Implementation of the EU Data Act in WinCC OA

1. Introduction

  • The EU Data Act (Regulation (EU) 2023/2854) (see https://eur-lex.europa.eu/eli/reg/2023/2854/oj?locale=de ) regulates the use and sharing of data in Europe.
  • It obliges manufacturers and operators of digital products and services to provide users with easy access to generated data as well as to ensure data portability and sharing.
  • The Data Act applies directly in all EU member states from September 12, 2025.
  • This chapter describes how WinCC OA supports the requirements of the Data Act.

2. Type, format, and estimated scope of generable product data

WinCC OA processes a variety of data, including:

  • Real-time process data (measured values, switching states, alarm messages)
  • Historical data (archive databases, event logs)
  • User data (login, roles, configuration)
  • Project data (panel definitions, scripts, driver configurations)

These data are typically organized in the internal data model and can be processed or queried via various interfaces.

The actual data available largely depends on the project configuration as selected during project creation.

WinCC OA supports a wide range of data types (see Datapoints as bearer of information for details).

Important:
All data present or processed in WinCC OA remain in the system and are, in principle, fully accessible to the project operator – unless otherwise configured during project creation (e.g., by a system provider) – through various means.

3. Data access and interfaces

WinCC OA offers comprehensive options for accessing generated data, including:

Access option Example usage
OPC UA Standardized industrial protocol for data integration
REST API Access to data and objects via web interfaces
SQL access to history Direct access to archived databases
MQTT/JSON exports Integration with cloud platforms or third-party systems
ASCII export Export to structured, machine-readable formats
For many of the interfaces available in WinCC OA, secure data transmission (e.g., via HTTPS, TLS) is also available.

4. Data storage and retention period

The data in WinCC OA are stored in the file system of the respective platform (e.g., logs) or kept in memory and persisted in various ways (see also Database).

The retention period is permanently dependent on the configuration of the respective environment.

Remote data storage:

Data transfer to external systems is possible via various communication interfaces (see Northbound Interfaces).

Logging data can also be transferred to a SIEM system.

The retention period on external systems depends on the configuration of the respective system.

The persisted data can be secured via various backup options.

For example:

5. User rights according to the EU Data Act

According to Articles 4–7 of the Data Act, users are entitled to the following rights, which are technically supported by WinCC OA:

  1. Right of access to data
    • Users with the appropriate permissions can view all generated or stored data via visualization (e.g., PARA module), archives, log files, or APIs.
  2. Right to data portability
    • Export functions and APIs enable the transfer of structured data (e.g., as CSV, JSON, XML).
    • Project and configuration data can be backed up and shared.
  3. Right to share with third parties
    • Via standardized interfaces such as MQTT or REST, data can be easily made available to external platforms.

6. Technical and organizational measures for data security

WinCC OA supports the following functions to secure data usage:

  • Role and permission management (user groups, access protection)
  • Audit trail and event logging
  • TLS/SSL encryption for UI/web access
  • Access logging
  • Flexible export control (e.g., selective data export)

7. Recommendations for system operators

To fulfill legal obligations, it is recommended to record the following information in the project documentation:

  • Description of which data are collected and how they can be exported
  • Documentation of assigned user rights
  • Description of the interfaces used
  • Procedures for handling data portability requests
Tip:
This can be especially relevant for those operators who offer WinCC OA as the basis of their own product solution or as SaaS.

8. Deletion of data

By uninstalling/deleting the installation or project directory, all data from WinCC OA can be removed.

9. Disclaimer

Warning:
The information contained in this chapter does not constitute legal advice. Responsibility for compliance with legal requirements in individual cases lies with the respective operator/creator of the system.

10. FAQ: Data Act and WinCC OA

Q: Which data can be exported?
A: All process-, user-, and configuration data generated by WinCC OA, depending on configured access.
Q: Can a customer take their data to another system?
A: Yes, data can be prepared for third parties via export functions and APIs.
Q: Do I need to configure anything as an operator?
A: It is recommended to clearly define and document user permissions and API access.