[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fk8GgpcGntPvYA3aADEOiauEoj-sR0uUChDSYB_DX1aI":3},{"sections":4,"resultAnalysis":876,"id":895,"version":896,"newVersion":30,"label":897,"isPinned":30,"isShared":44,"sharingToken":898,"isRevision":30,"isBlockAnalysisShared":30,"nbReferences":899,"referenceId":900,"nbResponses":11,"parentId":9,"revisionDescription":896,"logoUrl":901,"description":902,"scheduleIntervalDays":9,"versionNumber":37,"dateCreation":903,"dateUpdate":904,"dateArchived":9,"archived":30,"type":905,"typeIndex":37,"typeColor":9,"typeIcon":9,"typeText":906,"creator":907,"objectType":915,"objectTypeIndex":227,"objectTypeColor":916,"objectTypeIcon":917,"objectTypeText":918,"defaultOwners":919,"tags":921,"privacyHubs":9,"nbQuestions":922,"nbQuestionsRequired":923,"nbDatas":11,"deadLineDays":9},[5,16,197,810],{"id":6,"slug":7,"label":8,"emoji":9,"type":10,"typeIndex":11,"typeColor":9,"typeIcon":9,"typeText":12,"descriptionHtml":13,"questions":14,"sections":15},"e95fa96c-02e0-41f5-847c-96a179183b6c","intro","Intro",null,"Default",0,"SectionType_Default","\u003Cp>The \u003Ca href=\"https://eur-lex.europa.eu/eli/reg/2023/2854/oj/eng\">\u003Cstrong>Regulation (EU) 2023/2854, \u003C/strong>named\u003Cstrong> \u003C/strong>Data Act,\u003C/a> came into force on September 12, 2025. It imposes new obligations in terms of data sharing, access, governance and contractualization. It governs the following:\u003C/p>\u003Cul>\u003Cli>\u003Cp>the making available of product data and related service data to the user of the connected product or related service;\u003C/p>\u003C/li>\u003Cli>\u003Cp>the making available of data by data holders to data recipients;\u003C/p>\u003C/li>\u003Cli>\u003Cp>the making available of data by data holders to public sector bodies for the performance of a specific task carried out in the public interest;\u003C/p>\u003C/li>\u003Cli>\u003Cp>facilitating switching between data processing services;\u003C/p>\u003C/li>\u003Cli>\u003Cp>introducing safeguards against unlawful third-party access to non-personal data; and\u003C/p>\u003C/li>\u003Cli>\u003Cp>the development of interoperability standards for data to be accessed, transferred and used.\u003C/p>\u003C/li>\u003C/ul>\u003Cp>These notions will be explained throughout the questionnaire.\u003C/p>\u003Cp>The \u003Cstrong>EU Data Act\u003C/strong> covers many aspects of data use and sharing, but two areas are particularly important for most companies:\u003Cbr>1️⃣ The rules on \u003Cstrong>collecting, using, and granting access to data generated by connected products and related services (IoT data)\u003C/strong>.\u003Cbr>2️⃣ The obligations around \u003Cstrong>switching between cloud and data processing service providers\u003C/strong>.\u003C/p>\u003Cp>This questionnaire is designed to help you \u003Cstrong>assess your organization’s readiness\u003C/strong>, \u003Cstrong>identify compliance gaps\u003C/strong>, and \u003Cstrong>set priorities\u003C/strong> for adapting to these two key pillars of the Data Act.\u003C/p>\u003Cp>To better understand the Data Act\u003Ca href=\"https://www.dastra.eu/en/article/the-data-act-goes-live-what-now/59584\">, read our article here. \u003C/a>As well as th\u003Ca href=\"https://digital-strategy.ec.europa.eu/en/library/commission-publishes-frequently-asked-questions-about-data-act\">e European Commission's FAQ on the Data Act. \u003C/a>The Commission’s upcoming model contractual clauses will also provide further guidance.\u003C/p>\u003Cp>\u003Cem>Disclaimer: This questionnaire is provided for information purposes only and does not constitute legal advice. The results should be used to guide your internal processes and do not replace consultation with a legal advisor or compliance expert.\u003C/em>\u003C/p>\u003Cp>Click on \"next\" or \"next section\" to start the questionnaire.\u003C/p>",[],[],{"id":17,"slug":18,"label":19,"emoji":9,"type":10,"typeIndex":11,"typeColor":9,"typeIcon":9,"typeText":12,"descriptionHtml":20,"questions":21,"sections":196},"9e6a8ba4-8793-4f16-b24e-07c4bee2f1ff","initial","Eligibility","\u003Cp>This section is related to eligibility which allows you to know whether the Data Act is applicable to you or not, as provided by\u003Ca href=\"https://eur-lex.europa.eu/eli/reg/2023/2854/oj/eng#art_1\"> Article 1, paragraph 3 of the Data Act.\u003C/a>\u003C/p>",[22,45,58,82,101,114,127,154,176],{"id":23,"slug":24,"label":25,"tooltipHtml":9,"descriptionHtml":26,"badResponseCommentHtml":9,"goodResponseCommentHtml":9,"placeholder":9,"min":9,"max":9,"regex":9,"unit":9,"type":27,"typeIndex":28,"typeColor":9,"typeIcon":9,"typeText":29,"dynamicSelectType":9,"editableOptions":30,"complianceRules":31,"displayConditions":9,"answers":32,"listQuestions":9,"required":30,"requiredJustification":30,"suggestTask":30,"riskEnabled":44,"native":30},"bc02b799-aa6b-4bf1-95cd-e598d44da968","d5fa350c-f825-4103-84b6-6e0af6d40572","Does your company manufacture connected products?","\u003Cp>\u003Ca href=\"https://eur-lex.europa.eu/eli/reg/2023/2854/oj/eng#art_1\">As provided by Article 1(3)(a) of the Data Act,\u003C/a> the regulation applies to manufacturers of connected products placed on the market in the Union,\u003Cstrong> irrespective of the place of establishment of those manufacturers.\u003C/strong>\u003C/p>\u003Cp>Legal definition (\u003Ca href=\"https://eur-lex.europa.eu/eli/reg/2023/2854/oj/eng#art_2\">Article 2(5) of the Data Act\u003C/a>) : a \u003Cem>‘connected product’ means an item that obtains, generates or collects data concerning its use or environment and that is able to communicate product data via an electronic communications service, physical connection or on-device access, and whose primary function is not the storing, processing or transmission of data on behalf of any party other than the user;\u003C/em>\u003C/p>\u003Cp>\u003Cstrong>In other words, connected products are physical items that generate, collect or obtain data concerning its use or environment & can communicate\u003C/strong> it via a connection (WiFi, Bluetooth, USB, etc.), on-device access, or via an electronic communications service \u003Cbr>\u003Cbr>\u003Cu>Examples \u003C/u>of connected products include smart vehicles, wearable health trackers, MRI scanners, industrial robots, household appliances like smart refrigerators or washing machines, and connected energy meters. This also includes virtual assistants insofar as they interact with a connected product or related service \u003Ca href=\"https://eur-lex.europa.eu/eli/reg/2023/2854/oj/eng#art_1\">(Article 1.4 of the Data Act).\u003C/a>\u003C/p>\u003Cp>\u003C/p>","Radio",7,"Unique choice list",false,[],[33,39],{"id":34,"color":35,"rangeValue":9,"label":36,"slug":9,"description":9,"score":37,"nonApplicable":30,"tooltip":9,"goodAnswer":30,"redFlag":30,"impact":9,"probability":9,"taskSuggestions":38},"12b81766-a704-434c-aad5-4887c804fcc8","#1ab586","Yes",1,[],{"id":40,"color":41,"rangeValue":9,"label":42,"slug":9,"description":9,"score":11,"nonApplicable":30,"tooltip":9,"goodAnswer":30,"redFlag":30,"impact":9,"probability":9,"taskSuggestions":43},"4b619e5a-f3d7-4f8b-915c-e6a4e4834375","#dc3545","No",[],true,{"id":46,"slug":47,"label":48,"tooltipHtml":9,"descriptionHtml":49,"badResponseCommentHtml":9,"goodResponseCommentHtml":9,"placeholder":9,"min":9,"max":9,"regex":9,"unit":9,"type":27,"typeIndex":28,"typeColor":9,"typeIcon":9,"typeText":29,"dynamicSelectType":9,"editableOptions":30,"complianceRules":50,"displayConditions":9,"answers":51,"listQuestions":9,"required":30,"requiredJustification":30,"suggestTask":30,"riskEnabled":44,"native":30},"63373d42-6ac7-4fe2-b34b-1b8e84ce1fd9","ec3ed36a-23bd-455d-9ce3-6840a9789c6c","Does your company offer related services that are in connection with the connected product?","\u003Cp>As provided by \u003Ca href=\"https://eur-lex.europa.eu/eli/reg/2023/2854/oj/eng#art_1\">Article 1(3)(a) of the Data Act,\u003C/a> the regulation applies to \u003Cstrong>providers of related services to connected products, irrespective of the place of establishment of those manufacturers.\u003C/strong>\u003C/p>\u003Cp>\u003Cstrong>Legal definition:\u003C/strong> a related service is \u003Cem>any digital service installed on the product, and can be connected with the product \u003Cu>at the time\u003C/u> of the purchase, rent or lease in such a way \u003C/em>\u003Cstrong>\u003Cem>that its absence would prevent the connected product from performing one or more of its functions,\u003C/em>\u003C/strong>\u003Cem> or which is \u003Cu>subsequently connected \u003C/u>to the product by the manufacturer or a third party to\u003C/em>\u003Cstrong>\u003Cem> add to, update or adapt the functions \u003C/em>\u003C/strong>\u003Cem>of the connected product\u003C/em> \u003Ca href=\"https://eur-lex.europa.eu/eli/reg/2023/2854/oj/eng#art_2\">(Article 2(6) of the Data Act)\u003C/a>.\u003C/p>\u003Cp>Two basic conditions must be satisfied for a digital service to be considered as a related service:\u003C/p>\u003Cul>\u003Cli>\u003Cp>there must be a two-way/bidirectional exchange of data between the connected product and the service provider; and\u003C/p>\u003C/li>\u003Cli>\u003Cp>the service must affect the connected product’s functions, behaviour, or operation\u003C/p>\u003C/li>\u003C/ul>\u003Cp>\u003Cstrong>In other words,\u003C/strong> related services are those that \u003Cstrong>allow the product to operate in a specific way or enhance its functionality. \u003C/strong>It is essential for the intended use of the product or adds functionalities to it. To offer a related service, \u003Cstrong>a provider must first receive product data. \u003C/strong>Once a \u003Cstrong>contractual relationship\u003C/strong> is established between the user and the provider and a related service is rendered that leads to the creation of data, the provider\u003Cstrong> becomes a data holder.\u003C/strong>\u003C/p>\u003Cp>\u003Cu>For example, \u003C/u>a mobile app to control home lighting, software that adjusts irrigation levels in smart farming equipment, or a platform that monitors and optimizes the performance of wind turbines. This also includes virtual assistants insofar as they interact with a connected product or related service \u003Ca href=\"https://eur-lex.europa.eu/eli/reg/2023/2854/oj/eng#art_1\">(Article 1(4) of the Data Act).\u003C/a>\u003C/p>\u003Cp>The following digital services cannot be considered as related services: connectivity, power supply and aftermarket services (e.g. auxiliary consulting, analytics and financial services, and regular repair and maintenance) (cf. Recital 17)\u003C/p>",[],[52,55],{"id":53,"color":35,"rangeValue":9,"label":36,"slug":9,"description":9,"score":37,"nonApplicable":30,"tooltip":9,"goodAnswer":30,"redFlag":30,"impact":9,"probability":9,"taskSuggestions":54},"0c06c4fd-333c-4a27-931a-e09ad1aed0ca",[],{"id":56,"color":41,"rangeValue":9,"label":42,"slug":9,"description":9,"score":11,"nonApplicable":30,"tooltip":9,"goodAnswer":30,"redFlag":30,"impact":9,"probability":9,"taskSuggestions":57},"06676edd-d197-4704-ae99-85eb0447de03",[],{"id":59,"slug":60,"label":61,"tooltipHtml":9,"descriptionHtml":62,"badResponseCommentHtml":9,"goodResponseCommentHtml":9,"placeholder":9,"min":9,"max":9,"regex":9,"unit":9,"type":27,"typeIndex":28,"typeColor":9,"typeIcon":9,"typeText":29,"dynamicSelectType":9,"editableOptions":30,"complianceRules":63,"displayConditions":64,"answers":75,"listQuestions":9,"required":30,"requiredJustification":30,"suggestTask":30,"riskEnabled":44,"native":30},"255cf665-1416-4d5b-a3d7-9eb3659327d4","d2d48c43-5909-4b55-ab43-6de0c033bbf5","Is your connected product or related service placed on the market in the Union? ","\u003Cp>\u003Cstrong>For a connected product to fall in scope of the Data Act, it should be placed on the Union market\u003C/strong>, which means the first making available of a product on the Union market \u003Ca href=\"https://eur-lex.europa.eu/eli/reg/2023/2854/oj/eng#art_2\">(Article 2(22) of the Data Act)\u003C/a>. It is placed on the market only once. This refers to each individual product, not to a type of product. All subsequent actions are considered as \"making available on the market\". There should be a transfer of ownership, possession or any other property right between two economic actors that occurs after the manufacturing stage. \u003Cbr>\u003Cbr>For instance, if the product is manufactured in a Member state only to export it to a third country, the product is not considered to be placed on the market. And, the mere circulation of a connected product on EU territory is not sufficient to be considered as having been placed on the EU market because there has been no transfer of ownership.\u003C/p>\u003Cp>For comprehensive guidance on the subject, refer to the\u003Ca href=\"https://single-market-economy.ec.europa.eu/news/blue-guide-implementation-product-rules-2022-published-2022-06-29_en\"> Blue Guide on the implementation of the product rules 2022 of the European Commission. \u003C/a>\u003C/p>\u003Cp>The Data Act does not require the manufacturer or related service provider to be established in the EU. The Data Act establishes a right for users in the EU to access, use and share the readily available data they are entitled to. All connected products and related services placed in the EU must therefore be designed in such a way that this right can be exercised\u003C/p>",[],{"id":65,"separator":66,"field":9,"operator":67,"value":9,"rules":68},"855b587e-7024-4b2d-878f-64a57b4ec29d","Or","equal",[69,72],{"id":70,"separator":9,"field":46,"operator":67,"value":53,"rules":71},"8ddbafd4-96ba-409b-8c63-9076bdfdd91d",[],{"id":73,"separator":9,"field":23,"operator":67,"value":34,"rules":74},"651b82bf-a1be-4bbc-8848-fc986a8ef11c",[],[76,79],{"id":77,"color":35,"rangeValue":9,"label":36,"slug":9,"description":9,"score":37,"nonApplicable":30,"tooltip":9,"goodAnswer":30,"redFlag":30,"impact":9,"probability":9,"taskSuggestions":78},"f18659e2-4910-493e-907c-ab8bbdfc2a19",[],{"id":80,"color":41,"rangeValue":9,"label":42,"slug":9,"description":9,"score":11,"nonApplicable":30,"tooltip":9,"goodAnswer":30,"redFlag":30,"impact":9,"probability":9,"taskSuggestions":81},"578ccd4a-6c79-4359-8462-65fc0dcd1d15",[],{"id":83,"slug":84,"label":85,"tooltipHtml":9,"descriptionHtml":9,"badResponseCommentHtml":9,"goodResponseCommentHtml":9,"placeholder":9,"min":9,"max":9,"regex":9,"unit":9,"type":27,"typeIndex":28,"typeColor":9,"typeIcon":9,"typeText":29,"dynamicSelectType":9,"editableOptions":30,"complianceRules":86,"displayConditions":87,"answers":94,"listQuestions":9,"required":30,"requiredJustification":30,"suggestTask":30,"riskEnabled":44,"native":30},"bfe69ee2-2773-489b-8c9a-49025a546a08","1be9bcbc-5f5c-4b2c-93ff-24eb0028c570","For organisations established outside the EU that make connected products available or otherwise offer related services within the EU, did you appoint an EU representative? ",[],{"id":88,"separator":89,"field":9,"operator":67,"value":9,"rules":90},"c51959f3-e963-495f-9d93-07a81bb4bad1","And",[91],{"id":92,"separator":9,"field":59,"operator":67,"value":77,"rules":93},"5a56d8c4-8c23-4739-a2e4-9f88ef2cbc1e",[],[95,98],{"id":96,"color":35,"rangeValue":9,"label":36,"slug":9,"description":9,"score":37,"nonApplicable":30,"tooltip":9,"goodAnswer":30,"redFlag":30,"impact":9,"probability":9,"taskSuggestions":97},"0389f3a1-f041-4fc7-a737-68bf38ea5b69",[],{"id":99,"color":41,"rangeValue":9,"label":42,"slug":9,"description":9,"score":11,"nonApplicable":30,"tooltip":9,"goodAnswer":30,"redFlag":30,"impact":9,"probability":9,"taskSuggestions":100},"1119f5cb-d3fe-4376-992b-678368d2c742",[],{"id":102,"slug":103,"label":104,"tooltipHtml":9,"descriptionHtml":105,"badResponseCommentHtml":9,"goodResponseCommentHtml":9,"placeholder":9,"min":9,"max":9,"regex":9,"unit":9,"type":27,"typeIndex":28,"typeColor":9,"typeIcon":9,"typeText":29,"dynamicSelectType":9,"editableOptions":30,"complianceRules":106,"displayConditions":9,"answers":107,"listQuestions":9,"required":30,"requiredJustification":30,"suggestTask":30,"riskEnabled":44,"native":30},"d367bc0a-7fb5-4928-9ffa-111dc01d64ae","aaceb456-81ba-4f66-8ebc-bba8cec7cdd0","Are you a data holder that makes data available to data recipients in the Union? ","\u003Cp>Pursuant to Article 1(2)(c) of the Data Act, the regulation applies to data holders, irrespective of their place of establishment, that make data available to data recipients in the Union;\u003C/p>\u003Cp>\u003Cstrong>‘data holder’\u003C/strong> means a natural or legal person that has the right or obligation, in accordance with this Regulation, applicable Union law or national legislation adopted in accordance with Union law, to use and make available data, including, where contractually agreed, product data or related service data which it has retrieved or generated during the provision of a related service;\u003C/p>\u003Cp>Even though manufacturers will typically be data holders, this is not always the case. The Data Act allows an entity to ’outsource’ the role of ‘data holder’. For example, a manufacturer may contract out to another entity the role of ‘data holder’ for all or part of the manufacturer’s connected products.\u003C/p>\u003Cp>In addition, a data holder who is not a manufacturer might be a company that provides a related service linked to a connected product. This means that the business offering the related service might be a data holder and be different from the company that actually made the connected product.\u003C/p>\u003Cp>\u003Cstrong>Determining who the data holder is does not depend on who produced the hardware or software, but on who controls access to the readily available data. See the flowchart below for an example of role distribution.\u003C/strong>\u003C/p>\u003Cp>The flowchart illustrates a situation where a user enters into two contracts (e.g. for the sale of the connected product and for the provision of the related service) that establish a legal relationship (in red) between the user and three separate data holders (circled in blue). The user must always be informed of the identity of the data holder(s) before signing such contracts.\u003C/p>\u003Cp>if a user acquires a connected product where the data are stored directly on the device or transferred from the device to the user’s computer, and the manufacturer does not have access to any of the data. In this scenario there is no data holder, since only the user has access to the data\u003C/p>\u003Cp>\u003Cimg src=\"https://static.dastra.eu/tenant-3/richtext/b4bu59JfoUaBtT/image.png\">A company \u003Cu>can be both a user and a data holde\u003C/u>r with respect to different connected products or related services. For example, a manufacturing company can be both a ‘user’ of the robots used in its factory, and a ‘data holder’ for the connected products it manufactures. A company cannot simultaneously be a user and a data holder for the same data, and a user sharing data with a third party should not be considered a data holder for that third party.\u003C/p>",[],[108,111],{"id":109,"color":35,"rangeValue":9,"label":36,"slug":9,"description":9,"score":37,"nonApplicable":30,"tooltip":9,"goodAnswer":30,"redFlag":30,"impact":9,"probability":9,"taskSuggestions":110},"aab8248c-19c9-4074-80f3-bab3cb35fe0d",[],{"id":112,"color":41,"rangeValue":9,"label":42,"slug":9,"description":9,"score":11,"nonApplicable":30,"tooltip":9,"goodAnswer":30,"redFlag":30,"impact":9,"probability":9,"taskSuggestions":113},"317f0363-c285-4b27-8eae-d91fddb9afea",[],{"id":115,"slug":116,"label":117,"tooltipHtml":9,"descriptionHtml":118,"badResponseCommentHtml":9,"goodResponseCommentHtml":9,"placeholder":9,"min":9,"max":9,"regex":9,"unit":9,"type":27,"typeIndex":28,"typeColor":9,"typeIcon":9,"typeText":29,"dynamicSelectType":9,"editableOptions":30,"complianceRules":119,"displayConditions":9,"answers":120,"listQuestions":9,"required":30,"requiredJustification":30,"suggestTask":30,"riskEnabled":44,"native":30},"44662c2e-9ac3-4461-8305-910eec888538","a1888dd0-19d0-4237-a1ee-950fe6d017b9","Are you a provider of data processing services to customers in the Union? (i.e cloud)","\u003Cp>\u003Ca href=\"https://eur-lex.europa.eu/eli/reg/2023/2854/oj/eng#art_2\">Article 2.8 of the Data Ac\u003C/a>t: ‘data processing service’ means a digital service that is provided to a customer and that enables ubiquitous and on-demand network access to a shared pool of configurable, scalable and elastic computing resources of a centralised, distributed or highly distributed nature that can be rapidly provisioned and released with minimal management effort or service provider interaction;\u003C/p>\u003Cp>\u003C/p>\u003Cp>If your company \u003Cstrong>offers any service that lets customers upload or host data in the cloud\u003C/strong>, the rules apply to you — \u003Cstrong>even if you rely on another provider’s infrastructure\u003C/strong>. Providers of IaaS, PaaS, SaaS, and other models (Google Cloud, OVH Cloud, Azure...).\u003C/p>\u003Cp>\u003C/p>",[],[121,124],{"id":122,"color":35,"rangeValue":9,"label":36,"slug":9,"description":9,"score":37,"nonApplicable":30,"tooltip":9,"goodAnswer":30,"redFlag":30,"impact":9,"probability":9,"taskSuggestions":123},"5968a820-ecef-48da-9f5b-d1b7bb8b198a",[],{"id":125,"color":41,"rangeValue":9,"label":42,"slug":9,"description":9,"score":11,"nonApplicable":30,"tooltip":9,"goodAnswer":30,"redFlag":30,"impact":9,"probability":9,"taskSuggestions":126},"d62e2f6e-bd9c-40f9-b268-409bdc26efd3",[],{"id":128,"slug":129,"label":130,"tooltipHtml":9,"descriptionHtml":131,"badResponseCommentHtml":9,"goodResponseCommentHtml":9,"placeholder":9,"min":9,"max":9,"regex":9,"unit":9,"type":27,"typeIndex":28,"typeColor":9,"typeIcon":9,"typeText":29,"dynamicSelectType":9,"editableOptions":30,"complianceRules":132,"displayConditions":133,"answers":148,"listQuestions":9,"required":44,"requiredJustification":30,"suggestTask":30,"riskEnabled":44,"native":30},"e7f325a3-45a8-48c2-b166-7b2222daf8b1","edac8ee0-1b3a-4c79-980c-4e51edded802","The Data Act does not apply to my organisation","\u003Cp>You don't meet the criteria of scope pursuant to Article 1 of the Data Act. \u003C/p>",[],{"id":134,"separator":89,"field":9,"operator":67,"value":9,"rules":135},"137c8b62-4d72-4e07-88ea-69105fa26c86",[136,139,142,145],{"id":137,"separator":9,"field":23,"operator":67,"value":40,"rules":138},"4cda4f32-5bde-499c-885d-2399e59da8da",[],{"id":140,"separator":9,"field":46,"operator":67,"value":56,"rules":141},"486fab94-82e6-479b-8312-edec0c16c2db",[],{"id":143,"separator":9,"field":102,"operator":67,"value":112,"rules":144},"2750d76f-d856-4115-986f-5d41acce48e2",[],{"id":146,"separator":9,"field":115,"operator":67,"value":125,"rules":147},"7503832c-ae30-4fd4-831a-84d186df15c9",[],[149],{"id":150,"color":35,"rangeValue":9,"label":151,"slug":9,"description":9,"score":9,"nonApplicable":30,"tooltip":152,"goodAnswer":30,"redFlag":30,"impact":9,"probability":9,"taskSuggestions":153},"1e25d581-e24f-4d5b-aec7-c95a15e7f9a7","Ok! You don't have to go trough the rest of this questionnaire.","But you can take a look if you are curious :) ",[],{"id":155,"slug":156,"label":130,"tooltipHtml":9,"descriptionHtml":157,"badResponseCommentHtml":9,"goodResponseCommentHtml":9,"placeholder":9,"min":9,"max":9,"regex":9,"unit":9,"type":27,"typeIndex":28,"typeColor":9,"typeIcon":9,"typeText":29,"dynamicSelectType":9,"editableOptions":30,"complianceRules":158,"displayConditions":159,"answers":172,"listQuestions":9,"required":44,"requiredJustification":30,"suggestTask":30,"riskEnabled":44,"native":30},"fafa8c8d-16c4-4868-aa8e-679f33368758","fe3b727f-40dc-44bf-8244-0b28e8964bf8","\u003Cp>The Data Act only applies to connected products or related services placed on the Union market pursuant to Article 1. Refer to Question number 3 for more information on the notion of \"placed on the market\". \u003C/p>",[],{"id":134,"separator":89,"field":9,"operator":67,"value":9,"rules":160},[161,163,165,167,169],{"id":137,"separator":9,"field":23,"operator":67,"value":34,"rules":162},[],{"id":140,"separator":9,"field":46,"operator":67,"value":56,"rules":164},[],{"id":143,"separator":9,"field":59,"operator":67,"value":80,"rules":166},[],{"id":146,"separator":9,"field":115,"operator":67,"value":125,"rules":168},[],{"id":170,"separator":9,"field":102,"operator":67,"value":112,"rules":171},"9dc1f088-fad6-42e3-a091-cd6244557e08",[],[173],{"id":174,"color":35,"rangeValue":9,"label":151,"slug":9,"description":9,"score":9,"nonApplicable":30,"tooltip":152,"goodAnswer":30,"redFlag":30,"impact":9,"probability":9,"taskSuggestions":175},"b46460da-0de4-4d8e-ae86-7c5bb2fd8b93",[],{"id":177,"slug":178,"label":130,"tooltipHtml":9,"descriptionHtml":157,"badResponseCommentHtml":9,"goodResponseCommentHtml":9,"placeholder":9,"min":9,"max":9,"regex":9,"unit":9,"type":27,"typeIndex":28,"typeColor":9,"typeIcon":9,"typeText":29,"dynamicSelectType":9,"editableOptions":30,"complianceRules":179,"displayConditions":180,"answers":192,"listQuestions":9,"required":44,"requiredJustification":30,"suggestTask":30,"riskEnabled":44,"native":30},"9b1d156d-21a2-4823-8ea4-513cccd43704","086e9396-d63f-499e-8c97-f573194f00eb",[],{"id":134,"separator":89,"field":9,"operator":67,"value":9,"rules":181},[182,184,186,188,190],{"id":137,"separator":9,"field":23,"operator":67,"value":40,"rules":183},[],{"id":140,"separator":9,"field":46,"operator":67,"value":53,"rules":185},[],{"id":143,"separator":9,"field":59,"operator":67,"value":80,"rules":187},[],{"id":146,"separator":9,"field":115,"operator":67,"value":125,"rules":189},[],{"id":170,"separator":9,"field":102,"operator":67,"value":112,"rules":191},[],[193],{"id":194,"color":35,"rangeValue":9,"label":151,"slug":9,"description":9,"score":9,"nonApplicable":30,"tooltip":152,"goodAnswer":30,"redFlag":30,"impact":9,"probability":9,"taskSuggestions":195},"b53e6f75-0f51-48f2-b581-f877030e7128",[],[],{"id":198,"slug":199,"label":200,"emoji":9,"type":10,"typeIndex":11,"typeColor":9,"typeIcon":9,"typeText":12,"descriptionHtml":201,"questions":202,"sections":203},"782b297f-8b88-4757-913b-8e1f93de8da1","access-to-data","Acces & data-sharing obligations","\u003Cp>The Chapter II of the Data Act (entitled \"BUSINESS TO CONSUMER AND BUSINESS TO BUSINESS DATA SHARING\") imposes \u003Cstrong>new data access & sharing obligations irrespective of the nature of the relationship (B2B or B2C).\u003C/strong>\u003C/p>\u003Cp>\u003Ca href=\"https://eur-lex.europa.eu/eli/reg/2023/2854/oj/eng#art_7\">Pursuant to its Article 7,\u003C/a> The Data Act exempts \u003Cstrong>\u003Cu>micro and small enterprises (SMEs)\u003C/u>\u003C/strong>\u003Cu> \u003C/u>from the data-sharing obligations set out in this Chapter, but only under specific conditions. These obligations \u003Cstrong>do not apply\u003C/strong> if:\u003C/p>\u003Cul>\u003Cli>\u003Cp>The connected product or related service was \u003Cstrong>manufactured, designed, or provided\u003C/strong> by a \u003Cstrong>micro or small enterprise\u003C/strong>, and\u003C/p>\u003C/li>\u003Cli>\u003Cp>That enterprise \u003Cstrong>is not linked\u003C/strong> to or \u003Cstrong>partnered with\u003C/strong> a larger company (as defined under EU Recommendation 2003/361/EC), and\u003C/p>\u003C/li>\u003Cli>\u003Cp>The enterprise \u003Cstrong>is not acting as a subcontractor\u003C/strong> for a larger company to design, manufacture, or provide the product or service.\u003C/p>\u003C/li>\u003C/ul>\u003Cp>→ In other words, \u003Cstrong>true micro and small businesses operating independently\u003C/strong> are exempt.\u003Cbr>\u003C/p>\u003Cp>Additionally,\u003Cu> \u003C/u>\u003Cstrong>\u003Cu>medium-sized enterprises\u003C/u>\u003C/strong> benefit from a \u003Cstrong>grace period\u003C/strong> (according to \u003Ca href=\"https://eur-lex.europa.eu/eli/reg/2023/2854/oj/eng#art_7\">Article 7 of the Data Act)\u003C/a>\u003C/p>\u003Cul>\u003Cli>\u003Cp>If the company has only recently become a medium-sized enterprise (within the last year),\u003C/p>\u003C/li>\u003Cli>\u003Cp>Or if the connected products were placed on the market within one year after the company reached medium-size status,\u003C/p>\u003C/li>\u003C/ul>\u003Cp>→ Then those products and services \u003Cstrong>remain exempt from data-sharing obligations for one year\u003C/strong>.\u003C/p>\u003Cp>\u003Cstrong>\u003Cimg src=\"https://static.dastra.eu/tenant-3/richtext/u4voCv6ODrFJDV/image.png\">\u003C/strong>Click on next. \u003C/p>",[],[204,234,259,342,520,641,667],{"id":205,"slug":206,"label":207,"emoji":9,"type":10,"typeIndex":11,"typeColor":9,"typeIcon":9,"typeText":12,"descriptionHtml":208,"questions":209,"sections":233},"5424c486-c451-4195-82f6-0e861fdcefbb","identify-the-data-in-scope","Identify the data in scope","\u003Cp>\u003Cstrong>What data is in scope?\u003C/strong>\u003C/p>\u003Cp>The Data Act covers \u003Cstrong>personal and non-personal data.\u003C/strong>\u003C/p>\u003Cp>The mandatory data-sharing obligations that are regulated by Chapter II apply to raw and pre-processed data concerning the performance, use and environment of connected products and related services & that are readily available to a data holder (\u003Ca href=\"https://eur-lex.europa.eu/eli/reg/2023/2854/oj/eng#art_1\">Article 2(1)(a) of the Data Act \u003C/a>).\u003C/p>\u003Cul>\u003Cli>\u003Cp>Article 2(15) defines product data as such: data generated by the use of a connected product that the manufacturer designed to be retrievable, via an electronic communications service, physical connection or on-device access, by a user, data holder or a third party, including, where relevant, the manufacturer;\u003C/p>\u003C/li>\u003Cli>\u003Cp>Article 2(16) defines ‘related service data’ as such: data representing the digitisation of user actions or of events related to the connected product, recorded intentionally by the user or generated as a by-product of the user’s action during the provision of a related service by the provider;\u003C/p>\u003C/li>\u003C/ul>\u003Cp>This also includes metadata which is relevant to understand conditions (like the location, weather or time) under which the data was collected or generated\u003Cbr>\u003Cbr>\u003Cstrong>With the exception of:\u003C/strong>\u003C/p>\u003Cul>\u003Cli>\u003Cp>(i) content: result of a creative process destined for human consumption, of textual audio or audiovisual nature and often convered by intellectual property rights (Recital 16 Data Act); and\u003C/p>\u003Cul>\u003Cli>\u003Cp>Example: data holders of digital cameras are required to share readily available data such as usage patterns, timestamps and location but are not obliged to share the audiovisual content itself.\u003C/p>\u003C/li>\u003C/ul>\u003C/li>\u003Cli>\u003Cp>(ii) highly enriched data (inferred or derived data): passed a certain level of enrichment (e.g. substantial modification and investments in cleaning and transforming the data) the data becomes out of scope because it constitues new, value-added insights going beyond the nature of information represented by the source data.\u003C/p>\u003C/li>\u003C/ul>\u003Cp>To better understand the data covered by the data access rights provided for in Articles 3, 4 and 5 of the Data Act, please refer to the following table \u003Ca href=\"https://digital-strategy.ec.europa.eu/en/library/commission-publishes-frequently-asked-questions-about-data-act\">(extract of the European Commission's FAQ on the Data Act):\u003C/a>\u003C/p>\u003Cp>\u003Cimg src=\"https://static.dastra.eu/tenant-3/richtext/75hxhI10UBXdwH/image.png\">\u003C/p>",[210],{"id":211,"slug":212,"label":213,"tooltipHtml":9,"descriptionHtml":9,"badResponseCommentHtml":9,"goodResponseCommentHtml":9,"placeholder":9,"min":9,"max":9,"regex":9,"unit":9,"type":27,"typeIndex":28,"typeColor":9,"typeIcon":9,"typeText":29,"dynamicSelectType":9,"editableOptions":30,"complianceRules":214,"displayConditions":9,"answers":215,"listQuestions":9,"required":30,"requiredJustification":30,"suggestTask":30,"riskEnabled":44,"native":30},"ccb2f4ca-cea7-48ce-8660-a6ca76cb4969","6da1386d-20d6-4a74-a452-ff1f4746d3ca","Have you mapped the data that must be shared in accordance with the Data Act as explained above?",[],[216,219,229],{"id":217,"color":35,"rangeValue":9,"label":36,"slug":9,"description":9,"score":37,"nonApplicable":30,"tooltip":9,"goodAnswer":30,"redFlag":30,"impact":9,"probability":9,"taskSuggestions":218},"68b816f3-b22c-4e8d-a190-0fb35d85dd9a",[],{"id":220,"color":41,"rangeValue":9,"label":42,"slug":9,"description":9,"score":11,"nonApplicable":30,"tooltip":9,"goodAnswer":30,"redFlag":30,"impact":9,"probability":9,"taskSuggestions":221},"e7593997-053e-433b-913f-37fceb5de906",[222],{"id":223,"label":224,"userId":9,"color":9,"description":225,"priority":226,"priorityIndex":227,"priorityColor":228,"priorityIcon":9,"priorityText":226},"316abefd-7f1d-4466-8e20-e111fec7715b","Map all datasets subject to sharing obligations under the Data Act.","","Medium",2,"#ffc107",{"id":230,"color":9,"rangeValue":9,"label":231,"slug":9,"description":9,"score":9,"nonApplicable":30,"tooltip":9,"goodAnswer":30,"redFlag":30,"impact":9,"probability":9,"taskSuggestions":232},"2c710261-eff9-4fd8-95e6-0fbdcf106977","N/A",[],[],{"id":235,"slug":236,"label":237,"emoji":9,"type":10,"typeIndex":11,"typeColor":9,"typeIcon":9,"typeText":12,"descriptionHtml":238,"questions":239,"sections":258},"94f786b8-1daa-44ee-9f74-21b4ba53389c","identify-your-users","Identify your users","\u003Cp>\u003Cstrong>Who is considered to be a user?\u003C/strong>\u003C/p>\u003Cp>‘User’ means a \"\u003Cem>natural or legal person that\u003C/em>\u003Cstrong>\u003Cem> owns a connected product or to whom temporary rights to use that connected product have been contractually transferred, or that receives related services\"\u003C/em>\u003C/strong>\u003Cem>;\u003C/em>\u003Ca href=\"https://eur-lex.europa.eu/eli/reg/2023/2854/oj/eng#art_2\">\u003Cem> (Article 2(12) of the Data Act).\u003C/em>\u003C/a>\u003C/p>\u003Cp>This implies the user has to \u003Cstrong>have a stable right on the connected product\u003C/strong> (e.g. ownership, or a right from a rent or lease contract) that pertains to the object. Such a user has a legal right under the Data Act over the data being generated by the connected product. Where the use of a connected product (e.g. use of an airplane as a passenger) is included in a service contract (plane ticket) that does not transfer property-type of rights on the object itself, the person using the connected product (plane passenger) is not a ‘user’ according to the Data Act.\u003C/p>\u003Cp>The Data Act \u003Cstrong>does not require the manufacturer or related service provider to be established in the EU\u003C/strong>. However, according to Article 1(3)(b) of the Data Act, a \u003Cstrong>user must be established in the EU.\u003C/strong>\u003C/p>\u003Cp>The Data Act\u003Cstrong> establishes a right for users in the EU to access, use and share the readily available data they are entitled to (please refer to the introduction of this section to understand the data in scope).\u003C/strong>\u003C/p>\u003Cp>All connected products and related services placed in the EU must therefore \u003Cstrong>be designed in such a way that this right can be exercised.\u003C/strong>\u003C/p>\u003Cp>A user may request \u003Cstrong>access to data on the basis of the Data Act, irrespective of whether the data are stored inside or outside the EU & irrespective of the nature of the relationship \u003C/strong>whether it is business-to-consumer or business-to-business \u003Ca href=\"https://eur-lex.europa.eu/eli/reg/2023/2854/oj/eng#art_1\">(Article 1(3) of the Data Act).\u003C/a>\u003C/p>\u003Cp>Insofar as users are data subjects, the rights laid down in Chapter II of this Regulation shall \u003Cstrong>complement \u003C/strong>the rights of access by data subjects and rights to data portability under\u003Cstrong> Articles 15 and 20 of the GDPR.\u003C/strong> In the event of a \u003Cstrong>conflict between this Regulation and the GDPR, the latter shall prevail.\u003C/strong>\u003C/p>\u003Cp>\u003Cstrong>If the right to access and use data is not properly exercised, several options are available for those who seek to enforce their rights under the Data Act:\u003C/strong>\u003C/p>\u003Cul>\u003Cli>\u003Cp>Users can lodge a complaint with the relevant competent authority. If they are unsure about which competent authority to address in their specific case, they should first contact the data coordinator in their Member State (the Commission will make their names and contact details publicly available online.)\u003C/p>\u003C/li>\u003Cli>\u003Cp>Users can initiate legal proceedings.\u003C/p>\u003C/li>\u003Cli>\u003Cp>Users who are consumers can use the instruments available to them under EU consumer protection legislation. They can in particular lodge a complaint with the European Consumer Centres Network in 17 the event that the data holder is established in a Member State other than that in which the consumer resides\u003C/p>\u003C/li>\u003Cli>\u003Cp>Users who are data subjects can contact the relevant DPA regarding all issues concerning the processing of personal data\u003C/p>\u003C/li>\u003C/ul>",[240],{"id":241,"slug":242,"label":243,"tooltipHtml":9,"descriptionHtml":9,"badResponseCommentHtml":9,"goodResponseCommentHtml":9,"placeholder":9,"min":9,"max":9,"regex":9,"unit":9,"type":27,"typeIndex":28,"typeColor":9,"typeIcon":9,"typeText":29,"dynamicSelectType":9,"editableOptions":30,"complianceRules":244,"displayConditions":9,"answers":245,"listQuestions":9,"required":30,"requiredJustification":30,"suggestTask":30,"riskEnabled":44,"native":30},"ea5be2d4-d99e-464b-8b40-c21231ec481e","f37c33aa-9882-4f3e-9d1d-a057f66f45e3","Have you identified your users as explained above? ",[],[246,249,255],{"id":247,"color":35,"rangeValue":9,"label":36,"slug":9,"description":9,"score":37,"nonApplicable":30,"tooltip":9,"goodAnswer":30,"redFlag":30,"impact":9,"probability":9,"taskSuggestions":248},"4aad9939-e084-441d-acac-ad9ee0050b5c",[],{"id":250,"color":41,"rangeValue":9,"label":42,"slug":9,"description":9,"score":11,"nonApplicable":30,"tooltip":9,"goodAnswer":30,"redFlag":30,"impact":9,"probability":9,"taskSuggestions":251},"915fd0ac-b218-43e9-bf07-52956252bbc3",[252],{"id":253,"label":254,"userId":9,"color":9,"description":225,"priority":226,"priorityIndex":227,"priorityColor":228,"priorityIcon":9,"priorityText":226},"bbcd1cfc-aba5-4d49-8146-7cfd357ecda1","Identify your users entitled to access shared data.",{"id":256,"color":9,"rangeValue":9,"label":231,"slug":9,"description":9,"score":9,"nonApplicable":30,"tooltip":9,"goodAnswer":30,"redFlag":30,"impact":9,"probability":9,"taskSuggestions":257},"9eaaee5a-0dd6-4e3b-8b9c-3b725d48896e",[],[],{"id":260,"slug":261,"label":262,"emoji":9,"type":10,"typeIndex":11,"typeColor":9,"typeIcon":9,"typeText":12,"descriptionHtml":263,"questions":264,"sections":341},"3d0e6ab2-70eb-4bae-ac83-ddaf8e2062a4","pre-contractual-transparency","Pre-contractual transparency","\u003Cp>Before signing contracts with your users, make sure to respect the pre-contractual transparency obligations of the Data Act. In essence: before purchase or lease, tell users what data will be generated, its format and frequency, how it will be stored, and any third-party access arrangements. \u003C/p>",[265,285,304,322],{"id":266,"slug":267,"label":268,"tooltipHtml":9,"descriptionHtml":269,"badResponseCommentHtml":9,"goodResponseCommentHtml":9,"placeholder":9,"min":9,"max":9,"regex":9,"unit":9,"type":27,"typeIndex":28,"typeColor":9,"typeIcon":9,"typeText":29,"dynamicSelectType":9,"editableOptions":30,"complianceRules":270,"displayConditions":9,"answers":271,"listQuestions":9,"required":30,"requiredJustification":30,"suggestTask":30,"riskEnabled":44,"native":30},"97e0238f-c8d0-4187-b14a-79b8dd666bde","258eeb7e-49ad-461f-93fc-f78625c923cd","Connected products: Do you provide users with all required information before they purchase, rent, or lease a connected product? ","\u003Cp>A \u003Cstrong>data holder\u003C/strong> is required to enter into a contract with the user (for example, a sales or rental agreement) which must define the user’s rights concerning the \u003Cstrong>access, use, and sharing of data\u003C/strong> generated by the connected product.\u003Cbr>\u003Cbr>Pursuant to \u003Ca href=\"https://eur-lex.europa.eu/eli/reg/2023/2854/oj/eng#art_3\">Article 3(2) of the Data Act, \u003C/a>and in a pre-sales transparency objective, business must inform users about the following before selling or leasing a connected product:\u003C/p>\u003Cul>\u003Cli>\u003Cp>(a) the \u003Cstrong>type, format and estimated volume \u003C/strong>of product data which the connected product is capable of generating;\u003C/p>\u003C/li>\u003Cli>\u003Cp>(b) whether the connected product is capable of generating data \u003Cstrong>continuously and in real-time;\u003C/strong>\u003C/p>\u003C/li>\u003Cli>\u003Cp>(c) whether the connected product is capable of \u003Cstrong>storing data on-device or on a remote server, including, where applicable, the intended duration of retention;\u003C/strong>\u003C/p>\u003C/li>\u003Cli>\u003Cp>(d) how the user may\u003Cstrong> access, retrieve or, where relevant, erase the data, \u003C/strong>including the technical means to do so, as well as their terms of use and quality of service.\u003C/p>\u003C/li>\u003C/ul>\u003Cp>In this context, EU consumer protection law continues to apply, in particular \u003Cstrong>Directive 93/13/EEC on unfair terms in consumer contracts\u003C/strong> and \u003Cstrong>Directive 2005/29/EC on unfair commercial practices\u003C/strong>, ensuring that users are protected against unfair contractual provisions.\u003C/p>",[],[272,275,282],{"id":273,"color":35,"rangeValue":9,"label":36,"slug":9,"description":9,"score":37,"nonApplicable":30,"tooltip":9,"goodAnswer":30,"redFlag":30,"impact":9,"probability":9,"taskSuggestions":274},"5ea7bc83-5ed6-4645-908f-5632bbc35450",[],{"id":276,"color":41,"rangeValue":9,"label":42,"slug":9,"description":9,"score":11,"nonApplicable":30,"tooltip":9,"goodAnswer":30,"redFlag":30,"impact":9,"probability":9,"taskSuggestions":277},"3e484b63-c434-4435-aae5-3a0c7aa6013f",[278],{"id":279,"label":280,"userId":9,"color":9,"description":281,"priority":226,"priorityIndex":227,"priorityColor":228,"priorityIcon":9,"priorityText":226},"7f842b04-142c-4b9f-8f31-222a2de93b4b","Provide clear pre-contractual information to users ","\u003Cp>Provide the necessary pre-contractual information to users before any purchase, rental, or lease of a connected product.\u003C/p>",{"id":283,"color":9,"rangeValue":9,"label":231,"slug":9,"description":9,"score":9,"nonApplicable":30,"tooltip":9,"goodAnswer":30,"redFlag":30,"impact":9,"probability":9,"taskSuggestions":284},"b1ff9786-dd11-431a-9cde-a6d071ef2f67",[],{"id":286,"slug":287,"label":288,"tooltipHtml":9,"descriptionHtml":289,"badResponseCommentHtml":9,"goodResponseCommentHtml":9,"placeholder":9,"min":9,"max":9,"regex":9,"unit":9,"type":27,"typeIndex":28,"typeColor":9,"typeIcon":9,"typeText":29,"dynamicSelectType":9,"editableOptions":30,"complianceRules":290,"displayConditions":9,"answers":291,"listQuestions":9,"required":30,"requiredJustification":30,"suggestTask":30,"riskEnabled":44,"native":30},"a13c1dac-8460-48f4-8e0b-16b08d17844c","38252ea4-7ef6-464b-9d38-6ab594e29beb","Related service:  Do you provide users with all required information before concluding a contract for the provision of a related service?","\u003Cp>Pursuant to \u003Ca href=\"https://eur-lex.europa.eu/eli/reg/2023/2854/oj/eng#art_3\">Article 3(3) of the Data Act,\u003C/a> and in a pre-sales transparency objective, the provider of the related service must inform users about the following before concluding a contract for the provision of the related service (ex a user service agreement): \u003C/p>\u003Cul>\u003Cli>\u003Cp>(a) the nature, estimated volume and collection frequency of product data that the prospective data holder is expected to obtain and, where relevant, the arrangements for the user to access or retrieve such data, including the prospective data holder’s data storage arrangements and the duration of retention;\u003Cbr>\u003C/p>\u003C/li>\u003Cli>\u003Cp>(b) the nature and estimated volume of related service data to be generated, as well as the arrangements for the user to access or retrieve such data, including the prospective data holder’s data storage arrangements and the duration of retention;\u003Cbr>\u003C/p>\u003C/li>\u003Cli>\u003Cp>(c) whether the prospective data holder expects to use readily available data itself and the purposes for which those data are to be used, and whether it intends to allow one or more third parties to use the data for purposes agreed upon with the user;\u003Cbr>\u003C/p>\u003C/li>\u003Cli>\u003Cp>(d) the identity of the prospective data holder, such as its trading name and the geographical address at which it is established and, where applicable, of other data processing parties;\u003Cbr>\u003C/p>\u003C/li>\u003Cli>\u003Cp>(e) the means of communication which make it possible to contact the prospective data holder quickly and communicate with that data holder efficiently;\u003Cbr>\u003C/p>\u003C/li>\u003Cli>\u003Cp>(f) how the user can request that the data are shared with a third party and, where applicable, end the data sharing;\u003Cbr>\u003C/p>\u003C/li>\u003Cli>\u003Cp>(g) the user’s right to lodge a complaint alleging an infringement of any of the provisions of this Chapter with the competent authority designated pursuant to Article 37;\u003Cbr>\u003C/p>\u003C/li>\u003Cli>\u003Cp>(h) whether a prospective data holder is the holder of trade secrets contained in the data that is accessible from the connected product or generated during the provision of a related service, and, where the prospective data holder is not the trade secret holder, the identity of the trade secret holder;\u003Cbr>\u003C/p>\u003C/li>\u003Cli>\u003Cp>(i) the duration of the contract between the user and the prospective data holder, as well as the arrangements for terminating such a contract.\u003C/p>\u003C/li>\u003C/ul>",[],[292,295,301],{"id":293,"color":35,"rangeValue":9,"label":36,"slug":9,"description":9,"score":37,"nonApplicable":30,"tooltip":9,"goodAnswer":30,"redFlag":30,"impact":9,"probability":9,"taskSuggestions":294},"18f86ff7-ed31-48e7-a367-aa218978b062",[],{"id":296,"color":41,"rangeValue":9,"label":42,"slug":9,"description":9,"score":11,"nonApplicable":30,"tooltip":9,"goodAnswer":30,"redFlag":30,"impact":9,"probability":9,"taskSuggestions":297},"14b4346f-5270-44d6-b06b-403df66dc3e8",[298],{"id":299,"label":300,"userId":9,"color":9,"description":225,"priority":226,"priorityIndex":227,"priorityColor":228,"priorityIcon":9,"priorityText":226},"953b319e-f8ca-40ad-9900-953fc5a79ff1","Ensure users receive all mandatory information before entering into a contract",{"id":302,"color":9,"rangeValue":9,"label":231,"slug":9,"description":9,"score":9,"nonApplicable":30,"tooltip":9,"goodAnswer":30,"redFlag":30,"impact":9,"probability":9,"taskSuggestions":303},"e1a7f4c0-3070-4140-b0ca-99eb362e9da1",[],{"id":305,"slug":306,"label":307,"tooltipHtml":9,"descriptionHtml":9,"badResponseCommentHtml":9,"goodResponseCommentHtml":9,"placeholder":9,"min":9,"max":9,"regex":9,"unit":9,"type":27,"typeIndex":28,"typeColor":9,"typeIcon":9,"typeText":29,"dynamicSelectType":9,"editableOptions":30,"complianceRules":308,"displayConditions":9,"answers":309,"listQuestions":9,"required":30,"requiredJustification":30,"suggestTask":30,"riskEnabled":44,"native":30},"1ecd421a-3d48-49aa-8fc0-349d1f23fa24","822291ba-cff6-404c-8564-b86ca508b8da","If users are contractually allowed to delete their data, do you clearly inform them how to do so?",[],[310,313,319],{"id":311,"color":35,"rangeValue":9,"label":36,"slug":9,"description":9,"score":37,"nonApplicable":30,"tooltip":9,"goodAnswer":30,"redFlag":30,"impact":9,"probability":9,"taskSuggestions":312},"c7fca5d1-2efe-45d4-a0dd-4b718b586c4e",[],{"id":314,"color":41,"rangeValue":9,"label":42,"slug":9,"description":9,"score":11,"nonApplicable":30,"tooltip":9,"goodAnswer":30,"redFlag":30,"impact":9,"probability":9,"taskSuggestions":315},"470fdf13-d31b-4351-8cd6-6c430406b545",[316],{"id":317,"label":318,"userId":9,"color":9,"description":225,"priority":226,"priorityIndex":227,"priorityColor":228,"priorityIcon":9,"priorityText":226},"66fc2970-acd4-4b5f-8726-88a1d949b5d5","Inform users of their right & way to delete data when contractually permitted",{"id":320,"color":9,"rangeValue":9,"label":231,"slug":9,"description":9,"score":9,"nonApplicable":30,"tooltip":9,"goodAnswer":30,"redFlag":30,"impact":9,"probability":9,"taskSuggestions":321},"06ab68b7-ccf5-4ca2-bd28-5168f5c1ce32",[],{"id":323,"slug":324,"label":325,"tooltipHtml":9,"descriptionHtml":326,"badResponseCommentHtml":9,"goodResponseCommentHtml":9,"placeholder":9,"min":9,"max":9,"regex":9,"unit":9,"type":27,"typeIndex":28,"typeColor":9,"typeIcon":9,"typeText":29,"dynamicSelectType":9,"editableOptions":30,"complianceRules":327,"displayConditions":9,"answers":328,"listQuestions":9,"required":30,"requiredJustification":30,"suggestTask":30,"riskEnabled":44,"native":30},"0d3c4499-55f7-473d-a4f0-67a54045de78","9b427ae1-aee9-4569-82a4-cba7f5a480ef","Does your company use the product data for its own purposes? ","\u003Cp>Any use of data generated by a connected product or related service (for example, for analytics, business intelligence, or advertising) is permitted only with the explicit consent of the user, formalised in a contract. Such contracts must include detailed clauses specifying the permitted uses of the data and the safeguards in place to protect it.\u003C/p>\u003Cp>Ensure such data is not transferred to foreign authorities without appropriate judicial safeguards. \u003C/p>\u003Cul>\u003Cli>\u003Cp>\u003Cstrong>New contracts\u003C/strong>: must comply by \u003Cstrong>12 September 2025\u003C/strong>.\u003C/p>\u003C/li>\u003Cli>\u003Cp>\u003Cstrong>Existing contracts\u003C/strong>: must be brought into compliance by \u003Cstrong>12 September 2027\u003C/strong>, where they are either of \u003Cstrong>indefinite duration\u003C/strong> or set to \u003Cstrong>expire after 11 January 2034\u003C/strong>.\u003C/p>\u003C/li>\u003C/ul>",[],[329,332,338],{"id":330,"color":35,"rangeValue":9,"label":36,"slug":9,"description":9,"score":37,"nonApplicable":30,"tooltip":9,"goodAnswer":30,"redFlag":30,"impact":9,"probability":9,"taskSuggestions":331},"e00d9185-8d29-4684-8f05-b4e8f78de355",[],{"id":333,"color":41,"rangeValue":9,"label":42,"slug":9,"description":9,"score":11,"nonApplicable":30,"tooltip":9,"goodAnswer":30,"redFlag":30,"impact":9,"probability":9,"taskSuggestions":334},"9a1232e0-b2c6-4364-ab12-742966ea40d1",[335],{"id":336,"label":337,"userId":9,"color":9,"description":225,"priority":226,"priorityIndex":227,"priorityColor":228,"priorityIcon":9,"priorityText":226},"e4f84f72-374c-4474-977c-782fc3fe6ecf","Ensure this is contractually agreed upon.",{"id":339,"color":9,"rangeValue":9,"label":231,"slug":9,"description":9,"score":9,"nonApplicable":30,"tooltip":9,"goodAnswer":30,"redFlag":30,"impact":9,"probability":9,"taskSuggestions":340},"95e10f78-d646-444b-813b-627a996e1a4c",[],[],{"id":343,"slug":199,"label":344,"emoji":9,"type":10,"typeIndex":11,"typeColor":9,"typeIcon":9,"typeText":12,"descriptionHtml":345,"questions":346,"sections":519},"8fdd8fcd-230a-479c-8330-a9acdab0179c","Access & data-sharing to users","\u003Cp>\u003Cstrong>The obligation to make product data and related service data accessible to the user is governed by Articles 3 & 4 of the Data Act.\u003C/strong>\u003C/p>\u003Cp>\u003Cstrong>Data holders should enable user access to data: provide users with free and machine-readable access to all data generated by their use of the product or service, ensuring it is readily available.\u003C/strong>\u003C/p>\u003Cp>Pursuant to \u003Cu>Article 3(1) of the Data Act,\u003C/u> connected products and related services shall be\u003Cstrong> designed and provided in such a manner that product data and related service data are accessible to the user\u003C/strong>, including the relevant metadata necessary to interpret and use those data.\u003C/p>\u003Cp>Platforms designated as \u003Cstrong>gatekeepers \u003C/strong>under the meaning of the Digital Markets Act, do not benefit from the rights.\u003Cbr>\u003Cbr>The access should be easy, secure, free of charge, in a comprehensive, structured, commonly used and machine-readable format, and where technically feasible, direcly accessible by the user.\u003C/p>\u003Cp>As stated in Article 4(13), data holders will need to have a contract in place with users to use readily available data from 12 September 2025.\u003C/p>\u003Cp>The obligation resulting from Article 3(1) shall apply to connected products and the services related to them placed on the market after 12 September 2026.\u003C/p>",[347,366,385,405,424,443,462,481,500],{"id":348,"slug":349,"label":350,"tooltipHtml":9,"descriptionHtml":351,"badResponseCommentHtml":9,"goodResponseCommentHtml":9,"placeholder":9,"min":9,"max":9,"regex":9,"unit":9,"type":27,"typeIndex":28,"typeColor":9,"typeIcon":9,"typeText":29,"dynamicSelectType":9,"editableOptions":30,"complianceRules":352,"displayConditions":9,"answers":353,"listQuestions":9,"required":30,"requiredJustification":30,"suggestTask":30,"riskEnabled":44,"native":30},"9ae108fd-d23e-408e-8c24-41a7efdb5c7e","c7f11443-ab83-439e-82f1-c6aa8637aa4f","Did you ensure that all existing or new contracts with users clearly define your rights to use the data generated by connected products or related services?","\u003Cp>This obligation applies to connected products placed on the market both before and after 12 September 2025. Data holders who can identify the users of their connected products placed on the market before 12 September 2025 therefore need to either:\u003C/p>\u003Cul>\u003Cli>\u003Cp>conclude a contract that secures the user’s agreement to their use of the data, if they were doing so without a contractual basis, or\u003C/p>\u003C/li>\u003Cli>\u003Cp>check if an existing contract (e.g. a sales contract, a contract for the provision of related services or any other contract) needs to be adapted to include the user’s agreement to their use of the data.\u003C/p>\u003C/li>\u003C/ul>\u003Cp>Article 4(13) states that the data holder can use the non-personal data for any purpose, provided that (i) this is agreed with the user; and (ii) the data holder does not derive insights about the economic situation, assets and production methods of the user in any other manner that could undermine the commercial position of that user on the markets on which the user is active\u003Cbr>\u003Cbr>Recital 25 further explains that any contractual term regarding the data holder’s intended use of data should be transparent to the user. Possible purposes of data usage by the data holder include the improving of the functioning of the connected product or related service or making aggregated data available to a third party, provided that these data do not allow identification of granular data. The user is the sole source of access to granular non-personal data from the connected product or related service.\u003C/p>\u003Cp>For B2B data sharing, use the following \u003Ca href=\"https://ec.europa.eu/transparency/expert-groups-register/core/api/front/document/116180/download\">model contractual terms \u003C/a>of the Expert Group where appropriate. In 2022 the Commission set up the\u003Ca href=\"https://ec.europa.eu/transparency/expert-groups-register/screen/expert-groups/consult?lang=en&groupID=3840\"> Expert group on B2B data sharing and cloud computing contract\u003C/a>s to assist it with the development of the terms and clauses.\u003C/p>",[],[354,357,363],{"id":355,"color":35,"rangeValue":9,"label":36,"slug":9,"description":9,"score":9,"nonApplicable":30,"tooltip":9,"goodAnswer":30,"redFlag":30,"impact":9,"probability":9,"taskSuggestions":356},"100d584a-40ac-42e6-ace5-0d52b83662c8",[],{"id":358,"color":41,"rangeValue":9,"label":42,"slug":9,"description":9,"score":9,"nonApplicable":30,"tooltip":9,"goodAnswer":30,"redFlag":30,"impact":9,"probability":9,"taskSuggestions":359},"91ac8b4c-f737-4c71-9fda-b9fd16599cab",[360],{"id":361,"label":362,"userId":9,"color":9,"description":225,"priority":226,"priorityIndex":227,"priorityColor":228,"priorityIcon":9,"priorityText":226},"7992f355-8aee-4cf0-b45b-11eba9c8cbfa","Review and update all user contracts to clearly define the rights to use data.",{"id":364,"color":9,"rangeValue":9,"label":231,"slug":9,"description":9,"score":9,"nonApplicable":30,"tooltip":9,"goodAnswer":30,"redFlag":30,"impact":9,"probability":9,"taskSuggestions":365},"c17dd797-e82d-4d0e-9a67-650ea7bd8379",[],{"id":367,"slug":368,"label":369,"tooltipHtml":9,"descriptionHtml":370,"badResponseCommentHtml":9,"goodResponseCommentHtml":9,"placeholder":9,"min":9,"max":9,"regex":9,"unit":9,"type":27,"typeIndex":28,"typeColor":9,"typeIcon":9,"typeText":29,"dynamicSelectType":9,"editableOptions":30,"complianceRules":371,"displayConditions":9,"answers":372,"listQuestions":9,"required":30,"requiredJustification":30,"suggestTask":30,"riskEnabled":44,"native":30},"e7a6e774-6080-47fe-a465-391a8308e91d","73400ead-b8a1-4492-8325-a6c5f3125aad","Does your connected product or related service allow users to access product data? ","\u003Cp>\u003Ca href=\"https://eur-lex.europa.eu/eli/reg/2023/2854/oj/eng#art_3\">Pursuant to Article 3(1) of the Data Act, \u003C/a>connected products and related services shall be\u003Cstrong> designed and provided in such a manner that product data and related service data are accessible to the user\u003C/strong>, including the relevant metadata necessary to interpret and use those data.\u003C/p>\u003Cp>The principle is simple: if a connected product or related services generates data, the user (natural or legal person) must be able to access it:\u003C/p>\u003Cp>By the date of entry into application of the Data Act (12 September 2025), products already on the market and new products (when placed on the market) must allow for data to be accessed by the user.\u003C/p>\u003Cp>By this date, data holders have to decide \u003Cstrong>whether such access will be made:\u003C/strong>\u003C/p>\u003Cul>\u003Cli>\u003Cp>\u003Cstrong>directly \u003C/strong>in the product or the related application, or in a structured, machine-readable format (Article 3(1)).\u003C/p>\u003C/li>\u003Cli>\u003Cp>\u003Cstrong>or indirectly \u003C/strong>(Article 4(1)). This shall be done on the basis of a simple request through electronic means where technically feasible.\u003C/p>\u003C/li>\u003C/ul>\u003Cp>Different configurations are possible (for instance, part of the data could be made available directly, and the rest could be made available indirectly).\u003C/p>\u003Cp>Article 3(1) of the Data Act does not oblige manufacturers to grant direct access to data in all situations and for all connected products. Data should be ‘directly accessible’ to the user ’where relevant and technically feasible’\u003C/p>\u003Cp>The formulation ‘where relevant and technically feasible’ is meant to reinforce the manufacturers’ discretion to decide whether to design a connected product in a way that provides users with ‘uncontrolled’ access (i.e. without any intervention by any other party) or in a way that provides access with additional controls (typically via a remote server) (FAQ of the European Commission)\u003C/p>\u003Cp>When making this choice, the protection of trade secrets or the security of the connected product can be a consideration, especially since, in a direct access situation, the manufacturer will be less involved (or not at all) than in an indirect access situation in how a user will exercise their access rights.\u003C/p>",[],[373,376,382],{"id":374,"color":35,"rangeValue":9,"label":36,"slug":9,"description":9,"score":37,"nonApplicable":30,"tooltip":9,"goodAnswer":30,"redFlag":30,"impact":9,"probability":9,"taskSuggestions":375},"23fe92fe-80e2-44a2-96c4-275e4ee58d93",[],{"id":377,"color":41,"rangeValue":9,"label":42,"slug":9,"description":9,"score":11,"nonApplicable":30,"tooltip":9,"goodAnswer":30,"redFlag":30,"impact":9,"probability":9,"taskSuggestions":378},"103ab3a6-f93c-429d-b550-047208fcb220",[379],{"id":380,"label":381,"userId":9,"color":9,"description":225,"priority":226,"priorityIndex":227,"priorityColor":228,"priorityIcon":9,"priorityText":226},"efa4b56f-ec7a-454b-a2d9-dade494bb8bb","Enable users to access product/service data directly or indirectly.  ",{"id":383,"color":9,"rangeValue":9,"label":231,"slug":9,"description":9,"score":9,"nonApplicable":30,"tooltip":9,"goodAnswer":30,"redFlag":30,"impact":9,"probability":9,"taskSuggestions":384},"08115289-0f01-43bb-9200-2f616132df8e",[],{"id":386,"slug":387,"label":388,"tooltipHtml":9,"descriptionHtml":389,"badResponseCommentHtml":9,"goodResponseCommentHtml":9,"placeholder":9,"min":9,"max":9,"regex":9,"unit":9,"type":27,"typeIndex":28,"typeColor":9,"typeIcon":9,"typeText":29,"dynamicSelectType":9,"editableOptions":30,"complianceRules":390,"displayConditions":9,"answers":391,"listQuestions":9,"required":30,"requiredJustification":30,"suggestTask":30,"riskEnabled":44,"native":30},"5fbbbd1b-c43d-46e0-af55-a1305d4cd59b","bc82eb43-a0d8-4b82-a983-b9f6dda0f04e","Can your mechanisms in place, manage data access rights for several users of the same connected product?","\u003Cp>Various actors may have a legal right based on the contractual arrangements related to the use of a connected product. It is therefore entirely possible for multiple persons to be users of the same connected product. In such a situation, data holders should have mechanisms in place to ensure that each user can access the data to which they are entitled. Users might also conclude separate agreements (e.g. a user\u0002to-user sub-lease of a connected product \u003C/p>\u003Cp>\u003Cimg src=\"https://static.dastra.eu/tenant-3/richtext/DZo0ZbMB8YwyoD/image.png\">\u003Cimg src=\"https://static.dastra.eu/tenant-3/richtext/LVaBQA6vqmAgqS/image.png\">\u003C/p>",[],[392,395,402],{"id":393,"color":35,"rangeValue":9,"label":36,"slug":9,"description":9,"score":37,"nonApplicable":30,"tooltip":9,"goodAnswer":30,"redFlag":30,"impact":9,"probability":9,"taskSuggestions":394},"f7c5d879-e67e-4efc-b07d-0589bbf19e38",[],{"id":396,"color":41,"rangeValue":9,"label":42,"slug":9,"description":9,"score":11,"nonApplicable":30,"tooltip":9,"goodAnswer":30,"redFlag":30,"impact":9,"probability":9,"taskSuggestions":397},"81236485-0ac5-49bb-9d21-dcfb1d424d84",[398],{"id":399,"label":400,"userId":9,"color":9,"description":401,"priority":226,"priorityIndex":227,"priorityColor":228,"priorityIcon":9,"priorityText":226},"f44af3e7-37fd-4f88-b6dd-b32852a93c60","Implement mechanisms to manage and differentiate data access rights of all","\u003Cp>Implement mechanisms to manage and differentiate data access rights among multiple users of the same connected product.\u003C/p>",{"id":403,"color":9,"rangeValue":9,"label":231,"slug":9,"description":9,"score":9,"nonApplicable":30,"tooltip":9,"goodAnswer":30,"redFlag":30,"impact":9,"probability":9,"taskSuggestions":404},"c0d75921-e864-4e51-87ec-bdfdfa53fe58",[],{"id":406,"slug":407,"label":408,"tooltipHtml":9,"descriptionHtml":409,"badResponseCommentHtml":9,"goodResponseCommentHtml":9,"placeholder":9,"min":9,"max":9,"regex":9,"unit":9,"type":27,"typeIndex":28,"typeColor":9,"typeIcon":9,"typeText":29,"dynamicSelectType":9,"editableOptions":30,"complianceRules":410,"displayConditions":9,"answers":411,"listQuestions":9,"required":30,"requiredJustification":30,"suggestTask":30,"riskEnabled":44,"native":30},"12556417-2a64-4c48-b320-1058b8ae9a73","b5bbabd5-75e4-43c5-8b03-fa179decb5a3","Do you have mechanisms in place to verify the identity? ","\u003Cp>For the purpose of verifying whether a natural or legal person qualifies as a user, a data holder shall not require that person to provide any information beyond what is necessary. Data holders shall not keep any information, in particular log data, on the user’s access to the data requested beyond what is necessary for the sound execution of the user’s access request and for the security and maintenance of the data infrastructure.\u003C/p>",[],[412,415,421],{"id":413,"color":35,"rangeValue":9,"label":36,"slug":9,"description":9,"score":37,"nonApplicable":30,"tooltip":9,"goodAnswer":30,"redFlag":30,"impact":9,"probability":9,"taskSuggestions":414},"5c52b3db-8d4e-429a-8c96-1ea10b79663b",[],{"id":416,"color":41,"rangeValue":9,"label":42,"slug":9,"description":9,"score":11,"nonApplicable":30,"tooltip":9,"goodAnswer":30,"redFlag":30,"impact":9,"probability":9,"taskSuggestions":417},"c88df7ae-1df6-4763-ae77-1cb6d5d82428",[418],{"id":419,"label":420,"userId":9,"color":9,"description":225,"priority":226,"priorityIndex":227,"priorityColor":228,"priorityIcon":9,"priorityText":226},"cf330d4d-77a7-4195-bdfe-23f39a1fcee6","Establish reasonable & secure identity verification processes for users",{"id":422,"color":9,"rangeValue":9,"label":231,"slug":9,"description":9,"score":9,"nonApplicable":30,"tooltip":9,"goodAnswer":30,"redFlag":30,"impact":9,"probability":9,"taskSuggestions":423},"f3fc2e25-7c9d-4e10-bde5-a1fd6d96a5dc",[],{"id":425,"slug":426,"label":427,"tooltipHtml":9,"descriptionHtml":428,"badResponseCommentHtml":9,"goodResponseCommentHtml":9,"placeholder":9,"min":9,"max":9,"regex":9,"unit":9,"type":27,"typeIndex":28,"typeColor":9,"typeIcon":9,"typeText":29,"dynamicSelectType":9,"editableOptions":30,"complianceRules":429,"displayConditions":9,"answers":430,"listQuestions":9,"required":30,"requiredJustification":30,"suggestTask":30,"riskEnabled":44,"native":30},"c78c8797-505f-4684-9a0a-450585bfbe07","33a6c454-525a-43b0-b871-e672e2df1fb1","Is the access granted easily? ","\u003Cp>Data holders must grant access to data “easily”. This requires implementing mechanisms that streamline and simplify data sharing and avoid unnecessary complexities or barriers. Where access is limited to on-site or specific tools are required, it must not involve unreasonable complications for users or third parties, such as restrictive locations, time slots, or disproportionate costs.\u003C/p>\u003Cp>Data holders shall not make the exercise of choices or rights under this Article by the user unduly difficult, including by offering choices to the user in a non-neutral manner or by subverting or impairing the autonomy, decision-making or choices of the user via the structure, design, function or manner of operation of a user digital interface or a part thereof\u003Ca href=\"https://eur-lex.europa.eu/eli/reg/2023/2854/oj/eng#art_4\"> (Article 4(4) of the Data Act)\u003C/a>. \u003C/p>",[],[431,434,440],{"id":432,"color":35,"rangeValue":9,"label":36,"slug":9,"description":9,"score":37,"nonApplicable":30,"tooltip":9,"goodAnswer":30,"redFlag":30,"impact":9,"probability":9,"taskSuggestions":433},"4d344826-2765-4108-a543-c25a791a48c3",[],{"id":435,"color":41,"rangeValue":9,"label":42,"slug":9,"description":9,"score":11,"nonApplicable":30,"tooltip":9,"goodAnswer":30,"redFlag":30,"impact":9,"probability":9,"taskSuggestions":436},"1e6db1b9-7537-46c2-b764-209784c69cf0",[437],{"id":438,"label":439,"userId":9,"color":9,"description":225,"priority":226,"priorityIndex":227,"priorityColor":228,"priorityIcon":9,"priorityText":226},"0bbead8c-2c5a-44e6-be02-412624f96816","Ensure users can access product data through simple, user-friendly procedures.",{"id":441,"color":9,"rangeValue":9,"label":231,"slug":9,"description":9,"score":9,"nonApplicable":30,"tooltip":9,"goodAnswer":30,"redFlag":30,"impact":9,"probability":9,"taskSuggestions":442},"897ea6e9-4f48-433f-b1c4-766eac6b18a5",[],{"id":444,"slug":445,"label":446,"tooltipHtml":9,"descriptionHtml":447,"badResponseCommentHtml":9,"goodResponseCommentHtml":9,"placeholder":9,"min":9,"max":9,"regex":9,"unit":9,"type":27,"typeIndex":28,"typeColor":9,"typeIcon":9,"typeText":29,"dynamicSelectType":9,"editableOptions":30,"complianceRules":448,"displayConditions":9,"answers":449,"listQuestions":9,"required":30,"requiredJustification":30,"suggestTask":30,"riskEnabled":44,"native":30},"79c4133f-126e-4a8e-99d7-98d0c7741db7","da30e78d-ed8e-4afe-99e9-5b523e554863","Do you make the data available “in a comprehensive, structured, commonly used and machine-readable format”?","\u003Cp>Data holders must make data available “in a comprehensive, structured, commonly used and machine-readable format” to ensure interoperability and facilitate reuse. Modelled after GDPR Art 20 (Data portability), this requirement establishes the minimum conditions for data portability. Data holders, as the entities responsible for the design of the data at the source, must provide data in an interoperable format (e.g. XML, JSON, CSV). Formats subject to licensing constraints are not considered “commonly used”. While industry is encouraged to develop common formats for certain data, no obligation to develop those flows from the Data Act\u003C/p>",[],[450,453,459],{"id":451,"color":35,"rangeValue":9,"label":36,"slug":9,"description":9,"score":37,"nonApplicable":30,"tooltip":9,"goodAnswer":30,"redFlag":30,"impact":9,"probability":9,"taskSuggestions":452},"df0321b9-3bec-4066-b5b2-afa88ed471cc",[],{"id":454,"color":41,"rangeValue":9,"label":42,"slug":9,"description":9,"score":11,"nonApplicable":30,"tooltip":9,"goodAnswer":30,"redFlag":30,"impact":9,"probability":9,"taskSuggestions":455},"f13e4129-6e6c-494d-9218-9ce8d2939095",[456],{"id":457,"label":458,"userId":9,"color":9,"description":225,"priority":226,"priorityIndex":227,"priorityColor":228,"priorityIcon":9,"priorityText":226},"02a4eb29-b74c-4bf7-a159-4dff1393c7c2","Provide data in a comprehensive, structured, commonly used, and machine-readable",{"id":460,"color":9,"rangeValue":9,"label":231,"slug":9,"description":9,"score":9,"nonApplicable":30,"tooltip":9,"goodAnswer":30,"redFlag":30,"impact":9,"probability":9,"taskSuggestions":461},"c26bffea-65e1-4e05-b783-26a4cbd75cd0",[],{"id":463,"slug":464,"label":465,"tooltipHtml":9,"descriptionHtml":466,"badResponseCommentHtml":9,"goodResponseCommentHtml":9,"placeholder":9,"min":9,"max":9,"regex":9,"unit":9,"type":27,"typeIndex":28,"typeColor":9,"typeIcon":9,"typeText":29,"dynamicSelectType":9,"editableOptions":30,"complianceRules":467,"displayConditions":9,"answers":468,"listQuestions":9,"required":30,"requiredJustification":30,"suggestTask":30,"riskEnabled":44,"native":30},"0b88e676-ca63-4108-abd4-58c67e39650b","a4f8fc03-e975-4e19-8ba5-03982901151f","Do you share data of the same quality as you make available to yourself? ","\u003Cp>The data holder is required to share data “of the same quality” as it makes available to itself. This implies that the data should be shared in a format and quality consistent with how it would be shared with another subsidiary within the same corporate group or in a manner that aligns with industry standards or practices within a specific industry\u003C/p>\u003Cp>Full product and service data must be made available, not curated extracts. Either directly. Access must be easy, timely, free of charge, and in real time where feasible\u003C/p>",[],[469,472,478],{"id":470,"color":35,"rangeValue":9,"label":36,"slug":9,"description":9,"score":37,"nonApplicable":30,"tooltip":9,"goodAnswer":30,"redFlag":30,"impact":9,"probability":9,"taskSuggestions":471},"847ab859-79ed-4bb0-8291-46fd09101adb",[],{"id":473,"color":41,"rangeValue":9,"label":42,"slug":9,"description":9,"score":11,"nonApplicable":30,"tooltip":9,"goodAnswer":30,"redFlag":30,"impact":9,"probability":9,"taskSuggestions":474},"de69fcbb-1871-4b01-aa06-a187cdd461e3",[475],{"id":476,"label":477,"userId":9,"color":9,"description":225,"priority":226,"priorityIndex":227,"priorityColor":228,"priorityIcon":9,"priorityText":226},"3bace9ed-5f08-480d-92e0-44aebcdfb2b7","Guarantee that shared data matches the same quality as internally",{"id":479,"color":9,"rangeValue":9,"label":231,"slug":9,"description":9,"score":9,"nonApplicable":30,"tooltip":9,"goodAnswer":30,"redFlag":30,"impact":9,"probability":9,"taskSuggestions":480},"9c528565-fd68-48f2-8655-b582ace9aca9",[],{"id":482,"slug":483,"label":484,"tooltipHtml":9,"descriptionHtml":485,"badResponseCommentHtml":9,"goodResponseCommentHtml":9,"placeholder":9,"min":9,"max":9,"regex":9,"unit":9,"type":27,"typeIndex":28,"typeColor":9,"typeIcon":9,"typeText":29,"dynamicSelectType":9,"editableOptions":30,"complianceRules":486,"displayConditions":9,"answers":487,"listQuestions":9,"required":30,"requiredJustification":30,"suggestTask":30,"riskEnabled":44,"native":30},"9184fed0-c73a-4963-bfec-9d3fbf1816b7","ac605b9a-fd07-432d-b561-bede956fb4c4","Do you provide the data \"without undue delay” upon user or third-party request?","\u003Cp>Articles 4(1) and 5(1) require data holders to provide data “without undue delay” upon user or third-party request. This means data should be made available in a prompt, timely and responsive manner. Data holders must proactively implement solutions such as automation, streamlined and structured request procedures, self-service portals, and clear organisation policies to minimise administrative bottlenecks and reduce reliance on manual intervention (c.f. Recital 21). Delays can be justified based on security, technical, or legal constraints, and must remain proportionate to the request\u003C/p>",[],[488,491,497],{"id":489,"color":35,"rangeValue":9,"label":36,"slug":9,"description":9,"score":37,"nonApplicable":30,"tooltip":9,"goodAnswer":30,"redFlag":30,"impact":9,"probability":9,"taskSuggestions":490},"6c169b03-8ecc-4501-baa1-97220709e43e",[],{"id":492,"color":41,"rangeValue":9,"label":42,"slug":9,"description":9,"score":11,"nonApplicable":30,"tooltip":9,"goodAnswer":30,"redFlag":30,"impact":9,"probability":9,"taskSuggestions":493},"6c68376d-db62-4df2-b3c6-475af529a50c",[494],{"id":495,"label":496,"userId":9,"color":9,"description":225,"priority":226,"priorityIndex":227,"priorityColor":228,"priorityIcon":9,"priorityText":226},"bc96c79e-4544-4453-8b4b-499d75fdc6a3","Ensure your processes cover the provision of requested data promptly",{"id":498,"color":9,"rangeValue":9,"label":231,"slug":9,"description":9,"score":9,"nonApplicable":30,"tooltip":9,"goodAnswer":30,"redFlag":30,"impact":9,"probability":9,"taskSuggestions":499},"ba758bd8-087f-4c82-a99a-86a31ec85562",[],{"id":501,"slug":502,"label":503,"tooltipHtml":9,"descriptionHtml":504,"badResponseCommentHtml":9,"goodResponseCommentHtml":9,"placeholder":9,"min":9,"max":9,"regex":9,"unit":9,"type":27,"typeIndex":28,"typeColor":9,"typeIcon":9,"typeText":29,"dynamicSelectType":9,"editableOptions":30,"complianceRules":505,"displayConditions":9,"answers":506,"listQuestions":9,"required":30,"requiredJustification":30,"suggestTask":30,"riskEnabled":44,"native":30},"790abced-4e6e-4db8-8236-26c12e83fea7","7a5f6f70-c95f-448d-a7a6-35358656f38e","Do you ensure that data is made available securely and in line with recognized industry standards?","\u003Cp>Data must be made available “securely”, ensuring protection against unauthorised access or use. Such mechanisms should align with industry standards and relevant legal frameworks, such as those related to cybersecurity. \u003C/p>",[],[507,510,516],{"id":508,"color":35,"rangeValue":9,"label":36,"slug":9,"description":9,"score":37,"nonApplicable":30,"tooltip":9,"goodAnswer":30,"redFlag":30,"impact":9,"probability":9,"taskSuggestions":509},"b9dfc7cd-6af6-4678-bd80-59581c43054d",[],{"id":511,"color":41,"rangeValue":9,"label":42,"slug":9,"description":9,"score":11,"nonApplicable":30,"tooltip":9,"goodAnswer":30,"redFlag":30,"impact":9,"probability":9,"taskSuggestions":512},"65f1fa99-ee37-47b9-bb76-4a2fb872307e",[513],{"id":514,"label":515,"userId":9,"color":9,"description":225,"priority":226,"priorityIndex":227,"priorityColor":228,"priorityIcon":9,"priorityText":226},"373038a0-859d-47a0-82d2-00bd39ea5296","Ensure all shared data is transferred securely & in accordance with standards",{"id":517,"color":9,"rangeValue":9,"label":231,"slug":9,"description":9,"score":9,"nonApplicable":30,"tooltip":9,"goodAnswer":30,"redFlag":30,"impact":9,"probability":9,"taskSuggestions":518},"9b00ff5d-5e80-44e1-87a5-ff8c5078232b",[],[],{"id":521,"slug":522,"label":523,"emoji":9,"type":10,"typeIndex":11,"typeColor":9,"typeIcon":9,"typeText":12,"descriptionHtml":524,"questions":525,"sections":640},"217363f4-9fa1-4967-9439-818193e01236","access-and-sharing-to-third-parties","Access & data-sharing to third parties","\u003Cp>Access & data-sharing to third parties is governed by Articles 5 & 6 of the Data Act.\u003C/p>\u003Cp>The Data Act grants the users the right to share data with third parties. When the latter receive data at the request of the user, they have certain obligations.\u003C/p>\u003Cp>In essence, third-party sharing shoud be facilitaed: Allow users to transmit their data to third parties on request without delay, discrimination, or unnecessary restrictions.\u003C/p>\u003Cp>\u003C/p>",[526,544,563,581,601,620],{"id":527,"slug":528,"label":529,"tooltipHtml":9,"descriptionHtml":9,"badResponseCommentHtml":9,"goodResponseCommentHtml":9,"placeholder":9,"min":9,"max":9,"regex":9,"unit":9,"type":27,"typeIndex":28,"typeColor":9,"typeIcon":9,"typeText":29,"dynamicSelectType":9,"editableOptions":30,"complianceRules":530,"displayConditions":9,"answers":531,"listQuestions":9,"required":30,"requiredJustification":30,"suggestTask":30,"riskEnabled":44,"native":30},"1c2b65a6-ac8a-4a57-a2ca-f360cf4a710c","9221084d-ad47-4328-9a5d-dbbad86d7601","Does your company share any of the product data with third parties?",[],[532,535,541],{"id":533,"color":35,"rangeValue":9,"label":36,"slug":9,"description":9,"score":37,"nonApplicable":30,"tooltip":9,"goodAnswer":30,"redFlag":30,"impact":9,"probability":9,"taskSuggestions":534},"b9148284-caf1-4a85-97c7-aab43481ebfe",[],{"id":536,"color":41,"rangeValue":9,"label":42,"slug":9,"description":9,"score":11,"nonApplicable":30,"tooltip":9,"goodAnswer":30,"redFlag":30,"impact":9,"probability":9,"taskSuggestions":537},"0be6512a-6c0e-4ab7-b030-b7d04d81cc62",[538],{"id":539,"label":540,"userId":9,"color":9,"description":225,"priority":226,"priorityIndex":227,"priorityColor":228,"priorityIcon":9,"priorityText":226},"2e3154de-38f3-419e-9b00-0436cbfc6424","Identify and document instances where product data is shared with third parties",{"id":542,"color":9,"rangeValue":9,"label":231,"slug":9,"description":9,"score":9,"nonApplicable":30,"tooltip":9,"goodAnswer":30,"redFlag":30,"impact":9,"probability":9,"taskSuggestions":543},"3e27f05f-e18a-4852-9988-4d5e1dfa9392",[],{"id":545,"slug":546,"label":547,"tooltipHtml":9,"descriptionHtml":548,"badResponseCommentHtml":9,"goodResponseCommentHtml":9,"placeholder":9,"min":9,"max":9,"regex":9,"unit":9,"type":27,"typeIndex":28,"typeColor":9,"typeIcon":9,"typeText":29,"dynamicSelectType":9,"editableOptions":30,"complianceRules":549,"displayConditions":9,"answers":550,"listQuestions":9,"required":30,"requiredJustification":30,"suggestTask":30,"riskEnabled":44,"native":30},"b8475a46-a2b2-41a3-8965-d7d6c19f9150","fdff9ee5-4732-4c2b-881c-474165edb731","Is it possible for users to request to grant third parties access to their data? ","\u003Cp>Users may share data with \u003Cstrong>third parties of their choice\u003C/strong> directly or can ask the data holder to do so (with only limited compensation allowed for substantial investments in a B2B setting).\u003C/p>\u003Cp> Assess under which conditions the disclosure can be rejected & on which grounds. \u003C/p>",[],[551,554,560],{"id":552,"color":35,"rangeValue":9,"label":36,"slug":9,"description":9,"score":37,"nonApplicable":30,"tooltip":9,"goodAnswer":30,"redFlag":30,"impact":9,"probability":9,"taskSuggestions":553},"0abd28f0-b374-4561-94ff-1e7059828d54",[],{"id":555,"color":41,"rangeValue":9,"label":42,"slug":9,"description":9,"score":11,"nonApplicable":30,"tooltip":9,"goodAnswer":30,"redFlag":30,"impact":9,"probability":9,"taskSuggestions":556},"e1ffb832-8803-4a8f-aa74-ecdcc2bb61cc",[557],{"id":558,"label":559,"userId":9,"color":9,"description":225,"priority":226,"priorityIndex":227,"priorityColor":228,"priorityIcon":9,"priorityText":226},"bd598a3c-8ee0-45b1-924d-24ff0bf7332e","Implement procedures allowing users to authorize third-party access ",{"id":561,"color":9,"rangeValue":9,"label":231,"slug":9,"description":9,"score":9,"nonApplicable":30,"tooltip":9,"goodAnswer":30,"redFlag":30,"impact":9,"probability":9,"taskSuggestions":562},"03c202c4-2c34-4ebf-a830-3c770e4847da",[],{"id":564,"slug":565,"label":566,"tooltipHtml":9,"descriptionHtml":9,"badResponseCommentHtml":9,"goodResponseCommentHtml":9,"placeholder":9,"min":9,"max":9,"regex":9,"unit":9,"type":27,"typeIndex":28,"typeColor":9,"typeIcon":9,"typeText":29,"dynamicSelectType":9,"editableOptions":30,"complianceRules":567,"displayConditions":9,"answers":568,"listQuestions":9,"required":30,"requiredJustification":30,"suggestTask":30,"riskEnabled":44,"native":30},"a1bd1118-e526-4488-b892-07eef35985e2","afcb83c7-75d7-4d87-b6c1-a0ae6facd8b4","Are third-party data requests documented and tracked?",[],[569,572,578],{"id":570,"color":35,"rangeValue":9,"label":36,"slug":9,"description":9,"score":37,"nonApplicable":30,"tooltip":9,"goodAnswer":30,"redFlag":30,"impact":9,"probability":9,"taskSuggestions":571},"009d59a7-64b1-4231-bd14-963526d677ea",[],{"id":573,"color":41,"rangeValue":9,"label":42,"slug":9,"description":9,"score":11,"nonApplicable":30,"tooltip":9,"goodAnswer":30,"redFlag":30,"impact":9,"probability":9,"taskSuggestions":574},"cbbb191c-1f8e-42f6-a36b-434d51b4ec98",[575],{"id":576,"label":577,"userId":9,"color":9,"description":225,"priority":226,"priorityIndex":227,"priorityColor":228,"priorityIcon":9,"priorityText":226},"649e9cca-0d72-4c56-ba90-82fe636f9506","Record and monitor all third-party data access requests to ensure traceability",{"id":579,"color":9,"rangeValue":9,"label":231,"slug":9,"description":9,"score":9,"nonApplicable":30,"tooltip":9,"goodAnswer":30,"redFlag":30,"impact":9,"probability":9,"taskSuggestions":580},"7cf57070-ac84-42fa-8b7d-522eb763285e",[],{"id":582,"slug":583,"label":584,"tooltipHtml":9,"descriptionHtml":585,"badResponseCommentHtml":9,"goodResponseCommentHtml":9,"placeholder":9,"min":9,"max":9,"regex":9,"unit":9,"type":27,"typeIndex":28,"typeColor":9,"typeIcon":9,"typeText":29,"dynamicSelectType":9,"editableOptions":30,"complianceRules":586,"displayConditions":9,"answers":587,"listQuestions":9,"required":30,"requiredJustification":30,"suggestTask":30,"riskEnabled":44,"native":30},"7b354f5e-5876-4b29-9009-34af9a1a7ced","3b4d4e96-d89d-48cb-95ad-dbd73dca63da","Do you have contractual safeguards in place to prevent third parties from using or further sharing non-personal data beyond the agreed scope?","\u003Cp>Article 4(14) addresses the specific aspect of data usage by the data holder that involves the sharing of non-personal data with third parties, which should only take place if contractually agreed with the user (in line with Article 4(13)).\u003C/p>\u003Cp>\u003Cem>Article 4(14): Data holders shall not make available non-personal product data to third parties for commercial or non-commercial purposes other than the fulfilment of their contract with the user. Where relevant, data holders shall contractually bind third parties not to further share data received from them.\u003C/em>\u003C/p>\u003Cp>The general principle, according to Article 6(1) of the Data Act, is that a third party can use the data for purposes that were agreed with the user (usually in the context of providing a service to the user). Article 6(2) includes a closed list of actions which are prohibited for the third party. This list includes using data to develop a competing product and sharing the data with a gatekeeper (as defined under the Digital Markets Act).\u003C/p>",[],[588,591,598],{"id":589,"color":35,"rangeValue":9,"label":36,"slug":9,"description":9,"score":37,"nonApplicable":30,"tooltip":9,"goodAnswer":30,"redFlag":30,"impact":9,"probability":9,"taskSuggestions":590},"f2c3e9f6-f82c-495b-a98d-3e06c9428369",[],{"id":592,"color":41,"rangeValue":9,"label":42,"slug":9,"description":9,"score":11,"nonApplicable":30,"tooltip":9,"goodAnswer":30,"redFlag":30,"impact":9,"probability":9,"taskSuggestions":593},"748ef8d3-3722-477f-917b-d528681499b2",[594],{"id":595,"label":596,"userId":9,"color":9,"description":597,"priority":226,"priorityIndex":227,"priorityColor":228,"priorityIcon":9,"priorityText":226},"3daa2366-c05c-4163-8fc5-12c9e791ec15","Include contractual clauses restricting third-party use","\u003Cp>\u003Cstrong>I\u003C/strong>nclude contractual clauses restricting third-party use or redistribution of non-personal data beyond the agreed purpose.\u003C/p>",{"id":599,"color":9,"rangeValue":9,"label":231,"slug":9,"description":9,"score":9,"nonApplicable":30,"tooltip":9,"goodAnswer":30,"redFlag":30,"impact":9,"probability":9,"taskSuggestions":600},"87b4c1e3-54a1-46e9-afcb-4392125ece1e",[],{"id":602,"slug":603,"label":604,"tooltipHtml":9,"descriptionHtml":9,"badResponseCommentHtml":9,"goodResponseCommentHtml":9,"placeholder":9,"min":9,"max":9,"regex":9,"unit":9,"type":27,"typeIndex":28,"typeColor":9,"typeIcon":9,"typeText":29,"dynamicSelectType":9,"editableOptions":30,"complianceRules":605,"displayConditions":9,"answers":606,"listQuestions":9,"required":30,"requiredJustification":30,"suggestTask":30,"riskEnabled":44,"native":30},"61921daa-55fe-464f-b90f-362216c7feae","968c5e28-ffec-4984-9777-3d5de853837b","Does your company have security and verification measures in place to ensure that all data exchanges are protected and safeguarded against misuse?",[],[607,610,617],{"id":608,"color":35,"rangeValue":9,"label":36,"slug":9,"description":9,"score":37,"nonApplicable":30,"tooltip":9,"goodAnswer":30,"redFlag":30,"impact":9,"probability":9,"taskSuggestions":609},"2f01926a-f407-404b-a1e9-38d2d1b0ea80",[],{"id":611,"color":41,"rangeValue":9,"label":42,"slug":9,"description":9,"score":11,"nonApplicable":30,"tooltip":9,"goodAnswer":30,"redFlag":30,"impact":9,"probability":9,"taskSuggestions":612},"6e8f44ad-c1d3-4afb-a98b-fe926ee5aa25",[613],{"id":614,"label":615,"userId":9,"color":9,"description":616,"priority":226,"priorityIndex":227,"priorityColor":228,"priorityIcon":9,"priorityText":226},"dbd8fc2d-f403-4d07-b285-0b655fd12414","Implement robust security and verification controls","\u003Cp>Implement robust security and verification controls to protect data exchanges from unauthorized access or misuse.\u003C/p>",{"id":618,"color":9,"rangeValue":9,"label":231,"slug":9,"description":9,"score":9,"nonApplicable":30,"tooltip":9,"goodAnswer":30,"redFlag":30,"impact":9,"probability":9,"taskSuggestions":619},"4355a186-bf9b-4acf-a493-1b7a6f4e997a",[],{"id":621,"slug":622,"label":623,"tooltipHtml":9,"descriptionHtml":624,"badResponseCommentHtml":9,"goodResponseCommentHtml":9,"placeholder":9,"min":9,"max":9,"regex":9,"unit":9,"type":27,"typeIndex":28,"typeColor":9,"typeIcon":9,"typeText":29,"dynamicSelectType":9,"editableOptions":30,"complianceRules":625,"displayConditions":9,"answers":626,"listQuestions":9,"required":30,"requiredJustification":30,"suggestTask":30,"riskEnabled":44,"native":30},"a9316e16-20f3-4d90-b463-4ae26964d74b","9c410d48-5013-4c25-b409-81ec176fd523","Do you have safeguards in place to ensure that data is shared only with entities and individuals located within the European Union?","\u003Cp>The scope of the Chapter II data-sharing obligation on data holders is limited to entities and persons, including consumers, in the Union (cf. Articles 1(3)(b), 1(3)(d) and 2(14) of the Data Act). Giving data access to operators that do not have a presence in the EU cannot be justified based on the Data Act. Irrespective of its place of establishment, a data holder has a legal obligation to share data with an EU\u0002based entity or person at the request of an EU user. A user may ask a data holder to share data with an entity or person that is not established in the EU, but the data holder is not obliged to grant that access\u003C/p>",[],[627,630,633],{"id":628,"color":35,"rangeValue":9,"label":36,"slug":9,"description":9,"score":37,"nonApplicable":30,"tooltip":9,"goodAnswer":30,"redFlag":30,"impact":9,"probability":9,"taskSuggestions":629},"2f25048e-d48e-4e26-b901-78594dbb6943",[],{"id":631,"color":41,"rangeValue":9,"label":42,"slug":9,"description":9,"score":11,"nonApplicable":30,"tooltip":9,"goodAnswer":30,"redFlag":30,"impact":9,"probability":9,"taskSuggestions":632},"0015c356-b3fd-4416-ba54-b3abd140b2e8",[],{"id":634,"color":9,"rangeValue":9,"label":231,"slug":9,"description":9,"score":9,"nonApplicable":30,"tooltip":9,"goodAnswer":30,"redFlag":30,"impact":9,"probability":9,"taskSuggestions":635},"f899c60d-7069-4e9e-b123-a8eea41c9201",[636],{"id":637,"label":638,"userId":9,"color":9,"description":639,"priority":226,"priorityIndex":227,"priorityColor":228,"priorityIcon":9,"priorityText":226},"f811314a-9d09-4555-87ad-22ee93cf0c3d","Etablish safeguards to ensure that shared data remains within the EU","\u003Cp>\u003Cstrong>E\u003C/strong>stablish safeguards to ensure that shared data remains within the European Union unless compliant transfer mechanisms are in place.\u003C/p>",[],{"id":642,"slug":643,"label":644,"emoji":9,"type":10,"typeIndex":11,"typeColor":9,"typeIcon":9,"typeText":12,"descriptionHtml":645,"questions":646,"sections":666},"192a8ef6-14ab-46be-bacc-21ec12bd78bb","gdpr","Alignement with GDPR\n","\u003Cp>Article 1(5) of the Data Act clarifies the relationship between the Data Act and the GDPR, namely that Articles 4 and 5 of the Data Act (right to access and share data from IoT devices) complements Articles 15 and 20 of the GDPR (right to access and port personal data). Recital 35 of the Data Act further clarifies this interaction.\u003C/p>\u003Cp>So\u003Cstrong>, the Data Act complements the data portability right established under Article 20 of the GDPR\u003C/strong>. Under the GDPR, only data subjects can exercise such a right and only when the personal data are processed\u003Cstrong> under certain legal bases \u003C/strong>(consent or contract) and where technically feasible. \u003Cstrong>The Data Act creates an enhanced portability right specifically for the IoT context.\u003C/strong>\u003C/p>\u003Cp>\u003Cstrong>Thanks to the Data Act, users (e.g. data subjects and businesses) can access and port any data (both personal and non-personal) generated by the use of a connected product or related servic\u003C/strong>e. They can do so independently of the legal basis and, where applicable, in real time. Data subjects are therefore able to move their personal data between controllers (e.g. entities offering repair and maintenance services) more easily.\u003C/p>\u003Cp>In case\u003Cstrong> of personal data, the user's rights provided by the Data Act have to be exercised in compliance with the GDPR\u003C/strong>. If the user is \u003Cstrong>neither a data subject nor a data holder, they must have a valid legal basis under Article 6\u003C/strong> of the GDPR for processing personal data.\u003C/p>",[647],{"id":648,"slug":649,"label":650,"tooltipHtml":9,"descriptionHtml":651,"badResponseCommentHtml":9,"goodResponseCommentHtml":9,"placeholder":9,"min":9,"max":9,"regex":9,"unit":9,"type":27,"typeIndex":28,"typeColor":9,"typeIcon":9,"typeText":29,"dynamicSelectType":9,"editableOptions":30,"complianceRules":652,"displayConditions":9,"answers":653,"listQuestions":9,"required":30,"requiredJustification":30,"suggestTask":30,"riskEnabled":44,"native":30},"53509b59-93e5-4509-91cf-05918767fd97","23cb1519-fd9b-49ce-85cd-fcecabac327e","If the data in scope includes personal data, do you ensure that a valid legal basis under the GDPR is in place before sharing it?","\u003Cp>\u003Cu>Different scenarios and different processing operations need to be distinguished.\u003C/u>\u003C/p>\u003Col>\u003Cli>\u003Cp>\u003Cu>The user is the data subject in relation to the data in question \u003C/u>\u003Cbr>Article 1(5) specifies that Data Act complements the rights of access by data subjects and rights to data portability under Articles 15 and 20 of Regulation (EU) 2016/679. This means that where the user is the data subject and requests the data under Article 4 of the Data Act for themselves, the\u003Cstrong> situation is comparable to a data subject access request under Article 15 GDPR. \u003C/strong>Where the user asks data to be ported to a third party under Article 5 of the Data Act,\u003Cstrong> the situation is comparable with Article 20 of the GDPR. \u003C/strong>The fact that the request to port the data is received via another actor does not change that assessment.\u003Cbr>\u003C/p>\u003C/li>\u003Cli>\u003Cp>\u003Cu>The user is not the data subject in relation to the data in question\u003C/u> \u003C/p>\u003Cp>\u003C/p>\u003Cp>Article 4(12)\u003Cem>: Where the user is not the data subject whose personal data is requested, any personal data generated by the use of a connected product or related service shall be made available by the data holder to the user only where there is a valid legal basis for processing under Article 6 of Regulation (EU) 2016/679 and, where relevant, the conditions of Article 9 of that Regulation and of Article 5(3) of Directive 2002/58/EC are fulfilled.\u003C/em>\u003C/p>\u003Cp>\u003Cbr>As specified in Recital 7, where the user is not the data subject, the \u003Cstrong>Data Act was not intended as a legal basis for providing access or for making personal data available to a third party \u003C/strong>in the sense of Article 6(1) GDPR, including 6(1)(c). The intention was to protect data subjects in multi-user situations (either multiple users at the same level – co-ownership of a connected product – or layered user situations with owners and lessees). \u003Cbr>This means that the data holder will have to \u003Cstrong>make an assessment on an appropriate legal basis for providing access or for making personal data available – or alternatively it will have to provide anonymised data. \u003C/strong>\u003Cbr>Depending on the circumstances of the request, the controller could explore whether \u003Cstrong>providing the data is necessary for the performance of the contract with the data subject or service legitimate interest of data holder or a third party.\u003C/strong>\u003C/p>\u003C/li>\u003C/ol>\u003Cp>Recital 34 recalls that users that are data subjects can always access personal data concerning themselves. It also clarifies that users who are not data subjects are controllers under the GDPR and must comply with their obligations under the GDPR when requesting personal data from IoT devices.\u003C/p>",[],[654,657,663],{"id":655,"color":35,"rangeValue":9,"label":36,"slug":9,"description":9,"score":9,"nonApplicable":30,"tooltip":9,"goodAnswer":30,"redFlag":30,"impact":9,"probability":9,"taskSuggestions":656},"12c75df5-5ab8-4594-a118-5830d13f8d9c",[],{"id":658,"color":41,"rangeValue":9,"label":42,"slug":9,"description":9,"score":9,"nonApplicable":30,"tooltip":9,"goodAnswer":30,"redFlag":30,"impact":9,"probability":9,"taskSuggestions":659},"11580369-5a0d-4675-80d9-7e4354cb1c8c",[660],{"id":661,"label":662,"userId":9,"color":9,"description":225,"priority":226,"priorityIndex":227,"priorityColor":228,"priorityIcon":9,"priorityText":226},"5cc47d67-7935-4756-a965-16cbc864bcea","Verify & document a valid GDPR legal basis before sharing any personal data ",{"id":664,"color":9,"rangeValue":9,"label":231,"slug":9,"description":9,"score":9,"nonApplicable":30,"tooltip":9,"goodAnswer":30,"redFlag":30,"impact":9,"probability":9,"taskSuggestions":665},"74293fa3-e9ec-4222-9995-a880b7b82149",[],[],{"id":668,"slug":669,"label":670,"emoji":9,"type":10,"typeIndex":11,"typeColor":9,"typeIcon":9,"typeText":12,"descriptionHtml":671,"questions":672,"sections":809},"6c509a75-e0ec-4972-af1d-a1faa2e4056a","exceptions-1","Exceptions & limits ","\u003Cp>The access right is subject to limits and safeguards: users do not have an absolute right to access.\u003C/p>\u003Cp>Access may be withheld when disclosure would compromise \u003Cstrong>trade secrets (referred to as the \"trade s\u003Cem>e\u003C/em>crets handbrake\" (Articles 4.6 and 5.9 and Recital 31) or safety, referred to as the safety and security handbrake (Article 4(2),\u003C/strong> but such refusals must be \u003Cstrong>justified in writing\u003C/strong> and are subject to oversight and dispute resolution.\u003C/p>\u003Cp>In essence: data holders should justify refusals and provide a written explanation to the user & the competent authority when declining to share data, citing legitimate reasons such as trade secrets, confidentiality, or security risks.\u003C/p>\u003Cul>\u003Cli>\u003Cp>\u003Cstrong>Safety & security handbrake\u003C/strong>: Pursuant to Article 4(2) of the Data Act, Users and data holders may contractually restrict or prohibit accessing, using or further sharing data, if such processing could undermine security requirements of the connected product, as laid down by Union or national law, resulting in a serious adverse effect on the health, safety or security of natural persons. Sectoral authorities may provide users and data holders with technical expertise in that context. Where the data holder refuses to share data pursuant to this Article, it shall notify the competent authority designated pursuant to Article 37.\u003C/p>\u003Cp>\u003C/p>\u003C/li>\u003Cli>\u003Cp>\u003Cstrong>Trade secrets handbrake:\u003C/strong> Trade secrets shall be preserved and shall be disclosed only where the data holder and the user take all necessary measures prior to the disclosure to preserve their confidentiality in particular regarding third parties.\u003C/p>\u003C/li>\u003C/ul>\u003Cp>Note that applying anonymisation, encryption, or storage techniques does not automatically exempt data holders from their data sharing obligations.\u003C/p>",[673,691,710,730,750,769,789],{"id":674,"slug":675,"label":676,"tooltipHtml":9,"descriptionHtml":9,"badResponseCommentHtml":9,"goodResponseCommentHtml":9,"placeholder":9,"min":9,"max":9,"regex":9,"unit":9,"type":27,"typeIndex":28,"typeColor":9,"typeIcon":9,"typeText":29,"dynamicSelectType":9,"editableOptions":30,"complianceRules":677,"displayConditions":9,"answers":678,"listQuestions":9,"required":30,"requiredJustification":30,"suggestTask":30,"riskEnabled":44,"native":30},"bde15afe-4026-4d18-89e4-2152973105d7","475edfbf-e4ab-47ef-81da-13bbd6421cdf","Do you document exceptions to the access to data? ",[],[679,682,688],{"id":680,"color":35,"rangeValue":9,"label":36,"slug":9,"description":9,"score":37,"nonApplicable":30,"tooltip":9,"goodAnswer":30,"redFlag":30,"impact":9,"probability":9,"taskSuggestions":681},"11178460-48fd-4e09-9cff-af3dfcff6a11",[],{"id":683,"color":41,"rangeValue":9,"label":42,"slug":9,"description":9,"score":11,"nonApplicable":30,"tooltip":9,"goodAnswer":30,"redFlag":30,"impact":9,"probability":9,"taskSuggestions":684},"35859e55-4d36-4a19-8bdd-8eefb896727d",[685],{"id":686,"label":687,"userId":9,"color":9,"description":225,"priority":226,"priorityIndex":227,"priorityColor":228,"priorityIcon":9,"priorityText":226},"e248d8e3-151b-4ae6-b4e5-988e06dbc2d9","Record and justify all exceptions to data access in line with legal requirements",{"id":689,"color":9,"rangeValue":9,"label":231,"slug":9,"description":9,"score":9,"nonApplicable":30,"tooltip":9,"goodAnswer":30,"redFlag":30,"impact":9,"probability":9,"taskSuggestions":690},"62d4e13e-1daf-405a-a5bd-fbfec413ebb9",[],{"id":692,"slug":693,"label":694,"tooltipHtml":9,"descriptionHtml":9,"badResponseCommentHtml":9,"goodResponseCommentHtml":9,"placeholder":9,"min":9,"max":9,"regex":9,"unit":9,"type":27,"typeIndex":28,"typeColor":9,"typeIcon":9,"typeText":29,"dynamicSelectType":9,"editableOptions":30,"complianceRules":695,"displayConditions":9,"answers":696,"listQuestions":9,"required":30,"requiredJustification":30,"suggestTask":30,"riskEnabled":44,"native":30},"012d1a69-7c73-49be-bf2a-b3c1f04bd827","aff0653c-ccc9-4fc0-bf2e-0067336ad11a","Do you have processes in place to ensure that refusals to share data are justified solely on legally approved grounds (e.g., trade secrets, safety concerns)?",[],[697,700,707],{"id":698,"color":35,"rangeValue":9,"label":36,"slug":9,"description":9,"score":37,"nonApplicable":30,"tooltip":9,"goodAnswer":30,"redFlag":30,"impact":9,"probability":9,"taskSuggestions":699},"6e4bade8-4cf3-436a-b7b6-d2e1eb514fcc",[],{"id":701,"color":41,"rangeValue":9,"label":42,"slug":9,"description":9,"score":11,"nonApplicable":30,"tooltip":9,"goodAnswer":30,"redFlag":30,"impact":9,"probability":9,"taskSuggestions":702},"84e1744a-9a7f-4027-9a1f-fcaa27ef287f",[703],{"id":704,"label":705,"userId":9,"color":9,"description":706,"priority":226,"priorityIndex":227,"priorityColor":228,"priorityIcon":9,"priorityText":226},"7df8f100-7b8a-4f21-9ca0-2dc054b9b209","Implement procedures ensuring refusals to share data are solely legally based ","\u003Cp>Implement procedures ensuring refusals to share data are based only on legally permitted grounds.\u003C/p>",{"id":708,"color":9,"rangeValue":9,"label":231,"slug":9,"description":9,"score":9,"nonApplicable":30,"tooltip":9,"goodAnswer":30,"redFlag":30,"impact":9,"probability":9,"taskSuggestions":709},"e8393eb0-2755-468f-9862-518e2aea70cb",[],{"id":711,"slug":712,"label":713,"tooltipHtml":9,"descriptionHtml":714,"badResponseCommentHtml":9,"goodResponseCommentHtml":9,"placeholder":9,"min":9,"max":9,"regex":9,"unit":9,"type":27,"typeIndex":28,"typeColor":9,"typeIcon":9,"typeText":29,"dynamicSelectType":9,"editableOptions":30,"complianceRules":715,"displayConditions":9,"answers":716,"listQuestions":9,"required":30,"requiredJustification":30,"suggestTask":30,"riskEnabled":44,"native":30},"c3df2f1c-a341-4c9c-917c-fda60f1b741e","85bbb124-829e-4ea7-a403-32ee15a6100d","Are there safeguards in place prior to the sharing of data to protect trade secrets? ","\u003Cp>When a data holder receives a request to access data, it must identify the trade secrets that need to be shared and agree with the user/third party on the necessary measures to preserve their confidentiality (Articles 4(6) and 5(7) of the Data Act). These safeguards need to be in place prior to the sharing of data.\u003C/p>\u003Cp>Possible measures could include model contractual terms, confidentiality agreements, strict access protocols, technical standards and the application of codes of conduct.\u003C/p>\u003Cp>The data holder may withhold or suspend the sharing of trade secrets if there is no agreement, if the user or third party does not implement the agreed measures, or if the confidentiality of the trade secrets is undermined (Articles 4(7) and 5(10) of the Data Act).\u003C/p>\u003Cp>In exceptional circumstances, the data holder may refuse to share trade secrets if it can demonstrate, on the basis of objective evidence, that it is highly likely that serious economic damage would result from the disclosure of trade secrets (Articles 4(8) and 5(11) of the Data Act). ‘Serious economic damage’ means serious and irreparable economic loss. Such decisions need to be made on a case-by-case basis.\u003C/p>",[],[717,720,727],{"id":718,"color":35,"rangeValue":9,"label":36,"slug":9,"description":9,"score":37,"nonApplicable":30,"tooltip":9,"goodAnswer":30,"redFlag":30,"impact":9,"probability":9,"taskSuggestions":719},"535c9f02-8578-434a-af29-9df1b7aefe60",[],{"id":721,"color":41,"rangeValue":9,"label":42,"slug":9,"description":9,"score":11,"nonApplicable":30,"tooltip":9,"goodAnswer":30,"redFlag":30,"impact":9,"probability":9,"taskSuggestions":722},"2e49f051-e8ac-46ef-ab9b-f6ed78c01b2e",[723],{"id":724,"label":725,"userId":9,"color":9,"description":726,"priority":226,"priorityIndex":227,"priorityColor":228,"priorityIcon":9,"priorityText":226},"6bf62f26-b04f-425f-93f4-d39c6311828d","Establish safeguards to protect trade secrets before sharing data","\u003Cp>Establish safeguards to protect trade secrets before sharing data with external parties.\u003C/p>",{"id":728,"color":9,"rangeValue":9,"label":231,"slug":9,"description":9,"score":9,"nonApplicable":30,"tooltip":9,"goodAnswer":30,"redFlag":30,"impact":9,"probability":9,"taskSuggestions":729},"acb454bd-f1aa-47c8-bc47-0f5ecd822697",[],{"id":731,"slug":732,"label":733,"tooltipHtml":9,"descriptionHtml":734,"badResponseCommentHtml":9,"goodResponseCommentHtml":9,"placeholder":9,"min":9,"max":9,"regex":9,"unit":9,"type":27,"typeIndex":28,"typeColor":9,"typeIcon":9,"typeText":29,"dynamicSelectType":9,"editableOptions":30,"complianceRules":735,"displayConditions":9,"answers":736,"listQuestions":9,"required":30,"requiredJustification":30,"suggestTask":30,"riskEnabled":44,"native":30},"5811fe80-62ab-4480-a7f4-20b68f4188c5","6e39c273-273c-47b5-8a39-612809c107ad","If you consider that you must withhold, suspend or refuse to share data, do you communicate the reasoning behind the decision to the user or third party without undue delay?","\u003Cp>If the data holder considers that it must withhold, suspend, or refuse to share data (in the cases explained previously), it must communicate the reasoning behind the decision to the user or third party without undue delay.\u003Cbr>\u003Cbr>The decision of the data holder \u003Cstrong>shall be duly substantiated and provided in writing to the user without undue delay.\u003C/strong>\u003C/p>",[],[737,740,747],{"id":738,"color":35,"rangeValue":9,"label":36,"slug":9,"description":9,"score":37,"nonApplicable":30,"tooltip":9,"goodAnswer":30,"redFlag":30,"impact":9,"probability":9,"taskSuggestions":739},"5732a1f8-01ca-42b1-acab-148dd5287413",[],{"id":741,"color":41,"rangeValue":9,"label":42,"slug":9,"description":9,"score":11,"nonApplicable":30,"tooltip":9,"goodAnswer":30,"redFlag":30,"impact":9,"probability":9,"taskSuggestions":742},"030e54a9-bd11-43d9-a5de-c5f6e5707074",[743],{"id":744,"label":745,"userId":9,"color":9,"description":746,"priority":226,"priorityIndex":227,"priorityColor":228,"priorityIcon":9,"priorityText":226},"ec7094f6-000c-40c8-b6e5-c02b3f368890","Communicate promptly to users or third parties the reasons for withholding data","\u003Cp>Communicate promptly to users or third parties the reasons for any decision to withhold, suspend, or refuse data sharing.\u003C/p>",{"id":748,"color":9,"rangeValue":9,"label":231,"slug":9,"description":9,"score":9,"nonApplicable":30,"tooltip":9,"goodAnswer":30,"redFlag":30,"impact":9,"probability":9,"taskSuggestions":749},"18fbf2f2-235e-4707-b114-50bb0695516f",[],{"id":751,"slug":752,"label":753,"tooltipHtml":9,"descriptionHtml":754,"badResponseCommentHtml":9,"goodResponseCommentHtml":9,"placeholder":9,"min":9,"max":9,"regex":9,"unit":9,"type":27,"typeIndex":28,"typeColor":9,"typeIcon":9,"typeText":29,"dynamicSelectType":9,"editableOptions":30,"complianceRules":755,"displayConditions":9,"answers":756,"listQuestions":9,"required":30,"requiredJustification":30,"suggestTask":30,"riskEnabled":44,"native":30},"340e3137-c48c-44c4-9f3e-42c4c44289f5","835d4245-7e23-4838-aa1a-d30af7ccca6e","Do you inform your users of the possibility to seek redress? ","\u003Cp>According to Article 4(3) : without prejudice to the user’s right to seek redress at any stage before a court or tribunal of a Member State, the user may, in relation to any dispute with the data holder concerning the contractual restrictions or prohibitions referred to in paragraph 2:\u003C/p>\u003Cp>(a) lodge, in accordance with Article 37(5), point (b), a complaint with the competent authority; or\u003C/p>\u003Cp>(b) agree with the data holder to refer the matter to a dispute settlement body in accordance with Article 10(1).\u003C/p>\u003Cp>Therefore, the user or third party can seek redress and challenge the data holder’s decision before a court or tribunal of a Member State or agree with the data holder to refer the matter to a dispute settlement body. The user or third party can also lodge a complaint with the competent authority. \u003C/p>\u003Cp>The competent authority should, without undue delay, decide whether and under which conditions data sharing should start or resume (Articles 4(9) and 5(12) of the Data Act. \u003C/p>",[],[757,760,766],{"id":758,"color":35,"rangeValue":9,"label":36,"slug":9,"description":9,"score":37,"nonApplicable":30,"tooltip":9,"goodAnswer":30,"redFlag":30,"impact":9,"probability":9,"taskSuggestions":759},"99c36755-5434-45c6-ab9c-0825fe3eb347",[],{"id":761,"color":41,"rangeValue":9,"label":42,"slug":9,"description":9,"score":11,"nonApplicable":30,"tooltip":9,"goodAnswer":30,"redFlag":30,"impact":9,"probability":9,"taskSuggestions":762},"10f186f0-7bbf-436a-8834-74578913bf1a",[763],{"id":764,"label":765,"userId":9,"color":9,"description":225,"priority":226,"priorityIndex":227,"priorityColor":228,"priorityIcon":9,"priorityText":226},"c87aab96-f246-4794-95b8-f734c369bb62","Inform users of their right to seek redress in cases of restriction to access",{"id":767,"color":9,"rangeValue":9,"label":231,"slug":9,"description":9,"score":9,"nonApplicable":30,"tooltip":9,"goodAnswer":30,"redFlag":30,"impact":9,"probability":9,"taskSuggestions":768},"ee431a79-1142-4485-8c52-5606c45e3d82",[],{"id":770,"slug":771,"label":772,"tooltipHtml":9,"descriptionHtml":773,"badResponseCommentHtml":9,"goodResponseCommentHtml":9,"placeholder":9,"min":9,"max":9,"regex":9,"unit":9,"type":27,"typeIndex":28,"typeColor":9,"typeIcon":9,"typeText":29,"dynamicSelectType":9,"editableOptions":30,"complianceRules":774,"displayConditions":9,"answers":775,"listQuestions":9,"required":30,"requiredJustification":30,"suggestTask":30,"riskEnabled":44,"native":30},"4cde20c0-71f2-4f61-806e-5fdfb5d65d40","58392f6f-5406-45e0-95a7-3aed8abe7d7f","Do you notify the competent authority of your respective Member State if you consider that you must withhold, suspend or refuse to share data? ","\u003Cp>Under the conditions explained previously, if the data holder intends to activate the said handbrakes, it must notify the competent authority of the respective member state designated pursuant to \u003Ca href=\"https://eur-lex.europa.eu/eli/reg/2023/2854/oj/eng#art_37\">Article 37 of the Data Act.\u003C/a>\u003C/p>",[],[776,779,786],{"id":777,"color":35,"rangeValue":9,"label":36,"slug":9,"description":9,"score":37,"nonApplicable":30,"tooltip":9,"goodAnswer":30,"redFlag":30,"impact":9,"probability":9,"taskSuggestions":778},"7a872f0d-f8b8-4a9b-9390-9f2956a9accf",[],{"id":780,"color":41,"rangeValue":9,"label":42,"slug":9,"description":9,"score":11,"nonApplicable":30,"tooltip":9,"goodAnswer":30,"redFlag":30,"impact":9,"probability":9,"taskSuggestions":781},"35f7294a-bcfd-4d33-86ce-8aed359b45f2",[782],{"id":783,"label":784,"userId":9,"color":9,"description":785,"priority":226,"priorityIndex":227,"priorityColor":228,"priorityIcon":9,"priorityText":226},"d77d88f5-d99b-402b-a214-d60a3bdc1dd2","Notify the competent national authority when restricting data access.","\u003Cp>Notify the competent national authority when withholding, suspending, or refusing to share data under the Data Act.\u003C/p>",{"id":787,"color":9,"rangeValue":9,"label":231,"slug":9,"description":9,"score":9,"nonApplicable":30,"tooltip":9,"goodAnswer":30,"redFlag":30,"impact":9,"probability":9,"taskSuggestions":788},"2e8f9cb8-4c63-4003-900c-72e309c628d0",[],{"id":790,"slug":791,"label":792,"tooltipHtml":9,"descriptionHtml":793,"badResponseCommentHtml":9,"goodResponseCommentHtml":9,"placeholder":9,"min":9,"max":9,"regex":9,"unit":9,"type":27,"typeIndex":28,"typeColor":9,"typeIcon":9,"typeText":29,"dynamicSelectType":9,"editableOptions":30,"complianceRules":794,"displayConditions":9,"answers":795,"listQuestions":9,"required":30,"requiredJustification":30,"suggestTask":30,"riskEnabled":44,"native":30},"e89070f0-4fe6-4382-941e-f6e4f172e756","627873e8-52ea-46ca-a852-a87eebbb3d62","Do you have contractual safeguards in place to prevent data recipients from using the data obtained to develop a competing product? ","\u003Cp>The data obtained cannot be used to develop a \u003Cstrong>competing connected product\u003C/strong>. The user shall not use the data obtained pursuant to a request referred to in paragraph 1 to develop a connected product that competes with the connected product from which the data originate, nor share the data with a third party with that intent and shall not use such data to derive insights about the economic situation, assets and production methods of the manufacturer or, where applicable the data holder.\u003C/p>",[],[796,799,806],{"id":797,"color":35,"rangeValue":9,"label":36,"slug":9,"description":9,"score":37,"nonApplicable":30,"tooltip":9,"goodAnswer":30,"redFlag":30,"impact":9,"probability":9,"taskSuggestions":798},"261efabf-4cda-47ee-a916-c886b32231a1",[],{"id":800,"color":41,"rangeValue":9,"label":42,"slug":9,"description":9,"score":11,"nonApplicable":30,"tooltip":9,"goodAnswer":30,"redFlag":30,"impact":9,"probability":9,"taskSuggestions":801},"bed6e292-f0a0-4e89-8c88-cd59cdc5f7f0",[802],{"id":803,"label":804,"userId":9,"color":9,"description":805,"priority":226,"priorityIndex":227,"priorityColor":228,"priorityIcon":9,"priorityText":226},"93a88fa8-e06d-4bf1-952a-8bafe590f750","Include contractual clause to prevent use to develop competing products","\u003Cp>Include contractual clauses preventing data recipients from using shared data to develop competing products.\u003C/p>",{"id":807,"color":9,"rangeValue":9,"label":231,"slug":9,"description":9,"score":9,"nonApplicable":30,"tooltip":9,"goodAnswer":30,"redFlag":30,"impact":9,"probability":9,"taskSuggestions":808},"ba83d52e-f1c7-4884-9c22-99e77a576775",[],[],{"id":811,"slug":812,"label":813,"emoji":9,"type":10,"typeIndex":11,"typeColor":9,"typeIcon":9,"typeText":12,"descriptionHtml":814,"questions":815,"sections":875},"a5c3107f-0dff-4caa-8fb1-54ffeceab906","for-cloud-storage-or-cloud-service-providers","Cloud storage or cloud service providers","\u003Cp>This section applies to providers of data processing services (mainly cloud). \u003C/p>\u003Cp>Articles 23-32 and 34-35 of the Data Act apply to providers of data processing services. The definition of a data processing service is laid down in Article 2(8) and mirrors common definitions of cloud computing services. The concept is designed to cover the popular delivery models - Infrastructure as a Service (IaaS), Platform as a service (PaaS) and Software as a Service (SaaS) - while also remaining open to technological innovation.\u003C/p>\u003Cp>To promote a \u003Cstrong>competitive digital market within the EU\u003C/strong>, customers of data processing services, including cloud and edge computing, must be able to \u003Cstrong>switch providers seamlessly\u003C/strong>. At present, such switching is often hindered by significant obstacles, such as \u003Cstrong>excessive egress fees, lengthy and complex procedures, and insufficient interoperability\u003C/strong> between providers, which can lead to the loss of data or applications.\u003C/p>\u003Cp>The \u003Cstrong>Data Act\u003C/strong> addresses these issues.\u003C/p>\u003Cp>\u003Cstrong>In essence: providers of data processing services should enable cloud switching and interoperability by including mandatory portability clauses in service contracts, so customers can switch cloud providers easily and without penalty & making the switching easy and technically feasible.\u003C/strong>\u003C/p>\u003Cp>The European Commission will soon publish standard contractual clauses for cloud computing contracts cover elements related to switching & exit, term & termination, non-dispersion, non-amendment, security & business continuity and to liability.\u003C/p>\u003Cp>For cloud-computing contracts, use the following \u003Ca href=\"https://ec.europa.eu/transparency/expert-groups-register/core/api/front/document/116180/download\">model contractual terms \u003C/a>of the Expert Group where appropriate. In 2022 the Commission set up the\u003Ca href=\"https://ec.europa.eu/transparency/expert-groups-register/screen/expert-groups/consult?lang=en&groupID=3840\"> Expert group on B2B data sharing and cloud computing contract\u003C/a>s to assist it with the development of the terms and clauses.\u003C/p>",[816,836,855],{"id":817,"slug":818,"label":819,"tooltipHtml":9,"descriptionHtml":820,"badResponseCommentHtml":9,"goodResponseCommentHtml":9,"placeholder":9,"min":9,"max":9,"regex":9,"unit":9,"type":27,"typeIndex":28,"typeColor":9,"typeIcon":9,"typeText":29,"dynamicSelectType":9,"editableOptions":30,"complianceRules":821,"displayConditions":9,"answers":822,"listQuestions":9,"required":30,"requiredJustification":30,"suggestTask":30,"riskEnabled":44,"native":30},"d7304d86-783d-4731-897a-21ceafbaac59","92c3cbd7-5fc2-4a8c-ae88-ec1f8b2891d2","Does your company enable customers to migrate to another service provider or replace the service with an on-premises solution?","\u003Cp>By requiring that switching be \u003Cstrong>free of charge, efficient, and technically smooth\u003C/strong>, the framework strengthens customer choice by enabling them to select the services that best meet their needs, while also fostering competition by expanding the potential customer base available to providers.\u003C/p>",[],[823,826,833],{"id":824,"color":35,"rangeValue":9,"label":36,"slug":9,"description":9,"score":37,"nonApplicable":30,"tooltip":9,"goodAnswer":30,"redFlag":30,"impact":9,"probability":9,"taskSuggestions":825},"e8ea3589-08ca-434f-962e-5ed76cb7c8f8",[],{"id":827,"color":41,"rangeValue":9,"label":42,"slug":9,"description":9,"score":11,"nonApplicable":30,"tooltip":9,"goodAnswer":30,"redFlag":30,"impact":9,"probability":9,"taskSuggestions":828},"62f14c8e-87d0-4376-a9d7-f557d77859ec",[829],{"id":830,"label":831,"userId":9,"color":9,"description":832,"priority":226,"priorityIndex":227,"priorityColor":228,"priorityIcon":9,"priorityText":226},"dd27a566-126f-4374-9ff4-470da014a10a","Ensure the switching to another provider or on-premise solution is possible","\u003Cp>Ensure technical and contractual arrangements allow customers to migrate data to another provider or on-premises solution.\u003C/p>\u003Cul>\u003Cli>\u003Cp>Must \u003Cstrong>remove obstacles to switching to another provider or to an on-premise infrastructure\u003C/strong>, including technical and contractual barriers.\u003C/p>\u003C/li>\u003Cli>\u003Cp>Contracts must include \u003Cstrong>switching rights\u003C/strong>, short \u003Cstrong>notice periods\u003C/strong> (max. two months), \u003Cstrong>data portability conditions\u003C/strong> & data transfer methods.\u003C/p>\u003C/li>\u003Cli>\u003Cp>Set up\u003Cstrong> technical infrastructure for data transfer\u003C/strong> and ensure compatibility with interoperability standards.\u003C/p>\u003C/li>\u003Cli>\u003Cp>Support \u003Cstrong>migration\u003C/strong>, maintain \u003Cstrong>businesss continuity,\u003C/strong> functional \u003Cstrong>equivalence \u003C/strong>and secure data transfers within 30 days. Data retrieval under 30 days.\u003C/p>\u003C/li>\u003Cli>\u003Cp>Implement \u003Cstrong>transparency measures \u003C/strong>such as making available information on the switching procedure.\u003C/p>\u003C/li>\u003C/ul>",{"id":834,"color":9,"rangeValue":9,"label":231,"slug":9,"description":9,"score":9,"nonApplicable":30,"tooltip":9,"goodAnswer":30,"redFlag":30,"impact":9,"probability":9,"taskSuggestions":835},"6d67c225-1b77-45de-9544-a0171a054170",[],{"id":837,"slug":838,"label":839,"tooltipHtml":9,"descriptionHtml":840,"badResponseCommentHtml":9,"goodResponseCommentHtml":9,"placeholder":9,"min":9,"max":9,"regex":9,"unit":9,"type":27,"typeIndex":28,"typeColor":9,"typeIcon":9,"typeText":29,"dynamicSelectType":9,"editableOptions":30,"complianceRules":841,"displayConditions":9,"answers":842,"listQuestions":9,"required":30,"requiredJustification":30,"suggestTask":30,"riskEnabled":44,"native":30},"31eeccf4-0052-4386-9708-1fb47ddf3a3a","471bdcad-bb0d-4f5e-a0a2-27f62749bb7a","Does your company charge fees for migrating customer data to another service provider or an on-premises solution?","\u003Cp>Pursuant to Article 29(2) of the Data Act, providers of data processing services must reduce any switching charges (including egress charges) from 11 January 2024 onwards. Concretely, they must limit any switching charges to the costs that they incur in order to make the respective switching operation happen. \u003C/p>\u003Cp>From 12 January 2027 onwards, providers will no longer be allowed to charge for switching (including data egress). \u003C/p>\u003Cp>A special rule applies when a customer does not switch but instead asks a provider to provide services in parallel with other services, (e.g. in a multi-cloud deployment model). In such cases of in-parallel use, the 38 provider may still bill the customer for the costs incurred for data egress, even after 12 January 2027. This is because a multi-cloud deployment may imply a constant data egress as opposed to the one-off data egress that can be expected for a switching operation\u003C/p>\u003Cp>Article 23(c) of the Data Act clarifies that customers who have benefited from a free-tier offering can also benefit from switching. A free-tier offering (sometimes referred to as cloud credits) is a free offer of data processing services from a provider to a customer. Free-tier offerings are intended to allow customers to test a data processing service or to assist start-up companies.\u003C/p>",[],[843,846,852],{"id":844,"color":35,"rangeValue":9,"label":36,"slug":9,"description":9,"score":37,"nonApplicable":30,"tooltip":9,"goodAnswer":30,"redFlag":30,"impact":9,"probability":9,"taskSuggestions":845},"590ba4b7-8529-45c3-82e6-1b95dcb8a6a4",[],{"id":847,"color":41,"rangeValue":9,"label":42,"slug":9,"description":9,"score":11,"nonApplicable":30,"tooltip":9,"goodAnswer":30,"redFlag":30,"impact":9,"probability":9,"taskSuggestions":848},"031c4094-62db-4493-82c2-cacddd655059",[849],{"id":850,"label":851,"userId":9,"color":9,"description":9,"priority":226,"priorityIndex":227,"priorityColor":228,"priorityIcon":9,"priorityText":226},"54dfd12e-a3ff-4bbf-883f-9b82ec5cd64c","Phase out exit fees by January 2027, after which only cost-based charges remain.",{"id":853,"color":9,"rangeValue":9,"label":231,"slug":9,"description":9,"score":9,"nonApplicable":30,"tooltip":9,"goodAnswer":30,"redFlag":30,"impact":9,"probability":9,"taskSuggestions":854},"b974bbc1-2d42-4acc-b921-c5fec8d8c081",[],{"id":856,"slug":857,"label":858,"tooltipHtml":9,"descriptionHtml":859,"badResponseCommentHtml":9,"goodResponseCommentHtml":9,"placeholder":9,"min":9,"max":9,"regex":9,"unit":9,"type":27,"typeIndex":28,"typeColor":9,"typeIcon":9,"typeText":29,"dynamicSelectType":9,"editableOptions":30,"complianceRules":860,"displayConditions":9,"answers":861,"listQuestions":9,"required":30,"requiredJustification":30,"suggestTask":30,"riskEnabled":44,"native":30},"48cbb59c-6ed0-4a39-99ad-b2cf18cdddbc","f0af4a81-dc1d-4925-8f6a-c7edf808f83f","Do you respect the notice & transition period of the switching? ","\u003Cp>Article 25 of the Data Act provides that the notice period begins once the customer notifies the provider of data processing services of their desire to switch to another provider or to an on-premises ICT infrastructure. Switching should be completed by the end of the transition period, which starts after the end of the notice period (maximum 2 months). \u003C/p>\u003Cp>During the transition period (maximum 30 calendar days), the provider must carry out the actions needed to enable the customer’s switching – in close cooperation with the customer themselves and, where applicable, with the customer’s new provider. The customer has the right to replace the 30-day transition period with a longer period. The provider can only extend the transition period if the provider can, within 14 days during the notice period, prove that a transition period of maximum 30 days would be technically unfeasible. In this case, the transition period can last a maximum of 7 months.\u003C/p>",[],[862,865,872],{"id":863,"color":35,"rangeValue":9,"label":36,"slug":9,"description":9,"score":37,"nonApplicable":30,"tooltip":9,"goodAnswer":30,"redFlag":30,"impact":9,"probability":9,"taskSuggestions":864},"64a631f2-cbd9-47b0-948b-1c2070349f7c",[],{"id":866,"color":41,"rangeValue":9,"label":42,"slug":9,"description":9,"score":11,"nonApplicable":30,"tooltip":9,"goodAnswer":30,"redFlag":30,"impact":9,"probability":9,"taskSuggestions":867},"bbf87a7d-4b02-48ab-9454-6102f7edabdd",[868],{"id":869,"label":870,"userId":9,"color":9,"description":871,"priority":226,"priorityIndex":227,"priorityColor":228,"priorityIcon":9,"priorityText":226},"e683b159-ea05-4ca1-8232-e52bcde8248d","Establish and document clear procedures in respect with timelines","\u003Cp>Establish and document clear procedures for managing customer switching requests in compliance with Article 25 of the Data Act. Ensure that:\u003C/p>\u003Cul>\u003Cli>\u003Cp>The \u003Cstrong>notice period\u003C/strong> begins upon receipt of a customer’s switching request.\u003C/p>\u003C/li>\u003Cli>\u003Cp>The \u003Cstrong>transition period\u003C/strong> (normally up to 30 days) enables full cooperation with the customer and, if applicable, the new provider to complete the switch.\u003C/p>\u003C/li>\u003Cli>\u003Cp>Any \u003Cstrong>extension of the transition period\u003C/strong> is justified within 14 days of the notice period and supported by documented proof of technical unfeasibility.\u003C/p>\u003C/li>\u003Cli>\u003Cp>The entire switching process, including timelines, communications, and evidence of cooperation — is \u003Cstrong>tracked and auditable\u003C/strong> to demonstrate compliance.\u003C/p>\u003C/li>\u003C/ul>",{"id":873,"color":9,"rangeValue":9,"label":231,"slug":9,"description":9,"score":9,"nonApplicable":30,"tooltip":9,"goodAnswer":30,"redFlag":30,"impact":9,"probability":9,"taskSuggestions":874},"3c85ebcd-6e1a-4d3f-a210-20a393865bfc",[],[],[877],{"id":878,"label":879,"variant":880,"variantIndex":227,"variantColor":228,"variantIcon":881,"variantText":880,"contentHtml":882,"displayConditions":883},"9b90836c-961a-4b6a-ab30-5fac334507a8","You have to comply with the Data Act","Warning","icon-alert-circle","\u003Cp>The Data Act applies to you. Go through this questionnaire to assess your readiness.\u003C/p>",{"id":884,"separator":66,"field":9,"operator":67,"value":9,"rules":885},"99ef5b5b-f81d-480a-8601-8ff0de25d2f3",[886,889,892],{"id":887,"separator":9,"field":59,"operator":67,"value":77,"rules":888},"a8b35249-afb6-44f6-9ea7-5b2013ccfb7e",[],{"id":890,"separator":9,"field":102,"operator":67,"value":109,"rules":891},"85cb9013-0f06-4e4a-8880-7bb57cfd99ca",[],{"id":893,"separator":9,"field":115,"operator":67,"value":122,"rules":894},"e8463fce-2205-492c-aa25-503d5f181507",[],"58e076e4-fd2e-4cdf-aede-f8a34b4bc60a","1.0","Data Act Readiness Assessment","tB9OEHX27e8ZxHE9A89BwQGg3MN1wlrxD3OuLKZ1lIWTvS0r9aKrKz4PF9jj",4,"6f30c647-e600-44fb-e353-08ddf439357e","https://static.dastra.eu/tenant-3/audit/zBXUrVj3jZmOsY/questionnaires-150.jpg","Are you Data Act ready? Take this quick self-assessment to see how prepared your organization is for the new rules on data sharing, portability, and cloud switching. Find out where you’re strong, and where action is needed before regulators, or your clients, ask the same question.\n\nhttps://www.dastra.eu/fr/audit/referential?page=1","2025-10-21T09:53:55.9253555","2025-10-21T13:11:18.2979321","Compliance","Cyver compliance",{"id":908,"displayName":909,"familyName":910,"givenName":911,"email":912,"active":44,"color":913,"avatarUrl":914,"tenantId":11},20352,"Leïla Sayssa","Sayssa","Leïla","leila.sayssa@dastra.eu","#87753B","https://static.dastra.eu/tenant-3/avatar/20352/TDYeY3C8Rz1lLE/dpo-avatar-h01-150.png","DataProcessing","#E7630A","ds-icon-data-processing","Processing activity",[920],{"id":908,"displayName":909,"familyName":910,"givenName":911,"email":912,"active":44,"color":913,"avatarUrl":914,"tenantId":11},[],41,3]