EU Data Act Update - German Draft for Data Act Implementation Bill
As of 12 September 2025, most of the obligations of the EU Data Act (DA) will come into force. While the Data Act is directly applicable in all EU Member States, it leaves enforcement of its obligations to the Member States.
On 7 February 2025, the German Federal Ministry published a draft bill for the implementation of the Data Act in Germany (Referentenentwurf, Draft Bill).
Here are some key takeaways:
Detailed sanctions list: The draft bill cascades the fines for violations of the obligations as follows:
- Up to four percent of the annual turnover, which applies only to Gatekeepers, for receiving or requesting data under the Data Act (Sec. 18 (5) Draft Bill).
  - Gatekeepers are currently Alphabet, Amazon, Apple, ByteDance, Meta, Microsoft and Booking.
- Up to EUR500.000 for several violations of high-profile obligations of other addressees (i.e. manufacturers, service providers, data holders), including inter alia the following cases:
  - The intentional or negligent violation of the obligation of the manufacturer to provide access to the data (Art. 3 (1) DA) (Sec. 18 (5) No. 2, (3) No. 1 Draft Bill).
  - The intentional or negligent violation of the obligation of the data holder to make the readily available data available to the user (Art. 4 (1) DA) and third parties (Art. 5 (1) DA) (Sec. 18 (5) No. 2, (3) No. 3 Draft Bill).
- Up to EUR100.000 for several violations of mid-profile obligations, including inter alia the following relevant case:
  - The intentional or negligent violation of the obligation of the data holder to only use data on the basis of a valid data licence agreement with the user (Art. 4 (13) DA) (Sec. 18 (5) No. 3, (3) No. 13 Draft Bill).
- Up to EUR50.000 for the remainder of the violations of the obligations, including inter alia the following relevant case:
  - The intentional or negligent violation of the obligation of the manufacturer to provide the pre-contractual information on the data capacities of the connected product or related service (Art. 3 (2), (3) DA) (Sec. 18 (5) No. 4, (3) No. 2 Draft Bill).
- A warning can be applied to minor violations of the Data Act.
- It appears that these fines should be applied on a case-by-case basis, i.e. per infringement relating to a single connected product or related service, or per user, so they could quickly add up.
Competent authority: The Federal Network Agency (Bundesnetzagentur, BNetzA) is to become the competent authority and will monitor compliance with the obligations of the Data Act. The Federal Commissioner for Data Protection (Bundesbeauftragter für den Datenschutz) monitors compliance with the provisions of the GDPR and is involved in any assessment that involves the processing of personal data.
Investigation powers: The BNetzA is responsible for investigating complaints of violations of the Data Act, but may also conduct ex officio investigations into possible violations (Sec. 7 (1) Draft Bill). For the purposes of the investigation, the BNetzA may require the addressee to provide information and business documents and may inspect the addressee's business premises (Sec. 9 (1) Draft Bill).
Remedial powers: If the BNetzA concludes that the obligations under the Data Act have not been fulfilled, it may require the addressee either to comment on the non-compliance or to remedy it (Sec. 7 (4) Draft Bill). If this is unsuccessful, the BNetzA may order the measures necessary to fulfil the obligations under the Data Act (Sec. 7 (5) Draft Bill).
Action Items
Manufacturers, service providers and data holders must ensure compliance with the Data Act along the value chain. This requires, in particular:
- An analysis of the data processing operations relating to the connected product, related services and the data generated by each of them, to determine the scope of the required access options.
- Implementation of technical and organisational measures to protect particularly sensitive data and the trade secrets contained therein.
- Internal procedures for implementing the requirements of the Data Act and for dealing with data requests.
- The early conclusion of contractual agreements for the data holder’s own use of the data in order to avoid the otherwise imminent obligation to delete the data.
- Tracking and benchmarking legislative initiatives in the EU Member States and incorporating them into route-to-market considerations.