Article | 22 May 2025

Five steps to ensure Data Act compliance for IoT products and services within the MedTech sector


In December 2023, the new regulation on harmonized rules on fair access to and use of data (2023/2854; the “Data Act”) was published in the Official Journal of the European Union, with most of the new requirements becoming applicable later this summer, on 12 September 2025. The new regulation aims to foster a competitive data market by making data, especially industrial data, more accessible. It will have an impact on many businesses, not least those within the MedTech sector.

The Data Act imposes design and manufacturing obligations on IoT products and services to ensure users have access by default to relevant data. It specifies when, how and on what terms data must be shared with users and other businesses. Additionally, it includes transparency requirements by mandating the pre-contractual provision of information to users about the data generated by connected products or related services.

Five essential steps to consider as part of your Data Act compliance project are described below.

Step 1 – Conduct a product and service inventory

Evaluate your business to identify which of your products and services could be classified as connected products and related services, thereby falling within the scope of the Data Act. For a product to be considered a connected product, it must be capable of obtaining, generating or collecting data concerning its use or environment and it must be able to communicate such data via, for example, the Internet or a cable. Examples of such products include a smart insulin pump or an asthma inhaler that collects data about its usage and can transmit this data over the Internet.

It is important to note that for a service, such as a mobile application, to be classified as a related service under the Data Act, it must have functions that have an impact on the operation of a connected product. For example, an application that merely displays statistics and an overview of the product’s functioning, such as battery status, without controlling the product’s operation, would not be classified as a related service under the Data Act.

Step 2 – Start mapping and categorising the data

Not all data needs to be shared. To determine which data falls under the requirements for sharing, a data holder should map and classify the data generated by, or in connection with, a connected product and a related service. In the case of connected products, data sharing requirements apply to product data generated through the use of the product and designed by the manufacturer to be retrievable. Data that is not retrievable, such as data immediately deleted upon creation for product functionality, typically does not need to be shared. In the example of a smart insulin pump, the historical records of insulin dosages administered by the user, including the specific time and date of each dose, could be classified as product data subject to data sharing requirements.

Additionally, the level of data refinement affects sharing requirements. Only raw or source data and pre-processed data (i.e., data processed to make it usable or understandable) must be shared. “Inferred or derived data” (e.g. data refined through advanced processing or analytics) is generally exempt from sharing.

Step 3 – Prepare for sharing

It is advisable to begin evaluating the various options for enabling access to data based on the preferred setup for a specific product, and to document all considerations so that the reasoning can be demonstrated to a supervisory authority. The data holder should then establish routines and policies for managing data access requests from both users and third parties. A connected product or related service should ideally be designed to allow direct access to product and service data, including metadata. If direct access is not feasible, the data holder must provide ‘readily available data’ upon the user’s request. ‘Readily available data’ refers to data that the data holder can lawfully obtain without excessive effort.

While direct accessibility is preferred by the legislator, it is not mandatory. Manufacturers or service providers can decide, on the basis of technical feasibility, costs, protection of trade secrets or intellectual property, and security maintenance, whether their products or services should be designed with access by default. If direct access is not possible, indirect access must be provided by making data available upon request. In the case of indirect access, the Data Act requires simplicity for the user. Wherever possible, requests should be enabled electronically, and data should be shared without undue delay and free of charge. Although the Data Act does not specify a timeline, the one-month limit stipulated in the GDPR might generally be used as a rule of thumb.

Step 4 – Transparency measures

The Data Act mandates the provision of pre-contractual information regarding data usage for connected products and related services. As regards connected products, the obligation lies with the seller, renter or lessor, who must provide information on, for example, the estimated volume of product data to be generated and the location of data storage. This information may be delivered via a stable URL, web link or QR code. In the case of related services, an equivalent obligation lies with the service provider.

The transparency obligations stipulated in the Data Act do not override the GDPR obligations for data controllers to inform data subjects about personal data processing. Both sets of obligations must be applied concurrently. Any changes in the information during the product’s lifetime or the contract period must be communicated to the user. To ensure timely compliance, it is recommended to start preparing the necessary pre-contractual information, focusing on both content and format to meet the standards required by the Data Act.

Step 5 – Contract inventory

The Data Act states that a data holder’s right to use any readily available product and related service data must be agreed upon in a contract with the user. Consequently, contracts must be prepared for such data usage. Additionally, contracts are needed for third-party recipients of data, which a data holder must share upon a user’s request. Such contracts must include fair, reasonable and non-discriminatory (FRAND) terms. It is also advisable to review and update existing supplier or distributor contracts to ensure back-to-back terms are in place and that the responsibility for providing pre-contractual information is assigned to the party directly in contact with the user.

To aid compliance with the Data Act, the EU Commission is creating and recommending non-binding model contractual terms (MCTs). While these MCTs are voluntary, they are intended to set a “best practice” standard. Data holders may use the MCTs as a foundation but should tailor them to meet specific needs.
