The Updated EU Data Act FAQs: What Changed in Version 1.3

This Essential Guide is part of Orrick’s Cybersecurity & Privacy Compass Series. The Cybersecurity & Privacy Compass is your global guide to the evolving cybersecurity and privacy regulatory landscape.

The European Commission has published non-binding FAQs to provide detailed information about how the Data Act is to be interpreted and implemented. In this Essentials update, we summarize what’s new in the European Commission’s Data Act FAQs (Version 1.3, 12 September 2025) compared with Version 1.2 (3 February 2025), focusing on practical clarifications for providers of connected devices and software as well as data processing services (cloud and SaaS) and their customers.

Key takeaways

• The September 2025 FAQs introduce a range of new sub-questions and expand on existing ones, providing more nuanced and practical guidance for stakeholders on issues such as edge processing, GDPR compliance, SaaS/cloud switching and the scope of unfair contract terms.
• The updated version provides clearer and more explicit technical expectations for data access, including requirements for data format, timeliness, latency, usability and security, thereby helping data holders and users better understand what is required for compliance.
• References throughout the FAQs have been updated to reflect the latest implementation developments, including the adoption of the European Trusted Data Framework and the publication of the Expert Group’s final report on model contractual terms. These updates provide stakeholders with up-to-date information on available resources and next steps.

What’s new in Version 1.3

Relevant additions and clarifications from Version 1.2 include:

1. Edge Processing:

• In question 5a, the new version addresses how the Data Act applies to IoT data processed at the edge. It clarifies that if data is processed exclusively locally, without being stored, retrieved or transmitted externally at any time, the obligations set out in Chapter II regarding business-to-consumer and business-to-business data sharing are not triggered.

2. Anonymization and Data Linkage:

• Question 13a of the new version addresses the use of privacy-enhancing technologies (PETs) and anonymization, emphasizing that these tools should not be used to avoid data-sharing obligations. Users must be given a reasonable opportunity to access relevant data before any anonymization or severing of the link between the data and the connected product occurs.

3. Technical and Practical Requirements:

• In question 22a, the new FAQs provide a more detailed breakdown of what is expected from data holders, typically manufacturers of connected products (IoT devices), when granting access to data. This includes clear requirements regarding the format, quality, timeliness, latency, convenience, usability and security of the data, offering concrete guidance to ensure compliance with the Data Act.

4. GDPR Legal Bases and Accountability:

• Question 25a asks what GDPR legal bases the data holder could rely on when replying to a request for data. In such a situation, different scenarios must be distinguished. If the user is the data subject, their request for access to their data or for their data to be portable under the Data Act is like a GDPR data subject request (Articles 15 and 20). However, if the user is not the data subject, the Data Act does not provide a legal basis for sharing personal data. In this case, the data holder must either assess the appropriate legal grounds or provide anonymized data.
• Question 25b asks whether the data holder should verify that the user or third party has a valid legal basis under the GDPR before transmitting the data. Not very surprising, the FAQ clarifies that each data controller must ensure they have a valid legal basis under the GDPR before transmitting data, and that they are able to demonstrate compliance. Controllers should cooperate with each other and share only the information strictly necessary to support compliance.

5. Historical Data and Data Erasure:

• Question 32 provides clarification regarding the users’ rights with respect to accessing historical data. Users can request access to historical data stored by a data holder, including data from previous users. However, it is essential to respect the rights of former users and the “reasonable retention policy” outlined in Recital 24 of the Data Act, which means that access may be limited in certain cases.
• Question 33 centers on the contractual nature of non-personal data erasure, introducing the concepts of “user’s removable data” and “residual data” in line with forthcoming Model Contractual Terms. It has also been suggested that the Data Act does not give users the right to request the deletion of non-personal data prior to the sale of a product. Contractual agreements regarding data deletion are possible, though product-specific laws or the interests of future users may require certain data to be retained.

6. Contractual Terms and Unfairness Control:

• Questions 42a and 42b elaborate on the scope of unfairness control in Article 13 of the Data Act in contracts, specifying that it applies to any contractual term concerning data access, use or data-related liability, even if data is not the primary subject of the contract. It also clarifies that the Data Act applies to all agreements concluded after 12 September 2025, and for pre-existing contracts starting 12 September 2027. This gives parties time to renegotiate such contracts.

7. Cloud Services and SaaS:

• Question 58a explains that the Data Act applies to all SaaS that meet the definition of a data processing service. The Data Act defines “data processing services” in Article (2)(8) broadly, encompassing cloud computing models such as IaaS, PaaS and SaaS. SaaS falls within this scope if it enables customers to access configurable, scalable and elastic computing resources on demand, with minimal management effort, and is provided under a contractual relationship.
• Question 58b clarifies that the source provider is not responsible for assisting the customer in rebuilding their service within the destination provider’s ecosystem. Their obligations are limited to facilitating switching within their own service environment, such as providing open interfaces, exporting data in standard formats and ensuring compatibility with harmonized standards. The Data Act explicitly does not require source providers to develop or rebuild services in the infrastructure of other providers.

8. Model Contractual Terms and Standard Clauses (Questions 58, 74):

• The updated FAQs reference the publication of the Expert Group’s final report and the anticipated Commission Recommendation for standard contractual terms, providing stakeholders with up-to-date information on the availability and status of model terms and standard contractual clauses. However, the FAQs do not specify a timeframe for when to expect the recommendations of the European Commission.

9. Structural and Organizational Changes

• Versions 1.2 and 1.3 both maintain a similar overall structure, with sections addressing interaction with other EU laws, the scope of data, obligations for users and data holders, protections for trade secrets, technical requirements, enforcement and next steps. However, the updated version introduces several refinements:
• Numbering and Sub-Questions: Introduction of sub-questions (e.g., 5a, 13a, 22a, 25a, 25b, 34a, 42a, 42b, 58a, 58b), indicating a more nuanced and detailed approach.
• Updated References: Introduction of the latest developments, such as the adoption of the European Trusted Data Framework and the publication of the Expert Group’s final report on model contractual terms.

Bottom Line

Version 1.3 of the Data Act FAQs represents a significant practical refinement, offering more granular and detailed guidance for stakeholders. The new edition provides sharper technical and legal explanations of topics such as edge processing, SaaS, GDPR legal bases and unfair contract terms, while also incorporating the latest implementation references, including the Trusted Data Framework and outputs from the Expert Group. Importantly, the FAQs now move from future-oriented planning to actionable, concrete direction for businesses and other stakeholders. Although the FAQs provide sensible guidance in practice, unanswered questions remain, including how to calculate early termination penalties and how companies should comply with their information obligations.

Want to learn more about the Data Act? Find further materials and articles below:

• European Data Act: The EU Data Act is in Force — What Should Businesses Do?
• The European Data Act: 5 Things Cloud Services Provider Should Know
• European Data Act: Harmonised Rules on Fair Access to and Use of Data