT) products in 2025.
Roadmap dates that matter
12 Sep 2025: rights of access to and sharing of connected product data, B2C transparency and B2B rules on access and compensation. European Digital Strategy
12 Sep 2026: “access by design” obligation for connected products and related services placed on the market from that date onwards; direct access to data where technically feasible. Arthur Cox LLP
12 Jan 2027: complete ban on exit charges for switching data processing service providers (cloud switching). scl.org
12 Sep 2027: extension of the unfair terms rules to certain pre-existing long-term contracts. Sourcing Speak
These dates anchor any migration or renegotiation plan aimed at 2025 readiness.
What data is really covered
The Data Act focuses on data generated through the use of connected products and related services. It covers both personal and non-personal data, but the obligation is limited to “readily available” data; enriched or derived data is not subject to mandatory access. Sourcing Speak
In practice this means raw telemetry, sensor readings, usage logs and operational metrics. You are not obliged to hand over complex inferences or internal analytical models.
These scoping lines determine what goes into the data inventory and which access models the playbook has to support.
Interaction with GDPR: conflict rules
Prevalence: the Data Act is complementary and “without prejudice” to the GDPR. If the required access or sharing would expose personal data without a valid legal basis, or would exceed GDPR principles, it must be limited or denied. Osborne Clarke
Legal basis: the Data Act does not in itself legitimise processing. You must rely on Art. 6 GDPR and, where applicable, Art. 9. wilmerhale.com
Principles: data minimisation, purpose limitation, accuracy and security apply before sharing. wilmerhale.com
Roles: under the Data Act the roles of user, data holder and data recipient apply; under the GDPR, controller and processor. A mapping of roles per data flow should be documented in contracts. Latham and Watkins
Compliance leaders can use this mapping to build an operating model with clear accountability for each data flow.
User rights and technical limits
Free and simple access to product and related service data, preferably direct and in real time where feasible; otherwise available on request without undue delay, in a structured and machine-readable format. Latham and Watkins
The user may instruct a transfer to a third party. This triggers the compensation and trade secret protection rules. Ypog
Exclusions and security: access or sharing may be restricted if it would compromise product safety requirements and cause serious harm. Stephenson Harwood
Compensation: who pays and when
To the user: always free. You cannot charge users for access to their own data. Skadden
To a third-party recipient: in B2B you may charge reasonable, non-discriminatory compensation; a margin may be included, except where the recipient is an SME or a non-profit research entity, in which case only direct costs apply. You must explain the calculation basis. eu data act dot com
Operational tip: publish FRAND tariffs and a transparent formula based on the volume, format and nature of the data to avoid disputes. Kemp IT Law
B2B unfair terms: black and grey lists
The Data Act introduces a three-level unfairness test and lists of terms that are void or presumed unfair when imposed unilaterally. Review liability exclusions for wilful misconduct or gross negligence, unilateral decisions on data conformity, and disproportionate waivers. Freshfields
Cloud switching: counterweight to vendor lock-in
The Data Act pushes portability and interoperability in data processing services. From 2025, obligations on provider switching apply; from 12 Jan 2027 exit fees disappear, which requires contractual and technical decoupling plans. Greenberg Traurig
Commission MCTs: reference templates
The Commission has issued draft, non-binding Model Contractual Terms (MCTs) for data access and use, and standard clauses for cloud contracts. The EDPB published Statement 4/2025 on these drafts. Use them as a baseline for negotiation and to demonstrate diligence. EDPB and Skadden
Typical contractual risks in IoT
Trade secrets: protect know-how and designs. You may refuse disclosure if you can demonstrate serious economic harm. Require technical and legal measures and robust NDAs from recipients. Oxera
Ownership and control: avoid claiming “absolute ownership” of usage data. Recognise user rights and define licences for internal use and aggregated analytics. Latham and Watkins
Sub-processors: extend Data Act and GDPR obligations across the chain, with prior consent for changes and audit rights. orrick.com
Format and API: specify schemas, latency, SLAs and migration procedures. Access must be structured and machine-readable. Latham and Watkins
Derived data: state clearly what you do not share, because derived or enriched data is outside the mandatory scope. Taylor Wessing
Recommended clause template extract
Definitions and scope
“Product data”, “Related service data”, “User”, “Data holder” and “Data recipient”, each mapped to Controller/Processor under the GDPR per flow. Latham and Watkins
Access and format
Free user access, direct and in real time where feasible; otherwise on request without delay, in a structured and machine-readable format. Latham and Watkins
Third party sharing
User instruction mechanism, identity validation, filtering and pseudonymisation as required by the GDPR, and access logs. wilmerhale.com
B2B compensation
FRAND direct-cost formula; margin only when the recipient is not an SME or non-profit; transparency on the calculation. Kemp IT Law
Trade secrets
Segmentation, pre-disclosure reviews, restrictions against competitive use, and the right to deny where serious harm arises. Oxera
Security and exceptions
Cases where access or use is restricted due to product safety and serious risk. Stephenson Harwood
Sub-processors and chain
Notification and prior approval, full flow-down of Data Act and GDPR obligations, audit and remediation rights. orrick.com
Deletion and retention
Deletion at end of contract or valid request, including copies and backups with certificate of destruction where applicable. wilmerhale.com
Interoperability and migration
Documented APIs, formats, migration windows, export SLAs, portability tests. Greenberg Traurig
Unfair terms
Express declaration excluding black/grey list terms and a review mechanism if challenged. Freshfields
Governing law and dispute resolution
Express reference to the Data Act and the GDPR; accelerated injunctive mechanism for access disruption. JD Supra
Practical cases and design decisions
1 Connected vehicle
Data: GPS, telemetry, diagnostics, safety events.
Obligation: free access for the user and transfer to a garage or insurer if the user so instructs. Filter or anonymise data that the third party does not need. Latham and Watkins
Contract keys: limited licences, access logs, delivery SLA, exclusion of derived data (for example internal predictive models). Taylor Wessing
2 Health wearable
Data: heart rate, sleep, activity (special category data).
Obligation: free access; sharing with a nutrition app or coach only with a proper GDPR basis (explicit consent or a sectoral rule). wilmerhale.com
Keys: reinforced cloud DPA, pseudonymisation by default, segregated flows, granular consent records. orrick.com
3 Smart home
Data: thermostat, presence, consumption; may infer personal habits.
Obligation: allow portability to an external energy auditor; restrict video and audio if safety or the GDPR requires. Stephenson Harwood
Keys: household access profiles, exclusion of derived data, encryption in transit and at rest, SLA for API outages. Taylor Wessing
Cloud migration: exit checklist 2025 to 2027
Workload inventory and IoT-linked data, with a mapping of data holders and recipients. Greenberg Traurig
Switching clause: windows, steps, responsibilities, support by the outgoing provider, and no fees from Jan 2027. scl.org
Formats and interoperability: exportable and documented formats, with restoration tests at the destination. Greenberg Traurig
Governance and transparency: what the user must see
Pre-contractual information: types and volumes of data, retention, access means, expected latency. Arthur Cox LLP
Data portal: self-service download and APIs with strong authentication; pay particular attention to devices with weak or no authentication. Taylor Wessing
Traceability: verifiable logs of who accessed, when, under which instruction. Stephenson Harwood
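The “Third party sharing” clause above and the traceability requirement here describe one flow: validate the user's instruction, share only readily available fields (never derived data), pseudonymise identifiers the recipient does not need in the clear, and record who accessed what, when and under which instruction in a log that can be checked afterwards. The following Python is an added example written for this article, not code from the page or from any of the firms it cites. The field catalogue, the connected-vehicle record, the keys and the instruction format are constructed assumptions; a real portal would tie instruction validation to its own authentication layer and keep the pseudonymisation key in an HSM or secrets manager.

```python
"""Third-party sharing handler with a hash-chained access log (illustrative example)."""
import hashlib
import hmac
import json
from datetime import datetime, timezone

# Constructed field catalogue for a connected vehicle (assumption, not from the article).
# Readily available product data may be shared on user instruction; derived/enriched
# fields are outside the mandatory scope and never leave the data holder.
READILY_AVAILABLE = {"vin", "gps", "speed_kmh", "diagnostic_codes", "safety_events"}
DERIVED = {"predicted_failure_score", "driver_risk_profile"}
# Direct identifiers that a recipient receives only in pseudonymised form.
IDENTIFIERS = {"vin"}

# Hypothetical secrets held by the data holder (constructed values for the example).
INSTRUCTION_KEY = b"portal-instruction-hmac-key-example"  # validates portal-issued instructions
PSEUDONYM_KEY = b"holder-pseudonymisation-key-example"    # never shared with recipients


def _canon(obj) -> bytes:
    """Canonical JSON so signatures and hashes are reproducible."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def sign_instruction(instr: dict, key: bytes = INSTRUCTION_KEY) -> dict:
    """The user portal attaches an HMAC to an instruction after authenticating the user."""
    return {**instr, "mac": hmac.new(key, _canon(instr), "sha256").hexdigest()}


def validate_instruction(signed: dict, key: bytes = INSTRUCTION_KEY) -> bool:
    """Identity validation step: reject instructions that were forged or altered in transit."""
    body = {k: v for k, v in signed.items() if k != "mac"}
    expected = hmac.new(key, _canon(body), "sha256").hexdigest()
    return hmac.compare_digest(expected, signed.get("mac", ""))


def pseudonymise(value: str) -> str:
    """Keyed pseudonym: stable for the holder, not reversible by the recipient."""
    return hmac.new(PSEUDONYM_KEY, value.encode(), "sha256").hexdigest()[:16]


def filter_record(record: dict, requested: list) -> dict:
    """Keep only requested fields that are readily available; drop derived and unknown fields."""
    out = {}
    for field in requested:
        if field in DERIVED or field not in READILY_AVAILABLE or field not in record:
            continue
        value = record[field]
        out[field] = pseudonymise(value) if field in IDENTIFIERS else value
    return out


class AccessLog:
    """Append-only log; every entry hashes the previous one, so edits are detectable."""
    GENESIS = "0" * 64

    def __init__(self):
        self.entries = []

    def append(self, recipient: str, instruction_id: str, fields, when=None) -> dict:
        prev = self.entries[-1]["hash"] if self.entries else self.GENESIS
        entry = {
            "prev": prev,
            "recipient": recipient,
            "instruction_id": instruction_id,
            "fields": sorted(fields),
            "when": (when or datetime.now(timezone.utc)).isoformat(),
        }
        entry["hash"] = hashlib.sha256(_canon(entry)).hexdigest()
        self.entries.append(entry)
        return entry

    def verify(self) -> bool:
        """Recompute the chain; any altered, removed or reordered entry breaks it."""
        prev = self.GENESIS
        for e in self.entries:
            body = {k: v for k, v in e.items() if k != "hash"}
            if body["prev"] != prev or hashlib.sha256(_canon(body)).hexdigest() != e["hash"]:
                return False
            prev = e["hash"]
        return True


def share(record: dict, signed_instruction: dict, log: AccessLog) -> dict:
    """Full flow: validate instruction, minimise, pseudonymise, then log the disclosure."""
    if not validate_instruction(signed_instruction):
        raise PermissionError("user instruction failed validation; nothing shared")
    payload = filter_record(record, signed_instruction["fields"])
    log.append(signed_instruction["recipient"], signed_instruction["id"], payload.keys())
    return payload


# Constructed sample data: one vehicle record and one user instruction to a garage.
VEHICLE_RECORD = {
    "vin": "WVWZZZ1JZXW000001", "gps": [48.137, 11.575], "speed_kmh": 87,
    "diagnostic_codes": ["P0420"], "predicted_failure_score": 0.82,
    "owner_email": "owner@example.invalid",
}
INSTRUCTION = sign_instruction({
    "id": "instr-001", "user": "u-42", "recipient": "garage-17",
    "fields": ["vin", "diagnostic_codes", "predicted_failure_score", "owner_email"],
})

if __name__ == "__main__":
    log = AccessLog()
    print(share(VEHICLE_RECORD, INSTRUCTION, log))   # only vin (pseudonymised) and diagnostic_codes
    print("log intact:", log.verify())
```

Running the block shares only the pseudonymised VIN and the diagnostic codes: the failure score is derived data and the owner's e-mail is not product data, so both are dropped even though the instruction asked for them. The log entry records the recipient, the instruction id, the exact fields released and the timestamp, and `verify()` fails as soon as any entry is edited, which is the property a “verifiable” access log needs.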
Errors to avoid
Charging the user for their own data. Prohibited. Skadden
Assuming the Data Act itself authorises personal data processing. It does not. wilmerhale.com
Unilateral clauses limiting liability for wilful misconduct or gross negligence, or reserving the sole decision on data conformity. Risk of nullity. Freshfields
Treating derived data as “product data”. Not allowed. Taylor Wessing
Compliance roadmap in 10 moves
Diagnosis: identify connected devices and services generating readily available data and exclude derived data. Taylor Wessing
Role matrix: User / Data holder / Data recipient ↔ Controller / Processor for each flow. Latham and Watkins
Contract rewrite: free user access, FRAND and Art. 9 compensation, secrets, derived data, security, audit, sub-processors. Kemp IT Law
Third party policy: procedure for user instructions, identity validation, minimisation and GDPR basis. wilmerhale.com
Portal and API: interface design and SLA; real-time tests where feasible. Latham and Watkins
Access by design: product backlog for launches after 12 Sep 2026. Arthur Cox LLP
Switching plan: migration annexes, export formats and multi-cloud failover tests. No fees from 2027. scl.org
Fair terms: purge black/grey list clauses; internal review committee. Freshfields
Adopt MCTs: integrate Model Contractual Terms and adapt to your sector. Skadden
Training and internal audit: legal, product and engineering under one Data Act GDPR playbook. European Digital Strategy
The Data Act opens up IoT data; the GDPR disciplines it. Contract and architecture are the levers. If you specify what you share, with whom, in what format, at what cost and with which safeguards, you reduce regulatory friction and strengthen your position before authorities and in litigation.
At GDPR AI Consulting we support lawyers, companies, and data protection consultants in achieving GDPR compliance in a practical, secure, and always up-to-date way. Our AI assistant, trained with the latest European regulations, is available 24/7 to answer complex queries, draft policies and clauses, analyze internal documents, identify compliance risks, and translate legal texts into multiple languages in seconds.
Designed to complement and streamline the work of legal and compliance teams, it brings confidence, accuracy, and efficiency to every step of the process.