EU Data Act

CLX Legal advises on the EU Data Act.

We assist businesses that need structure around data from connected products and related services, user rights, data sharing, contractual terms, switching between data-processing services, and the interaction with personal data, trade secrets, and security requirements.

Connected productsData sharing and contractsCloud switching and governance

Connected products and related services

The Data Act is cross-sectoral and, among other things, addresses data generated through the use of connected products and related services.

Roles, access, and third parties

The framework concerns users, data holders, and sharing with third parties, and sets requirements around how access to data should be requested and made available.

Contracts, cloud, and protected interests

In practice, questions often arise around contractual terms, switching between data-processing services, personal data, trade secrets, and security requirements.

Advisory scope

Questions we often help structure in Data Act matters.

Scope and in-scope data

High-level assessment of whether the matter concerns a connected product or related service, and whether it involves raw or pre-processed data that is readily available to the data holder.

Roles, responsibility, and contracts

Analysis of how the roles of user, data holder, and third party can be described in the concrete setup, and how contracts should be reviewed against the rights and limitations reflected in the framework.

Access, information, and sharing

Support on how users should be informed about the data generated, how access can be requested through a simple process, and how sharing with a third party can be structured.

Cloud services and switching

High-level advice on questions around switching between providers of data-processing services and whether contractual terms or practical dependencies need to be revisited.

GDPR and mixed datasets

Review of situations where data contains both personal and non-personal data, and where access or sharing needs to be assessed together with a valid legal basis.

Trade secrets, security, and restrictions

Assessment of when trade-secret safeguards or security requirements may become relevant, and how decisions to limit, withhold, or suspend sharing should be handled.

Approach

How we usually approach Data Act questions.

Most matters begin with a mismatch between the product, the service, the data flow, and the contracts. We therefore tend to start with the actual use case and responsibility chain before locking legal positions.

1. Mapping

We review which product or service is used, which data is generated, which roles exist, and what the commercial setup looks like.

2. Rules and risk picture

We identify which questions need closer assessment around access, contractual terms, switching between data-processing services, personal data, trade secrets, and security.

3. Action plan

You receive a clearer basis for the next step: contract review, internal governance, a data-access request, supplier dialogue, or continued legal support.

When advice often matters

Situations where legal analysis often becomes particularly valuable.

When you manufacture, supply, or use connected products or related services in the EU and need to understand what is actually within scope.

When you want to prepare contractual terms or internal processes for data access, sharing with third parties, or user-facing information.

When switching data-processing services, interoperability, or vendor lock-in has become a commercial or regulatory issue.

When personal data, trade secrets, or security requirements mean the matter cannot be handled as a pure technology or procurement question.

Common questions

Careful clarification before the work moves forward.

What data is typically within scope under the Data Act?

According to the Commission’s overview, Chapter II covers raw and pre-processed data generated through the use of a connected product or related service that is readily available to the data holder. Inferred or highly enriched data, and the content itself, typically fall outside that scope. The concrete assessment still needs to be made case by case.

Can a user have data shared with a third party?

Yes. The framework is built around the user being able to access the data and also ask the data holder to share it with a chosen third party. The exact rights position is still shaped by the roles, the contracts, and any relevant limits in the regulation.

How does the Data Act interact with GDPR and trade secrets?

The Data Act applies alongside data-protection rules. Where the requested data contains personal data and the user is not the data subject, a valid legal basis is needed. Trade-secret safeguards and security requirements may also justify protective measures or limits, which often require careful assessment.

When did the Data Act take effect, and who is the competent authority in Sweden?

The Regulation entered into force on 11 January 2024 and became applicable on 12 September 2025. In Sweden, PTS has been designated as the competent authority.

When the Data Act becomes practical

The Data Act is often a product, contract, and governance issue at the same time.

We help translate a broad EU framework into a more concrete basis for decisions for manufacturers, service providers, and business users.

Mapping whether a connected product or related service is within scope and which data flows actually matter.

Review of roles, user terms, and processes for access, sharing, and instructions to third parties.

Assessment of intersections with GDPR, trade secrets, security, and commercial risk.

Want to send a service inquiry?

Leave your email and we will get back to you shortly.

Need an initial legal work-up?

Briefly describe the product, service, or data-sharing issue that needs assessment and we will revert on the most suitable next legal step.