The Data Act entered into force on 12 September 2025, and in the Netherlands its national Implementation Act (Dataverordening, Dv) followed on 21 November 2025. The Dutch Data Protection Authority (Autoriteit Persoonsgegevens, AP) published a newsletter this week explaining what the Data Act means in practice, particularly for organisations that work with data from connected products or related services.

In this article, we summarise the AP’s key points and explain what your organisation should start preparing for.

1. The Data Act Applies to Organisations Working with Connected Products and Services

The Data Act introduces harmonised rules for fair access to and use of data generated by connected (“smart”) devices and related services.
This includes both personal and non-personal data.

In the Netherlands:

  • The Authority for Consumers and Markets (ACM) is the main supervisor and national data coordinator.
  • The AP supervises the GDPR-related provisions of the Data Act.

2. Inventory of Your Organisation’s Data Flows

The AP advises organisations to map out:

  • Whether you fall under the Data Act, because you use or provide connected devices or related services.
  • What user data and product data these devices generate.
  • Whether these data include personal data, in which case the GDPR applies in parallel.

A complete data-flow inventory is the foundation for demonstrating compliance later.

3. Prepare for Data-Access and Transparency Obligations

The AP stresses that organisations must allow users to access the data they generate via connected products.

This means your organisation must ensure:

  • Clear user information about what data is collected, why, and how and with whom it is shared.
  • A valid legal basis for any processing of personal data (such as consent or contract performance).
  • Compliance with GDPR principles like transparency, lawfulness and purpose limitation.

4. Consider Data Act Requirements When Switching Cloud Providers

Under Article 23 and following of the Data Act, cloud service providers must allow customers to migrate between services. The AP notes that organisations must ensure GDPR principles remain intact during such migrations.

If your organisation anticipates a cloud switch, we will help assess the privacy implications and ensure alignment with GDPR requirements.

5. Review Data-Sharing Agreements and Safeguards

The Data Act sets requirements for fair contractual conditions between data holders and data users.

The AP recommends that organisations:

  • Evaluate contractual and technical safeguards.
  • Ensure appropriate security and data-protection measures when sharing data.

6. Be Ready for Data-Access and Data-Sharing Requests

The AP notes that organisations must be able to provide data to users (and in some cases to third parties) under the Data Act. Your organisation must therefore ensure:

  • Technical and organisational readiness to handle such requests.
  • That each request meets the Data Act conditions.
  • That requests remain compatible with the GDPR.

Clear internal workflows will be crucial to meet these new obligations.

7. If the GDPR and the Data Act Conflict, GDPR Prevails

The AP emphasises that the Data Act must not reduce the level of protection offered by the GDPR. If a request violates the GDPR, your organisation should deny it.

The AP also advises documenting each assessment carefully.

Robust documentation will support accountability toward regulators and internal stakeholders.

Conclusion

The AP notes that the Data Act marks a shift toward a more data-driven European economy, with increased user control and transparency. For your organisation, this might mean new operational duties.

FIRST PRIVACY can support your organisation in identifying affected data flows, aligning processes with the AP’s expectations, and reviewing user-facing information and documentation to ensure compliance with both the Data Act and the GDPR.