
EU Data Act 2026: Practical Compliance Guide for Austrian Companies (GDPR & DSG Interaction)

By Global Law Experts
– posted 1 hour ago

The EU Data Act, Regulation (EU) 2023/2854, became directly applicable across all Member States on 12 September 2025, creating the most significant new data-access framework since the GDPR took effect in 2018. For companies operating in Austria, the regulation introduces enforceable rights and obligations around access to product-generated data, B2B data sharing, and public-authority data requests, all of which must now be reconciled with the General Data Protection Regulation and Austria’s national Datenschutzgesetz (DSG). This guide distils the practical compliance steps that Austrian in-house counsel, Data Protection Officers, and technology vendors need to take in 2026, from initial data mapping through to contractual updates and IoT data governance.

Whether your organisation manufactures connected products, holds large volumes of machine-generated data, or receives data as a service provider, the EU Data Act obligations in Austria demand prompt and structured action.

Executive Summary: What Austrian Readers Must Know Now

The EU Data Act creates a horizontal, directly applicable set of rules governing who may access and use data generated by connected products and related services. Unlike a directive, it requires no transposition into Austrian law; it applies automatically alongside existing GDPR and DSG obligations. The practical effect for Austrian businesses is twofold: they must now facilitate data access for users and third-party recipients, and they must do so without breaching their data-protection duties under the GDPR and Austria’s DSG.

Industry observers expect the most immediate pressure to fall on IoT product manufacturers, industrial-equipment vendors, and B2B service providers that generate or store significant volumes of product data. Companies that have already invested in GDPR compliance programmes in Austria have a head start, but the Data Act introduces concepts (data holder, data user, data recipient) and access rights that go well beyond what the GDPR ever required.

The five actions every Austrian organisation should take now:

  • Map your data inventory. Identify all product-generated and service-related data, classifying each dataset as personal, non-personal, or mixed.
  • Classify your role. Determine whether you are a data holder, data user, data recipient, or product manufacturer under the Data Act definitions.
  • Audit existing contracts. Review B2B agreements, terms of service, and data processing agreements for compliance gaps.
  • Assess GDPR/DSG interaction. For every data-access scenario, confirm that a lawful basis exists under the GDPR/DSG before sharing personal data.
  • Brief your DPO and board. Ensure governance structures and escalation paths are in place for data-access requests and public-authority demands.

What the EU Data Act Covers: Scope and Key Definitions

Regulation (EU) 2023/2854 establishes harmonised rules on fair access to and use of data. It applies to manufacturers of connected products, providers of related services, data holders, data recipients, and public-sector bodies across the EU. The regulation covers data generated by the use of connected products, from smart industrial machinery and fleet-management sensors to consumer IoT devices, and the related digital services that collect or produce such data.

| Term | Data Act Definition | Practical Example (Austria) |
| --- | --- | --- |
| Data holder | A natural or legal person that has the right or obligation to make certain data available, typically the entity that controls access to product-generated data. | An Austrian industrial-equipment manufacturer that stores telemetry from machines deployed at customer sites. |
| Data user | A natural or legal person who is entitled to access and use data under the Data Act or valid contractual arrangements. | An Austrian factory operator using connected machinery and requesting operational data from the equipment vendor. |
| Data recipient | A third party to whom data is made available by a data holder at the request of a data user. | An independent Austrian maintenance provider receiving machine data to perform predictive-maintenance services. |
| Connected product | An item that obtains, generates, or collects data concerning its use or environment and is able to communicate that data. | A sensor-equipped logistics vehicle, a smart energy meter, or an IoT-enabled production line. |
| Product-generated data | Data generated by the use of a connected product that the user can retrieve from the product or a related service. | Temperature logs, usage cycles, GPS coordinates, and error codes from fleet telematics. |

Scope: B2B vs B2C

The Data Act applies to both B2B and B2C relationships. In the B2C context, consumers have a right to access data generated by their connected products. In the B2B context, business users may request that data holders share product-generated data with them or with third-party recipients. The regulation also imposes fairness controls on contractual terms in B2B data-sharing agreements, targeting clauses that are considered unfair under a one-sided-imposition test analogous to consumer-protection principles.

Exemptions: Trade Secrets and Intellectual Property

The Data Act acknowledges the need to protect trade secrets and intellectual property. Data holders may take proportionate technical and organisational measures to preserve trade secrets when making data available. However, a blanket refusal to share data solely on trade-secret grounds is not permitted; the regulation requires a case-by-case balancing exercise. Where the data holder and recipient cannot agree on protective measures, disputes may be referred to a certified dispute-settlement body.

Timeline and Key Dates for the EU Data Act in Austria

Understanding the regulatory timeline is essential for compliance planning. The Data Act follows a phased structure, though its core provisions are already in force.

| Date | What Changed | Action for Austrian Firms |
| --- | --- | --- |
| 11 January 2024 | Regulation (EU) 2023/2854 entered into force (20 days after Official Journal publication). | Begin internal awareness and preliminary data mapping. |
| 12 September 2025 | Data Act became directly applicable in all EU Member States, including Austria. | All core obligations now enforceable: data-access rights, B2B fairness rules, and public-authority access provisions apply. |
| 12 September 2026 | Obligations relating to design requirements for new connected products and related services (data accessibility by design) apply to products placed on the market from this date. | Product teams must ensure new connected products are designed to allow user access to generated data. |
| 12 September 2027 | Certain cloud-switching and interoperability provisions reach full applicability. | Review cloud-service agreements and switching provisions; verify interoperability compliance. |

Early indications suggest that Austrian regulators, including the Austrian Data Protection Authority (Datenschutzbehörde) and the RTR (Rundfunk und Telekom Regulierungs-GmbH), are monitoring compliance readiness but have not yet issued sector-specific enforcement guidance. The Austrian Economic Chamber (WKO) has published preliminary guidance for businesses navigating Data Act obligations.

How the EU Data Act Interacts with GDPR and Austria’s DSG

The interaction between the Data Act, the GDPR (Regulation (EU) 2016/679), and Austria’s DSG is the single most critical legal question for Austrian compliance teams. The Data Act explicitly states that it does not affect the application of EU and national data-protection law. Where product-generated data includes personal data, every access, sharing, or processing operation must satisfy both the Data Act’s access framework and the GDPR/DSG’s protective requirements. In practice, this means the Data Act cannot be used to circumvent data-protection obligations.

The likely practical effect is a dual-compliance model: organisations must first assess whether a dataset contains personal data and, if so, ensure a valid GDPR lawful basis exists before honouring a Data Act access request. Austria’s DSG adds a further layer. The Austrian Data Protection Act supplements the GDPR with national-specific provisions, for instance, regarding data processing for scientific research purposes, the rights of deceased persons’ data, and specific processing operations by public authorities. Any data-access request that involves personal data must therefore be evaluated against both the GDPR and the DSG.

Personal Data, Anonymisation, and Pseudonymisation

Where product-generated data is purely non-personal (e.g., machine performance metrics with no link to an identifiable person), the GDPR/DSG analysis is not triggered and the Data Act access rights apply without data-protection constraints. However, in practice, many IoT datasets contain mixed data, combining technical readings with user identifiers, location data, or usage patterns that qualify as personal data.

Austrian organisations should consider the following decision flow when responding to a Data Act access request:

  1. Step 1: Classify the data. Does the dataset contain any personal data (including pseudonymised data that can be re-identified)?
  2. Step 2: If personal data is present, identify the lawful basis under GDPR Article 6 (and, where applicable, Article 9 for special categories). Assess whether the DSG imposes any additional restrictions.
  3. Step 3: Can the personal data be effectively anonymised or separated? If so, share only the non-personal component and document the anonymisation methodology.
  4. Step 4: If sharing of personal data is unavoidable, ensure a data processing agreement or appropriate contractual safeguard is in place with the recipient, document the access in the records of processing activities, and complete a Data Protection Impact Assessment (DPIA) if the sharing presents a high risk.
  5. Step 5: Log and audit. Record the access request, the legal basis relied upon, and the data shared. Maintain this record for supervisory review by the Datenschutzbehörde.

Controller vs Processor Under Dual Regimes

The Data Act’s concepts of data holder, data user, and data recipient do not map neatly onto the GDPR’s controller/processor distinction. A data holder that determines the purposes and means of processing personal data is a controller under the GDPR. A data recipient that processes personal data only on behalf of the data user may be a processor. Austrian firms must conduct a role-mapping exercise for each data-sharing arrangement to ensure correct GDPR role allocation, and to put appropriate contractual provisions in place. This is particularly important because the DSG subjects controllers established in Austria to the supervisory jurisdiction of the Datenschutzbehörde, with distinct procedural rules for complaints and enforcement.

Public-Authority Access and Third-Party Requests: What Austrian Firms Must Prepare

Chapter V of the Data Act grants public-sector bodies and EU institutions the right to access data held by businesses in cases of exceptional need, such as responding to a public emergency or where the data is necessary for an official task and cannot reasonably be obtained by other means. This framework is designed to be limited and proportionate, but it requires Austrian companies to have response processes in place.

Public-authority access under the Data Act is subject to the following safeguards:

| Entity Type | When Access Is Permitted | Safeguards Required |
| --- | --- | --- |
| EU/national public-sector body | Exceptional need: public emergency, fulfilment of a specific statutory task where data is otherwise unavailable, or where the lack of data prevents the body from performing its legal mandate. | Request must be proportionate, specific, and limited to the data necessary. Must respect trade secrets and personal data. Must not be used for law enforcement (separate legal basis required). |
| Third-party recipient (via data user request) | Data user exercises right to share data with a chosen third party for agreed purposes. | Data holder may require reasonable protective measures for trade secrets. Recipient must not use data for profiling, must not share further without authorisation, and must delete data when no longer needed. |
| Law enforcement / national security | Not covered by the Data Act; separate national legal bases apply (e.g., Austrian Sicherheitspolizeigesetz, Strafprozessordnung). | Standard criminal-procedure and surveillance safeguards under national law; GDPR/DSG restrictions on processing for law-enforcement purposes remain fully applicable. |

Austrian companies should establish an internal procedure for receiving, validating, and responding to public-authority access requests. The likely practical effect of these provisions is that organisations need a dedicated point of contact (often the DPO or legal department) authorised to evaluate incoming requests against the Data Act’s criteria and to escalate complex or contested requests to external counsel.

Practical Compliance Steps for Austrian Companies: 2026 DPO Checklist

Translating the EU Data Act requirements into day-to-day operations in Austria requires a phased approach. The checklist below assigns responsibilities across legal, IT, procurement, and product teams, structured by urgency.

Immediate Actions (0–3 Months)

  • Data inventory and classification. Legal and IT teams jointly catalogue all product-generated and service-related data. Classify each dataset as personal, non-personal, or mixed. Document the basis for each classification.
  • Role mapping. Determine whether the organisation is a data holder, data user, data recipient, or manufacturer for each product line. Map these roles to GDPR controller/processor designations.
  • Governance structure. Appoint a cross-functional Data Act compliance lead. Ensure the DPO is formally included in the decision-making chain for data-access requests.
  • Gap analysis of existing contracts. Review all B2B contracts, terms of service, and data processing agreements. Flag clauses that conflict with Data Act access rights or fairness standards.
  • Board briefing. Prepare a concise management summary of Data Act obligations, risks, and resource requirements.

Medium-Term Actions (3–9 Months)

  • Contractual updates. Renegotiate or amend B2B data-sharing agreements to incorporate Data Act access rights, permitted purposes, liability allocation, trade-secret protections, and dispute-resolution mechanisms.
  • Technical implementation. Deploy or upgrade APIs, data-export tools, and access-logging systems to enable compliant data sharing. Ensure anonymisation and pseudonymisation capabilities are available.
  • DPIA for high-risk sharing. Conduct Data Protection Impact Assessments for data-sharing arrangements that involve large-scale personal data or sensitive product data.
  • Training programme. Roll out training for legal, procurement, product, and customer-service teams covering Data Act rights, request-handling procedures, and GDPR/DSG interaction.
  • Public-authority response process. Establish a documented internal procedure for evaluating and responding to public-authority access requests, including template response letters and escalation protocols.

Long-Term Actions (9–18 Months)

  • Design-by-default for new products. Ensure all connected products placed on the market from 12 September 2026 are designed to allow users to access product-generated data easily and securely.
  • Interoperability review. Assess cloud-service contracts and switching provisions ahead of the 12 September 2027 deadline for full cloud-switching and interoperability compliance.
  • Monitoring and audit cycle. Integrate Data Act compliance checks into the existing GDPR/DSG audit programme. Schedule annual reviews of data-sharing agreements, access logs, and technical controls.
  • Dispute-resolution readiness. Identify certified dispute-settlement bodies and establish internal escalation paths for contested data-access or trade-secret disputes.

DPO Checklist: Download Template Outline

The following template can be adapted as a downloadable DPO checklist for internal use:

  • ☐ Data inventory completed and datasets classified (personal / non-personal / mixed)
  • ☐ Organisational roles mapped (data holder / data user / data recipient / manufacturer)
  • ☐ GDPR controller/processor mapping aligned with Data Act roles
  • ☐ Existing B2B contracts reviewed and gaps documented
  • ☐ Data-access request handling procedure drafted and approved
  • ☐ Public-authority access response protocol in place
  • ☐ Technical measures (APIs, logging, anonymisation) deployed or scheduled
  • ☐ DPIA completed for high-risk data-sharing arrangements
  • ☐ Staff training delivered to all relevant departments
  • ☐ Board/management briefing completed and resources allocated
  • ☐ Audit schedule established and integrated with GDPR/DSG programme

Contractual and Commercial Implications: B2B Data-Sharing Templates

The Data Act imposes fairness requirements on B2B data-sharing contracts and creates new access rights that must be reflected in commercial agreements. Austrian businesses that currently share product-generated data under bespoke terms will need to review those arrangements for compliance with the regulation’s fairness test, which voids contractual terms that are manifestly unfair where they have been unilaterally imposed on a micro, small, or medium enterprise.

Data Processing Agreement vs Data Act Data-Sharing Clause

A GDPR data processing agreement (DPA) and a Data Act data-sharing clause serve different purposes. The DPA governs the processing of personal data on behalf of a controller. A Data Act data-sharing clause governs the access, use, and conditions under which product-generated data (which may or may not include personal data) is made available. Where personal data is involved, both instruments are needed: the DPA for GDPR/DSG compliance and the data-sharing clause for Data Act compliance. The two should be drafted to work in tandem, with cross-references ensuring consistency.

Recommended Contract Language

The following sample clause elements should be incorporated into B2B data-sharing agreements:

  • Scope of data access. “The Data Holder shall make available to the Data Recipient all product-generated data specified in Schedule [X], in a commonly used, machine-readable format, without undue delay following a valid access request.”
  • Permitted purposes. “The Data Recipient shall process the data exclusively for the purposes specified in this Agreement and shall not use the data for profiling of natural persons or for purposes that compete directly with the Data Holder’s core product.”
  • Trade-secret protection. “Where data includes information qualifying as a trade secret, the Data Recipient shall implement the technical and organisational measures set out in Annex [Y] and shall not disclose such information to any third party.”
  • Liability and indemnification. “Each party shall be liable for damages arising from its breach of this Agreement or of applicable data-protection law. The Data Recipient shall indemnify the Data Holder against claims arising from the Data Recipient’s unauthorised use or disclosure of data.”
  • Dispute resolution. “Disputes arising under this Agreement shall first be referred to [certified dispute-settlement body]. If unresolved within [30] days, either party may initiate proceedings before the competent Austrian courts.”

Technical and Organisational Measures: IoT Data Governance

The Data Act’s access and sharing requirements demand robust technical infrastructure, particularly for organisations involved in IoT data governance. Connected products must be capable of making data available in a structured, commonly used, and machine-readable format. Austrian companies should focus on the following technical safeguards:

  • Standardised APIs. Deploy open or well-documented APIs that allow authorised users and recipients to retrieve data programmatically. Ensure APIs support authentication, rate limiting, and logging.
  • Access logging and audit trails. Implement granular logging of every data-access event: who accessed what data, when, for what stated purpose, and under which legal basis.
  • Anonymisation and pseudonymisation tools. Maintain validated tools capable of separating personal from non-personal data or anonymising datasets before sharing, consistent with GDPR standards.
  • Encryption and secure transfer. Use end-to-end encryption for data in transit and at rest. Apply TLS 1.3 or equivalent for API communications.
  • Role-based access controls. Ensure that internal and external access to data repositories is governed by least-privilege principles, with regular access reviews.
  • Patch and update management. Maintain firmware and software update policies for connected products to address security vulnerabilities that could compromise data integrity or availability.
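
The five-step decision flow for access requests given earlier and the access-logging safeguard in this list can be combined in one request handler. The following is an added example, not part of the original guide: the field names, the request keys (`personal_required`, `lawful_basis`, `dpa_in_place`, `high_risk`, `dpia_done`) and the hash-chained log format are assumptions chosen for illustration, since the guide prescribes neither a schema nor a log format.

```python
import hashlib
import json
from datetime import datetime, timezone

# Assumed classification of a constructed fleet-telematics schema (not from the guide).
FIELD_CLASS = {
    "engine_temp_c": "non-personal",
    "error_code": "non-personal",
    "usage_cycles": "non-personal",
    "gps_position": "personal",
    "driver_id": "personal",
    "driver_pseudonym": "personal",  # re-identifiable pseudonym stays personal (Step 1)
}
GENESIS = "0" * 64


def split_fields(fields):
    """Step 1: split requested fields; unknown fields fail closed as personal."""
    personal = [f for f in fields if FIELD_CLASS.get(f, "personal") == "personal"]
    return personal, [f for f in fields if f not in personal]


def decide(req):
    """Steps 1-4: return (outcome, released_fields, reason) for one request."""
    personal, non_personal = split_fields(req["fields"])
    if not personal:
        return "release", non_personal, "non-personal data only"
    # Step 3: if the purpose works without personal data, share only the rest.
    if not req.get("personal_required"):
        if non_personal:
            return "release_partial", non_personal, "personal fields separated out"
        return "refuse", [], "nothing left after separation"
    # Steps 2 and 4: sharing personal data is unavoidable, so check each safeguard.
    if not req.get("lawful_basis"):
        return "refuse", [], "no GDPR Art. 6 lawful basis recorded"
    if not req.get("dpa_in_place"):
        return "refuse", [], "no contractual safeguard with the recipient"
    if req.get("high_risk") and not req.get("dpia_done"):
        return "refuse", [], "high-risk sharing without a DPIA"
    return "release", list(req["fields"]), "personal data shared under safeguards"


class AuditLog:
    """Step 5: append-only log in which each entry commits to the previous hash."""

    def __init__(self):
        self.entries = []

    @staticmethod
    def _digest(entry):
        body = {k: v for k, v in entry.items() if k != "hash"}
        return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

    def record(self, req, outcome, released, reason):
        entry = {
            "when": datetime.now(timezone.utc).isoformat(),
            "who": req["requester"],
            "purpose": req["purpose"],
            "legal_basis": req.get("lawful_basis") or "n/a",
            "requested": list(req["fields"]),
            "released": list(released),
            "outcome": outcome,
            "reason": reason,
            "prev": self.entries[-1]["hash"] if self.entries else GENESIS,
        }
        entry["hash"] = self._digest(entry)
        self.entries.append(entry)
        return entry

    def verify(self):
        """Detect edited, reordered or mid-chain deleted entries (not tail truncation)."""
        prev = GENESIS
        for entry in self.entries:
            if entry["prev"] != prev or entry["hash"] != self._digest(entry):
                return False
            prev = entry["hash"]
        return True


def handle(req, log):
    """Decide on a request and log the decision, including refusals."""
    outcome, released, reason = decide(req)
    log.record(req, outcome, released, reason)
    return outcome, released


if __name__ == "__main__":
    log = AuditLog()
    # Constructed request from a hypothetical maintenance provider (data recipient).
    req = {"requester": "maintenance-provider-01", "purpose": "predictive maintenance",
           "fields": ["engine_temp_c", "error_code", "driver_pseudonym"]}
    print(handle(req, log))   # personal field withheld, technical fields released
    print(log.verify())
```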

Industry guidance from organisations such as TÜV SÜD and the TÜV Akademie provides useful reference points for Austrian manufacturers implementing these technical requirements alongside existing product-safety and cybersecurity standards.

Cross-Border Data Access and Transfers: Schrems and Third-Country Concerns

When data shared under the Data Act includes personal data and involves a transfer to a third country outside the EEA, GDPR transfer rules apply in full. Austrian companies must verify that one of the recognised transfer mechanisms is in place: an adequacy decision, Standard Contractual Clauses (SCCs), binding corporate rules, or an applicable derogation. The Data Act does not create any new exemption from these requirements.

Cross-border data access within the EU is generally straightforward under the Data Act’s framework, as the regulation applies uniformly across Member States. However, complications arise when data holders or recipients are established outside the EU, or when cloud infrastructure routes data through third-country servers. The EDPB’s guidance on supplementary measures following the Schrems II decision remains directly relevant for Austrian organisations assessing whether technical measures can bridge any gap in third-country protection.

When to Consult Privacy and Compliance Counsel

Austrian firms should seek specialist legal advice whenever a Data Act access request involves cross-border data access to or from a third country, where datasets contain special categories of personal data, or where the intersection of the DSG, GDPR, and Data Act creates uncertainty about controller/processor roles or lawful bases. Early engagement with counsel is significantly less costly than retrospective remediation after a complaint to the Datenschutzbehörde.

Quick-Reference Comparison Table: Obligations and First Actions by Entity Type

| Entity Type | Key Data Act Obligations | Suggested First Action |
| --- | --- | --- |
| Product manufacturer (IoT vendor) | Provide user access to product-generated data; support interoperability; include contractual terms for data recipients; design new products for data accessibility from 12 September 2026. | Map all connected products and data flows; update terms and conditions and product documentation. |
| Business user / data holder | Respond to data-access requests from users and recipients; preserve trade secrets through proportionate measures; ensure lawful processing of any personal data under GDPR/DSG. | Identify all data held and classify as personal vs non-personal; establish request-handling procedures. |
| Data recipient / service provider | Process data only for agreed purposes; implement technical safeguards; prevent unauthorised onward sharing; delete data when no longer needed. | Review all incoming data-sharing contracts and implement technical access controls and logging. |
| Public-sector body | May request data only in cases of exceptional need; must demonstrate proportionality and necessity; must respect trade secrets and personal-data protections. | Develop internal request templates and legal-review procedures aligned with Data Act Chapter V. |

Need Legal Advice?

This article was produced by Global Law Experts. For specialist advice on this topic, contact János Böszörményi at Schönherr Rechtsanwälte GmbH (‘Schoenherr’), a member of the Global Law Experts network.

Next Steps and Resources

The EU Data Act compliance landscape in Austria will continue to evolve as the European Commission issues delegated and implementing acts, and as Austrian regulators, including the Datenschutzbehörde, develop enforcement practice. Organisations that invest in structured compliance programmes now will be best positioned to manage access requests efficiently, avoid regulatory scrutiny, and turn data-sharing obligations into a commercial advantage.

To support your implementation efforts:

  • Use the DPO checklist template above as a starting point for your internal compliance programme.
  • Adapt the sample B2B data-sharing contract clauses to your specific commercial relationships, with input from qualified Austrian data-protection counsel.
  • Monitor guidance from the Austrian Data Protection Authority, the WKO, and the European Data Innovation Board for updates on enforcement priorities and interoperability standards.
  • Consider commissioning a dedicated Data Protection Impact Assessment for high-volume or high-risk data-sharing arrangements involving personal data.

Data-protection compliance in Austria now operates on two parallel tracks: the established GDPR/DSG framework and the new EU Data Act access regime. Organisations that treat these as integrated rather than separate obligations will achieve more resilient, more defensible compliance outcomes. Professional legal review remains essential before finalising any data-sharing arrangement, public-authority response protocol, or technical-access architecture under the EU Data Act framework in Austria.


FAQs

Q1: What is the EU Data Act and when did it become applicable?
The EU Data Act (Regulation (EU) 2023/2854) establishes harmonised rules on access to and use of data generated by connected products and related services. It became directly applicable across all EU Member States, including Austria, on 12 September 2025. No national transposition was required.
The Data Act does not replace or override the GDPR or the Austrian Data Protection Act (DSG). Where product-generated data contains personal data, GDPR/DSG obligations, including lawful basis, purpose limitation, and data-subject rights, continue to apply in full alongside the Data Act’s access framework.
Yes, but only in limited circumstances of exceptional need, such as public emergencies. Access requests must be proportionate, specific, and accompanied by safeguards protecting trade secrets and personal data. The Data Act does not cover law-enforcement access, which remains subject to separate national legal bases.
Immediate priorities include completing a data inventory, classifying datasets as personal or non-personal, mapping organisational roles under the Data Act, auditing existing B2B contracts for gaps, and ensuring the DPO is integrated into data-access decision-making processes.
A data holder is the entity that controls access to product-generated data. A data user is the person or organisation entitled to access and use that data. A data recipient is a third party to whom data is made available at the data user’s request. These roles do not automatically correspond to GDPR controller/processor designations.
Cross-border transfers involving personal data remain fully subject to GDPR transfer rules: adequacy decisions, SCCs, or binding corporate rules must be in place. The Data Act creates no new exemption from transfer safeguards. Austrian companies must continue to apply EDPB supplementary-measures guidance for third-country transfers.
Consult early whenever data-access requests involve personal data, trade secrets, or public-authority demands. Specialist advice is also recommended where there is uncertainty about controller/processor status, where cross-border transfers are implicated, or where the DSG imposes Austria-specific requirements beyond the GDPR baseline.