Skip to main content

4. Which data are in scope?

Several factors determine which data are covered by the data access rights provided for in Articles 3, 4 and 5 of the Data Act. Generally speaking, raw and pre-processed data (simply put, ‘raw but usable’ data) that are readily available to a data holder as a result of the manufacturer’s technical design are subject to mandatory data-sharing obligations that are regulated by Chapter II.

Access and use of IoT data – Chapter II of the Data Act

  • Product data: Data obtained, generated, or collected by a connected product and which relates to its performance, use or environment. Purely descriptive data that accompanies the connected product (e.g. in user manuals or on the packaging) is not product data. The only situation in which information ‘about’ the connected product is relevant is the pre-contractual transparency obligation under Article 3. See Article 2(15), Recital 15.

  • Related service data: Data representing user action, inaction and events related to the connected product during the provision of a related service. See Article 2(16), Recitals 15 and 17.

  • Readily available data: Product data and related service data that a data holder can obtain without disproportionate effort going beyond a simple operation. The definition of 'readily available data' does not include a reference to the time of their generation or collection. Only data generated/collected after the entry into application of the Data Act should be considered as falling within the scope of Chapter II. See Article 2(17), Recitals 20 and 21.

  • Level of enrichment of the data: In scope: raw data and pre-processed data, accompanied by the necessary metadata to make it understandable and usable. For example, data collected from a single sensor or a connected group of sensors for the purpose of making the collected data comprehensible for wider use-cases by determining a physical quantity or quality or a change in a physical quantity (e.g. temperature, pressure, flow rate, audio, pH value, liquid level, position, acceleration, or speed). Out of scope: highly enriched data, meaning inferred or derived data or data that result from additional investments (including by way of proprietary, complex algorithms). In addition, content that is often covered by intellectual property rights (e.g. textual, audio, or audiovisual content). See Recital 15.

  • Personal vs non-personal data: Users are entitled to access all data generated by the connected product or related service, whether personal or non-personal. However, personal data processing is governed by GDPR rules, so Recitals 25 and the user’s rights provided by the Data Act have to be exercised in compliance with the GDPR. Users that are not data subjects or data holders must have a valid legal basis under Article 6 of the GDPR for processing personal data. Question 26 examines in further detail non-personal data access, use and sharing.

  • Trace secrets: The Data Act does not modify the relevant legal protections for protection of trade secrets. The 2016 Trade Secrets Directive, for example, continues to apply. The Data Act establishes a new mechanism to protect trade secrets. This mechanism is known as the ‘trade secrets handbrake’ and is explored further in Question 20. See Articles 4(6) and 5(9), Recital 31.