On 3 February 2025, the EU Commission published the latest version of Frequently Asked Questions (FAQ) on the Data Act (Regulation (EU) 2023/2854).
Although the FAQ is not legally binding, it serves as a practical guide to assist stakeholders in implementing the rights and obligations established under the Data Act. It also clarifies the scope of the Data Act in relation to applicable data and stakeholders, and how the regulation interacts with other legislation such as the GDPR.
Below we have outlined some of the clarifications provided by the FAQ. Click here to read it in its entirety.
Scope
At a general level, the Data Act applies to both personal and non-personal data. However, the Data Act distinguishes between different types of data, some of which is considered out of scope. As explained in the FAQ, descriptive data, such as that found in user manuals, is relevant only in the context of pre-contractual transparency obligations. In contrast, data that is generated by a connected product or a related service – including data on user action (and inaction), pre-processed data and to a certain extent metadata – is covered by the Data Act. Furthermore, in-scope data that is further processed (e.g. inferred, enriched or modified) as well as content (e.g. text, audio or video) that is often covered by intellectual property rights may fall outside the application of the Data Act.
The FAQ helps to clarify the relevant stakeholders pursuant to the Data Act (namely users, data holders and third parties). For example, data holders are determined by who controls access to the in-scope data which may not necessarily be the original manufacturer of a connected product. Thus, a data holder could be an outsourced entity or a related service provider, even if they are established outside the EU.
In-scope products and services (i.e. ‘connected products’ and ‘related services’) are also further clarified. Of note, the FAQ lists several elements that can help determine whether a service falls within scope of the Data Act, including user expectation, marketing, contractual negotiations, replicability of the service and whether the service is pre-installed on the connected product.
Data sharing
The Data Act allows data holders to limit their data sharing obligations on several grounds, including that the shared data is used to develop a competing connected product. The FAQ clarifies, amongst other things, that this right does not extend to data holders of related service providers. A non-compete clause introduced for a connected product does not apply to a related service. Additionally, data holders are not obligated pursuant to the Data Act to share data with third parties established outside the EU at the request of a user.
As for Business-to-Government data sharing, relevant factors to identify mitigation or recovery from a public emergency are likely to be laid down in national law, and such access should be limited to an exceptional need (i.e. a public sector body has been unable to obtain non-personal data in other ways). The FAQ also clarifies that pursuant to the Data Act, a public body in one Member State can request data from a data holder in a different Member State as such right is important in cases of cross-border emergencies (e.g. natural disasters).
Interaction between GDPR and the Data Act
The FAQ clarifies that GDPR applies to the processing of personal data within the framework of the Data Act, where Articles 4 and 5 of the Data Act (data sharing obligations) complements Articles 15 and 20 GDPR (data access and portability rights). The Data Act establishes horizontal data access rules that apply across sectors, allowing these rules to be supplemented by sector-specific legislation, provided that such additional measures remain consistent with the core principles of the Data Act.
Standard contractual clauses and guidelines
The FAQ states that standard contractual clauses for data sharing and cloud contracts are expected to be developed by 12 September 2025, with guidelines on reasonable compensation for sharing data to follow once the Data Act comes into effect.
