Wibu-Systems' Compliance to Data Act

The Data Act mandates that providers of “connected products” and “related services” grant users access to certain product and associated service data.

I. Scope of the Data Act

1. Connected Products

A connected product refers to “an item that obtains, generates or collects data concerning its use or environment and that is able to communicate product data via an electronic communications service, physical connection or on-device access, and whose primary function is not the storing, processing or transmission of data on behalf of any party other than the user”.

2. Related Services

A related service refers to “a digital service, other than an electronic communications service, including software, which is connected with the product at the time of the purchase, rent or lease in such a way that its absence would prevent the connected product from performing one or more of its functions, or which is subsequently connected to the product by the manufacturer or a third party to add to, update or adapt the functions of the connected product”.

II. Wibu-Systems’ Products and Services Are Not Covered by the Data Act

Wibu-Systems’ solutions are designed exclusively to secure commercial software by ensuring protected delivery, operation only with a valid license, and prevention of unauthorized replication or manipulation. These solutions neither qualify as “connected products” nor capture, store, or analyze data generated by connected products through a related service.

Physical products from Wibu-Systems, such as CmDongle or CmASIC, function solely as “hardware security modules” for software protection and licensing. They do not process sensory inputs, possess network communication capabilities, or generate data as defined by the Data Act.

The same applies to Wibu-Systems’ digital services. For instance, CodeMeter License Reporting collects only licensing usage data for license allocation and billing purposes. Likewise, CodeMeter License Central, CodeMeter License Portal, CodeMeter WebDepot, CodeMeter Cloud, and CodeMeter Cloud Lite operate outside the scope of the Data Act, as they do not process product data within its meaning.

III. Data Protection Considerations

1. Background of Data Processing

In the context of collaborations between Wibu-Systems and an ISV (Independent Software Vendor), Wibu-Systems processes personal data of end customers exclusively on behalf of the ISV and in full compliance with GDPR requirements. Such processing occurs in particular when:

1. Wibu-Systems supplies license containers (e.g. CmDongle, CmActLicense, or CmCloudContainer) to an ISV for subsequent distribution to end customers.
2. The ISV commissions Wibu-Systems to host solutions such as CodeMeter License Central, CodeMeter Cloud, CodeMeter License Portal and/or CodeMeter WebDepot.

2. No Direct User Identification

Wibu-Systems does not directly identify individual users. Its systems record only container serial numbers and the IP addresses of current container holders.

Although these values could, in theory, be linked to a specific individual by an Internet provider or an ISV through significant effort, the usage data is aggregated at the container, and container ownership may change over time. As a result, the stored container data cannot be attributed to any specific user.

Consequently, disclosing such data to a current user – whether or not required by the Data Act – would contravene data protection laws unless it can be verified as the user’s own personal data.

Contact Wibu-Systems

Questions concerning the Data Act and related compliance matters should be addressed to compliance(at)wibu.com.