2 January 2025
The Data Act came into force on 11 January 2024 and is generally applicable from 12 September 2025. This also applies to the medical device sector.
As the basis for a data sharing economy in the EU, the Data Act regulates access to and fair use of data. The data generated by the use of networked devices and connected services should be usable by various players in order to strengthen the data economy and promote the development of new, innovative business models.
However, the new regulations also harbour risks for the affected companies in their role as data owners. The Data Act applies alongside existing legislation, which in some cases may lead to overlaps and areas of conflict with it. The Data Act may also represent an additional economic burden for manufacturers of medical and health devices. The implementation of the new regulations should therefore be tackled at an early stage.
The Data Act relates to networked products, so-called IoT devices. According to Recital 14 of the Data Act, medical and health devices expressly fall within the scope of the Act. This includes medical devices that obtain, generate or collect data and transmit it, such as pacemakers, CGM devices (continuous glucose monitoring), smart insulin pens, as well as lifestyle devices such as fitness trackers, etc. The software associated with these networked devices, referred to as "connected services" in the Data Act, is also covered by the new regulations.
According to the Data Act, users, both natural and legal persons, are entitled to free access to the usage data, including the necessary metadata, insofar as this is "readily available", Art. 4 (1). Data is not "readily available" if its provision would require a disproportionate effort, e.g. because it is only processed as an intermediate step and is not stored by the product itself.
Information on the type, format, scope of the product data and other technical information must be provided to the user before the contract is concluded, Art. 3 (2) and (3).
In addition to the user's own right of access, the user also has the right to transfer the data to third parties, known as data recipients, Art. 5 (1). In the B2B area, this is also possible in return for a consideration on FRAND terms (fair, reasonable and non-discriminatory), Art. 8 (1), 9 GDPR.
The data controller itself may now only use non-personal product data on the basis of a corresponding contractual agreement with the user, for example for evaluation purposes, Art. 4 (13).
Other provisions of the Data Act relate to the provision of data to public bodies as well as data compatibility, interoperability and portability.
The right to pass on data to third parties means that companies run the risk of disclosing business secrets and losing valuable information to the competition.
At the same time, a wealth of existing standards must be observed, the application of which can lead to areas of conflict with the Data Act.
In the B2B environment, at least the circumstances of data transfer can be regulated contractually, for example through the use of general terms and conditions, Art. 8 (1).
Data owners should make use of this and thus define the exact conditions under which the data transfer takes place. In doing so, they should ensure that, as far as possible, the data transfer takes place within the framework of an orderly process that complies with all relevant legal requirements while safeguarding their own interests. Contractual freedom is limited, however: unilaterally imposed contractual clauses relating to data access, data use, liability and the legal remedies set out in the Data Act are subject to a control of general terms and conditions, under which "unfair contractual terms" are not binding on the other party, Art. 8 (2) and 13 (1).
In general, Art. 13 (3) provides that a term is unfair "if its application constitutes a gross deviation from good business practice in relation to access to and use of data or is contrary to the requirement of good faith". However, this is only of limited help at present, as there is probably no established good business practice in this regard yet, which is why the general clause offers little guidance for companies. More helpful are paragraphs 4 and 5 of Article 13, which list catalogues of examples, both on the part of the data recipient and the data controller, and give the term "unfair" concrete content.
The non-binding model contractual clauses and standard contractual clauses for data access and data use, including the conditions for appropriate remuneration and the protection of trade secrets, which are still to be drawn up by the European Commission by 12 September 2025 in accordance with Art. 41, should provide further guidance and assistance for the legally compliant drafting of such agreements.
However, the use of general terms and conditions only helps to a limited extent to protect trade secrets, as data access cannot be prevented in this way.
The Data Act itself recognizes that the disclosure of data can lead to a conflict of interest with the protection of trade secrets. In principle, however, the objectives of the Data Act enjoy a privileged position, although Art. 8 (6) clarifies that the obligation to disclose data to third parties does not oblige the data owner to disclose trade secrets.
It is therefore primarily intended that the data controller agrees measures with the user or the third party to protect its business secrets, Art. 4 (6) and Art. 5 (9). Both technical and organizational measures can be taken if necessary. Examples listed in the Data Act itself include confidentiality agreements, model contract clauses, access controls, technical standards and codes of conduct.
If no agreement is reached on these measures, or if the user or third party does not implement them, the data controller may refuse to disclose the data concerned, Art. 4 (7) and Art. 5 (10). However, this decision must be justified in writing and communicated to the competent authority in accordance with Art. 37. The user or third party may also contest the decision of refusal, Art. 4 (9) and Art. 5 (12).
Only in exceptional circumstances can the data owner refuse a data access request for the data concerned in individual cases, Art. 4 (8) and Art. 5 (11). However, this requires proof based on objective facts that even if measures to maintain secrecy were taken, there is a high probability that disclosure would result in serious economic damage. This may be the case if the protection of trade secrets cannot be enforced in third countries. Here too, notification to the competent authority is necessary.
The use of the data to manufacture competing products, or the disclosure of the data to a third party to gain insight into the economic situation, assets and production methods, is prohibited, Art. 4 (10) and Art. 6 (2) (e). However, the problems here are likely to lie in proving the use of the data, especially if it is transferred abroad, so that this prohibition is unlikely to provide effective protection for trade secrets.
In the event of breaches of agreements or the use of data to develop a competing product, the data owner may demand that the third party or data recipient delete the data, destroy infringing goods and pay damages, Art. 11 (2).
In the case of mandatory interoperability for data processing services in accordance with Art. 23 et seq., which is intended to enable users to transfer data to other services of the same type, trade secrets are excluded from the outset, according to the definition in Art. 2 No. 38.
The Data Act itself gives precedence to the General Data Protection Regulation (GDPR) in Art. 1 (5). As data collected or generated by medical and health devices is often also personal data, particular caution is required here.
Unlawful data transfer can lead to high fines, especially if there is a discrepancy between the user as defined by the Data Act and the actual user of the device. The use of a smart medical device by a doctor or in a hospital that records a patient's data is conceivable here. It should be noted in particular that the data controller cannot invoke the Data Act as fulfilment of a legal obligation within the meaning of Art. 6 (1) (c) GDPR, as the Data Act explicitly does not constitute a legal basis under data protection law according to Recital 7 of the Data Act. In the case of health data, the legal basis for the processing of special categories of personal data must also be found in Art. 9 (2) GDPR.
At the same time, an unlawful refusal to disclose data on the basis of the GDPR can lead to high fines under the Data Act. Companies should draw up processes in advance and clarify responsibilities as to how to proceed in cases of doubt, as the distinction between personal and non-personal (meta) data is often difficult to make.
Medical devices are already affected by a large number of regulations and laws due to the risks associated with their use. The EU regulations on medical devices (MDR) and in-vitro diagnostics (IVDR), among others, are highly relevant. Among other things, these contain requirements for the implementation of conformity assessment procedures and obligations to comply with certain safety standards.
Art. 3 (1) of the Data Act in particular has a major impact on medical devices. Networked products and connected services should already be designed in such a way that access to the data generated is simple, secure, free of charge and, where technically possible, direct. This obligation to "access by design" can, in case of doubt, lead to extensive changes to existing products. If such a change constitutes a "substantial change" according to the EU regulations on medical devices (MDR) and in-vitro diagnostics (IVDR), a new conformity assessment of the affected medical device is required. Experience has shown that such conformity assessment procedures are very lengthy and involve additional costs.
According to Art. 50, this obligation applies to connected products and the services associated with them that were placed on the market after 12 September 2026. Given the lead time for the research and development of new products, this is a tight timeframe. In this respect, the requirements of the Data Act should already be taken into account now.
The Data Act has a wide range of effects on medical and health devices and requires not only an adaptation of processes within the company, but possibly also of the products themselves. In the medical device sector in particular, however, such changes are costly and time-consuming, as the product may need to be re-certified. It is therefore important to act with foresight and adapt product development accordingly at an early stage so that all requirements are met by the time the relevant regulations become applicable.
With regard to the protection of business secrets, measures such as the drafting of corresponding clauses or general terms and conditions must be developed and defined in advance in order to use the contractual freedom limited by the Data Act in a legally compliant manner. In particular, the model contract clauses to be drawn up by the Commission before 12 September 2025 in accordance with Art. 41 must be kept in mind.
When processing and providing personal data under the Data Act, such as sensitive health data in particular, it is essential to comply with data protection laws. This includes in particular the identification of the relevant legal bases for data processing and the fulfillment of transparency obligations, such as the provision of data protection notices for users of medical and healthcare products.
Companies should also monitor developments in connection with the European Health Data Space, which is based on the elements of the Data Act, among other things.