The Data Act, a proposed regulation of the European Union, establishes a comprehensive legal framework for the sharing of data - personal and non-personal - generated by the use of products and related services (e.g. vehicles, household appliances, consumer goods, medical and health products). In particular, the Data Act regulates the relationship between data owners (mostly product manufacturers), users of the products and data recipients (third parties). Other goals of the Data Act are to simplify the switching of data processing services and to improve the interoperability of data.

The central element of the Data Act is the obligation of the data owner to make generated data available to the user, a third party designated by the user or public bodies. This is flanked by the obligation to design and manufacture products in such a way that the data generated during their use are by default easily, securely and directly accessible to the user, and to inform users before the conclusion of a contract about the type and scope of the data likely to be generated by the product and how to access the data.

Of particular practical relevance is the interplay between the obligation to create data access for users and third parties and its limitation due to data protection and the protection of trade secrets and intellectual property rights.

Businesses face a number of challenges that could be difficult to overcome, especially for SMEs:

• Examination of whether they are affected by the Data Act: Companies must examine whether they fall within the factual and personal scope of application of the Data Act or whether an exception to the obligation to create data access can be justified with reference to trade secrets and/or intellectual property rights.
• Product design requirements/information obligations: Affected companies must already observe the requirements of the Data Act when designing and creating their products. In the context of sales, additional information obligations must be fulfilled in the future with regard to the data that can be generated by the products and access to it.
• Draw up additional contractual conditions/data licence agreements: Contractual conditions must be drawn up to regulate data access, which must comply with the requirements of FRAND (Fair, Reasonable and Non-Discriminatory). In addition, the use of the generated non-personal data by the data owner (producer) itself may only take place on the basis of a data licence agreement to be concluded.
• Reviewing and asserting data access claims: The implementation of new technologies and tools to ensure data protection may be required.
• Cooperation with supervisory authorities: Closer dialogue with supervisory authorities is necessary to ensure that all requirements of the Data Act (for example, also with regard to the implementation of consumers' and entrepreneurs' right to complain) are met.