Data is a central foundation of modern companies. It is created in digital services, software, documents, processes, communication systems, and AI applications. For companies to use this data sensibly, clear rules are needed: Who may use which data? How can data be made available? How is it protected? And how can a switch between digital services be designed fairly?

This is exactly where the EU Data Act comes in.

The exact title is:

Regulation (EU) 2023/2854 of the European Parliament and of the Council of 13 December 2023 on harmonised rules on fair access to and use of data and amending Regulation (EU) 2017/2394 and Directive (EU) 2020/1828 (Data Act).

As a general rule, the Regulation has applied since 12 September 2025, although individual provisions may have different dates of application.

What is the EU Data Act?

The EU Data Act is a European regulation for a fairer, more transparent, and better regulated handling of data. It is intended to facilitate access to certain data, create fair conditions for data use, and prevent companies from becoming unnecessarily dependent on individual providers or systems.

This is not about uncontrolled disclosure of data. The Data Act expressly takes protective interests into account, such as data protection, trade secrets, security requirements, and the rights of third parties. Personal data remains protected by the GDPR.

The European Commission describes the Data Act as a framework for data access and data use that is intended to promote data availability, innovation, and fairness in the data economy.

What is the EU Data Act for?

The EU Data Act is intended to give companies, users, and public authorities more clarity in dealing with data. Particularly important are:

• fair access to certain data,
• transparent rules for data use,
• better options for switching between digital services,
• protection against unfair contractual terms,
• promotion of competition and innovation,
• protection of non-personal data against unlawful access,
• better data portability and interoperability.

This is especially relevant for cloud, software, and data processing services. Providers should not make switching and data transfers unnecessarily difficult. The European Commission expressly states that customers should be able to switch between data processing services without losing data or core functions; data should be exportable at least in a common and machine-readable format.

Why is this important for AI?

AI systems work with data. This includes, for example, documents, inputs, knowledge bases, chat histories, project information, configurations, analysis results, or generated outputs.

For companies, it is therefore crucial that AI does not lead to a loss of control over their own data. A good AI system must be understandable, controllable, and secure. Companies should be able to use their knowledge better without losing sovereignty over their own information.

The Vimmera principle is therefore:

AI should make company knowledge usable, not take it away.

How does Vimmera take the EU Data Act into account?

Vimmera develops and operates AI solutions for companies. Depending on the customer solution, different data may be processed, for example documents, process information, conversation content, knowledge bases, project files, user information, technical settings, or inputs and outputs from AI systems.

The specific application of the EU Data Act always depends on the respective system, intended use, contract, and data inventory. Vimmera therefore takes the requirements of the Data Act into account within the framework of the respective customer solution, the technical possibilities, and the legal permissibility.

Transparency about data and systems

Vimmera places importance on ensuring that customers can understand how an AI solution is structured, which data is used, and for what purpose the processing takes place.

AI systems are not understood as uncontrolled black boxes, but as clearly defined tools within a specific business process. This includes clear roles, permissions, data sources, functions, and system boundaries.

Purpose-bound processing

Data is not used arbitrarily at Vimmera. Processing takes place within the scope of the agreed purpose and the respective customer solution.

A system is therefore set up for a specific task, for example internal knowledge search, assistance functions, document analysis, minutes creation, support, translation, or process support.

Use of customer data for other purposes does not take place without an appropriate basis.

Protection of company knowledge

Company knowledge is particularly worthy of protection. This includes internal documents, processes, conversation content, technical information, project documents, contracts, knowledge bases, and organizational know-how.

Vimmera protects such information through technical and organizational measures such as access restrictions, authorization concepts, separate data areas, encryption, logging, and controlled system access.

The principle is:

Access only where it is required for the respective purpose.

Disclosure, export, and switching options

Customer data belongs to the customers. Vimmera will not be an obstacle to customers receiving, backing up, or transferring their own data to other systems.

In accordance with the respective contractual agreements, technical possibilities, and legal permissibility, Vimmera shall, upon request from its customers, in particular upon termination of the contract or a justified request for disclosure, provide the data received from, provided by, or uploaded by the respective customer in a technically manageable and suitable format.

This may include in particular:

• documents and files provided by the customer,
• content from Vimmera Cortex,
• data from project folders, tools, or agents,
• structured customer data and knowledge bases,
• lists of user accounts,
• role and access rules,
• relevant settings and configurations,
• documentation on software functions provided within the framework of the contractual agreements.

The aim is maximum transparency and fairness in dealing with customer data. Customers should be able to understand which data was brought in and which information is required for internal further processing or an orderly switch.

Data protection requirements, third-party rights, trade secrets, security requirements, and technical protective measures are taken into account.

Not included in the disclosure are Vimmera’s own protective rights, internal system components, and intellectual property. This includes in particular system prompts, internal storage and processing logic, embeddings, proprietary configurations, internal methods, technical architectural decisions, source code, operating logic, and other Vimmera know-how.

In short:

Customer data remains customer data. Vimmera data and Vimmera know-how remain the property of Vimmera.

Clear contractual arrangements

Vimmera works with transparent contractual foundations. Depending on the project, these include service descriptions, data protection provisions, agreements on data processing, technical and organizational measures, confidentiality provisions, and rules on access, export, deletion, and use of data.

This makes it possible to clearly regulate which data is processed, for what purpose, and which rights and obligations exist.

Thinking about data protection and the Data Act together

The EU Data Act does not replace the GDPR. As soon as personal data is processed, the requirements of the GDPR continue to apply without restriction.

Vimmera therefore considers Data Act requirements together with data protection, IT security, confidentiality, role and rights concepts, and other requirements for responsible AI.

Our understanding

The EU Data Act fits our understanding of responsible AI.

AI should not make companies dependent, but more capable of acting. Companies should be able to use their knowledge better without losing control over their data.

That is why Vimmera develops AI solutions with clear purposes, secure structures, and understandable rules.

Our goal is not to use data as extensively as possible. Our goal is to make data usable where it creates real added value, in a sensible, secure, and controlled way.