Data Act and powers of the Data Protection Ombudsman
The EU Data Act (DA) sets out how data generated by connected products can be shared. Most of the regulation became applicable on 12 September 2025. The Office of the Data Protection Ombudsman monitors compliance with the law on the protection of personal data, including in the application of the Data Act.
The aim of the Data Act is to make it easier to access and use data. The act applies broadly to data generated by the use of devices connected to the internet. Such devices may include sensors, smartwatches, electric vehicles or even paper machines or aircraft. The range of data types collected by devices is very wide. If the data collected by a device can be connected to an individual, it is considered personal data. For example, a smartwatch can collect data about the user’s health and an electric car about its location. The processing of personal data must comply with data protection legislation.
What rights does a user have?
The Data Act requires device manufacturers to design their devices so that users can access the data they produce. If, for example for technical reasons, the data cannot be obtained directly from the device, the manufacturer must provide it to the user at the user's request. The user can also share this data with a third party, such as a company that provides maintenance or additional services.
The user in the context of the Data Act can be an individual, a company or an entity (legal person). The user can therefore also be an organisation – not always the individual person who actually uses the device.
The Data Act also makes it easier to switch between cloud service providers and move data from one system to another. In exceptional circumstances, such as natural disasters or pandemics, public authorities may also have access to data if there is an overriding public interest in having it.
What should a data controller take into account?
A controller must be careful about what data generated by a device connected to the network constitutes personal data. Personal data is any information relating to an identified or identifiable natural person. Personal data must be processed in accordance with the requirements of data protection legislation, while the use of other types of data is less restricted.
The processing of personal data also requires a legal basis. The Data Act itself does not create a legal basis for processing. This is particularly important in situations where the user of the device is, for example, a company or public organisation that collects personal data about the person who actually uses the device. If the user of the device is someone other than the person from whom the data is collected, the data can only be shared if there is a legal basis for doing so. Such a situation can arise, for example, if:
- The user is a company whose device collects data on the employee using it
- The user is a school whose borrowed computer collects data about the pupil
- The user is a car rental company whose rental car collects data about the driver
The controller should also bear in mind the rights of the data subject and the related provisions when applying the Data Act. The controller must also provide data subjects with up-to-date and comprehensive information on the processing of personal data.
More information on the processing criteria: When is the processing of personal data permitted?
More information about the rights of the data subject: Rights of the data subject
More information on informing data subjects about processing: Inform data subjects about processing
Employers must be particularly careful
Particular care must be taken in situations where an employer uses devices that collect data that can be used to draw conclusions about the work or other behaviour of individual employees. In these situations, the employer must ensure the privacy of its employees. The employer must ensure that employees are not monitored by technical means in violation of the General Data Protection Regulation or the Act on the Protection of Privacy in Working Life (759/2004).
Find out more about data protection in working life: Frequently asked questions about working life
Application and enforcement of the Data Act
National legislation is being prepared to divide the supervisory responsibilities of the Data Act between different authorities. Under the proposal, the main supervisory authority and data coordinator would be the Finnish Transport and Communications Agency (Traficom). The proposal was presented to the Finnish Parliament on 25 September 2025. You can follow the progress of the regulatory proposal here: Government proposal on the implementation of the EU Data Act.
The Data Act entered into force on 11 January 2024. Most of the regulation became applicable on 12 September 2025, but certain obligations will not enter into force until 2026.
When should you contact the Office of the Data Protection Ombudsman?
The Office of the Data Protection Ombudsman supervises compliance with the data protection legislation, including in the application of the Data Act. The Data Protection Ombudsman also enforces the rules of the GDPR when personal data and other types of data are inextricably linked. In addition, if a public authority or other public sector body requests data containing personal data from a company in the event of a societal emergency, the Data Protection Ombudsman must be informed. The Office of the Data Protection Ombudsman has no competence to monitor other issues related to the Data Act.
You can contact the Office of the Data Protection Ombudsman if you believe that personal data protection legislation has been breached in the application of the Data Act.
Further information:
Further information on the Data Act on the European Commission website
The Data Act explained on the European Commission website
Obligations of data holders on the Traficom website
About the Data Act on the Traficom website