Smart Buildings and the Data Act

Data access, data transfer and new requirements for cloud switching

Today's buildings are data rooms. Sensors and IoT systems provide information about energy flows, climate, access controls, and space utilisation. This data is valuable for operators, tenants and service providers, but until now it has often been locked away in proprietary systems. Since 12 September 2025, the Data Act has been in force, a binding European legal framework that reorganises access to and use of data. 

The Data Act strengthens the position of users. Anyone who uses a networked product or connected service is entitled to the data generated in the process. This data may also be passed on to third parties by the user. 

Opportunities and risks for the real estate industry

Manufacturers and providers of connected products and services must design them in such a way that access to this usage data is actually possible. For the real estate industry, this means a noticeable shift in ‘data power’: operators and tenants can request data that was previously only available to the manufacturer or service provider.

This brings with it both opportunities and obligations. This data transparency enables new business models and more efficient operating processes. At the same time, companies must review their contracts, technical interfaces, and compliance processes. Data protection, trade secrets, and liability issues must be carefully addressed. Above all, however, it is of central importance that the use of data, for example by building management, is only permitted with the consent of the users. 

Access, disclosure, and protection of data

At the heart of the Data Act is the right of users to access data generated through the use of a connected product or service. For smart buildings, this includes sensor values, status reports and event logs that are available directly or via accompanying (connected) services. Enriched analyses or complex models are not covered by the provision obligation; instead, the focus is on the raw data collected directly.

Users can be not only the owners of the residential unit, but also its operators or even tenants. They can request the usage data generated from the data owner themselves or demand that it be passed on to third parties. Manufacturers and providers must verify the user's status and set up practical access options. The Data Act ideally provides for direct access to the product or service. If this is not technically feasible, indirect data access via suitable interfaces is mandatory. Clear information about data types, access options and any restrictions must also be provided prior to the conclusion of a contract. 

One innovation that is particularly relevant to the real estate industry is the possibility for users to designate a third party as a ‘data recipient’. If, for example, a tenant wishes to pass on their consumption data to an energy service provider, the data owner must ensure that the data is transferred to this data recipient, even if it is a competitor. The contractual terms between the data owner and the data recipient must be fair, reasonable, and non-discriminatory. At the same time, the Data Act protects trade secrets and security interests. In exceptional cases, the data owner may restrict the disclosure of data if there is a high risk to secrets or security, but only under strict conditions. 

Cloud switching and interoperability

Cloud switching is of great importance for digital offerings in the real estate industry. Many smart building platforms run in the cloud. The Data Act obliges providers to remove barriers to switching to alternative providers, disclose interfaces. and map exit rules both contractually and technically. Switching fees will be reduced and prohibited altogether in the future. The aim of the Data Act is to reduce dependence on proprietary systems.

Practical implementation and compliance

The first challenge lies in clarifying roles. Building owners, building managers or operators, platform providers, service providers, and tenants all play a role in a building. Who is the data owner and who is the user must be defined for each system and each usage constellation. It is advisable to systematically assign the relevant products and services, combined with a matrix that documents data categories, user groups, and responsibilities. Secondly, there is the question of protecting trade secrets. Much building data contains information that allows conclusions to be drawn about security architecture or maintenance strategies. The Data Act provides for protective mechanisms, including graduated measures for exceptional circumstances. The parties concerned should set out in a contract how secrets are to be protected and what procedures apply when users request data relating to sensitive areas.

A third point is the interaction with data protection law. Much of the data from smart buildings is personal, for example in access systems or workplace sensors. The Data Act does not create a separate legal basis here in the sense of the GDPR. This means that any data transfer must be based either on consent or another legal basis. Companies should therefore establish procedures to identify personal data and handle it in a legally compliant manner. 

Providers of SaaS and other cloud services in the real estate context are also obliged to provide options for switching and to promote interoperability. For real estate companies, this means that they must draft future platform contracts with clear exit clauses and migration paths. Particular challenges arise in this regard when drafting a ‘termination fee’ clause for the early termination of a long-term contract. The model clauses yet to be published by the Commission can serve as a guide.

Recommendations for action for real estate companies

If the provisions of the Data Act have not yet been fully implemented, companies in the real estate industry must take action now. The first step is to conduct a comprehensive data inventory. What data is collected in the buildings, who collects it, and who currently has access to it? On this basis, it is possible to check whether the provisions of the Data Act are being complied with.

Existing contracts with manufacturers, platform operators, service providers, and tenants must be reviewed for compatibility with the new obligations. Where necessary, adjustments must be made. 

At the same time, a technical review is required. Data access must not only exist in theory, but must also be usable in practice. Data owners must check whether interfaces are available and functional and whether the data can be provided in the required format.

It is equally important to establish clear compliance processes. User requests must be reviewed, documented and answered. This also includes procedures for reviewing trade secrets and data protection. Interdisciplinary teams from IT, legal and facility management can take on these tasks together.

The cloud strategy should also be reviewed from the perspective of ‘cloud switching’. Contract negotiations offer scope here to reduce costs and dependencies.

Open communication with owners, tenants, and service providers creates trust and prevents conflicts. Transparency about rights and obligations facilitates implementation and strengthens the company's position in the market.

Conclusion: Data as a strategic factor

The Data Act fundamentally changes how building data is handled. Since September 12, 2025, binding rules have been in place for accessing and using data in smart buildings. User rights are strengthened, while manufacturers and providers must adapt their systems and contracts.

For real estate companies, this means new opportunities and, at the same time, new obligations. Those who implement data inventory, contract review, and technical interfaces in a timely manner will secure competitive advantages and reduce legal risks. 

The coming months will show how the requirements prove themselves in practice. However, it is already clear that data is increasingly becoming a strategic factor in the real estate sector. Anyone who wants to operate smart buildings successfully needs not only modern technology, but also a robust data strategy in line with the Data Act and the GDPR.