In Part 1 of our 'Deep Dive' series, we explored the types of data and entities covered by the Data Act (Act), the new European Union regulation that centres on 'data' and which comes into effect on 12 September 2025.
Here in Part 2, we look to data use and access obligations which may apply to in-scope organisations. The central tenet of the Act is access to data in the digital economy. Unsurprisingly organisations who are in-scope 'manufacturers' or 'data holders' must comply with access and sharing obligations.
1. Core Obligations of Data Holders to Users
(a) Data Access
As a data holder, organisations may be required to provide data access to:
- users on a business-to-business (B2B) or business-to-consumer basis (B2C) basis (Chapter II of the Act);
- third parties on a B2B basis (Chapters II to IV of the Act); or
- public sector bodies on a business-to-government (B2G) basis (Chapter V of the Act).
Under Chapter II, users may access data either by design (Article 3), meaning the data is directly accessible, or by request (Article 4) where direct access is not technically feasible.
For access by design, new products placed on the market after 12 September 2026 will need to be designed to allow access to product and related service data directly by the user (easily, securely and free of charge), in a comprehensive machine-readable format, where relevant and technically feasible. Conversely, to the extent that a user cannot obtain direct access, data holders must make "readily available data" and "relevant metadata" accessible to the user on the same conditions "without undue delay" and of the same quality as is available to the data holder and where relevant and technically feasible, continuously and in real time.
Organisations can, in certain circumstances outsource their role as a data holder. For example, manufacturers may contract out to another entity the role of 'data holder' for all or part of that manufacturer's connected products.
Under the Act, the designation of a data holder is determined not by who manufactures the hardware or software, but by who controls access to the readily available data. This means a manufacturer is not automatically considered the data holder. Additionally, an organisation cannot simultaneously be both the user and the data holder for the same dataset. However, it may be a data holder for one connected product or related service, and as a user for another, depending on the specific context.
Image Source: European Commission FAQs.
(b) Data Sharing
In addition to data access rights, users have a right to request that data holders share "readily available data", as well as relevant metadata necessary to interpret and use those data, to third parties without undue delay (Article 5 of the Act). The provision of this data must meet specific standards which are similar to those set out in the data access provisions of the Act. The data must be of the same quality as is available to the data holder, and provided securely and free of charge. Additionally, the data must be delivered in a comprehensive, structured and commonly used, and machine-readable format. Where relevant and technically feasible, the data should also be made available continuously and in real time.
In the case of personal data, where the user is not a data subject whose personal data is requested, any personal data generated by the use of a connected product or related service must be made available by the data holder to the third party only where:
- there is a valid legal basis for processing under Article 6 of the GDPR and,
- if there is special category personal data, under the conditions of Article 9 of the GDPR.
Interestingly, the Act does not specify whose legal basis should be relied upon for the processing meaning the GDPR assessment of "who" is a controller will apply.
Are any organisations exempt from data sharing obligations?
Small and medium-sized enterprises (SMEs) are exempt from the data sharing obligations in Article 5 of the Act (Article 7(1) of the Act). The category of SMEs is made up of businesses which employ fewer than 250 persons, and which have an annual turnover not exceeding €50,000,000, and/or an annual balance sheet total not exceeding €43,000,000. Additionally, companies are exempt from obligations to share data when the third party request is from organisations registered as "Gatekeepers" under the Digital Markets Act (Article 6(2) of the Act).
Data holders may also refuse access to data if sharing would unduly compromise the security of a connected product or related service (Article 4(2) and Article 6(2) of the Act), or if it would expose trade secrets (Article 8(6) of the Act) (see more on this below). Furthermore, prototypes are exempt from the scope of the Act because they are not placed on the market.
2. Trade Secrets – balancing data access rights against the need to uphold legal protection
Data that can be identified as a trade secret is exempt from disclosure, unless all necessary measures to preserve the confidentiality of such data can be agreed and implemented (Article 5(9) – (11) of the Act).
The Act does not alter existing legal protections for trade secrets, such as the provisions of the Trade Secrets Directive 2016. The Act introduces a new mechanism for safeguarding trade secrets, referred to as the 'trade secrets handbrake'. The Act seeks to strike a careful balance between preventing illegitimate restrictions on the user's new data access rights and maintaining the legal protection of trade secrets.
Data Holders can protect their trade secrets whether or not they provide users with 'direct access' or 'indirect access'. For example, if an organisation is providing direct access, the data holder may contractually oblige the user to protect certain data that are made directly accessible. However, at a practical level, it may be easier for data holders to implement indirect access controls and monitor data which is disclosed to users.
3. Model Contractual Clauses
Lastly, organisations will need to consider what contractual provisions they need to implement in order to comply with the access and sharing obligations under the Act.
The European Commission set up an expert group on B2B Data Sharing and Cloud Computing Contracts (Expert Group) to simplify negotiations and ensure legal certainty in B2B arrangements. On 2 April 2025, the Expert Group published a set of model contractual terms (MCTs) (Access the MCTs here).
The MCTs are designed to help companies comply with the Act and establish fair, secure and transparent agreements for data sharing. They are structured across four typical data-sharing scenarios: (1) Data Holder to Data User, (2) User to Data Recipient; (3) Data Holder to Data Recipient; and (4) Voluntary Data Sharer to Data Recipient.
More information to follow
Part 2 of our Data Act Deep Dive series provided an overview of the data access and sharing obligations introduced by the Act. As organisations begin to navigate these requirements, understanding the role of the data holder and the conditions for lawful sharing will be key to ensuring compliance and avoiding regulatory risk.
Stay tuned to our Data Act Deep Dive series as William Fry's Technology team uncovers some more of the Act's key features:
- Part 3: Data Switching and Interoperability
- Part 4: B2B Unfair Contractual Terms
For more information about the Data Act, please contact Leo Moore, Rachel Hayes, Jordie Sattar or your usual William Fry contact.
Contributed by Aoife Keenan and Caroline Keaveny
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.