Chapter II – Business to consumer and business to business data sharing (Art. 3-7)
Art. 3 Data Act - Obligation to make product data and related service data accessible to the user arrow_right_alt
- Connected products shall be designed and manufactured, and related services shall be designed and provided, in such a manner that product data and related service data, including the relevant metadata necessary to interpret and use those data, are, by default, easily, securely, free of charge, in a comprehensive, structured, commonly used and machine-readable format, and, where relevant and technically feasible, directly accessible to the user.
- Before concluding a contract for the purchase, rent or lease of a connected product, the seller, rentor or lessor, which may be the manufacturer, shall provide at least the following information to the user, in a clear and comprehensible manner:
- the type, format and estimated volume of product data which the connected product is capable of generating;
- whether the connected product is capable of generating data continuously and in real-time;
- whether the connected product is capable of storing data on-device or on a remote server, including, where applicable, the intended duration of retention;
- how the user may access, retrieve or, where relevant, erase the data, including the technical means to do so, as well as their terms of use and quality of service.
- Before concluding a contract for the provision of a related service, the provider of such related service shall provide at least the following information to the user, in a clear and comprehensible manner:
- the nature, estimated volume and collection frequency of product data that the prospective data holder is expected to obtain and, where relevant, the arrangements for the user to access or retrieve such data, including the prospective data holder’s data storage arrangements and the duration of retention;
- the nature and estimated volume of related service data to be generated, as well as the arrangements for the user to access or retrieve such data, including the prospective data holder’s data storage arrangements and the duration of retention;
- whether the prospective data holder expects to use readily available data itself and the purposes for which those data are to be used, and whether it intends to allow one or more third parties to use the data for purposes agreed upon with the user;
- the identity of the prospective data holder, such as its trading name and the geographical address at which it is established and, where applicable, of other data processing parties;
- the means of communication which make it possible to contact the prospective data holder quickly and communicate with that data holder efficiently;
- how the user can request that the data are shared with a third party and, where applicable, end the data sharing;
- the user’s right to lodge a complaint alleging an infringement of any of the provisions of this Chapter with the competent authority designated pursuant to Article 37;
- whether a prospective data holder is the holder of trade secrets contained in the data that is accessible from the connected product or generated during the provision of a related service, and, where the prospective data holder is not the trade secret holder, the identity of the trade secret holder;
- the duration of the contract between the user and the prospective data holder, as well as the arrangements for terminating such a contract.
- 20
- 21
- 22
- 23
- 24
Recital 20
In practice, not all data generated by connected products or related services are easily accessible to their users and there are often limited possibilities regarding the portability of data generated by products connected to the internet. Users are unable to obtain the data necessary to make use of providers of repair and other services and businesses are unable to launch innovative, convenient and more efficient services. In many sectors, manufacturers are able to determine, through their control of the technical design of the connected products or related services, what data are generated and how they can be accessed, despite having no legal right to those data. It is therefore necessary to ensure that connected products are designed and manufactured, and related services are designed and provided, in such a manner that product data and related service data, including the relevant metadata necessary to interpret and use those data, including for the purpose of retrieving, using or sharing them, are always easily and securely accessible to a user, free of charge, in a comprehensive, structured, commonly used and machine-readable format. Product data and related service data that a data holder lawfully obtains or can lawfully obtain from the connected product or related service, such as by means of the connected product design, the data holder’s contract with the user for the provision of related services, and its technical means of data access, without disproportionate effort, are referred to as ‘readily available data’. Readily available data does not include data generated by the use of a connected product where the design of the connected product does not provide for such data being stored or transmitted outside the component in which they are generated or the connected product as a whole.
This Regulation should therefore not be understood to impose an obligation to store data on the central computing unit of a connected product. The absence of such an obligation should not prevent the manufacturer or data holder from voluntarily agreeing with the user on the making of such adaptations. The design obligations in this Regulation are also without prejudice to the data minimisation principle laid down in Article 5(1), point (c), of Regulation (EU) 2016/679 and should not be understood as imposing an obligation to design connected products and related services in such a way that they store or otherwise process any personal data other than the personal data necessary in relation to the purposes for which they are processed. Union or national law could be introduced to outline further specificities, such as the product data that should be accessible from connected products or related services, given that such data may be essential for the efficient operation, repair or maintenance of those connected products or related services. Where subsequent updates or alterations to a connected product or a related service, by the manufacturer or another party, lead to additional accessible data or a restriction of initially accessible data, such changes should be communicated to the user in the context of the update or alteration.
Recital 21
Where several persons or entities are considered to be users, for example in the case of co-ownership or where an owner, renter or lessee shares rights of data access or use, the design of the connected product or related service, or the relevant interface, should enable each user to have access to the data they generate. Use of connected products that generate data typically requires a user account to be set up. Such an account allows the user to be identified by the data holder, which may be the manufacturer. It can also be used as a means of communication and to submit and process data access requests. Where several manufacturers or related services providers have sold, rented or leased connected products or provided related services, integrated together, to the same user, the user should turn to each of the parties with which it has a contract. Manufacturers or designers of a connected product that is typically used by several persons should put in place the necessary mechanisms to allow separate user accounts for individual persons, where relevant, or for the possibility of several persons using the same user account. Account solutions should allow users to delete their accounts and erase the data related to them and could allow users to terminate data access, use or sharing, or submit requests to terminate, in particular taking into account situations in which the ownership or usage of the connected product changes. Access should be granted to the user on the basis of simple request mechanism granting automatic execution and not requiring examination or clearance by the manufacturer or data holder. This means that the data should be made available only when the user actually wants access. Where automated execution of the data access request is not possible, for example via a user account or accompanying mobile application provided with the connected product or related service, the manufacturer should inform the user as to how the data may be accessed.
Recital 22
Connected products may be designed to make certain data directly accessible from on-device data storage or from a remote server to which the data are communicated. Access to on-device data storage may be enabled via cable-based or wireless local area networks connected to a publicly available electronic communications service or mobile network. The server may be the manufacturer’s own local server capacity or that of a third party or a cloud service provider. Processors as defined in Article 4, point (8), of Regulation (EU) 2016/679 are not considered to act as data holders. However, they can be specifically tasked with making data available by the controller as defined in Article 4, point (7), of Regulation (EU) 2016/679. Connected products may be designed to permit the user or a third party to process the data on the connected product, on a computing instance of the manufacturer or within an information and communications technology (ICT) environment chosen by the user or the third party.
Recital 23
Virtual assistants play an increasing role in digitising consumer and professional environments and serve as an easy-to-use interface to play content, obtain information, or activate products connected to the internet. Virtual assistants can act as a single gateway in, for example, a smart home environment and record significant amounts of relevant data on how users interact with products connected to the internet, including those manufactured by other parties, and can replace the use of manufacturer-provided interfaces such as touch screens or smartphone apps. The user may wish to make available such data to third party manufacturers and enable novel smart services. Virtual assistants should be covered by the data access rights provided for in this Regulation. Data generated when a user interacts with a connected product via a virtual assistant provided by an entity other than the manufacturer of the connected product should also be covered by the data access rights provided for in this Regulation. However, only the data arising from the interaction between the user and a connected product or related service through the virtual assistant should be covered by this Regulation. Data produced by the virtual assistant which are unrelated to the use of a connected product or related service are not covered by this Regulation.
Recital 24
Before concluding a contract for the purchase, rent, or lease of a connected product, the seller, rentor or lessor, which may be the manufacturer, should provide to the user information regarding the product data which the connected product is capable of generating, including the type, format and the estimated volume of such data, in a clear and comprehensible manner. This could include information on data structures, data formats, vocabularies, classification schemes, taxonomies and code lists, where available, as well as clear and sufficient information relevant for the exercise of the user’s rights on how the data may be stored, retrieved or accessed, including the terms of use and quality of service of application programming interfaces or, where applicable, the provision of software development kits. That obligation provides transparency over the product data generated and enhances easy access for the user. The information obligation could be fulfilled, for example by maintaining a stable uniform resource locator (URL) on the web, which can be distributed as a web link or QR code, pointing to the relevant information, which could be provided by the seller, rentor or lessor, which may be the manufacturer, to the user before concluding the contract for the purchase, rent or lease of a connected product. It is, in any case, necessary that the user is able to store the information in a way that is accessible for future reference and that allows the unchanged reproduction of the information stored.
The data holder cannot be expected to store the data indefinitely in view of the needs of the user of the connected product, but should implement a reasonable data retention policy, where applicable, in line with storage limitation principle pursuant Article 5(1), point (e), of Regulation (EU) 2016/679, that allows for the effective application of the data access rights provided for in this Regulation. The obligation to provide information does not affect the obligation of the controller to provide information to the data subject pursuant to Articles 12, 13 and 14 of Regulation (EU) 2016/679. The obligation to provide information before concluding a contract for the provision of a related service should lie with the prospective data holder, independently of whether the data holder concludes a contract for the purchase, rent or lease of a connected product. Where information changes during the lifetime of the connected product or the contract period for the related service, including where the purpose for which those data are to be used changes from the originally specified purpose, it should also be provided to the user.
Art. 4 Data Act - The rights and obligations of users and data holders with regard to access, use and making available product data and related service data arrow_right_alt
- Where data cannot be directly accessed by the user from the connected product or related service, data holders shall make readily available data, as well as the relevant metadata necessary to interpret and use those data, accessible to the user without undue delay, of the same quality as is available to the data holder, easily, securely, free of charge, in a comprehensive, structured, commonly used and machine-readable format and, where relevant and technically feasible, continuously and in real-time. This shall be done on the basis of a simple request through electronic means where technically feasible.
- Users and data holders may contractually restrict or prohibit accessing, using or further sharing data, if such processing could undermine security requirements of the connected product, as laid down by Union or national law, resulting in a serious adverse effect on the health, safety or security of natural persons. Sectoral authorities may provide users and data holders with technical expertise in that context. Where the data holder refuses to share data pursuant to this Article, it shall notify the competent authority designated pursuant to Article 37.
- Without prejudice to the user’s right to seek redress at any stage before a court or tribunal of a Member State, the user may, in relation to any dispute with the data holder concerning the contractual restrictions or prohibitions referred to in paragraph 2:
- lodge, in accordance with Article 37(5), point (b), a complaint with the competent authority; or
- agree with the data holder to refer the matter to a dispute settlement body in accordance with Article 10(1).
- Data holders shall not make the exercise of choices or rights under this Article by the user unduly difficult, including by offering choices to the user in a non-neutral manner or by subverting or impairing the autonomy, decision-making or choices of the user via the structure, design, function or manner of operation of a user digital interface or a part thereof.
- For the purpose of verifying whether a natural or legal person qualifies as a user for the purposes of paragraph 1, a data holder shall not require that person to provide any information beyond what is necessary. Data holders shall not keep any information, in particular log data, on the user’s access to the data requested beyond what is necessary for the sound execution of the user’s access request and for the security and maintenance of the data infrastructure.
- Trade secrets shall be preserved and shall be disclosed only where the data holder and the user take all necessary measures prior to the disclosure to preserve their confidentiality in particular regarding third parties. The data holder or, where they are not the same person, the trade secret holder shall identify the data which are protected as trade secrets, including in the relevant metadata, and shall agree with the user proportionate technical and organisational measures necessary to preserve the confidentiality of the shared data, in particular in relation to third parties, such as model contractual terms, confidentiality agreements, strict access protocols, technical standards and the application of codes of conduct.
- Where there is no agreement on the necessary measures referred to in paragraph 6, or if the user fails to implement the measures agreed pursuant to paragraph 6 or undermines the confidentiality of the trade secrets, the data holder may withhold or, as the case may be, suspend the sharing of data identified as trade secrets. The decision of the data holder shall
be duly substantiated and provided in writing to the user without undue delay. In such cases, the data holder shall notify the competent authority designated pursuant to Article 37 that it has withheld or suspended data sharing and identify which measures have not been agreed or implemented and, where relevant, which trade secrets have had their confidentiality undermined. - In exceptional circumstances, where the data holder who is a trade secret holder is able to demonstrate that it is highly likely to suffer serious economic damage from the disclosure of trade secrets, despite the technical and organisational measures taken by the user pursuant to paragraph 6 of this Article, that data holder may refuse on a case-by-case basis a request for access to the specific data in question. That demonstration shall be duly substantiated on the basis of objective elements, in particular the enforceability of trade secrets protection in third countries, the nature and level of confidentiality of the data requested, and the uniqueness and novelty of the connected product, and shall be provided in writing to the user without undue delay. Where the data holder refuses to share data pursuant to this paragraph, it shall notify the competent authority designated pursuant to Article 37.
- Without prejudice to a user’s right to seek redress at any stage before a court or tribunal of a Member State, a user wishing to challenge a data holder’s decision to refuse or to withhold or suspend data sharing pursuant to paragraphs 7 and 8 may:
- lodge, in accordance with Article 37(5), point (b), a complaint with the competent authority, which shall, without undue delay, decide whether and under which conditions data sharing is to start or resume; or
- agree with the data holder to refer the matter to a dispute settlement body in accordance with Article 10(1).
- The user shall not use the data obtained pursuant to a request referred to in paragraph 1 to develop a connected product that competes with the connected product from which the data originate, nor share the data with a third party with that intent and shall not use such data to derive insights about the economic situation, assets and production methods of the manufacturer or, where applicable the data holder.
- The user shall not use coercive means or abuse gaps in the technical infrastructure of a data holder which is designed to protect the data in order to obtain access to data.
- Where the user is not the data subject whose personal data is requested, any personal data generated by the use of a connected product or related service shall be made available by the data holder to the user only where there is a valid legal basis for processing under Article 6 of Regulation (EU) 2016/679 and, where relevant, the conditions of Article 9 of that Regulation and of Article 5(3) of Directive (EU) 2002/58 are fulfilled.
- A data holder shall only use any readily available data that is non-personal data on the basis of a contract with the user. A data holder shall not use such data to derive insights about the economic situation, assets and production methods of, or the use by, the user in any other manner that could undermine the commercial position of that user on the markets in which the user is active.
- Data holders shall not make available non-personal product data to third parties for commercial or non-commercial purposes other than the fulfilment of their contract with the user. Where relevant, data holders shall contractually bind third parties not to further share data received from them.
- 23
- 25
Recital 23
Virtual assistants play an increasing role in digitising consumer and professional environments and serve as an easy-to-use interface to play content, obtain information, or activate products connected to the internet. Virtual assistants can act as a single gateway in, for example, a smart home environment and record significant amounts of relevant data on how users interact with products connected to the internet, including those manufactured by other parties, and can replace the use of manufacturer-provided interfaces such as touch screens or smartphone apps. The user may wish to make available such data to third party manufacturers and enable novel smart services. Virtual assistants should be covered by the data access rights provided for in this Regulation. Data generated when a user interacts with a connected product via a virtual assistant provided by an entity other than the manufacturer of the connected product should also be covered by the data access rights provided for in this Regulation. However, only the data arising from the interaction between the user and a connected product or related service through the virtual assistant should be covered by this Regulation. Data produced by the virtual assistant which are unrelated to the use of a connected product or related service are not covered by this Regulation.
Recital 25
This Regulation should not be understood to confer any new right on data holders to use product data or related service data. Where the manufacturer of a connected product is a data holder, the basis for the manufacturer to use non-personal data should be a contract between the manufacturer and the user. Such a contract could be part of an agreement for the provision of the related service, which could be concluded together with the purchase, rent or lease agreement relating to the connected product. Any contractual term stipulating that the data holder may use product data or related service data should be transparent to the user, including regarding the purposes for which the data holder intends to use the data. Such purposes could include improving the functioning of the connected product or related services, developing new products or services, or aggregating data with the aim of making available the resulting derived data to third parties, provided that such derived data do not allow the identification of specific data transmitted to the data holder from the connected product, or allow a third party to derive those data from the dataset. Any change of the contract should depend on the informed agreement of the user. This Regulation does not prevent parties from agreeing on contractual terms the effect of which is to exclude or limit the use of non-personal data, or certain categories of non-personal data, by a data holder. Neither does it prevent parties from agreeing to make product data or related service data available to third parties, directly or indirectly, including, where applicable, via another data holder.
Moreover, this Regulation does not prevent sector-specific regulatory requirements under Union law or national law compatible with Union law which would exclude or limit the use of certain such data by the data holder on well-defined public policy grounds. This Regulation does not prevent users, in the case of business-to-business relations, from making data available to third parties or data holders under any lawful contractual term, including by agreeing to limit or restrict further sharing of such data, or from being compensated proportionately, for example in exchange for waiving their right to use or share such data. While the notion of ‘data holder’ generally does not include public sector bodies, it may include public undertakings.
Art. 5 Data Act - Right of the user to share data with third parties arrow_right_alt
- Upon request by a user, or by a party acting on behalf of a user, the data holder shall make available readily available data, as well as the relevant metadata necessary to interpret and use those data, to a third party without undue delay, of the same quality as is available to the data holder, easily, securely, free of charge to the user, in a comprehensive, structured, commonly used and machine-readable format and, where relevant and technically feasible, continuously and in real-time. The data shall be made available by the data holder to the third party in accordance with Articles 8 and 9.
- Paragraph 1 shall not apply to readily available data in the context of the testing of new connected products, substances or processes that are not yet placed on the market unless their use by a third party is contractually permitted.
- Any undertaking designated as a gatekeeper, pursuant to Article 3 of Regulation (EU) 2022/1925, shall not be an eligible third party under this Article and therefore shall not:
- solicit or commercially incentivise a user in any manner, including by providing monetary or any other compensation, to make data available to one of its services that the user has obtained pursuant to a request under Article 4(1);
- solicit or commercially incentivise a user to request the data holder to make data available to one of its services pursuant to paragraph 1 of this Article;
- receive data from a user that the user has obtained pursuant to a request under Article 4(1).
- For the purpose of verifying whether a natural or legal person qualifies as a user or as a third party for the purposes of paragraph 1, the user or the third party shall not be required to provide any information beyond what is necessary. Data holders shall not keep any information on the third party’s access to the data requested beyond what is necessary for the sound execution of the third party’s access request and for the security and maintenance of the data infrastructure.
- The third party shall not use coercive means or abuse gaps in the technical infrastructure of a data holder which is designed to protect the data in order to obtain access to data.
- A data holder shall not use any readily available data to derive insights about the economic situation, assets and production methods of, or the use by, the third party in any other manner that could undermine the commercial position of the third party on the markets in which the third party is active, unless the third party has given permission to such use and has the technical possibility to easily withdraw that permission at any time.
- Where the user is not the data subject whose personal data is requested, any personal data generated by the use of a connected product or related service shall be made available by the data holder to the third party only where there is a valid legal basis for processing under Article 6 of Regulation (EU) 2016/679 and, where relevant, the conditions of Article 9 of that Regulation and of Article 5(3) of Directive (EU) 2002/58 are fulfilled.
- Any failure on the part of the data holder and the third party to agree on arrangements for transmitting the data shall not hinder, prevent or interfere with the exercise of the rights of the data subject under Regulation (EU) 2016/679 and, in particular, with the right to data portability under Article 20 of that Regulation.
- Trade secrets shall be preserved and shall be disclosed to third parties only to the extent that such disclosure is strictly necessary to fulfil the purpose agreed between the user and the third party. The data holder or, where they are not the same person, the trade secret holder shall identify the data which are protected as trade secrets, including in the relevant metadata, and shall agree with the third party all proportionate technical and organisational measures necessary to preserve the confidentiality of the shared data, such as model contractual terms, confidentiality agreements, strict access protocols, technical standards and the application of codes of conduct.
- Where there is no agreement on the necessary measures referred to in paragraph 9 or if the third party fails to implement the measures agreed pursuant to paragraph 9 or undermines the confidentiality of the trade secrets, the data holder may withhold or, as the case may be, suspend the sharing of data identified as trade secrets. The decision of the data holder shall be duly substantiated and provided in writing to the third party without undue delay. In such cases, the data holder shall notify the competent authority designated pursuant to Article 37 that it has withheld or suspended data sharing and identify which measures have not been agreed or implemented and, where relevant, which trade secrets have had their confidentiality undermined.
- In exceptional circumstances, where the data holder who is a trade secret holder is able to demonstrate that it is highly likely to suffer serious economic damage from the disclosure of trade secrets, despite the technical and organisational measures taken by the third party pursuant to paragraph 9 of this Article, that data holder may refuse on a case-by-case basis a request for access to the specific data in question. That demonstration shall be duly substantiated on the basis of objective elements, in particular the enforceability of trade secrets protection in third countries, the nature and level of confidentiality of the data requested, and the uniqueness and novelty of the connected product, and shall be provided in writing to the third party without undue delay. Where the data holder refuses to share data pursuant to this paragraph, it shall notify the competent authority designated pursuant to Article 37.
- Without prejudice to the third party’s right to seek redress at any stage before a court or tribunal of a Member State, a third party wishing to challenge a data holder’s decision to refuse or to withhold or suspend data sharing pursuant to paragraphs 10 and 11 may:
- lodge, in accordance with Article 37(5), point (b), a complaint with the competent authority, which shall, without undue delay, decide whether and under which conditions the data sharing is to start or resume; or
- agree with the data holder to refer the matter to a dispute settlement body in accordance with Article 10(1).
- The right referred to in paragraph 1 shall not adversely affect the rights of data subjects pursuant to the applicable Union and national law on the protection of personal data.
- 26
- 29
- 31
- 33
- 35
- 40
Recital 26
To foster the emergence of liquid, fair and efficient markets for non-personal data, users of connected products should be able to share data with others, including for commercial purposes, with minimal legal and technical effort. It is currently often difficult for businesses to justify the personnel or computing costs that are necessary for preparing non-personal datasets or data products and to offer them to potential counterparties via data intermediation services, including data marketplaces. A substantial hurdle to the sharing of non-personal data by businesses therefore results from the lack of predictability of economic returns from investing in the curation and making available of datasets or data products. In order to allow for the emergence of liquid, fair and efficient markets for non-personal data in the Union, the party that has the right to offer such data on a market must be clarified. Users should therefore have the right to share non-personal data with data recipients for commercial and non-commercial purposes. Such data sharing could be performed directly by the user, upon the request of the user via a data holder, or through data intermediation services. Data intermediation services, as regulated by Regulation (EU) 2022/868 of the European Parliament and of the Council(1) could facilitate a data economy by establishing commercial relationships between users, data recipients and third parties and may support users in exercising their right to use data, such as ensuring the anonymisation of personal data or aggregation of access to data from multiple individual users.
Where data are excluded from a data holder’s obligation to make them available to users or third parties, the scope of such data could be specified in the contract between the user and the data holder for the provision of a related service so that users can easily determine which data are available to them for sharing with data recipients or third parties. Data holders should not make available non-personal product data to third parties for commercial or non-commercial purposes other than the fulfilment of their contract with the user, without prejudice to legal requirements pursuant to Union or national law for a data holder to make data available. Where relevant, data holders should contractually bind third parties not to further share data received from them.
(1) Regulation (EU) 2022/868 of the European Parliament and of the Council of 30 May 2022 on European data governance and amending Regulation (EU) 2018/1724 (Data Governance Act) (OJ L 152, 3.6.2022, p. 1).
Recital 29
Data holders may require appropriate user identification to verify a user’s entitlement to access the data. In the case of personal data processed by a processor on behalf of the controller, data holders should ensure that the access request is received and handled by the processor.
Recital 31
Directive (EU) 2016/943 of the European Parliament and of the Council(1) provides that the acquisition, use or disclosure of a trade secret shall be considered to be lawful, inter alia, where such acquisition, use or disclosure is required or allowed by Union or national law. While this Regulation requires data holders to disclose certain data to users, or third parties of a user’s choice, even when such data qualify for protection as trade secrets, it should be interpreted in such a manner as to preserve the protection afforded to trade secrets under Directive (EU) 2016/943. In this context, data holders should be able to require users, or third parties of a user’s choice, to preserve the confidentiality of data considered to be trade secrets. To that end, data holders should identify trade secrets prior to the disclosure, and should have the possibility to agree with users, or third parties of a user’s choice, on necessary measures to preserve their confidentiality, including by the use of model contractual terms, confidentiality agreements, strict access protocols, technical standards and the application of codes of conduct. In addition to the use of model contractual terms to be developed and recommended by the Commission, the establishment of codes of conduct and technical standards related to the protection of trade secrets in handling the data could help achieve the aim of this Regulation and should be encouraged. Where there is no agreement on the necessary measures or where a user, or third parties of the user’s choice, fail to implement agreed measures or undermine the confidentiality of the trade secrets, the data holder should be able to withhold or suspend the sharing of data identified as trade secrets. In such cases, the data holder should provide the decision in writing to the user or to the third party without undue delay and notify the competent authority of the Member State in which the data holder is established that it has withheld or suspended data sharing and identify which measures have not been agreed or implemented and, where relevant, which trade secrets have had their confidentiality undermined. Data holders cannot, in principle, refuse a data access request under this Regulation solely on the basis that certain data is considered to be a trade secret, as this would subvert the intended effects of this Regulation. However, in exceptional circumstances, a data holder who is a trade secret holder should be able, on a case-by-case basis, to refuse a request for the specific data in question if it is able to demonstrate to the user or to the third party that, despite the technical and organisational measures taken by the user or by the third party, serious economic damage is highly likely to result from the disclosure of that trade secret. Serious economic damage implies serious and irreparable economic loss. The data holder should duly substantiate its refusal in writing without undue delay to the user or to the third party and notify the competent authority. Such a substantiation should be based on objective elements, demonstrating the concrete risk of serious economic damage expected to result from a specific data disclosure and the reasons why the measures taken to safeguard the requested data are not considered to be sufficient. A possible negative impact on cybersecurity can be taken into account in that context. Without prejudice to the right to seek redress before a court or tribunal of a Member State, where the user or a third party wishes to challenge the data holder’s decision to refuse or to withhold or suspend data sharing, the user or the third party can lodge a complaint with the competent authority, which should, without undue delay, decide whether and under which conditions data sharing should start or resume, or can agree with the data holder to refer the matter to a dispute settlement body. The exceptions to data access rights in this Regulation should not in any case limit the right of access and right to data portability of data subjects under Regulation (EU) 2016/679.
(1) Directive (EU) 2016/943 of the European Parliament and of the Council of 8 June 2016 on the protection of undisclosed know-how and business information (trade secrets) against their unlawful acquisition, use and disclosure (OJ L 157, 15.6.2016, p. 1).
Recital 33
A third party to whom data is made available may be a natural or legal person, such as a consumer, an enterprise, a research organisation, a not-for-profit organisation or an entity acting in a professional capacity. In making the data available to the third party, a data holder should not abuse its position to seek a competitive advantage in markets where the data holder and the third party may be in direct competition. The data holder should not therefore use any readily available data in order to derive insights about the economic situation, assets or production methods of, or the use by, the third party in any other manner that could undermine the commercial position of the third party on the markets in which the third party is active. The user should be able to share non-personal data with third parties for commercial purposes. Upon the agreement with the user, and subject to the provisions of this Regulation, third parties should be able to transfer the data access rights granted by the user to other third parties, including in exchange for compensation. Business-to-business data intermediaries and personal information management systems (PIMS), referred to as data intermediation services in Regulation (EU) 2022/868, may support users or third parties in establishing commercial relations with an undetermined number of potential counterparties for any lawful purpose falling within the scope of this Regulation. They could play an instrumental role in aggregating access to data so that big data analyses or machine learning can be facilitated, provided that users remain in full control of whether to provide their data to such aggregation and the commercial terms under which their data are to be used.
Recital 35
Product data or related service data should only be made available to a third party at the request of the user. This Regulation complements accordingly the right, provided for in Article 20 of Regulation (EU) 2016/679, of data subjects to receive personal data concerning them in a structured, commonly used and machine-readable format, as well as to port those data to another controller, where those data are processed by automated means on the basis of Article 6(1), point (a), or Article 9(2), point (a), or of a contract pursuant to Article 6(1), point (b) of that Regulation. Data subjects also have the right to have the personal data transmitted directly from one controller to another, but only where that is technically feasible. Article 20 of Regulation (EU) 2016/679 specifies that it pertains to data provided by the data subject but does not specify whether this necessitates active behaviour on the side of the data subject or whether it also applies to situations where a connected product or related service, by its design, observes the behaviour of a data subject or other information in relation to a data subject in a passive manner. The rights provided for under this Regulation complement the right to receive and port personal data under Article 20 of Regulation (EU) 2016/679 in a number of ways. This Regulation grants users the right to access and make available to a third party any product data or related service data, irrespective of their nature as personal data, of the distinction between actively provided or passively observed data, and irrespective of the legal basis of processing. Unlike Article 20 of Regulation (EU) 2016/679, this Regulation mandates and ensures the technical feasibility of third party access for all types of data falling within its scope, whether personal or non-personal, thereby ensuring that technical obstacles no longer hinder or prevent access to such data. It also allows data holders to set reasonable compensation to be met by third parties, but not by the user, for costs incurred in providing direct access to the data generated by the user’s connected product. If a data holder and a third party are unable to agree on terms for such direct access, the data subject should in no way be prevented from exercising the rights laid down in Regulation (EU) 2016/679, including the right to data portability, by seeking remedies in accordance with that Regulation. It is to be understood in this context that, in accordance with Regulation (EU) 2016/679, a contract does not allow for the processing of special categories of personal data by the data holder or the third party.
Recital 40
Start-ups, small enterprises, enterprises that qualify as a medium-sized enterprises under Article 2 of the Annex to Recommendation 2003/361/EC and enterprises from traditional sectors with less-developed digital capabilities struggle to obtain access to relevant data. This Regulation aims to facilitate access to data for those entities, while ensuring that the corresponding obligations are as proportionate as possible to avoid overreach. At the same time, a small number of very large enterprises have emerged with considerable economic power in the digital economy through the accumulation and aggregation of vast volumes of data and the technological infrastructure for monetising them. Those very large enterprises include undertakings that provide core platform services controlling whole platform ecosystems in the digital economy and which existing or new market operators are unable to challenge or contest. Regulation (EU) 2022/1925 of the European Parliament and of the Council(1) aims to redress those inefficiencies and imbalances by allowing the Commission to designate an undertaking as a ‘gatekeeper’, and imposes a number of obligations on such gatekeepers, including a prohibition to combine certain data without consent and an obligation to ensure effective rights to data portability under Article 20 of Regulation (EU) 2016/679. In accordance with Regulation (EU) 2022/1925, and given the unrivalled ability of those undertakings to acquire data, it is not necessary to achieve the objective of this Regulation, and would therefore be disproportionate for data holders made subject to such obligations, to include gatekeeper as beneficiaries of the data access right. Such inclusion would also likely limit the benefits of this Regulation for SMEs, linked to the fairness of the distribution of data value across market actors. This means that an undertaking that provides core platform services that has been designated as a gatekeeper cannot request or be granted access to users’ data generated by the use of a connected product or related service or by a virtual assistant pursuant to this Regulation. Furthermore, third parties to whom data are made available at the request of the user may not make the data available to a gatekeeper. For instance, the third party may not subcontract the service provision to a gatekeeper. However, this does not prevent third parties from using data processing services offered by a gatekeeper. Nor does it prevent those undertakings from obtaining and using the same data through other lawful means. The access rights provided for in this Regulation contribute to a wider choice of services for consumers. As voluntary agreements between gatekeepers and data holders remain unaffected, the limitation on granting access to gatekeepers would not exclude them from the market or prevent them from offering their services.
(1) Regulation (EU) 2022/1925 of the European Parliament and of the Council of 14 September 2022 on contestable and fair markets in the digital sector and amending Directives (EU) 2019/1937 and (EU) 2020/1828 (Digital Markets Act) (OJ L 265, 12.10.2022, p. 1).
Art. 6 Data Act - Obligations of third parties receiving data at the request of the user arrow_right_alt
- A third party shall process the data made available to it pursuant to Article 5 only for the purposes and under the conditions agreed with the user and subject to Union and national law on the protection of personal data including the rights of the data subject insofar as personal data are concerned. The third party shall erase the data when they are no longer necessary for the agreed purpose, unless otherwise agreed with the user in relation to non-personal data.
- The third party shall not:
- make the exercise of choices or rights under Article 5 and this Article by the user unduly difficult, including by offering choices to the user in a non-neutral manner, or by coercing, deceiving or manipulating the user, or by subverting or impairing the autonomy, decision-making or choices of the user, including by means of a user digital interface or a part thereof;
- notwithstanding Article 22(2), points (a) and (c), of Regulation (EU) 2016/679, use the data it receives for the profiling, unless it is necessary to provide the service requested by the user;
- make the data it receives available to another third party, unless the data is made available on the basis of a contract with the user, and provided that the other third party takes all necessary measures agreed between the data holder and the third party to preserve the confidentiality of trade secrets;
- make the data it receives available to an undertaking designated as a gatekeeper pursuant to Article 3 of Regulation (EU) 2022/1925;
- use the data it receives to develop a product that competes with the connected product from which the accessed data originate or share the data with another third party for that purpose; third parties shall also not use any non-personal product data or related service data made available to them to derive insights about the economic situation, assets and production methods of, or use by, the data holder;
- use the data it receives in a manner that has an adverse impact on the security of the connected product or related service;
- disregard the specific measures agreed with a data holder or with the trade secrets holder pursuant to Article 5(9) and undermine the confidentiality of trade secrets;
- prevent the user that is a consumer, including on the basis of a contract, from making the data it receives available to other parties.
- 37
- 38
- 39
Recital 37
In order to prevent the exploitation of users, third parties to whom data has been made available at the request of the user should process those data only for the purposes agreed with the user and share them with another third party only with the agreement of the user to such data sharing.
Recital 38
In line with the data minimisation principle, third parties should access only information that is necessary for the provision of the service requested by the user. Having received access to data, the third party should process it for the purposes agreed with the user without interference from the data holder. It should be as easy for the user to refuse or discontinue access by the third party to the data as it is for the user to authorise access. Neither third parties nor data holders should make the exercise of choices or rights by the user unduly difficult, including by offering choices to the user in a non-neutral manner, or by coercing, deceiving or manipulating the user, or by subverting or impairing the autonomy, decision-making or choices of the user, including by means of a user digital interface or a part thereof. In that context, third parties or data holders should not rely on so-called ‘dark patterns’ in designing their digital interfaces. Dark patterns are design techniques that push or deceive consumers into decisions that have negative consequences for them. Those manipulative techniques can be used to persuade users, in particular vulnerable consumers, to engage in unwanted behaviour, to deceive users by nudging them into decisions on data disclosure transactions or to unreasonably bias the decision-making of the users of the service in such a way as to subvert or impair their autonomy, decision-making and choice. Common and legitimate commercial practices that comply with Union law should not in themselves be regarded as constituting dark patterns. Third parties and data holders should comply with their obligations under relevant Union law, in particular the requirements laid down in Directives 98/6/EC(1) and 2000/31/EC(2) of the European Parliament and of the Council and in Directives 2005/29/EC and 2011/83/EU.
(1) Directive 98/6/EC of the European Parliament and of the Council of 16 February 1998 on consumer protection in the indication of the prices of products offered to consumers (OJ L 80, 18.3.1998, p. 27).
(2) Directive 2000/31/EC of the European Parliament and of the Council of 8 June 2000 on certain legal aspects of information society services, in particular electronic commerce, in the Internal Market (‘Directive on electronic commerce’) (OJ L 178, 17.7.2000, p. 1).
Recital 39
Third parties should also refrain from using data falling within the scope of this Regulation to profile individuals unless such processing activities are strictly necessary to provide the service requested by the user, including in the context of automated decision-making. The requirement to erase data when no longer required for the purpose agreed with the user, unless otherwise agreed in relation to non-personal data, complements the data subject’s right to erasure pursuant to Article 17 of Regulation (EU) 2016/679. Where a third party is a provider of a data intermediation service, the safeguards for the data subject provided for by Regulation (EU) 2022/868 apply. The third party may use the data to develop a new and innovative connected product or related service but not to develop a competing connected product.
Art. 7 Data Act - Scope of business-to-consumer and business-to-business data sharing obligations arrow_right_alt
- The obligations of this Chapter shall not apply to data generated through the use of connected products manufactured or designed or related services provided by a microenterprise or a small enterprise, provided that that enterprise does not have a partner enterprise or a linked enterprise within the meaning of Article 3 of the Annex to Recommendation 2003/361/EC that does not qualify as a microenterprise or a small enterprise and where the microenterprise and small enterprise is not subcontracted to manufacture or design a connected product or to provide a related service. The same shall apply to data generated through the use of connected products manufactured by or related services provided by an enterprise that has qualified as a medium-sized enterprise under Article 2 of the Annex to Recommendation 2003/361/EC for less than one year and to connected products for one year after the date on which they were placed on the market by a medium-sized enterprise.
- Any contractual term which, to the detriment of the user, excludes the application of, derogates from or varies the effect of the user’s rights under this Chapter shall not be binding on the user.
- 3
- 41
Recital 3
In sectors characterised by the presence of microenterprises, small enterprises and medium-sized enterprises as defined in Article 2 of the Annex to Commission Recommendation 2003/361/EC(1) (SMEs), there is often a lack of digital capacities and skills to collect, analyse and use data, and access is frequently restricted where one actor holds them in the system or due to a lack of interoperability between data, between data services or across borders.
(1) Commission Recommendation 2003/361/EC of 6 May 2003 concerning the definition of micro, small and medium-sized enterprises (OJ L 124, 20.5.2003, p. 36).
Recital 41
Given the current state of technology, it would be overly burdensome on microenterprises and small enterprises to impose further design obligations in relation to connected products manufactured or designed, or the related services provided, by them. That is not the case, however, where a microenterprise or a small enterprise has a partner enterprise or a linked enterprise within the meaning of Article 3 of the Annex to Recommendation 2003/361/EC that does not qualify as a microenterprise or a small enterprise and where it is subcontracted to manufacture or design a connected product or to provide a related service. In such situations, the enterprise which has subcontracted the manufacturing or design to a microenterprise or a small enterprise is able to compensate the subcontractor appropriately. A microenterprise or a small enterprise may nevertheless be subject to the requirements laid down by this Regulation as data holder where it is not the manufacturer of the connected product or a provider of related services. A transitional period should apply to an enterprise that has qualified as a medium-sized enterprise for less than one year and to connected products for one year after the date on which they were placed on the market by a medium-sized enterprise. Such a one-year period allows such a medium-sized enterprise to adjust and prepare before facing competition in the market for services for the connected products that it manufactures on the basis of the access rights provided by this Regulation. Such a transitional period does not apply where such a medium-sized enterprise has a partner enterprise or a linked enterprise that does not qualify as a microenterprise or a small enterprise or where such a medium-sized enterprise was subcontracted to manufacture or design the connected product or to provide the related service.