The EU Data Act, set to take effect on 12 September 2025, introduces new regulations on data access and sharing, reshaping how hospitality businesses handle operational and IoT-generated data. While the General Data Protection Regulation (GDPR) remains the foundation of data protection, this new law expands compliance requirements for hoteliers.

In this week’s feature of the VENZA Echo, we explore the key differences between GDPR and the Data Act and what this new law means for compliance.

GDPR Vs. Data Act

The EU Data Act, adopted in January 2024 and set to take effect in September 2025, introduces new regulations on the access and use of data generated by connected products and related services across the EU.

While GDPR safeguards personal data, the Data Act takes a broader approach, ensuring fair access to and use of non-personal and industrial data, particularly in IoT and cloud-based environments.
Key differences include:

Feature	GDPR	Data Act
Objective	Ensures individuals’ rights over their personal data and mandates data security.	Establishes rules for business-to-business (B2B), business-to-government (B2G), and consumer data access and sharing.
Data	Only personal data (e.g., name, email, location, IP address).	Primarily non-personal data (e.g., IoT-generated data, industrial data), but
Applicability	Any company processing the personal data of EU citizens.	Companies handling non-personal and industrial data, particularly in IoT, cloud services, and data-driven industries.

New Requirements

The EU Data Act introduces several new obligations for businesses, particularly those handling IoT-generated data, cloud services, and industrial data.

Key requirements include:

*User access for users to the data their devices generate, and companies cannot restrict access to IoT-generated data.

*Data-sharing agreements must be fair, with protections in place to prevent SMEs (small and medium enterprises) from being subjected to unfair contract terms.

*Governments may request business-held data during public emergencies, such as pandemics or disasters.

*Cloud providers must facilitate seamless switching between services without imposing vendor lock-in or excessive exit fees.

*Dominant companies are prohibited from enforcing unfair data-sharing agreements on smaller businesses.

Hotelier Impact

The EU Data Act presents both opportunities and challenges for hoteliers as it reshapes data access and sharing regulations.
Hoteliers leveraging IoT-enabled smart room devices and guest analytics tools will gain greater control over these technologies’ data. Additionally, it provides greater flexibility in cloud services, making it easier to switch between hotel management systems and cloud-based platforms without vendor lock-in. It also ensures more transparent data partnerships, leading to fairer agreements between hotels and service providers such as PMS, CRS, and guest loyalty programs.

However, compliance with the Data Act introduces new challenges.

Hotels using IoT, smart devices, or cloud services must adhere to stricter data-sharing obligations, ensuring compliance with the law. Public institutions may also request hotel data in emergencies, such as during a pandemic or crisis, requiring careful data governance. Lastly, hotels will need to revisit and adjust contractual agreements with technology vendors to align with the fair data-sharing requirements outlined in the regulation.

Moving Forward

The EU Data Act is poised to reshape data access and sharing for hoteliers. While it enhances control over IoT and operational data, it also introduces new compliance obligations.

Preparing now—by reviewing data-sharing agreements and cloud service contracts—will help hotels stay compliant and leverage these changes for greater transparency and efficiency.

Feeling overwhelmed? Don’t be. As a leader in hospitality data protection, VENZA provides vendor security assessments and privacy management solutions to help hoteliers navigate the evolving global regulatory landscape.

Ready to get started? Contact Sales to discuss signing up for our programs or adding new solutions to your contract.

***

Take VENZA’s free Phishing Test to assess gaps in your human firewall today!

Training your personnel to recognize and report phishing attempts is essential to protecting your guests and their data. Get started by determining your risk and readiness level using this free tool.

***

Want to stay informed? Subscribe to the free VENZA Echo now. You’ll receive a monthly digest with the highlights of our weekly article series and important product updates and news from VENZA.