The European Data Act came into force on September 12, 2025

On September 12, 2025, the new Data Act on data access and sharing came into force. From this date, Member States must fully apply all obligations arising from the Regulation. The regulation is supplemented by other EU legal acts, in particular the Data Governance Act, which deals with voluntary data sharing regimes, and, of course, the GDPR, which regulates the protection of personal data.  

"Finding the line between personal and non-personal data will also be a big issue. In practice, we often work with combined data sets, and it is not easy to distinguish what still falls under the GDPR and what does not. Another challenge is the protection of trade secrets and intellectual property. On the one hand, legislation promotes openness and sharing, but on the other hand, we must protect innovation and companies' know-how. The area of sanctions also causes uncertainty—because they are set by individual member states, they may differ not only in the amount of fines but also in their interpretation. That is why it is important to monitor how exactly the Data Act will be reflected in Czech law. Finally, we must not forget the international implications – the Data Act will also affect companies outside the EU that operate in the European market, and they too must expect checks and possible sanctions." 

The Data Act is an important step towards making the EU not only an economic area of open data, but also a place where data sharing is regulated fairly, with regard to the protection of rights, innovation, and competition. For companies, this is both a challenge and an opportunity – those who manage the changes in time can gain a competitive advantage. Consumers should gain more rights, greater control, and a wider range of services. 
 

Let's take a closer look at the issue: 

WHAT ARE THE KEY ELEMENTS OF THE DATA ACT? 
  • Right to access data - Users of devices or services (e.g., smart appliances or industrial sensors) have the right to obtain the data generated by these devices. If the data is not available in real time, the manufacturer must provide it without undue delay and free of charge. 
  • Option to share data with third parties - Users can provide their data to other companies, such as independent service providers. This opens up opportunities for more services and fairer competition. 
  • Protection of small businesses - The smallest companies (micro and small enterprises) are exempt from the obligations so that the new costs do not jeopardize them. 
  • Compensation for data access - If data is used by a third party, its holder may receive fair and reasonable compensation. The rules are designed to prevent discrimination or abuse. 
  • Fair contract terms - The Data Act protects small and medium-sized enterprises from unfair contracts imposed on them by stronger partners. In addition, the EU is preparing model contract clauses. 
  • Sharing data with public institutions - In exceptional situations (e.g., natural disasters, pandemics), companies will be required to provide the necessary data to government authorities quickly and free of charge. 
  • Easier transition between cloud providers - Customers will be able to switch to another cloud service provider easily and without penalty, which should reduce vendor lock-in. 
  • Protection against unauthorized access from abroad - Strict rules are intended to prevent non-personal data stored in the EU from being disclosed to governments outside the EU in violation of European law. 
  • Revision of database rights - Databases created from data generated by IoT devices will not be protected by special sui generis rights - so that data can be better utilized. 
  • Balancing intellectual property and trade secrets - The Data Act does not change the rules on intellectual property or trade secret protection, but clearly states that the obligation to share data must not infringe these rights. 

WHAT PENALTIES CAN COMPANIES EXPECT IF THEY FAIL TO FULFILL THEIR OBLIGATIONS? 

Member States shall lay down their own rules on penalties. These must be effective, proportionate, and dissuasive. 

When imposing penalties, factors such as the following shall be taken into account: 

  • the nature, gravity, extent, and duration of the infringement 
  • the measures taken by the offender to mitigate or remedy the damage 
  • previous infringements 
  • financial benefits derived from the infringement or cost savings 
  • other mitigating or aggravating circumstances 
  • the offender's turnover for the previous financial year within the Union 

Each EU Member State must determine by September 12, 2025, what penalties will be applied for violations of the regulation in its country. 


WHAT IS THE CURRENT SITUATION REGARDING SANCTIONS RULES IN THE CZECH REPUBLIC? 
  • The Ministry of Industry and Trade states on its website that it is preparing to implement the Data Act 
  • The Office for Personal Data Protection (ÚOOÚ) should be involved in supervising compliance with the rules, especially in cases involving personal data 

WHAT HAS NOT YET BEEN SPECIFIED? 
  • No specific Czech law has yet been publicly announced that would define the exact facts of offenses under the Data Act or the amount of fines that would apply within the Czech Republic. 
  • No proposals have yet been published on how much the penalties in the Czech Republic could be for various types of violations, nor whether they will be defined as in the GDPR (e.g., a percentage of turnover), set at a fixed amount, or a combination of both. 
  • It is also unclear which Czech courts/authorities or inspection institutions will exercise supervision in specific areas, unless the matter concerns personal data. 

HOW DOES THE NEW REGULATION AFFECT ORGANIZATIONS AND CONSUMERS? 

Organizations should focus on the following areas: 

  • Contract review: Contracts for the sale, lease, or provision of IoT/connected products must clearly define who has access to what data, in what format, whether sharing with third parties is possible, and under what conditions. 
  • Technical readiness: It must be possible to extract (export) data, ensure interoperability, protect data and trade secrets, and ensure that products/services have interfaces (APIs) or other mechanisms that enable data access 
  • Security & protection (trade secrets, IP): When data is managed in connection with IoT and related services, it often contains information that is sensitive (for IP, know-how). Companies will need to prepare measures that protect trade secrets, but at the same time do not hinder the fulfillment of legal obligations 
  • Strategy for public requests: Be prepared to respond if public authorities request data in emergency situations or situations of public interest – including a process for determining whether the request is legitimate, in writing, with protection of rights (anonymization, minimization), etc. 
  • GDPR compliance: Personal data continues to fall under the GDPR – so if the Data Act requires access or sharing, organizations must also ensure that GDPR requirements are met (e.g., legal basis for processing, purpose, information to data subjects, etc.). 

"The Data Act imposes a whole range of new obligations on companies, for which they must be well prepared. Technically, it will be a complex process—data export and sharing, interoperability, APIs, and various formats will require investment in systems." 


CONSUMERS WILL BENEFIT FROM THE NEW LEGISLATION IN THE FOLLOWING WAYS: 
  • Greater control over your own data: If you have an Internet of Things (IoT) device, you will have rights to the data that the device generates—you can view it and share it with third parties of your choice. 
  • New service options: Repair shops, aftermarket service, analytical applications, or data-based services – consumers can benefit from a wider range of offers and competition 
  • More transparency: Terms and conditions will be clearer, contracts must state what you will receive, how and when you can switch to another service provider, what rights you have – fewer surprises 
  • Protection against unfair practices: E.g., when a stronger party (manufacturer, large company) imposes unilateral contractual terms that are disadvantageous to consumers – the Data Act establishes a framework for testing whether a contractual term is "unfair" and, if so, it may be invalid 

 

"The full impact of the Data Act will mainly be felt in new products and services launched on the market from 2026 onwards. Only then will we see how fundamentally it will affect the practices of manufacturers and service providers. The relationship with the US Cloud Act, which requires US companies to hand over data to government agencies even outside the US, remains a big unknown. It is unclear how the two pieces of legislation will be harmonized and whether there will be any legal conflicts."