BI, Guide
EUROPEAN DATA ACT COMPLIANCE CHECKLIST: 10 KEY STEPS
WHAT IS THE DATA ACT?
The Data Act is a comprehensive regulatory framework established by the European Union to govern the sharing, access, and use of data, both personal and non-personal, within the digital economy. It aims to facilitate data-sharing among businesses, public sector bodies, and research organizations while ensuring fairness, transparency, and compliance with data protection regulations such as the GDPR. The Data Act introduces rules and guidelines for business-to-business data-sharing, interoperability, enforcement mechanisms, and protection against unlawful access by third-country governments.
WHEN WILL THE DATA ACT COME INTO EFFECT?
The Data Act is set to become applicable on 12 September 2025. This date marks the beginning of the enforcement and implementation of the regulatory provisions outlined in the Data Act. From this point onwards, businesses, public sector bodies, and other relevant stakeholders must ensure their data-sharing practices, contractual agreements, and operational procedures align with the requirements and obligations specified in the Data Act to maintain compliance.
WHO DOES THE DATA ACT APPLY TO?
The Data Act applies to data originating from a connected product or a related service. It obliges data holders to provide data to users and data recipients. Therefore, a wide range of stakeholders will be involved in data-sharing activities within the European Union. This includes businesses of all sizes, public sector bodies, research organizations, data processing service providers, and other entities engaged in generating, collecting, processing, or accessing data. Data holders, which comprise entities responsible for generating, collecting, or possessing data within their operational purview, have the responsibility of upholding compliance with the Data Act’s directives concerning data-sharing, access, and safeguarding. The regulatory obligations outlined in the Data Act are designed to promote fair, reasonable, and non-discriminatory data-sharing practices while safeguarding privacy, intellectual property rights, and national security interests.
WHERE TO FIND MORE INFORMATION?
Read more about the European Data Act in our Blog Article and register for the Free Webinar to learn how to implement compliant data platforms.
EUROPEAN DATA ACT COMPLIANCE CHECKLIST: 10 KEY STEPS © SCALEFREE INTERNATIONAL GMBH 2024
2/13
1.
DEFINE YOUR ROLE
Clarify your position as a data holder within the framework of the Data Act, understanding your rights and responsibilities.
Clearly delineate your position as a data holder within the framework of the Data Act to understand your rights and responsibilities comprehensively. Identify and document your role as the entity responsible for collecting, processing, and storing data generated from connected products or related services. This entails comprehensive obligations to make product data and related service data accessible to the user, together with security measures, and compliance with interoperability standards. In particular, connected products must be designed and manufactured, and related services shall be designed and provided in a manner that data is directly accessible to the user. By default, such access must be easy, secure, free of charge, and the data must be in a comprehensive, structured, commonly used and machine-readable format. Therefore, data holders should already begin to design or update their connected products and related services to make them ready for compliance with the Data Act. Understanding your role and the requirements of the Data Act will not only ensure adherence to regulatory requirements but also facilitate effective communication with stakeholders, including users, data recipients, and regulatory authorities.
EUROPEAN DATA ACT COMPLIANCE CHECKLIST: 10 KEY STEPS © SCALEFREE INTERNATIONAL GMBH 2024
3/13
2.
UNDERSTAND YOUR DATA
Clearly comprehend the types of data generated, collected, and processed by your connected products or related services.
Gain a comprehensive understanding of the types of data generated, collected, and processed by your connected products or related services. Conduct a thorough inventory of the data produced or accessed by your products and services, including both raw and pre-processed data. Categorize the data according to its nature, such as personal or non-personal, and its relevance to the Data Act requirements. This includes all raw and pre-processed data generated from the use of a connected product or a related service that is readily available to the data holder, and making the data accessible to the user and/or data recipients.
Furthermore, identify any sensitive or proprietary data elements and implement appropriate safeguards to protect them from unauthorized access or disclosure.
EUROPEAN DATA ACT COMPLIANCE CHECKLIST: 10 KEY STEPS © SCALEFREE INTERNATIONAL GMBH 2024
4/13
3.
REVIEW EXISTING CONTRACTS
Evaluate and amend or update contracts with users to ensure that - if you are a data holder - you have the right to still use readily available data. Define clear terms regarding data access, use, and sharing, in compliance with the Data Act’s fairness principles.
The Data Act prohibits data holders to use readily available (non-personal) data without the user’s permission in a contract. You should therefore conduct a comprehensive review of all contracts with users to ensure that - if you are a data holder - you have the right to use readily available data. Evaluate existing agreements to ascertain whether they adequately define clear terms regarding data access, use, and sharing, in accordance with the fairness principles mandated by the Data Act. Verify that contracts explicitly specify the rights and obligations of both parties regarding the use of data generated, collected, or processed through connected products or related services. Ensure that users are granted appropriate access to the data they generate, while also verifying that you in the role of a data holder may use the data for your own purposes. Further, establish safeguards to protect proprietary information, i.e., trade secrets. Assess whether contractual provisions pertaining to data-sharing adhere to the non- discriminatory requirements outlined in the Data Act. Verify that users are not subjected to unfair contractual terms that may impede their ability to access or utilize the data effectively. Where necessary, amend existing contracts to align them with the provisions of the Data Act, ensuring transparency, fairness, and legal compliance. Seek legal counsel or regulatory guidance to address any ambiguities or discrepancies in contractual language and facilitate a smooth transition to Data Act compliance.
EUROPEAN DATA ACT COMPLIANCE CHECKLIST: 10 KEY STEPS © SCALEFREE INTERNATIONAL GMBH 2024
5/13
ELIMINATE UNFAIR CONTRACTUAL TERMS
4.
Scrutinize contracts for any unilateral terms that may unfairly restrict data-sharing, removing or renegotiating them to uphold fairness.
Conduct a thorough examination of all contracts to identify any unilateral terms that could potentially impede fair and equitable data-sharing practices, as mandated by the Data Act. Scrutinize contractual provisions that may disproportionately favor one party over another, particularly with regard to data access, use, and sharing. Identify and assess any clauses that impose non-negotiable terms, commonly known as “take-it-or-leave-it” clauses, which may hinder the ability of users to access or utilize the data generated through connected products or related services. Evaluate the fairness of contractual terms in light of the Data Act’s principles of transparency, reasonableness, and non-discrimination. Take proactive steps to eliminate or renegotiate unfair contractual terms to ensure compliance with the Data Act and promote a level playing field for all parties involved. Consider revising contractual language to establish mutual agreement on data access and usage rights, fostering a collaborative and equitable data-sharing environment.
EUROPEAN DATA ACT COMPLIANCE CHECKLIST: 10 KEY STEPS © SCALEFREE INTERNATIONAL GMBH 2024
6/13
PREPARE FOR ACCESS REQUESTS FROM PUBLIC SECTOR BODIES
5.
Anticipate and prepare for requests from public sector bodies for data-sharing, ensuring they align with legal obligations while safeguarding trade secrets and security requirements.
Proactively anticipate and prepare for potential requests from public sector bodies seeking access to data under the provisions of the Data Act. Familiarize yourself with the legal obligations outlined in the Data Act pertaining to data-sharing with public entities, ensuring compliance while safeguarding sensitive information such as trade secrets and security requirements. Establish clear protocols and procedures within your organization to handle access requests from public sector bodies in a timely and efficient manner. Designate responsible personnel or teams tasked with evaluating and processing such requests, ensuring adherence to legal requirements and procedural guidelines outlined in the Data Act. Collaborate closely with legal advisors or compliance experts to ensure that access requests are handled in accordance with the Data Act and other relevant regulatory frameworks. Conduct regular training sessions for employees involved in processing access requests to enhance awareness of legal obligations and best practices for data- sharing with public sector entities. Maintain accurate records of all access requests, including details of the requesting entity, the purpose of the request, and any measures taken to safeguard sensitive information. Monitor and review access request procedures periodically to identify areas for improvement and ensure ongoing compliance with evolving regulatory requirements.
EUROPEAN DATA ACT COMPLIANCE CHECKLIST: 10 KEY STEPS © SCALEFREE INTERNATIONAL GMBH 2024
7/13
6.
SAFEGUARD INTELLECTUAL PROPERTY
Implement measures to protect intellectual property rights and trade secrets during data-sharing, including confidentiality agreements with data recipients.
Prioritize the protection of intellectual property rights and trade secrets when engaging in data-sharing activities under the provisions of the Data Act. Implement robust measures to safeguard sensitive information and proprietary data assets, ensuring compliance with legal requirements and best practices for intellectual property protection. Develop comprehensive policies and procedures for safeguarding intellectual property rights and trade secrets during data-sharing activities. Clearly define the scope and nature of proprietary information that is subject to protection, including data generated, collected, or processed by connected products or related services covered by the Data Act. Identify the data protected as a trade secret, including relevant metadata, and agree with the user on appropriate technical and organizational measures necessary to maintain the confidentiality of the shared data. Establish model contractual terms, confidentiality agreements, and codes of conduct, and implement strict access protocols and technical standards to protect trade secrets. Require recipients of shared data to enter into confidentiality agreements or non- disclosure agreements that outline their obligations to protect intellectual property rights and maintain the confidentiality of proprietary information. Ensure that these agreements are legally enforceable and include provisions for remedies in the event of unauthorized disclosure or misuse of protected data. Collaborate with legal advisors or intellectual property experts to ensure that data- sharing agreements and confidentiality agreements comply with the provisions of the Data Act and other relevant legal frameworks. Seek legal counsel to assess the adequacy of intellectual property protections and mitigate potential risks associated with data- sharing activities. Educate employees and stakeholders on the importance of safeguarding intellectual property rights and trade secrets during data-sharing activities. Provide training and awareness programs to raise awareness of legal obligations, confidentiality requirements, and best practices for protecting proprietary information.
EUROPEAN DATA ACT COMPLIANCE CHECKLIST: 10 KEY STEPS © SCALEFREE INTERNATIONAL GMBH 2024
8/13
7.
ENSURE INTEROPERABILITY
Comply with essential requirements for interoperability, facilitating seamless data exchange within and between Common European Data Spaces and data processing services.
Adhere to essential requirements for interoperability outlined in the Data Act, facilitating seamless data exchange within and between Common European Data Spaces (CEDS) and data processing services. By ensuring interoperability, you enable efficient collaboration, innovation, and value creation across diverse data ecosystems while complying with regulatory mandates. Understand and comply with essential requirements specified in the Data Act for interoperability within and between CEDS. Familiarize yourself with standards, protocols, and technical specifications endorsed by the European Commission to promote interoperability and data exchange. Assess and enhance the interoperability of your data processing services, infrastructure, and systems to enable seamless integration and data exchange with other participants within CEDS and across different data spaces. Implement open standards, common data formats, and compatible interfaces to facilitate interoperability and data portability. Collaborate with industry stakeholders, standards bodies, and European standardization organizations to develop and adopt harmonized standards and interoperability specifications that align with the requirements of the Data Act. Engage in discussions and contribute to the development of interoperability frameworks and guidelines to promote cross-sectoral data exchange and integration. Regularly monitor and evaluate the effectiveness of interoperability measures implemented within your organization, seeking feedback from users, partners, and regulatory authorities. Continuously refine and improve interoperability solutions to address evolving business needs, technological advancements, and regulatory changes. Engage with the European Data Innovation Board (EDIB) and participate in initiatives aimed at promoting interoperability, sharing best practices, and addressing interoperability challenges across different sectors and domains. Leverage insights and recommendations from the EDIB to inform your interoperability strategy and implementation efforts.
EUROPEAN DATA ACT COMPLIANCE CHECKLIST: 10 KEY STEPS © SCALEFREE INTERNATIONAL GMBH 2024
9/13
COMPLY WITH DATA PROTECTION LAWS
8.
Ensure adherence to GDPR principles when providing access to personal data under the Data Act.
Prioritize compliance with the General Data Protection Regulation (GDPR) principles when processing personal data within the framework of the Data Act. Upholding GDPR standards is paramount to safeguarding individual privacy rights and fostering trust in data-sharing practices. Understand and adhere to the core principles of the GDPR, including lawfulness, fairness, and transparency in processing personal data. Ensure that all data processing activities, including sharing, are based on valid legal bases recognized by the GDPR, such as consent, contract necessity, legal obligation, vital interests, public task, or legitimate interests. Prioritize transparency by providing clear and accessible information to data subjects about the purposes, recipients, and legal bases for data-sharing, as required by the GDPR. Implement robust data protection measures, including pseudonymization, encryption, access controls, and data minimization techniques, to mitigate risks and protect the confidentiality, integrity, and availability of personal data shared under the Data Act. Adhere to GDPR requirements for data security and privacy by design and by default. Establish procedures and mechanisms to handle data subjects’ rights, such as the right to access, rectification, erasure, restriction of processing, data portability, and objection. Respond promptly and effectively to data subjects’ requests and inquiries, ensuring compliance with GDPR requirements for data subject rights. Regularly review and update data protection policies, procedures, and practices to reflect changes in regulatory requirements, business operations, and technological advancements. Conduct periodic data protection impact assessments (DPIAs) to evaluate and mitigate privacy risks associated with data-sharing activities. Promote a culture of data protection awareness and accountability among employees, contractors, and stakeholders involved in data-sharing processes. Provide training and guidance on GDPR compliance, privacy best practices, and ethical data handling to ensure responsible, lawful data-sharing practices.
EUROPEAN DATA ACT COMPLIANCE CHECKLIST: 10 KEY STEPS © SCALEFREE INTERNATIONAL GMBH 2024
10/13
PREPARE FOR ENFORCEMENT AND DISPUTE RESOLUTION
9.
Familiarize yourself with competent authorities and dispute settlement mechanisms for addressing Data Act-related issues and disputes promptly.
Identify the competent authorities designated by Member States responsible for enforcing the provisions of the Data Act within their jurisdictions. Understand their roles, responsibilities, and procedures for handling complaints, conducting investigations, and imposing penalties for non-compliance with Data Act requirements. If your business operates across multiple Member States, designate a data coordinator or liaison to serve as a central point of contact for engaging with competent authorities and coordinating Data Act-related activities. The data coordinator can facilitate communication, collaboration, and compliance efforts across different jurisdictions, streamlining the resolution of issues and disputes. Stay informed about certified dispute settlement bodies and their rules of procedure established by Member States to assist parties in resolving disputes related to fair, reasonable, and non-discriminatory terms for data-sharing. Explore the availability of alternative dispute resolution mechanisms, such as mediation or arbitration, to resolve conflicts efficiently and amicably. Establish internal procedures and protocols for handling Data Act-related complaints, inquiries, and disputes from users, customers, or regulatory authorities. Designate responsible personnel or teams tasked with addressing compliance issues, investigating complaints, and implementing corrective actions as necessary. Maintain detailed records of data-sharing agreements, transactions, and communications to support compliance efforts and facilitate dispute resolution processes. Document any changes, modifications, or amendments to contracts or terms of service to ensure transparency and accountability. Proactively monitor regulatory developments, updates, and guidance issued by competent authorities or industry bodies regarding Data Act compliance, enforcement, and dispute resolution. Stay abreast of best practices, case law, and precedents to inform your approach to compliance and risk management.
EUROPEAN DATA ACT COMPLIANCE CHECKLIST: 10 KEY STEPS © SCALEFREE INTERNATIONAL GMBH 2024
11/13
10.
STAY UPDATED AND ADAPT
Remain informed about developments, recommendations, and model contractual terms issued by the European Commission, adapting your practices to maintain compliance with the evolving Data Act regulations.
Regularly review official communications, guidelines, and publications issued by the European Commission related to the interpretation, implementation, and enforcement of the Data Act. Pay particular attention to updates on model contractual terms, standard clauses, or best practices designed to facilitate fair, reasonable, and non-discriminatory data-sharing. Participate in industry forums, workshops, or conferences convened by the European Commission, industry associations, or regulatory bodies to exchange insights, share experiences, and discuss emerging trends or challenges in Data Act compliance. Engage with peers, experts, and stakeholders to gain valuable perspectives and inform your approach to regulatory compliance. Establish internal mechanisms for disseminating and integrating relevant regulatory updates and guidance into your organizational policies, procedures, and practices. Designate responsible personnel or teams tasked with monitoring regulatory changes, conducting impact assessments, and implementing necessary adjustments to ensure ongoing compliance with Data Act requirements. Regularly assess the alignment of your data-sharing practices, contractual agreements, and operational processes with the latest Data Act provisions and recommendations. Conduct periodic reviews of existing contracts, terms of service, and data-sharing arrangements to identify areas for improvement, optimization, or revision in light of regulatory developments. Proactively engage with legal counsel, compliance officers, or regulatory advisors to seek guidance, clarification, or interpretation on complex Data Act requirements or compliance challenges. Leverage external expertise and resources to navigate regulatory uncertainties, mitigate risks, and enhance your compliance posture effectively. Maintain open communication channels with relevant stakeholders, including users, customers, partners, and regulatory authorities, to exchange information, address concerns, and foster collaborative approaches to Data Act compliance. Demonstrate a commitment to transparency, accountability, and ethical data stewardship in all your data-sharing activities.
EUROPEAN DATA ACT COMPLIANCE CHECKLIST: 10 KEY STEPS © SCALEFREE INTERNATIONAL GMBH 2024
12/13
Scalefree International GmbH Schützenallee 3 30519 Hannover Germany
P: +49 (511) 879 893 41 M:+49 (175) 811 0336 F: +49 (511) 879 893 49
info@scalefree.com www.scalefree.com
CEOs: Michael Olschimke & Christof Wenzeritt
Page 1 Page 2 Page 3 Page 4 Page 5 Page 6 Page 7 Page 8 Page 9 Page 10 Page 11 Page 12 Page 13Powered by FlippingBook