13a. How does anonymisation or severing the link between stored data and its connected product impact compliance with the Data Act?

The Data Act ensures reasonable, clear and predictable access to data for both users and data holders. While data holders are not required to store data indefinitely (Recital 24), they may be legally required to retain certain data (e.g. for regulatory oversight or product safety). In such cases, PETs can mitigate certain risks, including those related to personal data protection or protection of trade secrets. However, applying PETs should not be used to circumvent data sharing obligations (see Question 13). Applying anonymisation, encryption, or storage techniques does not automatically exempt data holders from their data sharing obligations. This means, firstly, that in situations where data are being transferred from the device to the data holder’s backend server, users and third parties of their choice should be given a reasonable chance (see Question 5a, Recital 24) to obtain a copy of the data generated by a connected product before data are anonymised or encrypted.

Secondly, wherever there are reasonable means to relink data to a specific user or connected product without substantial system changes or costs, the data remain ‘readily available’ to be requested under Articles 4 and 5.