Data Act

33 Questions

General

It very likely is. It applies to all industries and all levels of the economy and is relevant for anyone who holds, licenses, voluntarily makes available or is obliged to make available – any – data to third parties. It is particularly relevant for

  • Enterprises that develop, manufacture or offer connected products or related services, as well as enterprises that have (de facto) control over the data generated by connected products or related services (so-called product data and related service data).
  • Enterprises which, under EU law or under national law based on EU law, are obliged to make data available to third parties (see also question 24). This not only concerns making product data or related service data available, but also statutory rights to access all types of data. In particular, the Data Act contains provisions on compensation and contract design.
  • Enterprises that conclude contracts with other enterprises on access to and/or use of data (see also question 26). This, too, not only concerns the use of product data or related service data, but also all B2B contracts on all types of data. The Data Act subjects data contracts to a review similar to that under the provisions governing general terms and conditions. 
  • All enterprises that have (any) data, in situations of “exceptional need” such as, in particular, natural disasters or epidemics. The Data Act contains provisions on making data available for national authorities and EU institutions in certain emergencies (see also question 30).
  • Providers of data processing services (in particular, providers of software-as-a-service (SaaS) services and of cloud and edge services), to allow switching to another provider (see also question 32). [Article 23 et seq. Data Act]
  • Participants in European data spaces, to allow interoperability (see also question 33). [Article 33 et seq. Data Act]

Yes. There are however important exceptions, in particular to the obligation to make data available (see also question 8): 

  • The obligation to make data available that are generated by connected products or related services (so-called product data and related service data) does not apply if the products are manufactured or designed by a microenterprise or small enterprise or if such an enterprise provides the related services. However, in order to prevent circumvention, the exception does not apply if (i) the microenterprise or small enterprise has a “partner enterprise” or a group enterprise that is not a microenterprise or small enterprise, or (ii) the enterprise is subcontracted to manufacture or design the connected product or to provide the related service. [Article 7(1) Data Act]
  • If a microenterprise or small enterprise becomes a medium-sized enterprise, a transitional period of one year applies until the obligations to make data available apply. [Article 7(1) Data Act]
  • The obligations for medium-sized enterprises to make data available with regard to connected products do not apply until one year after the connected product has been placed on the market by the medium-sized enterprise. [Article 7(1) Data Act] However, data generated by related services are not given corresponding privileged treatment.

In addition, microenterprises and small enterprises are given privileged treatment with regard to making data available to public sector bodies in cases of exceptional need (see also question 30). On the one hand, stricter requirements are to be used for determining whether “exceptional need” exists in the case of microenterprises and small enterprises [Article 15(2)] whereas, on the other hand, such enterprises are also entitled to financial compensation when larger enterprises must make data available free of charge. [Article 20(1) Data Act]

The EU definition is relevant for determining what is considered to be a microenterprise, a small enterprise or a medium-sized enterprise (see also SME):
 
Table with company sizes

The obligations under the Data Act will in principle apply as of 12 September 2025, but the design obligations that arise for manufacturers of connected products and related services only apply to those products and their related services that are placed on the market after 12 September 2026. [Article 50 Data Act]

However, contracts that already exist or are concluded before 12 September 2025 may also be subject to the unfairness test for general terms and conditions of business (see also question 27). Yet this only applies if the contract is either of indefinite duration or due to expire on 11 January 2034 at the earliest. [Article 50 Data Act] Then the unfairness test will apply from 12 September 2027; thus, from then on, any provisions contained therein may become invalid.

In addition, the design obligations (see also question 23) have a kind of practical advance effect, as development cycles for connected products and related services often take a long time. Therefore, if a product is to be placed on the market after 12 September 2026, the product obligations must already be complied with during the development phase prior to this date.

Yes, if one of the following conditions is met: 

  • You manufacture connected products that are placed on the market in the EU and/or you offer services related to such connected products (placed on the market in the EU). [Article 1(3)(a) Data Act]
  • You make data available to data recipients in the EU. [Article 1(3)(c) Data Act]
  • You are a data processing service (e.g. you offer Software-as-a-Service solutions or cloud or edge services) and have customers in the EU. [Article 1(3)(f) Data Act]
  • You are
    • a vendor of applications using smart contracts when data are being made available, or 
    • your business involves the deployment of smart contracts for others in the context of executing an agreement. [Article 1(3)(g) Data Act]

      In both cases, it is in our assessment necessary for the selling or deployment to take place in the EU, even if the text of the Data Act does not explicitly state this.

No. The Data Act does not concern the protection of personal data. These remain subject to the General Data Protection Regulation (GDPR). The provisions therein are not restricted by the Data Act.

In most areas, the Data Act does not distinguish between personal and non-personal data. Both types of data fall within the scope of the Data Act, but there are differences in some areas, e.g. with regard to dealing with requests from foreign authorities. Within the scope of their powers, i.e. when it comes to the protection of personal data, data protection supervisory authorities can also impose fines in accordance with the GDPR for infringements of the Data Act. [Article 37(3), 40(1) and (4) Data Act]

Civil law-related legal consequences and fines are possible. 

  • The amount of the fines has not yet been determined. The Data Act itself does not contain any specific penalties in the case of infringements. Member States are obliged to lay down rules on penalties and must, in so doing, take into account, inter alia, the nature, gravity, scale and duration of the infringement, financial benefits as well as, for determining the amount of the penalty, the infringing party’s annual turnover in the preceding financial year in the Union [Article 40 Data Act]. Member States must notify the Commission of these rules by 12 September 2025. 

    When it comes to the protection of personal data, data protection supervisory authorities can also impose fines in accordance with the GDPR for infringements of the Data Act. [Article 37(3), 40(1) and (4) Data Act]
     
  • The following can be said for the time being with regard to legal consequences under civil law.
    • Some of the legal consequences under civil law are already stipulated in the Data Act. Contractual terms that restrict certain rights of the user are invalid. [Article 7(2) Data Act] The same applies to terms that exclude a party’s rights under Chapter III of the Data Act. [Article 12(2) Data Act]
    • Insofar as the Data Act does not contain any rules on civil law issues, the applicable national law shall apply. This is to be determined via the “Rome I Regulation” (Rome I Regulation).

Anyone who feels that their rights under the Data Act have been infringed can lodge a complaint with the competent national authority. [Article 38 Data Act] Certified dispute settlement bodies will also be established for certain disputes, such as those concerning contractual terms and conditions (see also question 28) or in connection with measures to protect trade secrets (see also question 20). [Article 10 Data Act] In addition, legal recourse is of course always available. A violation of the requirements of the Data Act, for example, may constitute a defect under sales law (e.g. a connected product does not meet the requirements of the Data Act (see the design obligations, question 23). In this case, warranty claims and claims for damages by the purchaser are possible. In the event of data protection infringements, claims for damages under data protection law are also conceivable.

  • The rights to access data (see also question 8) only apply to data that were generated from a connected product or a related service. The Data Act refers to such data as product data or related service data. [Article 2, nos. 15, 16 Data Act]
  • However, this restriction does not apply to most of the other provisions. In particular, the unfairness test is relevant for contracts on any type of private sector data that are retrieved, shared or used on a contractual basis (see also questions 27 and 28). The provisions on the conditions for making data available (see also question 24) also generally apply to all types of data. In this connection, the Data Act has a very broad understanding of “data”. It considers data to be “any digital representation of acts, facts or information and any compilation of such acts, facts or information […]”. Accordingly, all digital representations of (any) facts are considered to be “data”. This also includes sound, visual or audio-visual recording. [Article 2(1) Data Act] 

It is generally irrelevant whether the data are personal or non-personal data. In individual cases, however, personal data are treated differently than non-personal data. 

Right to access data

Yes. The Data Act gives the user of a connected product or a related service – but not other third parties – a right to require the data holder to make certain data available to them. The user may request that the data be provided either to them [Article 4(1) Data Act] or to third parties. [Article 5(1) and (3) Data Act]

The third parties may in principle be any third parties, including, for example, competitors of the data holder. However, there is an exception for undertakings that the EU has designated as gatekeepers within the meaning of Article 3 of the Digital Markets Act (DMA). (Gatekeepers) [Article 5(3) Data Act]

The user is not entitled to have the data provided to them if they can already access the data directly from the connected product or the related service, e.g. if they can simply download it from the device. However, this does not exclude the right to have the data made available to a third party.

The user can request that “readily available data” be made available. These are not just any data, but instead only product data or related service data, in each case including the metadata required for interpretation.

The term “readily available” has several implications:

  • Firstly, this only includes data that the data holder lawfully obtains or can lawfully obtain from the connected product or related service without disproportionate effort. [Article 2(17) Data Act] The design of the product or service determines what types of data these are. The manufacturer does not have an obligation to design certain data as readable. Essentially, it can therefore determine which data are to be accessible at all by means of its design decisions. If data do not leave the component in which they are generated, they are not readily available. [Recital 20 Data Act] Only if data can generally be obtained from the product as intended (e.g. in order to store them in a central CPU or to transfer them to a central data centre of the data holder) are they readily available. Thus, there is no obligation under the Data Act to store product data and related service data on a central computing unit. [Recital 20 Data Act]
  • Secondly, only data that at most require a low level of processing are “readily available”:
    • The raw data, i.e. the data obtained directly and unprocessed from the connected product or related service, are readily available data.
    • A certain level of pre-processing is also possible. Such pre-processed data include, for example, measurement data that are already interpreted as a certain temperature, certain coordinates, certain pressure, etc. However, this may only involve simple processing. [Article 2, point 17 Data Act]

Data that are interpreted or manipulated and analysed by algorithms are no longer readily available data (e.g. where the results of various sensors of an automated vehicle are combined and analysed to create an all-around picture of the surroundings, so-called sensor fusion). There is no right to such analyses.

The question is how long the data holder must retain the data. The recitals suggest that this only has to be the case for a “reasonable” period of time. [Recital 24 Data Act] Systematic erasure that effectively excludes or severely restricts the possibility of access is likely not permissible. However, the situation is likely to be different if the data are constantly being overwritten for technical reasons, e.g. if there is limited storage and at the same time a high volume of data.

Roughly speaking, a connected product is an IoT (internet of things) product. It has the following characteristics:

  • It generates, records or collects data about its environment or its use, and
  • it can communicate these product data by whatever means (e.g. WLAN, physical connection, NFC, 4G/5G).

Examples: Smartwatches; connected cars; industrial machines which communicate use or maintenance data; remote surveillance cameras, etc. This does not include cloud storage or other products whose main task is to store/process/transmit data for third parties.

A related service is a digital service which is connected to a connected product and supports its functions. It can also be software. It renders, adds to, updates or adapts the product’s functions either from the outset or later. However, a mere ability to read data from a connected product is not sufficient; a data exchange must take place, i.e. the service must also be able to control the product functions. 

Examples: Software updates which improve the security or performance of a connected product or add new functions; apps or services for remote servicing or diagnosis; personalised recommendations or advertising that is offered based on user behaviour. 

One can be a user of a connected product or a related service. (What is meant by a connected product and a related service see alsoin Question 10) Both are treated in the same way. The user can be a natural or legal person. Not only the end consumer who uses or obtains the product or service for private purposes can be a user, but a company can as well.

  • The user of a connected product is its owner or someone who is contractually entitled to use the product for a fixed period of time, i.e. in particular the renter or lessee. [Article 2(12) Data Act] Several persons can also be users of a connected product at the same time, e.g. co-owners. Contrary to the German wording “Besitzer” (English: possessor), mere actual possession is not sufficient. Accordingly, if someone has purchased or leased a smartwatch (a connected product) for example, they are its user. If they lend it to a friend as a favour to use for sports, that friend does not become a user because they have not acquired a contractual right of use.
  • The user of a related service is the person who makes use of the service. [Article 2(12) Data Act] The Data Act does not appear to require a contractual relationship in this case. However, this should most likely be interpreted to mean that the user is the person who has (contractually) subscribed to the service and utilises the services on this basis.

The Data Act is unclear as to who the data holder is. [Article 2(13) Data Act] Until this is clarified, it would make sense in our assessment to assume that the data holder is the person who has the actual or legal authority to dispose of the data. 

The problem with the definition is that it states that the data holder is the person that has the right or obligation under EU law to use and make available data. This goes round in circles, however, because the obligation under the Data Act applies precisely to the data holder. The German version also has a translation error that creates the impression that it is only about related service data  (“Daten […] zu nutzen und bereitzustellen, die sie während der Erbringung eines verbundenen Dienstes abgerufen oder generiert hat”: “to use and make available data [...] which it has retrieved or generated during the provision of a related service”). 

Yes, there can be several users at the same time.

This may be the case, for example, if a connected product is jointly owned by several people. There will also be more than one user if the connected product is rented or leased, as the product will also have at least one owner as well.

In principle, every user is entitled to the provision of readily available product data and related service data (see also question 9). It is not directly apparent from the text of the Data Act to what extent joint users can assert this right. It is conceivable that each of them can request any and all data, or that each user can only request the data that they have generated themselves, e.g. by driving the connected car or wearing the smartwatch on their wrist.

The recitals contain statements that could be read to mean that the solution is to set up user accounts in order to “enable each user to have access to the data they generate”. [Recital 21] But “generating data” is not a prerequisite for a user having the right to request that data be made available. The owner of a connected vehicle can, for example, also request the data generated by her husband, to whom she has lent the car (subject to data protection requirements). It is also accepted that data generated when the car is at rest, e.g. while it is parked, can be requested. No-one is actively “generating” the data at that time. In our assessment, it therefore seems a more likely scenario that every user has a comprehensive right to the provision of all product data and related service data, including data actively generated by a co-user, e.g. by driving the car. Where personal data is involved, the proviso laid down in Article 4(12) Data Act obviously applies (see also question 19). Otherwise, the “mere” owner who has rented out or leased a product and therefore does not normally use it would never be entitled to the provision of the data generated with it. This would mean that the owner of a leased fleet of vehicles would have virtually no rights. But according to the Data Act, owners are explicitly included in the group of users without necessarily having to use the product themselves.

Only the current user is entitled to the provision of product data and related service data (see also question 8). 

From a practical point of view, the question arises as to how the respective user can be identified. User accounts that allow users to close their accounts if they resell the product will be particularly suitable for this purpose. The new user can then open a new account. [Recital 21] The data holder may in principle require appropriate user identification to verify a user’s entitlement to access the data. [Recital 29] However, no information may be required that goes “beyond what is necessary”. [Article 5(4) Data Act]

Yes, specific requirements must be met:

  • The data must be made available to both the user and a third party without undue delay, easily, securely and in a comprehensive, structured, commonly used and machine-readable format. Where relevant and technically feasible, the data must be made available continuously and in real-time. [Article 4(1) and Article 5(1)]
  • In the case of a third party, the data must also be made available in the same quality as is available to the data holder. [Article 5(1)] Where the data are made available directly to the user, this requirement only applies “where relevant and technically feasible”. [Article 4(1)]
  • The data must always be made available free of charge to both the user and any third party nominated by the user. [Article 4(1) and Article 5(1)] If the third party is an enterprise, the data holder may request compensation from such enterprise subject to FRAND principles (see also question 25).

It is not yet clear what is meant by “make available”. It could mean that the data holder may be required to provide a copy of the data or that it would be sufficient for the data holder to grant access to, for example, one of its servers on which the data are stored and where they can be read and, if necessary, analysed and manipulated. Since the Data Act, e.g. in Article 11(1) (albeit in a different context), refers to a right of the user to “obtain a copy of the data”, a mere right of access without obtaining a copy does not generally appear to us to be sufficient.

It depends on who the data is made available to.

  • The data must be made available to the user free of charge. [Article 4(1) Data Act]
  • For data which a data holder must make available to persons other than the user, the rules of Chapter III, including Article 9 Data Act, apply (see also question 25). According to these rules, compensation may be requested from a third party if such third party is an enterprise. However, the amount of the compensation may not be arbitrary. The conditions must always be reasonable and non-discriminatory. [Article 9(1)]
  • If the third party is not an enterprise, but in particular therefore a consumer or public body, Article 9 Data Act does not apply. Whether compensation can be requested, and if so in what amount, is left open. The recitals state that the reasonable compensation pursuant to Article 9 Data Act does not constitute payment for the data themselves, but are merely to constitute investment incentives. [Recital 46] This could be interpreted to mean that in general, payment may not be demanded for the data, but merely investment incentives to the extent regulated by law. However, it will be necessary to await legal developments in this respect.

This depends on whether the data are made available to the user or a third party.

  • A user may generally use the data that are made available for any legal purpose. It may also share them with third parties, including for commercial purposes. Exception: It may not use the data to develop a competing product (although the development of a competing related service is allowed) and may not share the data with this intention. Moreover, the user may not use the data to derive insights about the economic situation, assets and production methods of the manufacturer or the data holder. [Article 4(10)].
  • If the data are made available to a third party, the scope of the right of use will depend on what it has agreed upon with the user. [Article 6(1)] 
  • You may only use the data as you have agreed with the user. If personal data are involved, you must additionally comply with the GDPR. [Article 6(1) Data Act]
  • You must delete the data once you have fulfilled the purpose of the agreed use unless otherwise agreed with the user. [Article 6(1) Data Act]
  • You may not share the data with another third party without the consent of the user. If sharing is allowed, it must be ensured that the recipient protects any trade secrets contained in the data. [Article 6(2)(c) and (d) Data Act] (For more on the protection of trade secrets, see Question 20)
  • You may not develop any products that are in competition with those of the user or share the data for that purpose. [Article 6(2)(e) Data Act]
  • You must avoid any use that could jeopardise the security of the product or the service. [Article 6(2)(f) Data Act]
  • You may not ask the user to make the data available to you exclusively. [Article 6(2)(h) Data Act]

No. As the data holder you may only use data generated from a connected product or a related service if there is a legal basis for doing so.

  • Are the data personal data within the meaning of the GDPR? If so, you may only use these data if and to the extent permitted by the GDPR. You must comply with the data protection rules.
  • Are they non-personal data? If so, you may only use them if and to the extent the user has contractually permitted you to do so [Article 4(13) Data Act]. Accordingly, you absolutely need a contract with the user.

The following are in any case prohibited:

  • using the data to obtain insights about the economic situation, assets and production methods of the user (or a third party with which the user has shared the data);
  • using the data to develop a product that competes with the connected product or the related service from which the accessed data originate;
  • sharing the data with other third parties unless the user has permitted this.

No. If personal data are involved, restrictions under data protection law must be observed.

This means that personal data may only be made available to a user, even at their request, if the user is the “data subject” within the meaning of the GDPR (and thus their data are involved). If that is not the case, the data holder may only provide the data to the user if there is a legal basis for doing so under the GDPR. [Article 4(12) Data Act] The duty to make data available, as well as the right to access the data do not comprise a legal basis within the meaning of the GDPR; accordingly, it is only permissible to make the data available if, for example, consent has been given or this is necessary to perform a contract or protect legitimate interests. [Article 6(1) (a), (b) and (f) GDPR]

This requires data holders to walk a regulatory tightrope. Focusing too strongly on data protection can lead to a breach of the duty under the Data Act to make data available, while focusing too strongly on data access can lead to a violation of data protection law. Data holders may not be able to avoid requiring the establishment of individual user accounts – meaning that data which were originally not personal will become personal data.

Yes, even trade secrets generally have to be disclosed. However, technical and organisational measures to preserve their confidentiality may be requested. Suitable measures would include the use of model contractual terms, confidentiality agreements, strict access protocols and codes of conduct.

Only in two cases is it possible to refuse to provide the data:

  • Where no agreement is reached on the necessary measures or the user fails to implement these measures. In that case, the data holder must adequately substantiate its decision, provide such substantiation in writing to the user and notify the supervisory authority as well. [Article 4(6) and (7), Article 5(9) and (10) Data Act]
  • If the data holder is able to demonstrate that despite the confidentiality measures, it is highly likely to suffer serious economic damage. This refusal must also be adequately substantiated and communicated to the supervisory authority. [Article 4(8), Article 5(11) Data Act]

No. Contractual terms which restrict the rights of the user are not binding on the user. [Article 7(2) Data Act]

An exception applies only if otherwise statutory security requirements would be undermined and the health, safety or security of natural persons would be jeopardised as a result. [Article 4(2) Data Act] Theoretically, the new Cyber Resilience Act, which will impose security requirements on connected products, could be considered here. 

Yes, there is an obligation to provide information before concluding a contract. [Article 3(2) and (3) Data Act]

Among other things, information must be provided on

  • the type, format and volume of the data to be generated
  • the possibility of generating data continuously and in real-time
  • the storage capabilities
  • how the user can access the data.

From a practical point of view, this obligation to provide information before concluding a contract can be fulfilled by providing a web link that leads to the information. 

Yes. Manufacturers of connected products and providers of related services must ensure, when designing the product or service, that the generated product data and related service data are, by default, accessible to the user in a commonly used format. Insofar as this is “relevant and technically feasible”, the data must also be directly accessible to the user, i.e. not via the data holder. [Article 3(1) Data Act]

In the case of product data, however, it is up to the manufacturer to decide what type of data it designs to be retrievable. There is no obligation to make all data generated by a connected product retrievable. However, if a category of data can generally be retrieved, this category must also be retrievable for the user in the required form. The Data Act therefore introduces the concept of data access by design.

The obligation to design connected products and related services accordingly only applies to products placed on the market after 12 September 2026 (see also question 3). [Article 50 Data Act]

Obligations of an enterprise when data available to another enterprise

It depends on what basis you are required to make data available. 

Chapter III of the Data Act contains rules on how data are to be made available. 

These apply not only to the obligations to make data available under the Data Act (i.e. the obligation to make data available to users of IoT products and third parties see question 8 et seq.), but also to other obligations to make data available under other legislation. Whether the requirements of the Data Act apply to your obligation to make data available depends on the legal basis on which you are obliged to do so:

  • If you, as the data holder, are obliged to provide readily available data to the user or a third party on the basis of the Data Act, the right to be provided with such data falls under the rules of Chapter III. [Article 8(1) Data Act]
  • The same applies if you are obliged to make data available on the basis of other Union law, i.e. in particular on the basis of a European Regulation. And the situation is no different if the obligation to make data available arises from national law, but this is based on European law, i.e. in particular on a European directive that has been transposed into national law. [Article 8(1) Data Act]
  • However: The rules do not apply to obligations to make data available that already exist today. They only apply to obligations to make data available based on Union law or national legislation adopted in accordance with such law that enters into force after 12 September 2025.

    Example: Under Article 61(1) Regulation EU 2018/858 (Type Approval Regulation), independent economic operators are entitled to require vehicle manufacturers to grant them access to vehicle OBD information and other data required for maintenance. Although this right is based on EU law, the legal basis is already in force. The right to the provision of data under this Type Approval Regulation is therefore not subject to the provisions of Chapter III of the Data Act.

And what does it mean if Chapter III of the Data Act applies? For example to rights to be provided with data under the Data Act itself (see also question 8 et seq.).

The data must then be made available under fair, reasonable and non-discriminatory terms and conditions and in a transparent manner. [Article 8(1) Data Act] These FRAND terms and conditions must be understood as a fundamental principle. The Data Act aims to prevent contractual imbalances that hinder fair access to and use of data. [Recital 5 Data Act] 

In this context, the fairness requirement means that one party may not be disproportionately disadvantaged in the specific situation in which data is made available. The requirement of reasonableness makes it possible to weigh up the interests involved. And the requirement that the terms and conditions must be non-discriminatory means that different parties requesting data may not be treated differently unless there is objective justification for this. 

Yes, reasonable compensation may be requested for making data available, which may also include a margin. [Article 9(1) Data Act] The costs incurred in making the data available, investments in the production of data, as well as the volume, format and nature of the data must be taken into account, in particular.

If the data is made available to a microenterprise, a small enterprise or a medium-sized enterprise, the compensation requested must not exceed the costs of making the data available. This means that no margin may be included. [Article 9(4) Data Act] 

How the specific charge was calculated must be disclosed to the data recipient for reasons of transparency. [Article 9(7) Data Act] The latter must be able to assess whether the requested compensation is reasonable. Guidelines on calculating reasonable compensation to be issued by the Commission should provide assistance in this respect in future. [Article 9(5) Data Act] 

Contracts on data access and use between enterprises

Firstly, it should be borne in mind that the FRAND principles must be observed for some contracts on the provision of data (see also questions 24 and 25).

Secondly, certain contracts are subject to a review similar to that under the provisions governing general terms and conditions. The Data Act provides for an unfairness test for contracts involving data in B2B transactions (see also question 27). [Article 13 et seq. Data Act]

Under three conditions: In the case of B2B transactions, where data are involved, and where terms are unilaterally imposed.

  • The unfairness test under Chapter IV of the Data Act only applies to the B2B sector, not in relation to consumers. But within this sector it applies to all enterprises and not just in relation to micro-, small or medium-sized enterprises. However, it cannot be ruled out that the results of an unfairness test carried out in respect of B2B transactions under the Data Act will find their way indirectly into a review under the provisions that govern general terms and conditions carried out in relation to consumers.
  • The contractual term must involve data. This is the case if it relates to data access, data use or liability or legal remedies regarding data-related obligations.
  • The contractual term must be imposed unilaterally. Such a term is considered to be “unilaterally imposed” within the meaning of the Data Act if it was supplied by one party and the other party could not influence its content despite an attempt to negotiate it. [Article 13(6) Data Act] According to the wording, it is not sufficient that one party supplies a contractual term and the other party simply accepts it. If this provision were to be applied by the courts in this way, the legal situation would differ from the German understanding of general terms and conditions.

Contractual terms that define the main subject matter of the contract or the adequacy of the price paid in exchange for the data provided are excluded from the unfairness test. [Article 13(8) Data Act] This is in line with German practice, which likewise does not regard the essentialia negotii as general terms and conditions. 

The Data Act follows a three-stage approach: 

  1. First of all, the Act stipulates which contractual terms are always considered unfair, the “blacklist”. [Article 13(4) Data Act] These are terms whose validity is not open to assessment. 
  2. The “greylist” contains terms whose validity is open to assessment. [Article 13(5) Data Act] These terms are presumed to be unfair, but companies can rebut this presumption. 
  3. Contractual terms that do not fall under either the “blacklist” or the “greylist” can still be unfair according to the general prohibition of unfair terms. [Article 13(3) Data Act]

The following contractual terms, for example, are always unfair:

  • a term that excludes the party’s liability for intentional acts or gross negligence; [Article 13(4)(a) Data Act]
  • a term that stipulates that the party imposing the term determines whether the data supplied are in conformity with the contract. [Article 13(4)(c) Data Act]

A contractual term is presumed to be unfair, for example,

  • if the party on whom the term was unilaterally imposed 
    • is prevented from using the data provided or generated by it during the term of the contract, or is so restricted that it can no longer  use, capture, access or control such data or exploit the value of such data in an adequate manner; [Article 13(5) (c) Data Act]
    • obtaining a copy of the data provided or generated by that party during the period of the contract or within a reasonable period after the termination thereof; [Article 13(5) (e) Data Act] or
  • if the party imposing the term grants itself the option
    • to terminate the contract at unreasonably short notice; [Article 13(5) (f) Data Act]
    • to change substantive conditions related to the nature, format, quality or quantity of the data without specifying a valid reason and without granting the other party the right to terminate the contract. [Article 13(5) (g) Data Act]

For a contractual term to fall under the general prohibition of unfair terms, it must be of such a nature that its use grossly deviates from good commercial practice in data access and use, contrary to good faith and fair dealing. [Article 13(3) Data Act] This very vague wording allows for a more or less restrictive interpretation The German translation presents another problem. There, the two aspects - gross deviation from good business practice and violation of good faith - are connected with an "or". Consequently, the question arises whether it is sufficient for only one of the two elements to be present, or whether both, as expressed in the English version, must be present cumulatively. 

In principle, the German law governing general terms and conditions exists alongside the unfairness test under the Data Act. The unfairness test only applies to contractual terms involving data. If a contract contains data-related and other provisions, two separate reviews must therefore be carried out. Data-related terms fall under the unfairness test prescribed by the Data Act, whereas other provisions fall under the national law governing general terms and conditions pursuant to sections 310(1) and 305 et seq. Civil Code (Bürgerliches Gesetzbuch). However, it remains to be seen whether the results of an unfairness test carried out under the Data Act (which only applies to the B2B sector) may ultimately also be used as part of a review under the provisions governing general terms and conditions in relation to consumers. This could be the case, for example, with the granting of exclusive rights of use in B2C contracts, which are generally regarded as invalid under the new unfairness test prescribed by the Data Act. [Article 13(5) (c) Data Act]

Making data available to public sector bodies

Yes. Data must be made available to national public sector bodies and EU institutions in cases where there is a demonstrated exceptional need. [Article 14 Data Act]

An exceptional need is considered to exist if

  • the data are necessary to respond to a public emergency [Article 15(1) (a) Data Act], i.e. typically an exceptional situation involving public health or a natural disaster;
  • a public sector body is lacking specific non-personal data for the fulfilment of tasks assigned to it by law in the public interest and such data cannot be obtained in any other way. [Article 15(1) (b) Data Act]

This obligation covers data, including the metadata necessary to interpret and use the data, that the public sector body needs to carry out its tasks in the public interest and that it cannot obtain in a timely manner in another way. The data need not be related to a specific product. (For a definition of the term “data” see also question 7) 

Microenterprises and small enterprises only have to provide public sector bodies with data necessary to respond to a public emergency, however. [Article 15(2) Data Act]

The decisive factor is the reason for requesting the data.

Data needed to respond to a public emergency must be made available free of charge [Article 20(1) Data Act]. This does not apply to microenterprises and small enterprises, however.

If the request relates to non-personal data, the lack of which prevents the public sector bodies from fulfilling tasks assigned to them by law, then the data holder is entitled to fair compensation. This covers the costs incurred to comply with the request and may also include a margin. [Article 20(2) Data Act]

Switching between data processing services/interoperability

The terms for switching between data processing services must be laid down in a contract and made available to the customer before the contract is signed. [Article 25(1) Data Act] The terms for switching services must fulfil a large number of specific requirements, for example the notice period for initiating the switching process must not exceed two months.

Providers of data processing services must inform their customers about possible procedures for switching and porting content. [Article 26 (a) Data Act] They must also provide a reference to an up-to-date online register hosted by the provider of data processing services, with details of the data structures, relevant standards and interoperability specifications. [Article 26 (b) Data Act] There are further obligations to provide information in cases involving international access to and transfer of data. [Article 28 Data Act]

The existing switching charges are to be gradually withdrawn. [Article 29 Data Act]

The interoperability requirements (see also question 33) which must be complied with in future should also help simplify the exchange of data.

From a technical perspective, it must be possible to migrate the data, applications and other digital assets without impediments and maintain them in a functionally and technically equivalent manner with another data processing service provider. These data portability requirements mean that developers must already make standardised migrations possible and create the technical prerequisites for this. 

The interoperability requirements are relevant for:

  • Operators of data spaces
  • Providers of data processing services, such as providers of SaaS solutions or other cloud providers
  • Vendors of applications in which smart contracts are used

Participants in EU data spaces must comply with minimum requirements in future [Article 33 Data Act], namely:

  • The dataset content, use restrictions, data collection methodology, data quality and any uncertainty must be sufficiently described so that the data recipient can easily find, access and use the data.
  • The data structures, classification schemes, taxonomies and code lists must be made publicly accessible.
  • The technical means to access the data (e.g. programming interfaces) must be sufficiently described to enable automatic access and transmission of data on a continuous basis.
  • Where applicable, the means to enable the interoperability of smart contracts within their services must be provided.

The Data Act does not contain any specific requirements for data processing services, but merely lays down prerequisites for the specifications and standards to be developed. One of the requirements for these interoperability specifications and standards is that they enhance the portability of digital assets between data processing services. [Article 35 Data Act]

Vendors of applications using smart contracts must ensure that these contracts meet certain requirements. They must, for example, be sufficiently robust to avoid functional errors and manipulation by third parties. There must also be mechanisms in place to ensure the safe termination or interruption of transactions to prevent or reset accidental executions. [Article 36 Data Act]