With our article series drawing to a close, we shift focus to a more serious subject: the consequences of infringements under the Data Act. Understanding these repercussions is essential to fully grasp the risks associated with non-compliance.
In the event of a violation, both natural and legal persons may file a complaint with the relevant competent authority. They also have the right to seek an effective judicial remedy against legally binding decisions issued by these authorities. The structure and number of competent authorities vary across EU member states. Some may rely on newly established bodies, while others may assign the task to existing institutions. In cases where multiple authorities are involved – as is likely the case in Germany, for example – a designated data coordinator will oversee and facilitate their cooperation. Additionally, supervisory authorities already tasked with enforcing the GDPR will also be responsible for overseeing the application of personal data provisions under the Data Act.
Competent authorities handle complaints under the Data Act, raise awareness of user rights, and assess contentious data access requests. They may impose penalties or initiate legal action in cases of unlawful data access denial, misuse of data or unfair contractual terms.
The Data Act itself does not set out penalties for non-compliance. It leaves this to the discretion of the individual member states – provided their sanctions are effective, proportionate, and dissuasive. This decentralized approach initially raises concerns about “forum shopping”, with companies potentially gravitating towards jurisdictions with more lenient rules. However, such fears may be unfounded, as we anticipate that most member states will either align their penalties with the GDPR to meet EU standards or follow the European Data Innovation Board’s (EDIB) recommendations on sanctions.
Member states must notify the Commission of their rules and measures by 12 September 2025. The Commission is required to publish and regularly update this information in a publicly accessible register on its official website, allowing anyone to review the measures adopted. At the end of July, this register was not yet available.
If personal data is involved, the supervisory authority under the GDPR is empowered to impose fines for breaches of GDPR obligations. The amount of the fine depends on the nature, gravity, scope, and duration of the infringement and, as under the GDPR, may be calculated as a percentage of the offending party’s global annual turnover. Fines can reach up to EUR 20,000,000 or 4% of the worldwide annual turnover of the preceding financial year, whichever is higher.
In any case, users have the right to lodge a complaint with the competent authority in the member state of their habitual residence, place of work, or place of establishment – including in cross-border situations.
Now is the time to take proactive steps to comply with the Data Act and avoid potential penalties. Don’t wait – act now!