EU Data Act User Access Rights and Portability

Start with the Chapter II data categories. Product data is data generated by the use of a connected product that was designed to be retrievable through an electronic communications service, physical connection, or on-device access. Related service data is data representing user actions or events connected with the product during the related service.

The practical access package is narrower than all data a company holds. It focuses on readily available data: product data and related service data that the data holder lawfully obtains or can lawfully obtain without disproportionate effort beyond a simple operation. The package should include relevant metadata needed to interpret and use the data.

Article 3 requires connected products and related services to be designed so that product data and related service data are, by default, easily and securely accessible to the user, free of charge, in a structured, commonly used, machine-readable format, and directly accessible where relevant and technically feasible.

When the user cannot directly access the data from the product or related service, Article 4 requires the data holder to provide readily available data and necessary metadata without undue delay, at the same quality available to the data holder, free of charge, and through a simple electronic request where technically feasible.

The Data Act access workflow starts before the user asks for data. For connected products, the seller, rentor, or lessor must tell the user the type, format, and estimated volume of product data the product can generate, whether it can generate data continuously and in real time, whether data is stored on-device or on a remote server, the intended retention duration where applicable, and how the user may access, retrieve, or erase the data where relevant.

For related services, the provider must give comparable information about product data it expects to obtain and related-service data it expects to generate. The service disclosure also needs the identity and contact route for the prospective data holder, whether the data holder expects to use readily available data itself, whether third-party use is intended for purposes agreed with the user, and how the user can request or end third-party sharing.

Article 5 gives the user the right to ask the data holder to make readily available data and necessary metadata available to a third party. The transfer must be without undue delay, of the same quality available to the data holder, easy, secure, free of charge to the user, and in a comprehensive, structured, commonly used, machine-readable format. Where relevant and technically feasible, it should support continuous and real-time availability.

Third-party sharing is not limited to situations where the user lacks direct access. Commission FAQs state that a user can still request transfer to a third party even when the user already has direct access, provided there is a data holder with readily available data.

The access right is not a right to misuse data. A user may not use Article 4 data to develop a connected product that competes with the product from which the data originates, share the data with a third party for that purpose, or use the data to derive insights about the manufacturer's or data holder's economic situation, assets, or production methods.

A third party that receives data under Article 5 may process it only for the purposes and conditions agreed with the user and subject to data protection law where personal data is involved. Article 6 also prohibits specific conduct, including manipulative user interfaces, unnecessary profiling, onward sharing without the required contract and safeguards, sharing with DMA gatekeepers, competing-product development, security-harming use, and undermining agreed trade-secret measures.

The Data Act preserves trade-secret protection but makes it procedural. For user access under Article 4, and third-party transmission under Article 5, the data holder or trade-secret holder must identify protected data, including protected metadata, and agree proportionate technical and organizational measures before disclosure.

Withholding, suspension, or refusal should be exceptional and documented. If agreed measures are missing, not implemented, or confidentiality is undermined, the data holder may withhold or suspend the sharing of identified trade-secret data and must provide a substantiated written decision without undue delay. A case-by-case refusal is available only in exceptional circumstances where serious economic damage is highly likely despite the measures taken, and the competent authority must be notified.

The Data Act complements data protection law; it does not supersede it or create a new GDPR legal basis. The Commission FAQs state that the GDPR applies to all personal data processing under the Data Act and prevails in the event of conflict.

When the user is not the data subject whose personal data is requested, the data holder may make personal data available to the user or third party only where there is a valid legal basis under Article 6 GDPR and, where relevant, the conditions for special-category data and terminal-equipment access are fulfilled. Users that are not data subjects, such as enterprises requesting personal data from IoT devices, may themselves be controllers and must meet GDPR obligations.

A useful Data Act access record connects the legal trigger to the dataset, actor, channel, safeguards, and outcome. It should be specific enough to show why a user received data, why a third party was authorized, why a field was excluded, or why sharing was suspended or refused.

The record should also support future portability. If telemetry, account structure, retention, APIs, or related-service contracts change, the access package and user-facing disclosures should be reviewed against the same source rules.