{ "metadata": { "title": "Data Act — Compliance Assessment Tool", "version": "3.2.0", "date": "2026-03-14", "sources": [ "Regulation (EU) 2023/2854 (Data Act)", "Commission Guidelines on vehicle data under the Data Act (C/2025/5026)", "Commission Implementing Regulation on model contractual terms (forthcoming)", "Regulation (EU) 2016/679 (GDPR) — for mixed dataset interactions", "Directive (EU) 2016/943 (Trade Secrets Directive)", "Regulation (EU) 2022/1925 (Digital Markets Act) — gatekeeper restrictions", "EU Recommendation 2003/361/EC — SME classification", "Directive 2002/58/EC (ePrivacy Directive)" ], "flow_stages": [ "S1: Entity Profile", "S2: Chapter II — IoT Data Access & Sharing", "S3: Chapter III — Statutory Data Sharing", "S4: Chapter IV — Unfair Contractual Terms", "S5: Chapter V — Public Sector Access (B2G)", "S6: Chapter VI — Cloud Switching & Portability", "S7: Chapter VII — International Data Safeguards", "S8: Chapter VIII — Interoperability", "S9: Gap Assessment", "S10: Results" ], "verdicts": { "APPLICABLE": { "color": "red", "description": "Chapter obligations apply to this entity" }, "PARTIALLY_APPLICABLE": { "color": "orange", "description": "Some obligations apply (e.g., SME exemptions reduce scope)" }, "NOT_APPLICABLE": { "color": "green", "description": "Chapter does not apply to this entity" }, "CONSULT_EXPERT": { "color": "grey", "description": "Cannot determine automatically" } } }, "start_node": "p_010", "nodes": { "p_010": { "id": "p_010", "stage": "S1_PROFILE", "type": "question", "text": "Does your entity operate within the European Union or European Economic Area (EEA)?", "help": "The Data Act applies to: (1) manufacturers and providers placing connected products/services on the EU market, (2) data holders and data recipients in the EU, (3) data processing service providers offering services to EU customers, (4) public sector bodies. The EEA includes all EU Member States plus Norway, Iceland, and Liechtenstein.", "legal_ref": "Art. 1(3)", "edge_case": "Non-EU entities: If you manufacture connected products or provide data processing services offered to EU customers, the Data Act applies to you regardless of where you are established (Art. 1(2)).", "warning": [ "Non-EU entities placing connected products or providing data processing services on the EU market must designate an EU legal representative (see FAQ Q71)." ], "cross_ref": [ { "regulation": "GDPR", "articles": "Art. 3", "relevance": "Similar territorial scope — applies to entities processing data of EU residents" }, { "regulation": "Digital Markets Act", "articles": "Art. 1(2)", "relevance": "Gatekeeper obligations may interact with Data Act restrictions" } ], "options": [ { "id": "p_010_a", "label": "Yes, we are established in the EU/EEA", "value": "EU_EEA", "next": "p_020" }, { "id": "p_010_b", "label": "No, but we offer connected products/services on the EU market", "description": "Non-EU entities placing connected products or related services on the EU market fall within scope.", "value": "NON_EU_MARKET", "next": "p_020" }, { "id": "p_010_c", "label": "No, but we provide data processing services to EU customers", "description": "Non-EU data processing service providers (cloud, SaaS, etc.) serving EU customers fall within scope.", "value": "NON_EU_CLOUD", "next": "p_020" }, { "id": "p_010_d", "label": "No, we have no EU/EEA connection", "value": "NO_EU", "next": "r_out_jurisdiction" } ] }, "p_020": { "id": "p_020", "stage": "S1_PROFILE", "type": "multi_select", "text": "Which of the following roles describe your entity? Select all that apply.", "help": "A single entity can hold multiple roles under the Data Act. For example, a manufacturer of smart appliances who also operates a cloud platform is both a 'manufacturer' and a 'data processing service provider'. Selecting multiple roles will show you the combined obligations.", "legal_ref": "Art. 2", "edge_case": "Multi-role entities: If you are both a manufacturer and a cloud provider, both Chapter II and Chapter VI obligations apply. The tool will combine all applicable obligations in your final assessment.", "tip": [ "Most IoT manufacturers are also data holders — select both roles if you collect or access the data your products generate." ], "options": [ { "id": "p_020_a", "label": "Manufacturer of connected products", "value": "MANUFACTURER", "description": "You design, produce, or brand products that generate data (IoT devices, smart appliances, vehicles, industrial machinery, medical devices, etc.)" }, { "id": "p_020_b", "label": "Provider of related services", "value": "RELATED_SERVICE_PROVIDER", "description": "You provide digital services connected to a product that affect its functions (e.g., companion apps, firmware update services, remote monitoring)" }, { "id": "p_020_c", "label": "Data holder", "value": "DATA_HOLDER", "description": "You have the right or obligation to use and make available data generated by connected products or related services" }, { "id": "p_020_d", "label": "Data recipient", "value": "DATA_RECIPIENT", "description": "You receive data shared by data holders (e.g., aftermarket service providers, analytics companies, repair services)" }, { "id": "p_020_e", "label": "Data processing service provider", "value": "CLOUD_PROVIDER", "description": "You offer cloud computing, SaaS, PaaS, IaaS, or other data processing services" }, { "id": "p_020_f", "label": "Public sector body", "value": "PUBLIC_SECTOR", "description": "You are a government authority, agency, or Union body" }, { "id": "p_020_g", "label": "Smart contract developer/provider", "value": "SMART_CONTRACT", "description": "You develop or offer smart contracts used for data sharing agreements" }, { "id": "p_020_h", "label": "None of the above / Not sure", "value": "NONE", "next": "r_consult_role" } ], "multi_next": "p_030" }, "p_030": { "id": "p_030", "stage": "S1_PROFILE", "type": "question", "text": "What is the size of your entity?", "help": "Entity size affects certain exemptions under the Data Act. Microenterprises and small enterprises that manufacture connected products or provide related services are exempt from Chapter II obligations (Art. 7(1)), unless they have larger partner/linked enterprises. They are also exempt from some Chapter V obligations (Art. 15(2), non-emergency requests only). SME classification follows EU Recommendation 2003/361/EC.", "legal_ref": "Art. 2(25-26), Art. 7, Art. 15(2)", "tip": [ "If your entity is part of a larger group, the group-level headcount and financial thresholds may apply for SME classification purposes." ], "options": [ { "id": "p_030_a", "label": "Microenterprise (fewer than 10 employees AND turnover/balance sheet ≤ €2M)", "value": "MICRO", "next": "p_040" }, { "id": "p_030_b", "label": "Small enterprise (fewer than 50 employees AND turnover/balance sheet ≤ €10M)", "value": "SMALL", "next": "p_040" }, { "id": "p_030_c", "label": "Medium enterprise (fewer than 250 employees AND turnover ≤ €50M or balance sheet ≤ €43M)", "value": "MEDIUM", "next": "p_040" }, { "id": "p_030_d", "label": "Large enterprise (250+ employees OR turnover > €50M)", "value": "LARGE", "next": "p_040" }, { "id": "p_030_e", "label": "Not sure", "value": "UNSURE", "next": "p_040" } ] }, "p_040": { "id": "p_040", "stage": "S1_PROFILE", "type": "question", "text": "In which sector(s) does your entity primarily operate?", "help": "The Data Act applies horizontally across all sectors, but some sectors have specific guidance or sub-flows. Select your primary sector.", "legal_ref": "Art. 1 (horizontal regulation)", "options": [ { "id": "p_040_a", "label": "Automotive / Vehicles", "value": "AUTOMOTIVE", "next": "p_050" }, { "id": "p_040_b", "label": "Healthcare / Medical devices", "value": "HEALTH", "next": "p_050" }, { "id": "p_040_c", "label": "Energy / Utilities", "value": "ENERGY", "next": "p_050" }, { "id": "p_040_d", "label": "Agriculture / Farming equipment", "value": "AGRICULTURE", "next": "p_050" }, { "id": "p_040_e", "label": "Manufacturing / Industrial machinery", "value": "MANUFACTURING", "next": "p_050" }, { "id": "p_040_f", "label": "Consumer electronics / Smart home", "value": "CONSUMER_ELECTRONICS", "next": "p_050" }, { "id": "p_040_g", "label": "Financial services", "value": "FINANCE", "next": "p_050" }, { "id": "p_040_h", "label": "Telecommunications", "value": "TELECOM", "next": "p_050" }, { "id": "p_040_i", "label": "Cloud / IT services", "value": "CLOUD_IT", "next": "p_050" }, { "id": "p_040_j", "label": "Other", "value": "OTHER", "next": "p_050" } ] }, "p_050": { "id": "p_050", "stage": "S1_PROFILE", "type": "multi_select", "text": "What types of data does your entity handle in relation to connected products or data processing services?", "help": "The Data Act covers both personal and non-personal data. When both types are involved (mixed datasets), both the Data Act and GDPR apply simultaneously. Understanding your data types helps determine specific obligations.", "legal_ref": "Art. 1(2), Art. 1(5), Recital 7", "edge_case": "Mixed datasets: When personal and non-personal data are inextricably linked, the GDPR applies to the entire dataset. Data Act rights do not override GDPR protections (Art. 1(5)).", "warning": [ "If you handle personal data or mixed datasets, GDPR obligations apply in parallel throughout this assessment. Ensure you have a valid legal basis for processing personal data under GDPR Art. 6.", "IoT data is frequently personal data (e.g., usage patterns, location) even when it appears purely technical.", "When the user is not the data subject, the Data Act is not a legal basis under GDPR Art. 6(1)(c). A separate GDPR legal basis is required for making personal data available (FAQ Q25a). When the user IS the data subject, the situation is comparable to GDPR Art. 15/20 access/portability." ], "cross_ref": [ { "regulation": "GDPR", "articles": "Art. 6, Art. 9", "relevance": "Legal basis required for personal data processing; special categories require Art. 9 basis" }, { "regulation": "ePrivacy Directive", "articles": "Art. 5(3)", "relevance": "IoT devices qualify as terminal equipment — accessing stored data may require consent" } ], "options": [ { "id": "p_050_a", "label": "Non-personal data only (machine-generated, operational, environmental)", "value": "NON_PERSONAL" }, { "id": "p_050_b", "label": "Personal data only", "value": "PERSONAL" }, { "id": "p_050_c", "label": "Mixed datasets (both personal and non-personal data)", "value": "MIXED" }, { "id": "p_050_d", "label": "Not sure", "value": "DATA_UNSURE" } ], "multi_next": "router_roles" }, "router_roles": { "id": "router_roles", "stage": "S1_PROFILE", "type": "router", "text": "Routing to applicable chapters based on selected roles...", "help": "The tool now routes you through the applicable Data Act chapters based on the roles you selected.", "routing_rules": [ { "if_role": "MANUFACTURER", "goto": "ch2_010", "chapters": [ "CH2" ] }, { "if_role": "RELATED_SERVICE_PROVIDER", "goto": "ch2_010", "chapters": [ "CH2" ] }, { "if_role": "DATA_HOLDER", "goto": "ch2_010", "chapters": [ "CH2", "CH3", "CH4" ] }, { "if_role": "DATA_RECIPIENT", "goto": "ch2_010", "chapters": [ "CH2", "CH3" ] }, { "if_role": "CLOUD_PROVIDER", "goto": "ch4_010", "chapters": [ "CH4", "CH6", "CH7", "CH8" ] }, { "if_role": "PUBLIC_SECTOR", "goto": "ch5_010", "chapters": [ "CH5" ] }, { "if_role": "SMART_CONTRACT", "goto": "ch8_010", "chapters": [ "CH8" ] } ], "chapter_order": [ "ch2_010", "ch3_010", "ch4_010", "ch5_010", "ch6_010", "ch7_010", "ch8_010" ], "fallback_next": "gap_router" }, "ch2_010": { "id": "ch2_010", "stage": "S2_SCOPE_CH2", "type": "question", "text": "Does your entity manufacture, sell, rent, or lease connected products that generate data?", "help": "A 'connected product' is an item that obtains, generates, or collects data concerning its use or environment and that is able to communicate that data via electronic communication, physical connection, or on-device access. Examples: smart home appliances, industrial machines, vehicles, medical devices, wearables, agricultural equipment. Excluded: products whose primary function is storing, processing, or transmitting data on behalf of others (e.g., servers, routers).", "legal_ref": "Art. 2(5), Recital 14", "edge_case": "Products primarily designed for storing/processing/transmitting data (servers, routers, general-purpose computers) are excluded from the connected product definition. However, embedded IoT sensors in such products may still qualify.", "warning": [ "Products used abroad by EU users may still generate in-scope data if the product was placed on the EU market.", "Prototypes are excluded from the connected product definition (Recital 14).", "Micro/small enterprises manufacturing connected products or providing related services are exempt from Chapter II obligations (Art. 7(1)), unless they have partner/linked enterprises that are larger. Medium enterprises recently reclassified (less than 1 year) also have a transitional exemption." ], "example": [ { "label": "Infrastructure data", "text": "Railway wagon sensors (on the connected product) generate in-scope data; track-side sensors (infrastructure) do not fall under the connected product definition.", "source": "Recital 14" } ], "options": [ { "id": "ch2_010_a", "label": "Yes, we manufacture/place connected products on the EU market", "value": "CP_MANUFACTURER", "next": "ch2_015" }, { "id": "ch2_010_b", "label": "Yes, we sell/rent/lease connected products (but don't manufacture)", "value": "CP_SELLER", "next": "ch2_015" }, { "id": "ch2_010_c", "label": "No, but we provide related services for connected products", "value": "CP_SERVICE_ONLY", "next": "ch2_030" }, { "id": "ch2_010_d", "label": "No, but we hold/receive data from connected products", "value": "CP_DATA_ONLY", "next": "ch2_040" }, { "id": "ch2_010_e", "label": "No connected products involvement", "value": "CP_NONE", "next": "ch2_next_stage" } ] }, "ch2_015": { "id": "ch2_015", "stage": "S2_SCOPE_CH2", "type": "question", "text": "Were your connected products placed on the EU market before or after 12 September 2025?", "help": "The timing of market placement determines which obligations apply. Products placed on the market after 12 September 2026 must comply with Art. 3(1) design-by-default obligations. Products placed before that date are exempt from design obligations but data holders must still comply with Art. 4 access obligations. Note: Chapter II data access obligations (Art. 4-7) apply from 12 September 2025 regardless of when the product was placed on the market, but only to data generated after that date.", "legal_ref": "Art. 3(1), Art. 50", "warning": [ "Even for pre-existing products, data holder access contracts must be in place from 12 September 2025.", "Only data generated after 12 September 2025 falls within scope of Chapter II (FAQ Q4)." ], "options": [ { "id": "ch2_015_a", "label": "Before 12 September 2025 (existing products)", "value": "PRE_2025", "next": "ch2_020" }, { "id": "ch2_015_b", "label": "Between 12 September 2025 and 12 September 2026", "value": "MID_PERIOD", "next": "ch2_020" }, { "id": "ch2_015_c", "label": "After 12 September 2026 (new products)", "value": "POST_2026", "next": "ch2_020" }, { "id": "ch2_015_d", "label": "Both — we have products in multiple categories", "value": "MIXED_TIMING", "next": "ch2_020" } ] }, "ch2_020": { "id": "ch2_020", "stage": "S2_SCOPE_CH2", "type": "question", "text": "Are your connected products designed to make product data directly accessible to users?", "help": "Article 3 requires that connected products be designed and manufactured so that product data and related service data are, by default, easily and securely accessible to the user, free of charge, in a comprehensive, structured, commonly used and machine-readable format. This is a design obligation for manufacturers.", "legal_ref": "Art. 3(1)", "edge_case": "Products placed on the market before 12 September 2026 are not subject to the design obligation in Art. 3(1), but data holders must still comply with Art. 4 (making data available on request).", "warning": [ "Edge processing (data processed locally on the device before transmission) is still in scope — the obligation covers all readily available data, including pre-processed sensor data.", "Contracts for data access must be in place from 12 September 2025 even for pre-existing products.", "Anonymisation or pseudonymisation of data does not exclude it from Chapter II scope. Privacy-enhancing techniques do not make data \"derived\" (FAQ Q13)." ], "options": [ { "id": "ch2_020_a", "label": "Yes, data is directly accessible by design (on-device or via API)", "value": "ACCESSIBLE_YES", "next": "ch2_030" }, { "id": "ch2_020_b", "label": "Partially — some data is accessible, but not all readily available data", "value": "ACCESSIBLE_PARTIAL", "next": "ch2_030" }, { "id": "ch2_020_c", "label": "No, data is not directly accessible to users", "value": "ACCESSIBLE_NO", "next": "ch2_030" }, { "id": "ch2_020_d", "label": "Not sure", "value": "ACCESSIBLE_UNSURE", "next": "ch2_030" } ] }, "ch2_030": { "id": "ch2_030", "stage": "S2_SCOPE_CH2", "type": "question", "text": "Does your entity provide digital services connected to a product that affect its functions?", "help": "A 'related service' is a digital service (other than electronic communications) connected to a product at the time of purchase/rent/lease, or subsequently connected by the manufacturer or third party to add/update/adapt functions. Examples: companion mobile apps, remote monitoring dashboards, firmware update services, cloud-based analytics linked to the product. NOT related services: connectivity, power supply, standalone consulting, standalone repair.", "legal_ref": "Art. 2(6), Recital 17", "example": [ { "label": "Related service YES", "text": "A companion app that remotely locks/unlocks a smart door lock, or a cloud dashboard that controls heating settings.", "source": "Art. 2(6)" }, { "label": "Related service NO", "text": "A standalone insurance app that uses vehicle data but does not affect the vehicle's functions. A third-party repair manual website.", "source": "Recital 17" } ], "options": [ { "id": "ch2_030_a", "label": "Yes, we provide related services for connected products", "value": "RS_YES", "next": "ch2_040" }, { "id": "ch2_030_b", "label": "No", "value": "RS_NO", "next": "ch2_040" } ] }, "ch2_040": { "id": "ch2_040", "stage": "S2_SCOPE_CH2", "type": "question", "text": "Does your entity control or have access to data generated by connected products or related services?", "help": "A 'data holder' is a legal or natural person who has the right or obligation to use and make available data, including product data and related service data. If you are a manufacturer with access to the data your products generate, you are likely a data holder.", "legal_ref": "Art. 2(13)", "warning": [ "Data holder access contracts must be in place from 12 September 2025 even for pre-existing products." ], "options": [ { "id": "ch2_040_a", "label": "Yes, we control/access product or related service data", "value": "DH_YES", "next": "ch2_050" }, { "id": "ch2_040_b", "label": "No", "value": "DH_NO", "next": "ch2_070" } ], "cross_ref": [ { "regulation": "Database Directive 96/9/EC", "articles": "Art. 7", "relevance": "Sui generis database right does NOT apply to data from connected products under the Data Act (Art. 43)" } ] }, "ch2_050": { "id": "ch2_050", "stage": "S2_SCOPE_CH2", "type": "question", "text": "Do users of your products/services request that you share their data with third parties?", "help": "Under Article 5, users have the right to share data generated by their connected products with third parties of their choice. As a data holder, you must make this data available to the designated third party without undue delay, free of charge to the user, and at the same quality as available to you.", "legal_ref": "Art. 5", "options": [ { "id": "ch2_050_a", "label": "Yes, we receive such requests", "value": "TP_YES", "next": "ch2_060" }, { "id": "ch2_050_b", "label": "Not yet, but we expect to", "value": "TP_EXPECTED", "next": "ch2_060" }, { "id": "ch2_050_c", "label": "No", "value": "TP_NO", "next": "ch2_060" } ] }, "ch2_060": { "id": "ch2_060", "stage": "S2_SCOPE_CH2", "type": "question", "text": "Does the data you hold or share contain information that qualifies as trade secrets?", "help": "Trade secrets are protected under the Data Act. Data holders can take measures to preserve confidentiality before sharing, including requiring confidentiality agreements and technical protection. In exceptional cases, a data holder may withhold specific data if disclosure would cause serious economic damage, but must justify this on a case-by-case basis and notify the competent authority.", "legal_ref": "Art. 4(6-8), Art. 5(7), Art. 11, Directive (EU) 2016/943", "edge_case": "Data holders cannot use trade secret claims as a blanket refusal. Each refusal must be justified on a case-by-case basis with notification to the competent authority (Art. 4(7-8)).", "options": [ { "id": "ch2_060_a", "label": "Yes, some data contains trade secrets", "value": "TS_YES", "next": "ch2_070" }, { "id": "ch2_060_b", "label": "No", "value": "TS_NO", "next": "ch2_070" }, { "id": "ch2_060_c", "label": "Not sure", "value": "TS_UNSURE", "next": "ch2_070" } ] }, "ch2_070": { "id": "ch2_070", "stage": "S2_SCOPE_CH2", "type": "question", "text": "Does your entity provide a virtual assistant, or do users interact with your products via virtual assistants?", "help": "A 'virtual assistant' is software that can process demands, tasks, or questions, including those based on audio, written input, gestures, or motions, and that provides access to other services or controls connected products (Art. 2(31)). Virtual assistants are subject to specific transparency and data access obligations.", "legal_ref": "Art. 2(31), Recital 23", "example": [ { "label": "Virtual assistant", "text": "Voice-activated home assistants (e.g., smart speakers), in-car voice control systems, chatbots controlling smart home devices.", "source": "Recital 23" } ], "options": [ { "id": "ch2_070_a", "label": "Yes, we provide or integrate virtual assistants", "value": "VA_YES", "next": "ch2_sector_check" }, { "id": "ch2_070_b", "label": "No", "value": "VA_NO", "next": "ch2_sector_check" } ] }, "ch2_sector_check": { "id": "ch2_sector_check", "stage": "S2_SCOPE_CH2", "type": "router", "text": "Checking for sector-specific sub-flows...", "help": "Based on the sector you selected earlier, additional sector-specific questions may apply.", "routing_rules": [ { "if_sector": "AUTOMOTIVE", "goto": "ch2_auto_010" }, { "if_sector": "HEALTH", "goto": "ch2_health_010" }, { "if_sector": "ENERGY", "goto": "ch2_energy_010" } ], "fallback_next": "ch2_next_stage" }, "ch2_auto_010": { "id": "ch2_auto_010", "stage": "S2_SCOPE_CH2", "type": "question", "text": "What type of vehicle does your entity manufacture or provide services for?", "help": "The Commission has published specific guidance on vehicle data under the Data Act (C/2025/5026). This guidance relates to vehicles that constitute 'connected products' within the meaning of Art. 2(5). It is for the OEM or data holder to assess whether a vehicle qualifies.", "legal_ref": "Vehicle Data Guidance, para. 11-12", "options": [ { "id": "ch2_auto_010_a", "label": "Passenger cars / Light commercial vehicles", "value": "VEHICLE_PASSENGER", "next": "ch2_auto_020" }, { "id": "ch2_auto_010_b", "label": "Heavy-duty vehicles / Trucks / Buses", "value": "VEHICLE_HEAVY", "next": "ch2_auto_020" }, { "id": "ch2_auto_010_c", "label": "Two/three-wheeled vehicles / Motorcycles", "value": "VEHICLE_2WHEEL", "next": "ch2_auto_020" }, { "id": "ch2_auto_010_d", "label": "Agricultural/forestry vehicles", "value": "VEHICLE_AGRI", "next": "ch2_auto_020" }, { "id": "ch2_auto_010_e", "label": "Other motorized vehicles", "value": "VEHICLE_OTHER", "next": "ch2_auto_020" } ], "warning": [ "The Data Act does not affect the Type Approval Regulation (EU) 2018/858. OBD data access has its own legal regime. Sector-specific vehicle emissions data rules continue to apply (Vehicle Data Guidance, para. 5, 44, 47).", "Data holders cannot require users to purchase specialised tools at their own expense to access vehicle data (para. 44)." ], "cross_ref": [ { "regulation": "Type Approval Regulation (EU) 2018/858", "articles": "Various", "relevance": "OBD data access and vehicle emissions data rules are not affected by the Data Act (Art. 44)" } ] }, "ch2_auto_020": { "id": "ch2_auto_020", "stage": "S2_SCOPE_CH2", "type": "multi_select", "text": "What types of vehicle data does your entity collect or generate?", "help": "Vehicle data falling within scope includes: driving data (speed, acceleration, braking), diagnostic data (fault codes, component status), environmental sensor data (temperature, rain, road conditions), battery/energy data, location data, and usage patterns. Data from infotainment systems (music, phone calls, photos) may be 'content' and excluded.", "legal_ref": "Vehicle Data Guidance, para. 19-28", "edge_case": "Infotainment content (music playback, phone call logs, photos displayed) is generally excluded as 'content'. However, sensor imagery (collision cameras, parking cameras) with no creative purpose falls within scope.", "data_in_scope_examples": [ "Vehicle speed, acceleration, braking force", "Engine/motor parameters (RPM, temperature, torque)", "Battery state of charge, charging cycles, degradation data", "Tire pressure, brake pad wear indicators", "GPS/location data, route history", "Diagnostic trouble codes (DTCs), OBD data", "Environmental sensor readings (outside temperature, rain sensor, light sensor)", "Collision/parking camera imagery (no creative purpose)", "Door/window/seat position status", "HVAC system usage patterns" ], "data_out_scope_examples": [ "Music playlist and playback history (content)", "Phone call logs via Bluetooth (content)", "Photos displayed on infotainment screen (content)", "Downloaded apps and their data (content)", "Text messages displayed on screen (content)", "Inferred driver behaviour scores from proprietary algorithms (derived data)", "Predictive maintenance models (derived data)" ], "options": [ { "id": "ch2_auto_020_a", "label": "Driving/operational data (speed, acceleration, braking, steering)", "value": "VD_DRIVING" }, { "id": "ch2_auto_020_b", "label": "Diagnostic/maintenance data (fault codes, component status, mileage)", "value": "VD_DIAGNOSTIC" }, { "id": "ch2_auto_020_c", "label": "Environmental sensor data (temperature, rain, road conditions)", "value": "VD_ENVIRONMENT" }, { "id": "ch2_auto_020_d", "label": "Battery/energy consumption data", "value": "VD_ENERGY" }, { "id": "ch2_auto_020_e", "label": "Location/navigation data", "value": "VD_LOCATION" }, { "id": "ch2_auto_020_f", "label": "Infotainment/content data", "value": "VD_INFOTAINMENT" }, { "id": "ch2_auto_020_g", "label": "Camera/LIDAR/radar data", "value": "VD_CAMERA" } ], "multi_next": "ch2_next_stage", "tip": [ "Vehicle data taxonomy: Raw data (CAN bus signals, sensor readings) and pre-processed data (averaged temperatures, aggregated fuel consumption) are in scope. Inferred/derived data from proprietary algorithms (object detection, driver scores, crash severity analysis) is excluded. Basic math operations (addition, averaging) do not make data 'derived' (Vehicle Data Guidance, para. 24-35).", "In-vehicle direct access (Art. 3(1)) vs. indirect access via OEM backend (Art. 4(1)) — OEMs can choose the access method but must not discriminate against independent service providers in data quality (para. 37-42)." ] }, "ch2_health_010": { "id": "ch2_health_010", "stage": "S2_SCOPE_CH2", "type": "question", "text": "What type of connected medical device or health product does your entity deal with?", "help": "The Data Act applies to connected medical devices that generate data. However, sector-specific regulations (MDR 2017/745, IVDR 2017/746) may contain their own data access rules. Under Art. 44(2), sector-specific rules may complement the Data Act.", "legal_ref": "Art. 44(2), Recital 11", "edge_case": "For medical devices, GDPR applies to all patient data. The Data Act's data access rights must be balanced with patient safety requirements and medical device regulations.", "cross_ref": [ { "regulation": "MDR 2017/745", "articles": "Art. 10(9)", "relevance": "UDI system and device traceability requirements may overlap with Data Act transparency obligations" }, { "regulation": "GDPR", "articles": "Art. 9", "relevance": "Health data is a special category — additional protections apply" } ], "options": [ { "id": "ch2_health_010_a", "label": "Class I medical devices (low risk)", "value": "MD_CLASS1", "next": "ch2_next_stage" }, { "id": "ch2_health_010_b", "label": "Class II medical devices (moderate risk)", "value": "MD_CLASS2", "next": "ch2_next_stage" }, { "id": "ch2_health_010_c", "label": "Class III medical devices (high risk)", "value": "MD_CLASS3", "next": "ch2_next_stage" }, { "id": "ch2_health_010_d", "label": "In-vitro diagnostic devices", "value": "MD_IVD", "next": "ch2_next_stage" }, { "id": "ch2_health_010_e", "label": "Wellness/fitness devices (not regulated as medical devices)", "value": "MD_WELLNESS", "next": "ch2_next_stage" }, { "id": "ch2_health_010_f", "label": "Health-related IoT (smart scales, blood pressure monitors)", "value": "MD_HEALTH_IOT", "next": "ch2_next_stage" } ] }, "ch2_energy_010": { "id": "ch2_energy_010", "stage": "S2_SCOPE_CH2", "type": "question", "text": "What type of connected energy product or service does your entity deal with?", "help": "Energy sector products generating data include smart meters, solar inverters, EV charging stations, home energy management systems, battery storage, and smart grid components. Sector-specific rules (e.g., Electricity Directive 2019/944, Renewable Energy Directive 2023/2413) may apply alongside the Data Act.", "legal_ref": "Art. 44(2), Recital 11", "edge_case": "Smart meters may be subject to both the Data Act and energy sector-specific data access rules (e.g., Electricity Directive 2019/944). Art. 44 addresses overlaps — sector-specific laws entering into force before 11 Jan 2024 prevail.", "cross_ref": [ { "regulation": "Electricity Directive 2019/944", "articles": "Art. 23", "relevance": "Smart meter data access rules may take precedence under Art. 44" }, { "regulation": "Renewable Energy Directive 2023/2413", "articles": "Various", "relevance": "Energy data sharing obligations for renewables integration" } ], "options": [ { "id": "ch2_energy_010_a", "label": "Smart meters / Smart grid components", "value": "EN_SMART_METER", "next": "ch2_next_stage" }, { "id": "ch2_energy_010_b", "label": "Solar panels / Inverters", "value": "EN_SOLAR", "next": "ch2_next_stage" }, { "id": "ch2_energy_010_c", "label": "EV charging stations", "value": "EN_EV_CHARGING", "next": "ch2_next_stage" }, { "id": "ch2_energy_010_d", "label": "Battery storage systems", "value": "EN_BATTERY", "next": "ch2_next_stage" }, { "id": "ch2_energy_010_e", "label": "Home energy management systems", "value": "EN_HEMS", "next": "ch2_next_stage" }, { "id": "ch2_energy_010_f", "label": "Industrial energy monitoring", "value": "EN_INDUSTRIAL", "next": "ch2_next_stage" } ] }, "ch2_next_stage": { "id": "ch2_next_stage", "stage": "S2_SCOPE_CH2", "type": "router", "text": "Chapter II scoping complete. Routing to next applicable chapter...", "help": "Based on your roles, the tool will now check the next applicable chapter.", "routing_rules": [ { "if_role": "DATA_HOLDER", "goto": "ch3_010" }, { "if_role": "DATA_RECIPIENT", "goto": "ch3_010" } ], "fallback_next": "ch4_check" }, "ch3_010": { "id": "ch3_010", "stage": "S3_SCOPE_CH3", "type": "question", "text": "Is your entity obliged to make data available to data recipients — either at users' request under Art. 5 (Chapter II) or under other EU/national law?", "help": "Chapter III sets conditions for data sharing when a data holder is obliged to share data — whether under Article 5 of the Data Act itself (third-party sharing at user's request) or under other Union or national law. This chapter establishes FRAND terms, compensation rules, dispute settlement, and technical protection measures for such sharing.", "legal_ref": "Art. 8, Art. 12", "options": [ { "id": "ch3_010_a", "label": "Yes, we have legal obligations to share data under other EU/national laws", "value": "STATUTORY_YES", "next": "ch3_020" }, { "id": "ch3_010_b", "label": "We may be subject to such obligations but are unsure", "value": "STATUTORY_UNSURE", "next": "ch3_020" }, { "id": "ch3_010_c", "label": "No", "value": "STATUTORY_NO", "next": "ch4_check" } ], "warning": [ "Contractual terms that derogate from Chapter III to the detriment of either party or the user are not binding (Art. 12(2)).", "Chapter III applies only to data sharing obligations under laws entering into force after 12 September 2025 (Art. 50). Pre-existing legal obligations are governed by Art. 44(1)." ] }, "ch3_020": { "id": "ch3_020", "stage": "S3_SCOPE_CH3", "type": "question", "text": "Do you have compensation arrangements in place for making data available to data recipients?", "help": "Article 9 establishes that compensation for making data available must be fair, reasonable, non-discriminatory, and transparent (FRAND). For SME data recipients, compensation cannot exceed costs directly attributable to making the data available. The Commission has published model contractual terms to help structure such arrangements.", "legal_ref": "Art. 9", "options": [ { "id": "ch3_020_a", "label": "Yes, we have FRAND-compliant compensation terms", "value": "COMP_YES", "next": "ch4_check" }, { "id": "ch3_020_b", "label": "We have compensation terms but haven't verified FRAND compliance", "value": "COMP_PARTIAL", "next": "ch4_check" }, { "id": "ch3_020_c", "label": "No compensation arrangements in place", "value": "COMP_NO", "next": "ch4_check" } ] }, "ch4_check": { "id": "ch4_check", "stage": "S4_SCOPE_CH4", "type": "router", "text": "Checking Chapter IV applicability...", "help": "Chapter IV on unfair contractual terms applies to entities with B2B data sharing contracts.", "routing_rules": [ { "if_role": "DATA_HOLDER", "goto": "ch4_010" }, { "if_role": "DATA_RECIPIENT", "goto": "ch4_010" }, { "if_role": "MANUFACTURER", "goto": "ch4_010" }, { "if_role": "RELATED_SERVICE_PROVIDER", "goto": "ch4_010" }, { "if_role": "CLOUD_PROVIDER", "goto": "ch4_010" } ], "fallback_next": "ch5_check" }, "ch4_010": { "id": "ch4_010", "stage": "S4_SCOPE_CH4", "type": "question", "text": "Does your entity have business-to-business contracts that include terms relating to data access and use?", "help": "Chapter IV protects enterprises from unfair contractual terms unilaterally imposed in data sharing contracts. This applies to any B2B contract where one party unilaterally imposed terms regarding data access, use, sharing, or exploitation. It covers contracts concluded after 12 September 2025, and from 12 September 2027 also covers pre-existing contracts of indefinite duration or with 10+ years remaining.", "legal_ref": "Art. 13", "edge_case": "Pre-existing contracts: Contracts concluded before 12 September 2025 are not initially affected. However, from 12 September 2027, contracts of indefinite duration or with 10+ years remaining are also subject to Chapter IV.", "example": [ { "label": "Broad applicability", "text": "Chapter IV applies to data clauses in ANY B2B contract — including bank loans with data-sharing conditions, logistics contracts, advertising agreements, and supply chain data terms.", "source": "Art. 13(1)" } ], "options": [ { "id": "ch4_010_a", "label": "Yes, we impose data-related terms on business partners", "value": "UNFAIR_IMPOSER", "next": "ch4_020" }, { "id": "ch4_010_b", "label": "Yes, we are subject to data-related terms imposed by others", "value": "UNFAIR_SUBJECT", "next": "ch4_020" }, { "id": "ch4_010_c", "label": "Both — we impose and are subject to such terms", "value": "UNFAIR_BOTH", "next": "ch4_020" }, { "id": "ch4_010_d", "label": "No B2B data sharing contracts", "value": "UNFAIR_NO", "next": "ch5_check" } ] }, "ch4_020": { "id": "ch4_020", "stage": "S4_SCOPE_CH4", "type": "question", "text": "Have you reviewed your B2B data-sharing contracts against the Data Act's unfairness criteria?", "help": "Article 13 lists terms that are always unfair (Art. 13(4)(a-c): excluding liability for intentional acts, excluding remedies for non-performance, giving one party exclusive right to interpret contract terms) and terms that are presumed unfair (Art. 13(5)(a-g): inappropriately limiting liability, accessing data detrimentally, preventing data use, preventing termination, preventing data copy, unreasonably short notice, unilateral changes).", "legal_ref": "Art. 13(4-5)", "options": [ { "id": "ch4_020_a", "label": "Yes, contracts have been reviewed and are compliant", "value": "CONTRACT_OK", "next": "ch5_check" }, { "id": "ch4_020_b", "label": "Partially reviewed", "value": "CONTRACT_PARTIAL", "next": "ch5_check" }, { "id": "ch4_020_c", "label": "Not reviewed yet", "value": "CONTRACT_NOT_REVIEWED", "next": "ch5_check" } ], "warning": [ "Art. 13(8): Chapter IV does not apply to terms defining the main subject matter of the contract or to the adequacy of the price, as against the data supplied in exchange.", "Art. 13(9): Parties cannot contractually exclude or derogate from Chapter IV." ], "cross_ref": [ { "regulation": "Data Act", "articles": "Art. 41", "relevance": "Commission model contractual terms for B2B data sharing — use as a reference for fair terms" } ] }, "ch5_check": { "id": "ch5_check", "stage": "S5_SCOPE_CH5", "type": "router", "text": "Checking Chapter V applicability...", "help": "Chapter V on public sector access applies to entities that may receive B2G data requests.", "routing_rules": [ { "if_role": "PUBLIC_SECTOR", "goto": "ch5_010" }, { "if_role": "DATA_HOLDER", "goto": "ch5_010" }, { "if_role": "MANUFACTURER", "goto": "ch5_010" } ], "fallback_next": "ch6_check" }, "ch5_010": { "id": "ch5_010", "stage": "S5_SCOPE_CH5", "type": "question", "text": "Could your entity be subject to data requests from public sector bodies under exceptional need?", "help": "Chapter V allows public sector bodies, the Commission, the ECB, or Union bodies to request data from private entities when there is an 'exceptional need' — typically during public emergencies (pandemics, natural disasters) or when data is essential for a specific public interest task. Microenterprises and small enterprises are exempt from non-emergency requests only.", "legal_ref": "Art. 14-15", "edge_case": "If your entity is a microenterprise or small enterprise, you are exempt from non-emergency data requests (Art. 15(1)(b)), but you must still respond to public emergency requests under Art. 15(1)(a).", "example": [ { "label": "Priority principle", "text": "Public sector bodies must first try to obtain the data through market purchases or existing legal obligations before making an exceptional need request.", "source": "Art. 14(2)" } ], "options": [ { "id": "ch5_010_a", "label": "Yes, we hold data that could be requested in emergencies", "value": "B2G_YES", "next": "ch5_020" }, { "id": "ch5_010_b", "label": "Possibly, but we're a micro/small enterprise", "description": "Micro/small enterprises are exempt from non-emergency B2G requests (Art. 15(1)(b)) but remain subject to public emergency data requests under Art. 15(1)(a). You will now be assessed for emergency obligations only.", "value": "B2G_EXEMPT", "next": "ch5_020" }, { "id": "ch5_010_c", "label": "No, unlikely to receive such requests", "value": "B2G_NO", "next": "ch6_check" } ], "warning": [ "Micro/small enterprises are still subject to public emergency data requests under Art. 15(1)(a). The exemption only covers non-emergency requests." ] }, "ch5_020": { "id": "ch5_020", "stage": "S5_SCOPE_CH5", "type": "question", "text": "Do you have procedures in place to respond to public sector data requests under exceptional need?", "help": "When a public sector body makes a data request, you must comply within 5 working days (emergency) or 30 working days (non-emergency). The request must specify the data needed, demonstrate exceptional need, explain the purpose, and set a deadline. You can request modification or rejection of the request, but only on specific grounds (Art. 18).", "legal_ref": "Art. 17-18", "options": [ { "id": "ch5_020_a", "label": "Yes, we have response procedures", "value": "B2G_READY", "next": "ch6_check" }, { "id": "ch5_020_b", "label": "No, we don't have procedures yet", "value": "B2G_NOT_READY", "next": "ch6_check" } ] }, "ch6_check": { "id": "ch6_check", "stage": "S6_SCOPE_CH6", "type": "router", "text": "Checking Chapter VI applicability...", "help": "Chapter VI on cloud switching applies to data processing service providers.", "routing_rules": [ { "if_role": "CLOUD_PROVIDER", "goto": "ch6_010" } ], "fallback_next": "ch7_check" }, "ch6_010": { "id": "ch6_010", "stage": "S6_SCOPE_CH6", "type": "question", "text": "What type of data processing services does your entity provide?", "help": "Chapter VI applies to providers of 'data processing services' — digital services enabling on-demand access to a shared pool of configurable computing resources. This includes: IaaS (Infrastructure as a Service), PaaS (Platform as a Service), SaaS (Software as a Service), and other cloud computing models, including edge computing nodes.", "legal_ref": "Art. 2(8), Art. 23", "options": [ { "id": "ch6_010_a", "label": "IaaS (Infrastructure as a Service)", "value": "CLOUD_IAAS", "next": "ch6_020" }, { "id": "ch6_010_b", "label": "PaaS (Platform as a Service)", "value": "CLOUD_PAAS", "next": "ch6_020" }, { "id": "ch6_010_c", "label": "SaaS (Software as a Service)", "value": "CLOUD_SAAS", "next": "ch6_020" }, { "id": "ch6_010_d", "label": "Multiple types (IaaS + PaaS + SaaS)", "value": "CLOUD_MULTI", "next": "ch6_020" }, { "id": "ch6_010_e", "label": "Edge computing services", "value": "CLOUD_EDGE", "next": "ch6_020" }, { "id": "ch6_010_f", "label": "Custom-built / bespoke services only", "value": "CLOUD_CUSTOM", "next": "ch6_025" }, { "id": "ch6_010_g", "label": "We don't provide data processing services", "value": "CLOUD_NONE", "next": "ch7_check" } ] }, "ch6_025": { "id": "ch6_025", "stage": "S6_SCOPE_CH6", "type": "question", "text": "Are your data processing services exclusively custom-built for individual customers, not offered at broad commercial scale?", "help": "Article 31 provides partial exemptions for custom-built services. If all components were developed for an individual customer and the service is not offered at broad commercial scale, certain switching obligations (functional equivalence, gradual charge withdrawal) do not apply. However, basic portability obligations still apply.", "legal_ref": "Art. 31", "edge_case": "Custom-built services are exempt from Art. 23(d) (functional equivalence), Art. 29 (switching charges), and Art. 30(1)/(3) (functional equivalence tools and standards compliance). Testing/beta versions are fully exempt (Art. 31(2)). Provider must inform customer which obligations don't apply (Art. 31(3)).", "options": [ { "id": "ch6_025_a", "label": "Yes, exclusively custom-built (not commercially scaled)", "value": "CUSTOM_YES", "next": "ch6_040" }, { "id": "ch6_025_b", "label": "No, we also offer standardized services", "value": "CUSTOM_NO", "next": "ch6_020" } ] }, "ch6_020": { "id": "ch6_020", "stage": "S6_SCOPE_CH6", "type": "question", "text": "Do your service contracts allow customers to switch to another provider or port their data?", "help": "Article 23 requires providers to remove all obstacles to effective switching. This includes: enabling contract termination after a maximum 2-month notice period, allowing data portability for all exportable data, maintaining functional equivalence, and providing at least 30 days post-termination for data retrieval.", "legal_ref": "Art. 23, Art. 25", "options": [ { "id": "ch6_020_a", "label": "Yes, switching and portability are fully supported", "value": "SWITCH_YES", "next": "ch6_030" }, { "id": "ch6_020_b", "label": "Partially — some support but gaps exist", "value": "SWITCH_PARTIAL", "next": "ch6_030" }, { "id": "ch6_020_c", "label": "No, switching is difficult or not supported", "value": "SWITCH_NO", "next": "ch6_030" } ] }, "ch6_030": { "id": "ch6_030", "stage": "S6_SCOPE_CH6", "type": "question", "text": "Do you charge fees for customers who switch to another provider?", "help": "The Data Act phases out switching charges: until 12 January 2027, only direct costs may be charged (reduced switching charges). From 12 January 2027 onward, switching charges must be zero. Standard service fees during the notice period are still allowed, but no penalty fees for early termination related to switching.", "legal_ref": "Art. 29", "warning": [ "Multi-cloud egress charges remain allowed even after the zero switching charge deadline of 12 January 2027 (Art. 34(2)). Only switching-specific charges must be eliminated." ], "options": [ { "id": "ch6_030_a", "label": "No switching charges", "value": "CHARGES_ZERO", "next": "ch6_040" }, { "id": "ch6_030_b", "label": "Reduced charges (direct costs only)", "value": "CHARGES_REDUCED", "next": "ch6_040" }, { "id": "ch6_030_c", "label": "Full switching charges still in place", "value": "CHARGES_FULL", "next": "ch6_040" } ] }, "ch6_040": { "id": "ch6_040", "stage": "S6_SCOPE_CH6", "type": "question", "text": "Do you publicly disclose the jurisdiction of your ICT infrastructure and the measures you take to prevent unlawful third-country governmental access?", "help": "Article 28 requires data processing service providers to disclose on their website and in contracts: (1) the jurisdictions where ICT infrastructure is located, (2) technical, organizational, and legal measures to prevent unlawful third-country governmental access. This is a transparency/disclosure obligation. The substantive safeguard requirements are in Art. 32 (Chapter VII).", "legal_ref": "Art. 28", "options": [ { "id": "ch6_040_a", "label": "Yes, fully disclosed in contracts and online", "value": "INTL_DISCLOSED", "next": "ch7_check" }, { "id": "ch6_040_b", "label": "Partially disclosed", "value": "INTL_PARTIAL", "next": "ch7_check" }, { "id": "ch6_040_c", "label": "Not disclosed", "value": "INTL_NOT_DISCLOSED", "next": "ch7_check" } ] }, "ch7_check": { "id": "ch7_check", "stage": "S7_SCOPE_CH7", "type": "router", "text": "Checking Chapter VII applicability...", "help": "Chapter VII on international data safeguards applies to data processing service providers.", "routing_rules": [ { "if_role": "CLOUD_PROVIDER", "goto": "ch7_010" } ], "fallback_next": "ch8_check" }, "ch7_010": { "id": "ch7_010", "stage": "S7_SCOPE_CH7", "type": "question", "text": "Does your entity provide data processing services that handle non-personal data?", "help": "Article 32 applies to ALL data processing service providers that handle non-personal data, not just those storing data outside the EU. Providers must take adequate measures to prevent unlawful third-country governmental access to non-personal data held in the EU. Third-country government requests for data can only be complied with if based on international agreements (MLAT) or if specific conditions are met.", "legal_ref": "Art. 32", "warning": [ "Art. 32 does NOT create data localisation requirements. It imposes safeguards against unlawful access, regardless of where data is stored.", "This applies to ALL data processing service providers handling non-personal data, not only those with infrastructure outside the EU." ], "options": [ { "id": "ch7_010_a", "label": "Yes, we handle non-personal data as a data processing service provider", "value": "INTL_YES", "next": "ch7_015" }, { "id": "ch7_010_b", "label": "No, we don't handle non-personal data", "value": "INTL_NO", "next": "ch8_check" } ] }, "ch7_015": { "id": "ch7_015", "stage": "S7_SCOPE_CH7", "type": "question", "text": "Do you store or process non-personal data in jurisdictions outside the EU/EEA?", "help": "While Art. 32 applies regardless of data location, storing data outside the EU/EEA increases the risk of third-country governmental access requests and may require additional safeguards.", "legal_ref": "Art. 32", "options": [ { "id": "ch7_015_a", "label": "Yes, we store/process data outside the EU/EEA", "value": "DATA_OUTSIDE_EU", "next": "ch7_020" }, { "id": "ch7_015_b", "label": "No, all data stays within EU/EEA", "value": "DATA_INSIDE_EU", "next": "ch7_020" } ] }, "ch7_020": { "id": "ch7_020", "stage": "S7_SCOPE_CH7", "type": "question", "text": "Have you received, or do you anticipate, requests from third-country governments to access non-personal data stored in the EU?", "help": "You may only comply with third-country government requests if they are based on an international agreement (MLAT, bilateral treaty) per Art. 32(2). In absence of such agreement, you may comply only if ALL three conditions of Art. 32(3) are met: (a) the third-country legal system requires reasoned, proportionate decisions, (b) the addressee's objection is subject to court review, (c) the reviewing court is empowered to consider EU legal interests. You may also consult national bodies on trade secrets and national security. You must inform the customer before compliance (unless prohibited by law enforcement).", "legal_ref": "Art. 32(1-3)", "options": [ { "id": "ch7_020_a", "label": "Yes, we have received such requests", "value": "GOV_REQUEST_YES", "next": "ch8_check" }, { "id": "ch7_020_b", "label": "Not yet, but we may in the future", "value": "GOV_REQUEST_POSSIBLE", "next": "ch8_check" }, { "id": "ch7_020_c", "label": "No, and unlikely", "value": "GOV_REQUEST_NO", "next": "ch8_check" } ] }, "ch8_check": { "id": "ch8_check", "stage": "S8_SCOPE_CH8", "type": "router", "text": "Checking Chapter VIII applicability...", "help": "Chapter VIII on interoperability applies to data space participants and smart contract providers.", "routing_rules": [ { "if_role": "CLOUD_PROVIDER", "goto": "ch8_010" }, { "if_role": "SMART_CONTRACT", "goto": "ch8_010" }, { "if_role": "DATA_HOLDER", "goto": "ch8_010" }, { "if_role": "DATA_RECIPIENT", "goto": "ch8_010" } ], "fallback_next": "gap_router" }, "ch8_010": { "id": "ch8_010", "stage": "S8_SCOPE_CH8", "type": "question", "text": "Does your entity participate in or plan to participate in European data spaces?", "help": "Chapter VIII establishes essential requirements for interoperability that participants in data spaces must comply with. These cover dataset descriptions, data structure documentation, API specifications, and means for automated data exchange.", "legal_ref": "Art. 33", "options": [ { "id": "ch8_010_a", "label": "Yes, we participate in data spaces", "value": "DS_YES", "next": "ch8_020" }, { "id": "ch8_010_b", "label": "We plan to in the future", "value": "DS_PLANNED", "next": "ch8_020" }, { "id": "ch8_010_c", "label": "No", "value": "DS_NO", "next": "ch8_020" } ] }, "ch8_020": { "id": "ch8_020", "stage": "S8_SCOPE_CH8", "type": "question", "text": "Does your entity use or provide smart contracts for executing data sharing agreements?", "help": "Article 36 sets essential requirements for smart contracts used in data sharing: safe termination/interruption mechanisms, archiving of transaction data, access control and robustness, continuity assurance, and reset/rollback capabilities.", "legal_ref": "Art. 36", "options": [ { "id": "ch8_020_a", "label": "Yes, we use/provide smart contracts for data sharing", "value": "SC_YES", "next": "gap_router" }, { "id": "ch8_020_b", "label": "No", "value": "SC_NO", "next": "gap_router" } ] }, "gap_router": { "id": "gap_router", "stage": "S9_GAP", "type": "router", "text": "Routing to gap assessment based on applicable chapters...", "help": "The gap assessment presents obligation checklists for each applicable chapter. Mark each obligation as Done, Partial, Not Done, or N/A.", "gap_order": [ "gap_ch2_design", "gap_ch2_transparency", "gap_ch2_transparency_rs", "gap_ch2_access", "gap_ch2_thirdparty", "gap_ch2_data_recipient", "gap_ch2_tradesecret", "gap_ch3", "gap_ch4", "gap_ch5_emergency", "gap_ch5", "gap_ch5_public", "gap_ch6", "gap_ch7", "gap_ch8_interop", "gap_ch8_smart" ], "fallback_next": "gap_ch2_design" }, "gap_ch2_design": { "id": "gap_ch2_design", "stage": "S9_GAP", "type": "gap_group", "title": "Chapter II — Design Obligations (Manufacturers)", "applies_if": { "roles": [ "MANUFACTURER" ], "condition": "Products placed on market after 12 Sep 2026", "size_not": [ "MICRO", "SMALL" ] }, "items": [ { "id": "gap_ch2_001", "obligation": "Connected products designed to make data accessible by default", "article": "Art. 3(1)", "deadline": "12 Sep 2026 (new products)", "category": "design" }, { "id": "gap_ch2_002", "obligation": "Data accessible in structured, commonly used, machine-readable format", "article": "Art. 3(1)", "deadline": "12 Sep 2026", "category": "design" }, { "id": "gap_ch2_003", "obligation": "Data accessible securely and free of charge", "article": "Art. 3(1)", "deadline": "12 Sep 2026", "category": "design" }, { "id": "gap_ch2_004", "obligation": "Continuous and real-time access where technically feasible", "article": "Art. 3(1)", "deadline": "12 Sep 2026", "category": "design" }, { "id": "gap_ch2_005", "obligation": "No dark patterns or non-neutral choice architecture in data access interfaces", "article": "Art. 4(4)", "deadline": "12 Sep 2025", "category": "design" }, { "id": "gap_ch2_006", "obligation": "Minimisation of user identification requirements and log data collected for access", "article": "Art. 4(5)", "deadline": "12 Sep 2025", "category": "design" } ], "next": "gap_ch2_transparency" }, "gap_ch2_transparency": { "id": "gap_ch2_transparency", "stage": "S9_GAP", "type": "gap_group", "title": "Chapter II — Pre-Contractual Transparency (Sellers/Manufacturers)", "applies_if": { "roles": [ "MANUFACTURER" ], "condition": "Entity manufactures, sells, rents, or leases connected products", "answers": { "ch2_010": [ "CP_MANUFACTURER", "CP_SELLER" ] }, "size_not": [ "MICRO", "SMALL" ] }, "items": [ { "id": "gap_ch2_007", "obligation": "Provide info on type, format, and estimated volume of data before sale", "article": "Art. 3(2)(a)", "deadline": "12 Sep 2025", "category": "transparency" }, { "id": "gap_ch2_008", "obligation": "Inform whether product generates data continuously and in real-time", "article": "Art. 3(2)(b)", "deadline": "12 Sep 2025", "category": "transparency" }, { "id": "gap_ch2_009", "obligation": "Inform on data storage (on-device or remote) and retention duration", "article": "Art. 3(2)(c)", "deadline": "12 Sep 2025", "category": "transparency" }, { "id": "gap_ch2_010", "obligation": "Explain how user can access, retrieve, or erase data", "article": "Art. 3(2)(d)", "deadline": "12 Sep 2025", "category": "transparency" } ], "next": "gap_ch2_transparency_rs" }, "gap_ch2_transparency_rs": { "id": "gap_ch2_transparency_rs", "stage": "S9_GAP", "type": "gap_group", "title": "Chapter II — Pre-Contractual Transparency (Related Service Providers)", "applies_if": { "roles": [ "RELATED_SERVICE_PROVIDER" ], "condition": "Entity provides related services for connected products", "size_not": [ "MICRO", "SMALL" ] }, "items": [ { "id": "gap_ch2_011", "obligation": "Inform on nature, volume, and frequency of product data collected", "article": "Art. 3(3)(a)", "deadline": "12 Sep 2025", "category": "transparency" }, { "id": "gap_ch2_012", "obligation": "Inform on related service data generated and access arrangements", "article": "Art. 3(3)(b)", "deadline": "12 Sep 2025", "category": "transparency" }, { "id": "gap_ch2_013", "obligation": "Disclose whether data holder will use readily available data and purposes", "article": "Art. 3(3)(c)", "deadline": "12 Sep 2025", "category": "transparency" }, { "id": "gap_ch2_014", "obligation": "Provide data holder identity and contact information", "article": "Art. 3(3)(d-e)", "deadline": "12 Sep 2025", "category": "transparency" }, { "id": "gap_ch2_015", "obligation": "Explain how user can request data sharing with third parties", "article": "Art. 3(3)(f)", "deadline": "12 Sep 2025", "category": "transparency" }, { "id": "gap_ch2_016", "obligation": "Inform user of right to complain to competent authority", "article": "Art. 3(3)(g)", "deadline": "12 Sep 2025", "category": "transparency" }, { "id": "gap_ch2_017", "obligation": "Identify trade secret holder if different from data holder", "article": "Art. 3(3)(h)", "deadline": "12 Sep 2025", "category": "transparency" }, { "id": "gap_ch2_018", "obligation": "State contract duration and termination arrangements", "article": "Art. 3(3)(i)", "deadline": "12 Sep 2025", "category": "transparency" } ], "next": "gap_ch2_access" }, "gap_ch2_access": { "id": "gap_ch2_access", "stage": "S9_GAP", "type": "gap_group", "title": "Chapter II — Data Access Obligations (Data Holders)", "applies_if": { "roles": [ "DATA_HOLDER" ], "condition": "Entity is a data holder" }, "items": [ { "id": "gap_ch2_019", "obligation": "Make readily available data accessible to user without undue delay", "article": "Art. 4(1)", "deadline": "12 Sep 2025", "category": "data_access" }, { "id": "gap_ch2_020", "obligation": "Same quality as available to data holder", "article": "Art. 4(1)", "deadline": "12 Sep 2025", "category": "data_access" }, { "id": "gap_ch2_021", "obligation": "Free of charge to user", "article": "Art. 4(1)", "deadline": "12 Sep 2025", "category": "data_access" }, { "id": "gap_ch2_022", "obligation": "Comprehensive, structured, commonly used, machine-readable format", "article": "Art. 4(1)", "deadline": "12 Sep 2025", "category": "data_access" }, { "id": "gap_ch2_023", "obligation": "Continuously and in real-time where technically feasible", "article": "Art. 4(1)", "deadline": "12 Sep 2025", "category": "data_access" }, { "id": "gap_ch2_024", "obligation": "Simple electronic request mechanism", "article": "Art. 4(1)", "deadline": "12 Sep 2025", "category": "data_access" }, { "id": "gap_ch2_025", "obligation": "Do not use data to undermine user's competitive position", "article": "Art. 4(13)", "deadline": "12 Sep 2025", "category": "data_access" }, { "id": "gap_ch2_026", "obligation": "Do not use data to derive insights about user's economic situation", "article": "Art. 4(13)", "deadline": "12 Sep 2025", "category": "data_access" }, { "id": "gap_ch2_027", "obligation": "GDPR legal basis required when user is not the data subject", "article": "Art. 4(12)", "deadline": "12 Sep 2025", "category": "data_access" }, { "id": "gap_ch2_028", "obligation": "Do not make non-personal product data available to third parties beyond contract scope", "article": "Art. 4(14)", "deadline": "12 Sep 2025", "category": "data_access" }, { "id": "gap_ch2_029", "obligation": "User rights under Chapter II cannot be contractually waived", "article": "Art. 7(2)", "deadline": "12 Sep 2025", "category": "data_access" }, { "id": "gap_ch2_029b", "obligation": "Procedures for security-based data sharing restrictions with competent authority notification", "article": "Art. 4(2)", "deadline": "12 Sep 2025", "category": "data_access" }, { "id": "gap_ch2_028b", "obligation": "Contractually bind third parties not to further share data received from you, where relevant", "article": "Art. 4(14)", "deadline": "12 Sep 2025", "category": "data_access" }, { "id": "gap_ch2_029c", "obligation": "Establish procedures to handle user disputes (complaint handling, dispute settlement body referral)", "article": "Art. 4(3), Art. 4(9)", "deadline": "12 Sep 2025", "category": "data_access" } ], "next": "gap_ch2_thirdparty" }, "gap_ch2_thirdparty": { "id": "gap_ch2_thirdparty", "stage": "S9_GAP", "type": "gap_group", "title": "Chapter II — Third-Party Sharing (Data Holders)", "applies_if": { "roles": [ "DATA_HOLDER" ], "condition": "Entity is a data holder and third-party sharing applies" }, "items": [ { "id": "gap_ch2_030", "obligation": "Share data with user-designated third parties without undue delay", "article": "Art. 5(1)", "deadline": "12 Sep 2025", "category": "third_party_sharing" }, { "id": "gap_ch2_031", "obligation": "Same quality, format, and conditions as to user", "article": "Art. 5(1)", "deadline": "12 Sep 2025", "category": "third_party_sharing" }, { "id": "gap_ch2_032", "obligation": "Verify third party is not a DMA-designated gatekeeper before sharing", "article": "Art. 5(3)", "deadline": "12 Sep 2025", "category": "third_party_sharing" }, { "id": "gap_ch2_033", "obligation": "Reasonable compensation from third party (FRAND, cost-based for SMEs)", "article": "Art. 9", "deadline": "12 Sep 2025", "category": "third_party_sharing" }, { "id": "gap_ch2_034", "obligation": "Minimisation of third-party identification requirements", "article": "Art. 5(4)", "deadline": "12 Sep 2025", "category": "third_party_sharing" }, { "id": "gap_ch2_034b", "obligation": "Do not use shared data to derive insights about third party's economic situation", "article": "Art. 5(6)", "deadline": "12 Sep 2025", "category": "third_party_sharing" }, { "id": "gap_ch2_034c", "obligation": "GDPR legal basis required when sharing personal data with third parties and user is not the data subject", "article": "Art. 5(7)", "deadline": "12 Sep 2025", "category": "third_party_sharing" } ], "next": "gap_ch2_data_recipient" }, "gap_ch2_data_recipient": { "id": "gap_ch2_data_recipient", "stage": "S9_GAP", "type": "gap_group", "title": "Chapter II — Data Recipient Obligations", "applies_if": { "roles": [ "DATA_RECIPIENT" ], "condition": "Entity receives data from data holders" }, "items": [ { "id": "gap_ch2_035", "obligation": "Process data only for the purposes agreed with the user", "article": "Art. 6(1)", "deadline": "12 Sep 2025", "category": "data_recipient" }, { "id": "gap_ch2_036", "obligation": "Erase data when no longer needed for the agreed purpose", "article": "Art. 6(1)", "deadline": "12 Sep 2025", "category": "data_recipient" }, { "id": "gap_ch2_036b", "obligation": "Do not make the exercise of user choices unduly difficult (no dark patterns, coercion, deception, or manipulation)", "article": "Art. 6(2)(a)", "deadline": "12 Sep 2025", "category": "data_recipient" }, { "id": "gap_ch2_037", "obligation": "Do not use data to develop a competing connected product", "article": "Art. 6(2)(e)", "deadline": "12 Sep 2025", "category": "data_recipient" }, { "id": "gap_ch2_038", "obligation": "Do not make data available to another third party unless on the basis of a contract with the user, with trade secret confidentiality preserved", "article": "Art. 6(2)(c)", "deadline": "12 Sep 2025", "category": "data_recipient" }, { "id": "gap_ch2_039", "obligation": "Do not use data to derive insights about data holder's economic situation, assets, or production methods", "article": "Art. 6(2)(e), second sentence", "deadline": "12 Sep 2025", "category": "data_recipient" }, { "id": "gap_ch2_040", "obligation": "Do not use data for profiling unless necessary to provide the service requested by the user", "article": "Art. 6(2)(b)", "deadline": "12 Sep 2025", "category": "data_recipient" }, { "id": "gap_ch2_041", "obligation": "Do not make received data available to a DMA-designated gatekeeper", "article": "Art. 6(2)(d)", "deadline": "12 Sep 2025", "category": "data_recipient" }, { "id": "gap_ch2_042", "obligation": "Do not use data in a manner that adversely impacts the security of the connected product or related service", "article": "Art. 6(2)(f)", "deadline": "12 Sep 2025", "category": "data_recipient" }, { "id": "gap_ch2_043", "obligation": "Do not disregard specific technical/organizational measures agreed with data holder", "article": "Art. 6(2)(g)", "deadline": "12 Sep 2025", "category": "data_recipient" }, { "id": "gap_ch2_044", "obligation": "Do not impede user's right to provide data to other third parties", "article": "Art. 6(2)(h)", "deadline": "12 Sep 2025", "category": "data_recipient" } ], "next": "gap_ch2_tradesecret" }, "gap_ch2_tradesecret": { "id": "gap_ch2_tradesecret", "stage": "S9_GAP", "type": "gap_group", "title": "Chapter II — Trade Secret Protection", "applies_if": { "answers": { "ch2_060": [ "TS_YES", "TS_UNSURE" ] }, "condition": "Trade secrets are involved" }, "items": [ { "id": "gap_ch2_045", "obligation": "Identify data protected as trade secrets in metadata", "article": "Art. 4(6)", "deadline": "12 Sep 2025", "category": "trade_secrets" }, { "id": "gap_ch2_046", "obligation": "Agree proportionate technical/organizational measures before disclosure", "article": "Art. 4(6)", "deadline": "12 Sep 2025", "category": "trade_secrets" }, { "id": "gap_ch2_047b", "obligation": "Procedures for withholding/suspending/refusing trade secret data to users with competent authority notification", "article": "Art. 4(7-8)", "deadline": "12 Sep 2025", "category": "trade_secrets" }, { "id": "gap_ch2_047", "obligation": "Confidentiality agreements with data recipients", "article": "Art. 4(6)", "deadline": "12 Sep 2025", "category": "trade_secrets" }, { "id": "gap_ch2_048", "obligation": "Identify trade secrets and agree measures with third party before disclosure (third-party sharing context)", "article": "Art. 5(9)", "deadline": "12 Sep 2025", "category": "trade_secrets" }, { "id": "gap_ch2_049", "obligation": "Procedures for withholding/suspending/refusing trade secret data to third parties with competent authority notification", "article": "Art. 5(10-11)", "deadline": "12 Sep 2025", "category": "trade_secrets" } ], "next": "gap_ch3" }, "gap_ch3": { "id": "gap_ch3", "stage": "S9_GAP", "type": "gap_group", "title": "Chapter III — Statutory Data Sharing", "applies_if": { "answers": { "ch3_010": [ "STATUTORY_YES", "STATUTORY_UNSURE" ] }, "condition": "Entity has legal obligations to share data under other EU/national law" }, "items": [ { "id": "gap_ch3_001", "obligation": "Make data available under FRAND conditions", "article": "Art. 8(1)", "deadline": "12 Sep 2025", "category": "statutory_sharing" }, { "id": "gap_ch3_002", "obligation": "Non-discrimination between comparable data recipient categories", "article": "Art. 8(3)", "deadline": "12 Sep 2025", "category": "statutory_sharing" }, { "id": "gap_ch3_003", "obligation": "No exclusive data access agreements without user request", "article": "Art. 8(4)", "deadline": "12 Sep 2025", "category": "statutory_sharing" }, { "id": "gap_ch3_004", "obligation": "Fair, transparent compensation terms", "article": "Art. 9", "deadline": "12 Sep 2025", "category": "statutory_sharing" }, { "id": "gap_ch3_005", "obligation": "Compensation does not exceed costs for SME recipients", "article": "Art. 9(4)", "deadline": "12 Sep 2025", "category": "statutory_sharing" }, { "id": "gap_ch3_006", "obligation": "SME discount includes not-for-profit research organisations", "article": "Art. 9(4)", "deadline": "12 Sep 2025", "category": "statutory_sharing" }, { "id": "gap_ch3_007", "obligation": "Provide calculation basis for compensation upon request", "article": "Art. 9(7)", "deadline": "12 Sep 2025", "category": "statutory_sharing" }, { "id": "gap_ch3_008", "obligation": "Dispute settlement mechanism available", "article": "Art. 10", "deadline": "12 Sep 2025", "category": "statutory_sharing" }, { "id": "gap_ch3_009", "obligation": "Technical protection measures against unauthorized use must not discriminate or hinder user rights", "article": "Art. 11(1)", "deadline": "12 Sep 2025", "category": "statutory_sharing" }, { "id": "gap_ch3_010", "obligation": "Remedies framework for data misuse: erasure, cease production of derived goods", "article": "Art. 11(2-3)", "deadline": "12 Sep 2025", "category": "statutory_sharing" }, { "id": "gap_ch3_011", "obligation": "Ensure no contractual terms derogate from Chapter III to the detriment of either party", "article": "Art. 12(2)", "deadline": "12 Sep 2025", "category": "statutory_sharing" } ], "next": "gap_ch4" }, "gap_ch4": { "id": "gap_ch4", "stage": "S9_GAP", "type": "gap_group", "title": "Chapter IV — Unfair Contractual Terms", "applies_if": { "answers": { "ch4_010": [ "UNFAIR_IMPOSER", "UNFAIR_SUBJECT", "UNFAIR_BOTH" ] }, "condition": "Entity has B2B data sharing contracts" }, "items": [ { "id": "gap_ch4_000", "obligation": "Verify whether terms were unilaterally imposed (Art. 13(6)) — Chapter IV only applies to unilaterally imposed terms", "article": "Art. 13(6)", "deadline": "12 Sep 2025", "category": "unfair_terms" }, { "id": "gap_ch4_001", "obligation": "Review contracts for 'always unfair' terms (Art. 13(4))", "article": "Art. 13(4)", "deadline": "12 Sep 2025", "category": "unfair_terms" }, { "id": "gap_ch4_002", "obligation": "Review contracts for 'presumed unfair' terms (Art. 13(5))", "article": "Art. 13(5)", "deadline": "12 Sep 2025", "category": "unfair_terms" }, { "id": "gap_ch4_003", "obligation": "Ensure no exclusion of liability for intentional acts/gross negligence", "article": "Art. 13(4)(a)", "deadline": "12 Sep 2025", "category": "unfair_terms" }, { "id": "gap_ch4_004", "obligation": "Ensure no exclusion of remedies for non-performance", "article": "Art. 13(4)(b)", "deadline": "12 Sep 2025", "category": "unfair_terms" }, { "id": "gap_ch4_005", "obligation": "No exclusive right to interpret contract terms by one party", "article": "Art. 13(4)(c)", "deadline": "12 Sep 2025", "category": "unfair_terms" }, { "id": "gap_ch4_006", "obligation": "No inappropriately limiting liability of imposing party", "article": "Art. 13(5)(a)", "deadline": "12 Sep 2025", "category": "unfair_terms" }, { "id": "gap_ch4_007", "obligation": "No accessing/using other party's data in a way detrimental to them", "article": "Art. 13(5)(b)", "deadline": "12 Sep 2025", "category": "unfair_terms" }, { "id": "gap_ch4_008", "obligation": "No preventing data use/capture by the other party", "article": "Art. 13(5)(c)", "deadline": "12 Sep 2025", "category": "unfair_terms" }, { "id": "gap_ch4_009", "obligation": "No preventing reasonable contract termination", "article": "Art. 13(5)(d)", "deadline": "12 Sep 2025", "category": "unfair_terms" }, { "id": "gap_ch4_010", "obligation": "No preventing data copy after contract termination", "article": "Art. 13(5)(e)", "deadline": "12 Sep 2025", "category": "unfair_terms" }, { "id": "gap_ch4_011", "obligation": "No unreasonably short termination notice period", "article": "Art. 13(5)(f)", "deadline": "12 Sep 2025", "category": "unfair_terms" }, { "id": "gap_ch4_012", "obligation": "No unilateral price/condition changes without valid reason", "article": "Art. 13(5)(g)", "deadline": "12 Sep 2025", "category": "unfair_terms" }, { "id": "gap_ch4_013", "obligation": "Pre-existing contracts reviewed (if indefinite or 10+ years remaining)", "article": "Art. 50", "deadline": "12 Sep 2027", "category": "unfair_terms" } ], "next": "gap_ch5_emergency" }, "gap_ch5": { "id": "gap_ch5", "stage": "S9_GAP", "type": "gap_group", "title": "Chapter V — Non-Emergency B2G Obligations (Medium/Large Only)", "applies_if": { "answers": { "ch5_010": [ "B2G_YES" ] }, "size_not": [ "MICRO", "SMALL" ], "condition": "Entity may receive B2G data requests and is not a micro/small enterprise" }, "items": [ { "id": "gap_ch5_001", "obligation": "Procedures to handle emergency data requests (5 working days)", "article": "Art. 18(2)", "deadline": "12 Sep 2025", "category": "b2g_access" }, { "id": "gap_ch5_002", "obligation": "Procedures to handle non-emergency data requests (30 working days)", "article": "Art. 18(2)", "deadline": "12 Sep 2025", "category": "b2g_access" }, { "id": "gap_ch5_003", "obligation": "Ability to identify and extract requested data", "article": "Art. 18(1)", "deadline": "12 Sep 2025", "category": "b2g_access" }, { "id": "gap_ch5_004", "obligation": "Security and confidentiality measures for shared data", "article": "Art. 19(1)(b)", "deadline": "12 Sep 2025", "category": "b2g_access" }, { "id": "gap_ch5_005", "obligation": "Awareness of grounds for declining/modifying B2G requests and Art. 16 exclusions", "article": "Art. 18(2), Art. 16", "deadline": "12 Sep 2025", "category": "b2g_access" }, { "id": "gap_ch5_006", "obligation": "Anonymisation/pseudonymisation before sharing personal data with public bodies", "article": "Art. 18(4)", "deadline": "12 Sep 2025", "category": "b2g_access" }, { "id": "gap_ch5_007", "obligation": "Erasure obligation and notification after data use by public body", "article": "Art. 19(1)(c)", "deadline": "12 Sep 2025", "category": "b2g_access" }, { "id": "gap_ch5_008", "obligation": "Free-of-charge for public emergency data requests", "article": "Art. 20(1)", "deadline": "12 Sep 2025", "category": "b2g_access" }, { "id": "gap_ch5_009", "obligation": "Compensation structure for non-emergency B2G data requests", "article": "Art. 20(2)", "deadline": "12 Sep 2025", "category": "b2g_access" } ], "next": "gap_ch5_public" }, "gap_ch6": { "id": "gap_ch6", "stage": "S9_GAP", "type": "gap_group", "title": "Chapter VI — Cloud Switching & Portability", "applies_if": { "roles": [ "CLOUD_PROVIDER" ], "condition": "Entity is a data processing service provider" }, "items": [ { "id": "gap_ch6_001", "obligation": "Contracts include switching terms per Art. 25", "article": "Art. 25", "deadline": "12 Sep 2025", "category": "cloud_switching" }, { "id": "gap_ch6_002", "obligation": "Maximum 2-month notice period for termination", "article": "Art. 25(2)(d)", "deadline": "12 Sep 2025", "category": "cloud_switching" }, { "id": "gap_ch6_003", "obligation": "Maximum 30-day transitional period (extendable to 7 months)", "article": "Art. 25(2)(a)", "deadline": "12 Sep 2025", "category": "cloud_switching" }, { "id": "gap_ch6_003a", "obligation": "Reasonable assistance to customer during switching process", "article": "Art. 25(2)(a)(i)", "deadline": "12 Sep 2025", "category": "cloud_switching" }, { "id": "gap_ch6_003b", "obligation": "Business continuity — continue service provision during transitional period", "article": "Art. 25(2)(a)(ii)", "deadline": "12 Sep 2025", "category": "cloud_switching" }, { "id": "gap_ch6_003c", "obligation": "Provide clear information on known risks to service continuity during switching", "article": "Art. 25(2)(a)(iii)", "deadline": "12 Sep 2025", "category": "cloud_switching" }, { "id": "gap_ch6_003d", "obligation": "Maintain high level of security throughout the switching process", "article": "Art. 25(2)(a)(iv)", "deadline": "12 Sep 2025", "category": "cloud_switching" }, { "id": "gap_ch6_004", "obligation": "Minimum 30-day post-transition data retrieval period", "article": "Art. 25(2)(g)", "deadline": "12 Sep 2025", "category": "cloud_switching" }, { "id": "gap_ch6_005", "obligation": "Full data erasure guarantee after retrieval period", "article": "Art. 25(2)(h)", "deadline": "12 Sep 2025", "category": "cloud_switching" }, { "id": "gap_ch6_006", "obligation": "Exit strategy support documented in contracts", "article": "Art. 25(2)(b)", "deadline": "12 Sep 2025", "category": "cloud_switching" }, { "id": "gap_ch6_007", "obligation": "Specification of portable data categories in contracts", "article": "Art. 25(2)(e)", "deadline": "12 Sep 2025", "category": "cloud_switching" }, { "id": "gap_ch6_008", "obligation": "Specification of exempt data categories in contracts", "article": "Art. 25(2)(f)", "deadline": "12 Sep 2025", "category": "cloud_switching" }, { "id": "gap_ch6_009", "obligation": "Data portability for all exportable data", "article": "Art. 23(c)", "deadline": "12 Sep 2025", "category": "cloud_switching" }, { "id": "gap_ch6_010", "obligation": "Not obstructing new contracts with competitors", "article": "Art. 23(b)", "deadline": "12 Sep 2025", "category": "cloud_switching" }, { "id": "gap_ch6_011", "obligation": "Functional equivalence maintained after switching", "article": "Art. 23(d)", "deadline": "12 Sep 2025", "category": "cloud_switching" }, { "id": "gap_ch6_012", "obligation": "Unbundling capability (ability to switch individual service components)", "article": "Art. 23(e)", "deadline": "12 Sep 2025", "category": "cloud_switching" }, { "id": "gap_ch6_013", "obligation": "Online register of data structures, formats, interoperability specs", "article": "Art. 26(b)", "deadline": "12 Sep 2025", "category": "cloud_switching" }, { "id": "gap_ch6_014", "obligation": "Switching charges: reduced (direct costs only) until Jan 2027", "article": "Art. 29(2)", "deadline": "Until 12 Jan 2027", "category": "cloud_switching" }, { "id": "gap_ch6_015", "obligation": "Switching charges: zero from January 2027", "article": "Art. 29(1)", "deadline": "12 Jan 2027", "category": "cloud_switching" }, { "id": "gap_ch6_016", "obligation": "Pre-contractual disclosure of all fees (including switching/egress)", "article": "Art. 29(4)", "deadline": "12 Sep 2025", "category": "cloud_switching" }, { "id": "gap_ch6_017", "obligation": "Disclose ICT infrastructure jurisdiction", "article": "Art. 28(1)(a)", "deadline": "12 Sep 2025", "category": "cloud_switching" }, { "id": "gap_ch6_018", "obligation": "Describe measures against unlawful third-country access", "article": "Art. 28(1)(b)", "deadline": "12 Sep 2025", "category": "cloud_switching" }, { "id": "gap_ch6_019", "obligation": "Functional equivalence tools and documentation (IaaS providers)", "article": "Art. 30(1)", "deadline": "12 Sep 2025", "category": "cloud_switching" }, { "id": "gap_ch6_020", "obligation": "Open interfaces for non-IaaS services", "article": "Art. 30(2)", "deadline": "12 Sep 2025", "category": "cloud_switching" }, { "id": "gap_ch6_021", "obligation": "Fallback: export in machine-readable format if equivalence not feasible", "article": "Art. 30(5)", "deadline": "12 Sep 2025", "category": "cloud_switching" }, { "id": "gap_ch6_022", "obligation": "Contract includes clause on automatic termination upon switching completion or notice period end", "article": "Art. 25(2)(c)", "deadline": "12 Sep 2025", "category": "cloud_switching" }, { "id": "gap_ch6_023", "obligation": "Contract allows customer to notify choice: switch to other provider, switch to on-premises, or erase data", "article": "Art. 25(3)", "deadline": "12 Sep 2025", "category": "cloud_switching" }, { "id": "gap_ch6_024", "obligation": "Procedure to notify customer within 14 working days if 30-day transition is unfeasible (max 7-month alternative)", "article": "Art. 25(4)", "deadline": "12 Sep 2025", "category": "cloud_switching" }, { "id": "gap_ch6_025", "obligation": "Provide customer with information on switching procedures, methods, formats, and known technical limitations", "article": "Art. 26(a)", "deadline": "12 Sep 2025", "category": "cloud_switching" }, { "id": "gap_ch6_026", "obligation": "Cooperate in good faith with all parties during switching process", "article": "Art. 27", "deadline": "12 Sep 2025", "category": "cloud_switching" }, { "id": "gap_ch6_027", "obligation": "Website URLs for jurisdiction/safeguard disclosures listed in all service contracts", "article": "Art. 28(2)", "deadline": "12 Sep 2025", "category": "cloud_switching" }, { "id": "gap_ch6_028", "obligation": "Inform customers of services involving highly complex or costly switching", "article": "Art. 29(5)", "deadline": "12 Sep 2025", "category": "cloud_switching" }, { "id": "gap_ch6_029", "obligation": "Publicly available website section with switching charges and complexity information", "article": "Art. 29(6)", "deadline": "12 Sep 2025", "category": "cloud_switching" }, { "id": "gap_ch6_030", "obligation": "Ensure compatibility with common specifications/harmonised standards within 12 months of publication in EU standards repository", "article": "Art. 30(3)", "deadline": "12 Sep 2025", "category": "cloud_switching" }, { "id": "gap_ch6_031", "obligation": "Comply with applicable Chapter VI switching provisions for in-parallel/multi-cloud use scenarios; egress charges limited to incurred costs", "article": "Art. 34(1-2)", "deadline": "12 Sep 2025", "category": "cloud_switching" }, { "id": "gap_ch6_032", "obligation": "Allow customer to extend transitional period once for a period they consider appropriate", "article": "Art. 25(5)", "deadline": "12 Sep 2025", "category": "cloud_switching" }, { "id": "gap_ch6_033", "obligation": "Contract must include switching charges information per Art. 29", "article": "Art. 25(2)(i)", "deadline": "12 Sep 2025", "category": "cloud_switching" }, { "id": "gap_ch6_034", "obligation": "Update online register (Art. 26(b)) after complying with common specifications/harmonised standards", "article": "Art. 30(4)", "deadline": "12 Sep 2025", "category": "cloud_switching" } ], "next": "gap_ch7" }, "gap_ch7": { "id": "gap_ch7", "stage": "S9_GAP", "type": "gap_group", "title": "Chapter VII — International Data Safeguards", "applies_if": { "roles": [ "CLOUD_PROVIDER" ], "answers": { "ch7_010": [ "INTL_YES" ] }, "condition": "Entity is a data processing service provider handling non-personal data" }, "items": [ { "id": "gap_ch7_001", "obligation": "Technical/organizational measures against unlawful third-country access", "article": "Art. 32(1)", "deadline": "12 Sep 2025", "category": "international_safeguards" }, { "id": "gap_ch7_002a", "obligation": "Procedure to verify existence of applicable international agreements (MLAT, bilateral treaty) for government requests", "article": "Art. 32(2)", "deadline": "12 Sep 2025", "category": "international_safeguards" }, { "id": "gap_ch7_002b", "obligation": "Assessment of Art. 32(3) conditions when no international agreement exists: (a) reasoned/proportionate decision, (b) addressee's objection subject to court review, (c) court empowered to consider EU legal interests", "article": "Art. 32(3)", "deadline": "12 Sep 2025", "category": "international_safeguards" }, { "id": "gap_ch7_002c", "obligation": "Procedure for consulting national bodies on trade secrets and national security implications (Art. 32(3) second subparagraph)", "article": "Art. 32(3)", "deadline": "12 Sep 2025", "category": "international_safeguards" }, { "id": "gap_ch7_003", "obligation": "Customer notification before complying with third-country request", "article": "Art. 32(5)", "deadline": "12 Sep 2025", "category": "international_safeguards" }, { "id": "gap_ch7_004", "obligation": "Provide only minimum data necessary for the request", "article": "Art. 32(4)", "deadline": "12 Sep 2025", "category": "international_safeguards" } ], "next": "gap_ch8_interop" }, "gap_ch8_interop": { "id": "gap_ch8_interop", "stage": "S9_GAP", "type": "gap_group", "title": "Chapter VIII — Interoperability (Data Spaces)", "applies_if": { "answers": { "ch8_010": [ "DS_YES", "DS_PLANNED" ] }, "condition": "Entity participates in data spaces" }, "items": [ { "id": "gap_ch8_001", "obligation": "Dataset content descriptions in machine-readable format", "article": "Art. 33(1)(a)", "deadline": "12 Sep 2025", "category": "interoperability" }, { "id": "gap_ch8_002", "obligation": "Data structures publicly available and consistently described", "article": "Art. 33(1)(b)", "deadline": "12 Sep 2025", "category": "interoperability" }, { "id": "gap_ch8_003", "obligation": "API terms of use and technical specifications documented", "article": "Art. 33(1)(c)", "deadline": "12 Sep 2025", "category": "interoperability" }, { "id": "gap_ch8_004", "obligation": "Smart contract interoperability means described", "article": "Art. 33(1)(d)", "deadline": "12 Sep 2025", "category": "interoperability" }, { "id": "gap_ch8_013", "obligation": "Open interoperability specifications comply with Annex II of Regulation (EU) No 1025/2012", "article": "Art. 35(3)", "deadline": "12 Sep 2025", "category": "interoperability" }, { "id": "gap_ch8_014", "obligation": "Monitor and comply with harmonised standards/common specifications as published in EU standards repository (per Art. 30(3) compliance timeline)", "article": "Art. 35(1-2), Art. 30(3)", "deadline": "12 Sep 2025", "category": "interoperability" } ], "next": "gap_ch8_smart" }, "gap_ch8_smart": { "id": "gap_ch8_smart", "stage": "S9_GAP", "type": "gap_group", "title": "Chapter VIII — Smart Contract Requirements", "applies_if": { "answers": { "ch8_020": [ "SC_YES" ] }, "condition": "Entity uses or provides smart contracts for data sharing" }, "items": [ { "id": "gap_ch8_006", "obligation": "Smart contracts: robustness and access control to avoid functional errors and withstand manipulation", "article": "Art. 36(1)(a)", "deadline": "12 Sep 2025", "category": "smart_contracts" }, { "id": "gap_ch8_007", "obligation": "Smart contracts: safe termination/interruption mechanism", "article": "Art. 36(1)(b)", "deadline": "12 Sep 2025", "category": "smart_contracts" }, { "id": "gap_ch8_008", "obligation": "Smart contracts: transaction data archiving", "article": "Art. 36(1)(c)", "deadline": "12 Sep 2025", "category": "smart_contracts" }, { "id": "gap_ch8_009", "obligation": "Smart contracts: rigorous access control specifically at governance and smart contract layers", "article": "Art. 36(1)(d)", "deadline": "12 Sep 2025", "category": "smart_contracts" }, { "id": "gap_ch8_010", "obligation": "Smart contracts: consistency with data sharing agreement", "article": "Art. 36(1)(e)", "deadline": "12 Sep 2025", "category": "smart_contracts" }, { "id": "gap_ch8_011", "obligation": "Smart contracts: reset/rollback capabilities (part of safe termination)", "article": "Art. 36(1)(b)", "deadline": "12 Sep 2025", "category": "smart_contracts" }, { "id": "gap_ch8_012", "obligation": "Smart contracts: conformity assessment and EU declaration", "article": "Art. 36(2)", "deadline": "12 Sep 2025", "category": "smart_contracts" } ], "next": "r_combined_result" }, "r_out_jurisdiction": { "id": "r_out_jurisdiction", "stage": "S10_RESULT", "type": "result", "scope_status": "NOT_APPLICABLE", "title": "Out of Scope — No EU/EEA Connection", "summary": "Based on your answers, your entity does not appear to fall within the territorial scope of the Data Act. The Data Act applies to entities established in the EU/EEA, entities placing connected products or related services on the EU market, and data processing service providers offering services to EU customers.", "classification": "OUT_OF_SCOPE", "obligations": [], "deadlines": [], "sanctions": { "summary": "Not applicable — entity is outside the scope of the Data Act.", "max_fine": "N/A" }, "legal_ref": "Art. 1(3)", "notes": [ "If your entity's situation changes (e.g., you start offering products or services in the EU), reassess your obligations under the Data Act.", "Non-EU entities manufacturing connected products or providing cloud services to EU customers are within scope even without an EU establishment." ], "next_steps": [ { "label": "Re-assess if your EU market involvement changes", "url": null }, { "label": "Consult Asphalia for further guidance", "url": "mailto:info@asphaliaconsulting.be" } ] }, "r_consult_role": { "id": "r_consult_role", "stage": "S10_RESULT", "type": "result", "scope_status": "CONSULT_EXPERT", "title": "Expert Consultation Recommended — Role Unclear", "summary": "Your entity's role under the Data Act could not be clearly determined. The Data Act defines several roles (manufacturer, data holder, data processing service provider, etc.) with distinct obligations. A legal expert can help identify which role(s) apply to your specific situation.", "classification": "CONSULT_EXPERT", "obligations": [], "deadlines": [ { "date": "12 Sep 2025", "description": "Core Data Act obligations apply from this date" } ], "sanctions": { "summary": "Penalties depend on which chapters apply. For personal data aspects of Chapters II, III, and V, DPAs may impose fines up to GDPR Art. 83(5) levels (Art. 40(4)). For other aspects, penalties are set by Member States.", "max_fine": "Determined by national law; up to EUR 20M or 4% of turnover for personal data aspects (via DPAs)" }, "legal_ref": "Art. 2", "notes": [ "Cannot determine applicable chapters without clear role identification.", "Multiple roles may apply simultaneously, each triggering different chapters." ], "next_steps": [ { "label": "Contact Asphalia for a tailored Data Act role assessment", "url": "mailto:info@asphaliaconsulting.be" }, { "label": "Read the Data Act full text", "url": "https://eur-lex.europa.eu/eli/reg/2023/2854/oj" }, { "label": "Review the Data Act role definitions (Art. 2)", "url": "https://eur-lex.europa.eu/eli/reg/2023/2854/oj" } ] }, "r_combined_result": { "id": "r_combined_result", "stage": "S10_RESULT", "type": "result", "scope_status": "DYNAMIC", "title": "Data Act Compliance Assessment — Combined Results", "summary": "Your assessment is complete. Below is a summary of applicable chapters, obligations, compliance status, and implementation timeline based on your entity profile and gap assessment.", "classification": "DYNAMIC", "chapter_results": [ { "chapter": "CH2", "title": "Chapter II — IoT Data Access & Sharing", "articles": "Art. 3-7", "description": "Obligations for making data from connected products and related services accessible to users and third parties.", "status_depends_on": [ "p_020", "ch2_010", "ch2_015", "ch2_020", "ch2_030", "ch2_040", "ch2_050", "ch2_060", "ch2_070" ], "gap_groups": [ "gap_ch2_design", "gap_ch2_transparency", "gap_ch2_transparency_rs", "gap_ch2_access", "gap_ch2_thirdparty", "gap_ch2_data_recipient", "gap_ch2_tradesecret" ] }, { "chapter": "CH3", "title": "Chapter III — Statutory Data Sharing", "articles": "Art. 8-12", "description": "Conditions for data sharing mandated by other EU or national laws (FRAND terms, compensation, dispute resolution).", "status_depends_on": [ "ch3_010", "ch3_020" ], "gap_groups": [ "gap_ch3" ] }, { "chapter": "CH4", "title": "Chapter IV — Unfair Contractual Terms", "articles": "Art. 13", "description": "Protection against unfair B2B contractual terms relating to data access and use.", "status_depends_on": [ "ch4_010", "ch4_020" ], "gap_groups": [ "gap_ch4" ] }, { "chapter": "CH5", "title": "Chapter V — Public Sector Access (B2G)", "articles": "Art. 14-22", "description": "Obligations to make data available to public sector bodies in cases of exceptional need.", "status_depends_on": [ "ch5_010", "ch5_020", "p_030" ], "gap_groups": [ "gap_ch5_emergency", "gap_ch5", "gap_ch5_public" ] }, { "chapter": "CH6", "title": "Chapter VI — Cloud Switching & Portability", "articles": "Art. 23-31", "description": "Obligations for data processing service providers regarding switching, portability, and interoperability.", "status_depends_on": [ "ch6_010", "ch6_020", "ch6_025", "ch6_030", "ch6_040" ], "gap_groups": [ "gap_ch6" ] }, { "chapter": "CH7", "title": "Chapter VII — International Data Safeguards", "articles": "Art. 32", "description": "Safeguards against unlawful third-country governmental access to non-personal data.", "status_depends_on": [ "ch7_010", "ch7_015", "ch7_020" ], "gap_groups": [ "gap_ch7" ] }, { "chapter": "CH8", "title": "Chapter VIII — Interoperability", "articles": "Art. 33-36", "description": "Essential requirements for data space interoperability and smart contracts.", "status_depends_on": [ "ch8_010", "ch8_020" ], "gap_groups": [ "gap_ch8_interop", "gap_ch8_smart" ] } ], "obligations": [], "deadlines": [ { "date": "12 Sep 2025", "phase": "Phase 1", "description": "Core Data Act obligations apply (Art. 3-7, Art. 8-12, Art. 13, Art. 14-22, Art. 23-28, Art. 32-36)" }, { "date": "12 Sep 2026", "phase": "Phase 2", "description": "New product design obligations — connected products placed on market must comply with Art. 3(1) accessibility-by-design" }, { "date": "12 Jan 2027", "phase": "Phase 3", "description": "Zero switching charges — data processing service providers must eliminate all switching charges (Art. 29(1))" }, { "date": "12 Sep 2027", "phase": "Phase 4", "description": "Retroactive unfair terms review — pre-existing B2B contracts of indefinite duration or with 10+ years remaining must be reviewed (Art. 13(2))" } ], "sanctions": { "summary": "Member States establish penalty rules (Art. 40(1)). For personal data aspects of Chapters II, III, V, DPAs may impose GDPR-level fines (Art. 40(4)).", "max_fine": "Determined by national law; up to EUR 20M or 4% of turnover for personal data aspects (via DPAs)", "details": [ { "chapters": "Chapters II, III, V (personal data aspects)", "fine": "DPAs may impose fines up to EUR 20M or 4% of global annual turnover (GDPR Art. 83(5) level) within their scope of competence for personal data matters", "legal_ref": "Art. 40(4)" }, { "chapters": "All chapters (general)", "fine": "Set by Member States — must be effective, proportionate, and dissuasive. No specific ceiling in the regulation.", "legal_ref": "Art. 40(1)" }, { "chapters": "Chapter V (EU institutions)", "fine": "EDPS may impose fines per Regulation 2018/1725 Art. 66(3)", "legal_ref": "Art. 40(5)" } ], "mitigating_factors": [ "Nature, gravity, scale, duration of infringement", "Actions taken to mitigate/remedy damage", "Previous infringements", "Financial benefits gained / losses avoided", "Annual turnover" ], "enforcement_bodies": [ "Data protection authorities (DPAs) for personal data aspects", "Other competent authorities designated by Member States", "Data coordinators for cross-border cooperation" ] }, "legal_ref": "Regulation (EU) 2023/2854", "notes": [ "This assessment is for guidance only and does not constitute legal advice.", "The Data Act applies alongside sector-specific legislation — check Art. 44 for potential overlaps.", "For mixed datasets (personal + non-personal data), GDPR obligations apply simultaneously.", "Member State implementing measures may introduce additional requirements." ], "next_steps": [ { "label": "Read the Data Act full text", "url": "https://eur-lex.europa.eu/eli/reg/2023/2854/oj" }, { "label": "Review the Commission guidelines on vehicle data", "url": "https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=OJ:C_202505026" }, { "label": "Access model contractual terms for data sharing", "url": "https://digital-strategy.ec.europa.eu/en/policies/data-act" }, { "label": "Find your national data coordinator", "url": "https://digital-strategy.ec.europa.eu/en/policies/data-act" }, { "label": "Contact Asphalia for expert compliance support", "url": "mailto:info@asphaliaconsulting.be" }, { "label": "GDPR compliance assessment (for personal data)", "url": "https://ec.europa.eu/info/law/law-topic/data-protection_en" } ] }, "gap_ch5_emergency": { "id": "gap_ch5_emergency", "stage": "S9_GAP", "type": "gap_group", "title": "Chapter V — Emergency B2G Obligations (All Sizes)", "applies_if": { "answers": { "ch5_010": [ "B2G_YES", "B2G_EXEMPT" ] }, "condition": "Entity may receive B2G data requests (emergency obligations apply to all sizes)" }, "items": [ { "id": "gap_ch5_e001", "obligation": "Procedures to handle emergency data requests (5 working days)", "article": "Art. 18(2)", "deadline": "12 Sep 2025", "category": "b2g_access" }, { "id": "gap_ch5_e002", "obligation": "Ability to identify and extract requested data for emergencies", "article": "Art. 18(1)", "deadline": "12 Sep 2025", "category": "b2g_access" }, { "id": "gap_ch5_e003", "obligation": "Security and confidentiality measures for shared data", "article": "Art. 19(1)(b)", "deadline": "12 Sep 2025", "category": "b2g_access" }, { "id": "gap_ch5_e004", "obligation": "Free-of-charge for public emergency data requests (except micro/small who can claim compensation per Art. 20(3))", "article": "Art. 20(1), Art. 20(3)", "deadline": "12 Sep 2025", "category": "b2g_access" }, { "id": "gap_ch5_e005", "obligation": "Ability to verify request validity against Art. 17(1-2) requirements", "article": "Art. 17", "deadline": "12 Sep 2025", "category": "b2g_access" } ], "next": "gap_ch5" }, "gap_ch5_public": { "id": "gap_ch5_public", "stage": "S9_GAP", "type": "gap_group", "title": "Chapter V — Public Sector Body Obligations", "applies_if": { "roles": [ "PUBLIC_SECTOR" ], "condition": "Entity is a public sector body making B2G data requests" }, "items": [ { "id": "gap_ch5_p001", "obligation": "Requests must specify data needed, demonstrate exceptional need, explain purpose, and set deadline (Art. 17(1) requirements)", "article": "Art. 17(1)", "deadline": "12 Sep 2025", "category": "b2g_public" }, { "id": "gap_ch5_p002", "obligation": "Requests must be written, specific, proportionate, and prefer non-personal data where possible", "article": "Art. 17(2)", "deadline": "12 Sep 2025", "category": "b2g_public" }, { "id": "gap_ch5_p003", "obligation": "Do not use received data incompatibly with stated purpose", "article": "Art. 19(1)(a)", "deadline": "12 Sep 2025", "category": "b2g_public" }, { "id": "gap_ch5_p004", "obligation": "Implement technical/organizational measures for confidentiality, integrity, security of received data", "article": "Art. 19(1)(b)", "deadline": "12 Sep 2025", "category": "b2g_public" }, { "id": "gap_ch5_p005", "obligation": "Erase data when no longer needed and inform data holder", "article": "Art. 19(1)(c)", "deadline": "12 Sep 2025", "category": "b2g_public" }, { "id": "gap_ch5_p006", "obligation": "Do not use data to develop competing connected products or share for that purpose", "article": "Art. 19(2)", "deadline": "12 Sep 2025", "category": "b2g_public" }, { "id": "gap_ch5_p007", "obligation": "Trade secret disclosure only if strictly necessary, with proportionate protective measures", "article": "Art. 19(3)", "deadline": "12 Sep 2025", "category": "b2g_public" }, { "id": "gap_ch5_p008", "obligation": "Notify data holder before sharing data with research organizations/statistical bodies (Art. 21)", "article": "Art. 21(5)", "deadline": "12 Sep 2025", "category": "b2g_public" } ], "next": "gap_ch6" } }, "edge_cases_index": [ { "id": "EC_01", "scenario": "Products placed on market before 12 Sep 2026", "guidance": "Design obligations (Art. 3(1)) do not apply to products placed on the market before 12 September 2026, but data holder access obligations (Art. 4) still apply from 12 September 2025.", "legal_ref": "Art. 3(1), Art. 50", "affected_nodes": [ "ch2_015", "ch2_020" ] }, { "id": "EC_02", "scenario": "Mixed personal/non-personal datasets", "guidance": "Both GDPR and Data Act apply; GDPR prevails in case of conflict (Art. 1(5)). The Data Act does not provide a legal basis for processing personal data.", "legal_ref": "Art. 1(5), Recital 7", "affected_nodes": [ "p_050" ] }, { "id": "EC_03", "scenario": "Entity is both manufacturer and data processing service provider", "guidance": "Both Ch. II and Ch. VI apply — combined obligations. The entity must comply with design/access obligations AND switching/portability obligations.", "legal_ref": "Art. 2", "affected_nodes": [ "p_020", "router_roles" ] }, { "id": "EC_04", "scenario": "Gatekeeper under DMA", "guidance": "Cannot be eligible third party under Art. 5; cannot receive user data shared under Data Act. Gatekeepers designated under the Digital Markets Act are excluded from receiving data that users request data holders to share.", "legal_ref": "Art. 5(3), Art. 6(2)(d)", "affected_nodes": [ "ch2_050" ] }, { "id": "EC_05", "scenario": "Open-source smart contracts", "guidance": "Art. 36 requirements still apply; vendor of application deploying smart contract bears responsibility. The entity making the smart contract available for use bears responsibility for compliance.", "legal_ref": "Art. 36", "affected_nodes": [ "ch8_020" ] }, { "id": "EC_06", "scenario": "Data holder refuses sharing — trade secret claim", "guidance": "Must justify on case-by-case basis, notify competent authority (Art. 4(7-8)). Blanket trade secret claims are not acceptable.", "legal_ref": "Art. 4(7-8), Art. 11", "affected_nodes": [ "ch2_060" ] }, { "id": "EC_07", "scenario": "Sector-specific legislation pre-empts Data Act", "guidance": "Art. 44 — sector laws entering into force on or before 11 Jan 2024 prevail; later laws should align with Data Act requirements.", "legal_ref": "Art. 44", "affected_nodes": [ "ch2_health_010", "ch2_energy_010", "ch2_auto_010" ] }, { "id": "EC_08", "scenario": "Multiple users of same connected product", "guidance": "Each user has independent access rights (Art. 2(12)); product design should enable separate accounts. Data holders must handle multiple access requests independently.", "legal_ref": "Art. 2(12), Art. 4", "affected_nodes": [ "ch2_040", "ch2_050" ] }, { "id": "EC_09", "scenario": "Custom-built cloud service partially exempted", "guidance": "Art. 31 — exempt from functional equivalence and gradual charge withdrawal, but basic portability applies. Only services exclusively built for individual customers and not commercially scaled qualify.", "legal_ref": "Art. 31", "affected_nodes": [ "ch6_025" ] }, { "id": "EC_10", "scenario": "Non-EU entity serving EU market", "guidance": "Data Act obligations apply to products/services placed on EU market regardless of entity location. Non-EU manufacturers placing connected products on the EU market must comply with all applicable chapters.", "legal_ref": "Art. 1(3)", "affected_nodes": [ "p_010" ] }, { "id": "EC_11", "scenario": "Prototypes excluded from connected product definition", "guidance": "Prototypes are not considered connected products and are excluded from Data Act obligations. Only products placed on the market or put into service fall within scope.", "legal_ref": "Recital 14", "affected_nodes": [ "ch2_010" ] }, { "id": "EC_12", "scenario": "Content exclusion — creative vs. sensor data", "guidance": "Textual, audio, and audiovisual data resulting from a creative process (music, films, video games, source code) are excluded as 'content'. However, sensor imagery without creative purpose (e.g., collision cameras, parking sensors) is included as product data.", "legal_ref": "Recital 16", "affected_nodes": [ "ch2_auto_020", "ch2_010" ] }, { "id": "EC_13", "scenario": "Inferred/derived data from proprietary algorithms excluded", "guidance": "Data inferred or derived through proprietary algorithms (e.g., predictive maintenance scores, driver behaviour ratings) is excluded from readily available data. However, pre-processed data (aggregated, filtered sensor readings) that does not involve proprietary algorithmic transformation remains in scope.", "legal_ref": "Recital 15", "affected_nodes": [ "ch2_020", "ch2_auto_020" ] }, { "id": "EC_14", "scenario": "Data stored/processed on behalf of third parties excluded", "guidance": "Data that is stored or processed on behalf of third parties (e.g., by a cloud provider hosting another company's data) is excluded from the connected product data definition. The data holder obligations apply to the entity that controls the connected product, not the hosting provider.", "legal_ref": "Recital 16", "affected_nodes": [ "ch2_040" ] }, { "id": "EC_15", "scenario": "ePrivacy applies — IoT as terminal equipment", "guidance": "Connected products (IoT devices) qualify as terminal equipment under the ePrivacy Directive. Accessing data stored on or generated by such devices may require user consent under Art. 5(3) of the ePrivacy Directive, in addition to Data Act obligations.", "legal_ref": "Recital 36, Directive 2002/58/EC Art. 5(3)", "affected_nodes": [ "ch2_010", "ch2_020", "p_050" ] }, { "id": "EC_16", "scenario": "Non-EU entities must designate EU legal representative", "guidance": "Non-EU entities placing connected products on the EU market or providing data processing services to EU customers must designate an EU legal representative to ensure compliance and serve as a point of contact for authorities.", "legal_ref": "FAQ Q71", "affected_nodes": [ "p_010" ] }, { "id": "EC_17", "scenario": "Only data generated after 12 Sep 2025 is in scope of Chapter II", "guidance": "Chapter II data access rights only apply to data generated by connected products after 12 September 2025 (the date of application). Historical data generated before that date is not covered.", "legal_ref": "FAQ Q4, Art. 50", "affected_nodes": [ "ch2_015", "ch2_020" ] }, { "id": "EC_18", "scenario": "Multi-cloud egress charges allowed after zero switching charge deadline", "guidance": "Even after 12 January 2027 when switching charges must be zero, providers may still charge egress fees for multi-cloud data transfers (i.e., when a customer uses multiple providers simultaneously). Only switching-specific charges are prohibited.", "legal_ref": "Art. 34(2)", "affected_nodes": [ "ch6_030" ] }, { "id": "EC_19", "scenario": "Art. 7(1) — Micro/small enterprise manufacturer exempt from Chapter II", "guidance": "Microenterprises and small enterprises manufacturing connected products or providing related services are exempt from ALL Chapter II obligations, unless they have partner/linked enterprises above the size threshold. Medium enterprises recently reclassified (less than 1 year) have a transitional exemption for products placed on market within 1 year of reclassification.", "legal_ref": "Art. 7(1)", "affected_nodes": [ "ch2_010", "p_030" ] }, { "id": "EC_20", "scenario": "Art. 5(2) — Testing/prototype data excluded from third-party sharing", "guidance": "Data from products/substances/processes still in testing and not yet placed on the market is excluded from the third-party sharing obligation under Art. 5(1), unless contractually permitted.", "legal_ref": "Art. 5(2)", "affected_nodes": [ "ch2_050" ] }, { "id": "EC_21", "scenario": "OBD-II access — data holders cannot require specialised tools", "guidance": "Vehicle data holders cannot require users to purchase specialised tools at their own expense to access vehicle data via the OBD-II port (Vehicle Data Guidance, para. 44).", "legal_ref": "Vehicle Data Guidance, para. 44", "affected_nodes": [ "ch2_auto_010", "ch2_auto_020" ] }, { "id": "EC_22", "scenario": "Edge-processed data immediately deleted after processing is excluded", "guidance": "Data processed entirely on-device and immediately deleted is excluded from the Data Act. However, OEMs are encouraged to consider aftermarket importance before excluding such data (Vehicle Data Guidance, para. 45).", "legal_ref": "Vehicle Data Guidance, para. 45", "affected_nodes": [ "ch2_auto_020" ] } ], "consult_expert_scenarios": [ { "id": "CE_01", "trigger": "User selects 'None of the above / Not sure' for role (p_020)", "why_expert_needed": "Cannot determine applicable chapters without clear role identification. A legal expert can analyze the entity's activities to map them to Data Act roles.", "leads_to": "r_consult_role" }, { "id": "CE_02", "trigger": "Complex multi-role entity with conflicting obligations", "why_expert_needed": "Need legal analysis of obligation interactions. For example, a manufacturer who is also a cloud provider faces overlapping requirements from Chapters II and VI that may require prioritization.", "leads_to": "r_combined_result" }, { "id": "CE_03", "trigger": "Sector-specific legislation overlap unclear", "why_expert_needed": "Art. 44 analysis requires legal expertise. Determining whether sector-specific laws pre-empt or complement Data Act obligations requires case-by-case legal assessment.", "leads_to": "r_combined_result" }, { "id": "CE_04", "trigger": "Trade secret assessment for data sharing", "why_expert_needed": "Legal assessment of what constitutes a trade secret and proportionate protection. The boundary between legitimate trade secret protection and improper data withholding requires expert judgment.", "leads_to": "r_combined_result" }, { "id": "CE_05", "trigger": "Third-country government request received", "why_expert_needed": "Requires legal analysis under Art. 32 and applicable international agreements (MLAT, bilateral treaties). Improper compliance or refusal can have significant legal consequences.", "leads_to": "r_combined_result" }, { "id": "CE_06", "trigger": "Data sharing refusal on safety/security grounds", "why_expert_needed": "Art. 4(2) requires objective assessment of security risks. Refusing data access on safety grounds requires documented justification and may be challenged.", "leads_to": "r_combined_result" }, { "id": "CE_07", "trigger": "Public sector body request relates to criminal/administrative investigation, customs, or taxation", "why_expert_needed": "Art. 16(2) excludes such activities from Chapter V. Legal assessment needed to determine whether a received B2G request falls under these exclusions.", "leads_to": "r_combined_result" } ] }