Iwona Aleksandrowicz-Strus for Dziennik Gazeta Prawna: “The Data Act changes the rules of the game in digital business and enforces a new approach to data”

Who must comply with the Data Act

The Data Act is directly applicable, with no need for transposition into national law. It covers IoT device manufacturers, sellers, intermediaries, and providers of digital services (SaaS, PaaS, IaaS). Micro and small enterprises benefit from certain exemptions – though mainly hardware manufacturers – while digital service providers must comply with all obligations regardless of size.

Data Act vs GDPR – two different worlds

Importantly, the Data Act does not replace the GDPR but operates alongside it. While the GDPR focuses on personal data protection, the Data Act regulates access to all types of data – both personal and non-personal – to foster innovation and competition. Businesses must therefore implement both regimes in parallel.

When access to data can be denied

Manufacturers may refuse access to data in strictly defined situations – for instance, where trade secrets are at risk, user safety is threatened, or legal obligations require such refusal. Digital service providers, however, enjoy far less discretion, as the regulation’s objective is to counteract vendor lock-in.

A chance for new business models

The Data Act also creates opportunities – unlocking access to data previously “closed” within the ecosystems of large companies and removing barriers to data portability between providers. This requires courage and readiness to operate in an open and transparent business model. Companies ignoring these changes may soon face significant competitive disadvantages.

Who exactly must comply with the Data Act and what exemptions exist? Does GDPR compliance suffice to meet Data Act requirements? When can a manufacturer deny access to data, and do digital service providers enjoy similar rights?

Iwona Aleksandrowicz-Strus addresses these and many other questions in her article published in Dziennik Gazeta Prawna.