Core Analysis of the EU "Data Act" and Enterprise Compliance Guide

Author: 中认联科 Time: 2026-01-06

The EU's "Data Act" is an important regulation in the field of data governance, which clearly defines the applicable subjects and sets specific requirements for corporate compliance, with severe penalties for violations. Its applicable subjects fall into three categories: first, manufacturers, service providers, and data recipients of connected products within the EU; second, data holders, public authorities requesting data, and suppliers providing data processing services to the EU (not limited by the place of operation); third, relevant entities using or deploying smart contracts in the data space.

For Chinese sellers expanding into the EU, the core of compliance lies in clarifying roles, sorting out processes, and establishing systems. They need to first inventory their data assets and define their roles, such as "data holder" and "data processor"; disclose data types, storage, and access methods in plain language on their websites and in their privacy policies; provide free and accessible machine-readable data interfaces to optimize user experience; and standardize third-party data sharing, sign protection agreements, and comply with GDPR. It should be noted that the basis for public authorities' data requests is Articles 6-7 of the Data Act, not Article 15 of GDPR.

General corporate compliance should be advanced in four steps. In the initial preparations, clarify responsibilities through contracts and technical evaluations, and conduct a comprehensive inventory of data by category; on the product side, redesign interfaces based on the "data acquisition as design" principle, and complete compliance for new products by September 2026; form a cross-departmental special team, conduct comprehensive training for all employees, and appoint a DPO only for specific scenarios, without mandatory appointment for all employees; at the same time, track regulatory updates and conduct regular compliance audits.

This act does not affect the implementation of GDPR, and the penalties for violations are severe. Violating obligations in Chapters 2, 3, and 5 (such as data sharing requirements) can result in a maximum fine of 20 million euros or 4% of the company's global revenue in the previous fiscal year (whichever is higher); for violations of obligations in Chapter 5, the European Data Protection Supervisor can impose a fine of 50,000 euros per infringement and a cumulative fine of 500,000 euros per year. Companies need to actively adapt and balance compliance costs with business development.
