Connected Product

A connected product is a physical item that collects data and communicates them via a network connection. Under the Data Act, the user has the right to data from their connected products, and the manufacturer is obliged to make data available.

Back to Dictionary

What is a connected product?

A connected product is a physical item that can obtain, generate or collect data about its own use or its surrounding environment. The product can communicate these data via an electronic communications service (e.g. internet, Bluetooth, mobile networks), a physical connection or direct on-device access.

The concept is central to the Data Act because the regulation governs who has the right to the data that connected products generate. Without connected products, there are no data to share and thus no Data Act obligations.

The decisive factor is the combination of physical item and data connection. An ordinary spanner is not a connected product. A spanner with built-in sensors that register torque and transmit data to an app is. The physical item generates data, and data can be communicated onward.

Examples of connected products

Connected products exist in all sectors. Here are some typical examples:

**Industry and manufacturing:**

CNC machines that report operational data and error codes
Industrial sensors measuring temperature, pressure and vibrations
Robots with network connections for control and monitoring

**Consumer devices:**

Smartwatches and fitness trackers
Smart home devices (thermostats, lighting, security cameras)
Connected white goods (washing machines, refrigerators)

**Transport and mobility:**

Connected vehicles that collect driving data
Fleet management systems with GPS tracking
Electric charging stations with network connections

Pure software without connection to a physical product is not a connected product under the Data Act. A cloud-based CRM solution, for example, is not covered. But a smart sensor that delivers data to the cloud solution is.

Rights to data

The Data Act creates clear rules about who has the right to data from connected products:

**The user.** If you own or use a connected product, you have the right to the data the product generates. The data holder (typically the manufacturer) must make data available without undue delay and in a structured, machine-readable format.

**Third parties.** As a user, you may request that your data be shared with a third party. The data holder must honour the request on FRAND terms. This opens up competition because independent repairers, service companies and other actors can access the data they need. Read more under B2B data sharing.

**The data holder.** The manufacturer retains the right to use data for its own purposes but cannot block the user's access. The data holder may protect trade secrets and charge compensation from third parties (not from the user).

If data contain personal data, GDPR applies alongside. You must have a valid consent or other legal basis for processing, and you must respect the data subject's rights, including the right to erasure.

Design and manufacturer obligations

The Data Act places requirements on how connected products are designed and marketed:

**Data access by design.** New connected products must be designed so that users can easily and securely access the data the product generates. Data access must be built in from the start, not added as an afterthought.

**Information obligation.** Before purchase, the manufacturer must inform the user about which data the product generates, how the user can access them, whether data are stored locally or in the cloud, and whether the manufacturer shares data with third parties.

**Security.** The manufacturer must implement appropriate security measures to protect data. This includes encryption of data in transit and at rest, as well as access control so that only authorised parties can access data.

**Interoperability.** Data must be made available in formats that support interoperability. The user must be able to use data in other systems without depending on the manufacturer's proprietary software.

For manufacturers of connected products, the Data Act represents a fundamental shift in how data are perceived. Data are no longer the manufacturer's exclusive resource. They belong to the ecosystem, and the manufacturer is a data holder with clear obligations. Organisations that embrace this change and build open, transparent data practices create competitive advantages. A thorough ISMS helps you balance openness and security.

Frequently Asked Questions about Connected Product

What is a connected product under the Data Act?

A connected product is a physical item that can obtain, generate or collect data about its use or its environment and communicate these data via a network connection. Examples include smart machines, industrial sensors, connected vehicles and smart home devices.

Which products are covered by the Data Act?

The Data Act covers all physical products that can collect and communicate data via a network connection. This includes industrial equipment, consumer electronics, vehicles, medical devices and agricultural machinery. Pure software without connection to a physical product is not covered.

Who has the right to data from a connected product?

The user of the connected product has the right to access the data the product generates. The user may also request that data be shared with third parties. The data holder (typically the manufacturer) is obliged to make data available.

Must manufacturers redesign existing products to comply with the Data Act?

The Data Act requires connected products to be designed so that users can easily access data. For new products, this must be built in from the start (data access by design). Existing products must be adapted to the extent technically possible before the regulation applies.

Does the Data Act also apply to personal data from connected products?

Yes. If a connected product collects personal data, GDPR applies in parallel with the Data Act. The manufacturer must ensure that data sharing complies with both regulatory frameworks, including requirements for consent or another legal basis for processing personal data.