Update
Date:
This article was written by
Lawyer | Certified IT law specialist
Many companies are still unaware of the EU Data Act even though it came into effect on 12 September 2025. Through the following example, we would like to draw your attention to the significant implications the Act entails, for example, regarding maintenance contracts for high-value assets:
An energy company, as owner of a wind turbine, receives a letter from a turbine manufacturer. The letter states that the EU Data Act (Regulation EU/2023/2854) makes it necessary to amend the maintenance contract to allow the manufacturer access to the turbine’s data. The manufacturer asks for an explicit right to use this data.
The provision proposed by the manufacturer reads as follows:
‘We may collect, export, and use non-personal data generated during the operation of your turbine to develop services, products, and solutions, perform analyses, provide maintenance and other services, and for other legitimate purposes. We may also share the data with third parties for these purposes.’
The letter goes on to state that the energy company would not need to take any active steps; the services and other contractual terms were to remain unchanged. The new contractual provision will automatically apply from 12 September 2025, unless the operator objects in writing within 30 days.
Our clients are currently receiving this type of letter, or similar, not only in the field of energy generation, but also relating to products in the fields of property technology (e.g. lifts or heating technology) or public transport services. In some cases, these letters are accompanied by the blatant threat that the relevant service will no longer be available within a few days if the new terms are not agreed to.
With the EU Data Act, the EU intends to leverage data from “connected products”. This term refers to products that are designed by the manufacturer in such a way that the data generated by their use is accessible, e.g. via USB connection, cable, Wi-Fi or 5G. Thus, the scope of application is broad, ranging from consumer goods (Bluetooth-capable toothbrushes or washing machines) to high-value investment goods (such as trucks, airplanes, lifts, or as in our example, wind turbines).
However, as data access is effectively controlled by the manufacturer, owners, renters, or lessees (users) have so far had little or no access to data from their device. To them, the product is a “black box”. Manufacturers typically use data to improve products or provide additional services, such as maintenance services under service contracts as in our example above. So far, some such data use had been processed “without asking” the user.
The EU saw several risks in this exclusive use of data by manufacturers, including that of “vendor lock-in”, i.e. that either (data fuelled) services (e.g. maintenance) can only be provided by the manufacturer or that device data remains unused. For this reason, the EU Data Act fundamentally revises the legal regime for data from these connected products.
The EU Data Act now puts the user of the product at the centre. Firstly, users will be able to access the data they generate through their use of the respective products, secondly, they will also be able to decide whether and to what extent manufacturers can use the data.
According to Article 4 (13) of the EU Data Act, the data holder – typically the manufacturer – may only use the data received from the product “on the basis of a contract” with the user. According to Article 4 (14), such data may only be transferred to third parties “for the performance of their contract”. This is precisely the contractual basis that the equipment manufacturer in our example wants to create by amending its contract.
In actual fact, the manufacturer in our example would not need to amend the contract in order to continue providing its maintenance services.
This is because the maintenance contract itself already provides a sufficient contractual basis. Unlike the GDPR for consent in relation to personal data (Article 4(11) and Article 7 GDPR), the EU Data Act does not formulate any specific requirements to the contract but instead refers to a contractual “basis” or “for the performance of the contract”. This means that data received, for example, by a technician for the purpose of performing maintenance or by the manufacturer's software for error monitoring, can continue to be used after 12 September 2025 for that purpose without the need for a formal contract.
The scope of data use must be transparent for the user, as Recital 25 of the EU Data Act clarifies and the manufacturer is subject to a purpose limitation, yet it is not as strict as in data protection law.
With its intended contract amendment, the wind turbine manufacturer wants to make the data generated in the product available for its own continued use and for possible transfer to third parties, beyond the scope of the maintenance contract. The wording chosen is extremely broad, referring to the development of services, products and solutions, analyses, other services, or other legitimate purposes. The same applies to the possibilities of disclosure to third parties.
The concept of contractual freedom generally applies to data use agreements. However, the EU Data Act also introduces new mandatory contractual restrictions, including in the B2B sector. According to Article 7 (2) of the EU Data Act, provisions that deprive the user of their rights under the EU Data Act or deviate from it are not binding. Article 13 of the EU Data Act even contains a provision on unfair contract terms, not unlike some member states’ (e.g. Germany) laws on general terms and conditions.
Whether the clause in our above example is actually valid is doubtful, at least with regard to broad wording such as “for other lawful purposes” or “disclosure to” – unspecified – “third parties”, as this is not transparent in terms of the intended use or the recipients. In order to ensure that specific uses and transfers to third parties are legally permissible, the plant manufacturer should be more specific in the light of Article 7 (2).
The method chosen by the manufacturer for the modification of the contract is also questionable. The plant manufacturer wants the change to apply automatically unless the owner objects to the change within a set period. This form of unilateral contract amendment is not without its problems. It presupposes that the plant manufacturer has reserved the right to make such a contract amendment in the original maintenance contract as, normally, silence has no effect in contract law. And even if there is such a provision in the maintenance contract, it is often invalid under German law governing general terms and conditions.
Even short deadlines of only a few days with the threat of termination of services are ineffective as untimely terminations. Article 4 (4) of the EU Data Act explicitly protects the right of the user to free choice and autonomy.
The user has a strong position under the EU Data Act. From 12 September 2025, they will be able to request access to “readily available” data. This is the data generated in the product and transmitted to the data owner (i.e. the turbine manufacturer in our example). This right pertains to raw data such as status messages, measured values or interactions with the plant, as transmitted to the plant manufacturer.
It is this data that must be made available to the user free of charge. It must be provided easily, securely, in a comprehensive, common, and machine-readable format, in the same quality as for the data holder and, where relevant and technically feasible, continuously and in real time. Data Access must be provided together with the metadata necessary for interpretation and use of data.
The communication from the turbine manufacturer in our example does not even address this important aspect.
Users (i.e. the energy company in our example) can use the data independently in a variety of ways, for example to optimise turbine utilisation, obtain alternative maintenance services or improve the financing or insurability of the equipment based on a better technical and economic assessment.
In principle, the turbine manufacturer in our example is doing the right thing by seeking to obtain a new contractual basis for the use of machine data beyond the performance of the maintenance agreement. Manufacturers should urgently consider what data they need from the equipment, for what purposes and whether a contractual basis is necessary.
However, as stated above there are considerable doubts about the turbine manufacturers specific approach, both due to the provisions of the Data Act and due to local member state law.
Once the member states have implementing acts in place, the manufacturer may even face fines for violating Data Act obligations. Where products generate personal data, the data protection authorities will already be competent from 12 September 2025 and may impose GDPR-like fines if necessary (see the announcement by the HamBfDI on 9 September 2025 [in German]).
For the user (in our case the energy company), the attempt by the turbine manufacturer is a good call to action to investigate the opportunities offered by the Data Act. The best response for a user to such a request for contract amendment is to first object to the adjustment demanded by the manufacturer and to make it clear that data use for the purpose of agreed maintenance will continue to be permitted in the future. However, the user should also, in their own interest, consider the need for the manufacturer to use data e.g. for product optimisation.
In addition, the user should ask the manufacturer how the data access granted by the Data Act will be implemented from 12 September 2025 onwards.
Both sides must also address issues such as the protection of their trade secrets and the protection of personal data.
In short, there is a lot to do...