top of page

EU Data Act is Adopted by the Council of the European Union!

Kemal Kumkumoğlu

Selin Çetin Kumkumoğlu

The Council of the European Union announced the adoption of the Data Act on 27 November 2023. According to its adoption by the Council, the Data Act will enter into force 20 days following its publication in the Official Journal of the European Union (“EU” or “Union“)[1]. The EU Data Act aims to increase access to data in general and to ensure a fair environment for the use of data. It is expected to have a significant impact on many of the companies operating in the EU.

What is the Objective and Scope of the Act?

The EU Data Act sets out the conditions for the right of access to product and service data generated by connected products and related services. It also sets out the circumstances in which EU public authorities may have access to said data[2]. At the same time, the EU Data Act aims to ensure adequate protection of trade secrets and intellectual property rights and safeguards against possible abusive behavior.

To Whom Will It Apply?

EU Data Act applies to:

  • Manufacturers of connected products placed on the market in the Union and providers of related services, irrespective of the place of establishment of those manufacturers and providers;

  • Users in the Union of connected products or related services;

  • Data holders, irrespective of their place of establishment, that make data available to data recipients in the Union;

  • Data recipients in the Union to whom data are made available;

  • Public sector bodies, the Commission, the European Central Bank and Union bodies that request data holders to make data available where there is an exceptional need for those data for the performance of a specific task carried out in the public interest and to the data holders that provide those data in response to such request;

  • Providers of data processing services, irrespective of their place of establishment, providing such services to customers in the Union;

  • Participants in data spaces and vendors of applications using smart contracts and persons whose trade, business or profession involves the deployment of smart contracts for others in the context of executing an agreement.

Which Data Types Does the Act Covers?

The Act covers both personal and non-personal data such as data concerning the performance, use and environment of connected products and related services, any non-personal data held in the Union by providers of data processing services, any private sector data accessed and used on the basis of contract between enterprises.

Which Obligations and Mechanisms Are Envisaged?

A number of the obligations and mechanisms foreseen under the Act are listed below[3]:

  • Measures that allow users of connected devices to access data generated by those devices and services related to those devices

  • Mechanisms for public sector bodies to access and use data held by the private sector when enforcing a legal mandate in times of public emergencies, such as floods and wildfires, or when the required data is not readily available by other means

  • Measures to ensure protection from unilaterally applied unfair contractual terms

  • New rules giving customers the freedom to switch between various cloud data processing service providers

  • Measures to encourage the development of interoperability standards for data sharing and data processing in line with the EU Standardization Strategy

Under the Regulation, even though they are incorporated in Türkiye, manufacturers of IoT (Internet of Things) devices and providers of related services placed on the market in the Union, are required to design their products and services in accordance with the data accessibility obligations. We will continue to follow developments in this area and keep you informed on new updates.


[1] Most of the provisions of the EU Data Act will apply 20 months from the date of its entry into force. The obligation to design connected products/related services in a way that product and related service data is accessible by default will start to apply 32 months after the date of its entry into force.

[3] European Commission, Data Act: Commission welcomes political agreement on rules for a fair and innovative data economy,


Commenting has been turned off.
bottom of page