A core element of the new EU Data Act is the right to access and share data, particularly data generated through the use of connected products and services. This article explains what the European Commission's Model Contractual Terms (MCTs) for data sharing are, how they are structured, what practical scenarios they address, and what companies should do to prepare for their use.
While the Data Act's new rights and obligations create opportunities, they also bring contractual complexity. Data access in practice rarely happens automatically - it is enabled through agreements between parties that define who may access which data, under what conditions, and for which purposes. Ultimately, legal rights and obligations alone are not enough to create an efficient data ecosystem. It is through contracts that data sharing becomes operational.
This is precisely where the MCTs come in. These clauses are intended to provide businesses with a structured, pre-formulated legal framework to facilitate fair and balanced data sharing agreements. They aim to "reduce transaction costs, shorten negotiation cycles, and increase legal certainty" - much like the GDPR’s Standard Contractual Clauses (SCCs) did in the context of international data transfers.
Although Article 41 of the Data Act required the European Commission to adopt non-binding MCTs by 12 September 2025, no final recommendation had been issued at the time of writing and only the 1 April 2025 expert draft of the MCTs is available. Nonetheless, both FAQ 33 on the Commission’s website and the official 'Data Act explained' site (see section covering “Next Steps”) make explicit reference to forthcoming MCTs and their expected role in shaping contractual practice.
The working assumption in the market is therefore clear: the MCTs will be relevant - and potentially transformative - for data transactions across the EU.
Legal and strategic relevance
While the MCTs will not have binding legal force, they are expected to shape contractual practice across the internal market.
Their role is:
- Standardisation: providing a 'common legal and commercial language' for data sharing agreements, applicable in both B2B and B2C settings.
- Risk reduction: mitigating legal uncertainty and power imbalances by offering a fair baseline, particularly for SMEs that may lack the resources to draft bespoke agreements.
Even though parties may deviate from the MCTs, market pressure and regulatory expectations are likely to drive wide adoption. Early movers may benefit from faster transactions and smoother negotiations, especially where contractual asymmetries exist, while also gaining the opportunity to set their own standards and build trust in the market.
Implementation considerations and strategic advantages
Modular building blocks of the draft MCTs
The MCTs are modular and structured into four annexes, each addressing a typical data sharing constellation:
- contracts between a data holder and a user (Annex I): data holder wants to use the data generated by the user’s product or service
- contracts between a user and a third-party data recipient (Annex II)
- contracts between a data holder and a third-party data recipient (Annex III)
- contracts between a data sharer and a data recipient – voluntary data sharing agreements (Annex IV).
This modular design allows companies to select and adapt only those components relevant to their business model. While the exact wording may still change before final adoption, the draft version already reveals a clear contractual architecture that will likely endure.
Key benefits of the modular approach
- Parties and roles - clear definition of data holder, user, data recipient
- Data scope and access rights - specification of datasets, formats, APIs, access limitations
- Reasonable compensation - methodology for determining fair payment where applicable
- Protection of trade secrets and confidentiality - including NDAs, IP safeguards, and restrictions on reverse engineering
- Liability and warranties - disclaimers on data accuracy, caps on damages, and allocation of responsibilities
- Purpose limitation and onward transfer - ensuring alignment with the Data Act and other legal requirements
- Exit, return and deletion - procedures when contracts end, including data retrieval and secure deletion.
These comprehensive clause areas ensure that the MCTs address the full lifecycle of data sharing relationships, from initial access through contract termination.
Annex I - data holder uses data generated by the user’s product or service
Under Article 4(13) of the Data Act, product data is attributed to the user. However, many data holders, particularly manufacturers of connected devices, also wish to use this data for their own legitimate purposes (eg product improvement, analytics, service optimisation). Annex I is designed precisely for this situation.
Practical implications
In mass-market B2C scenarios, these terms will typically be integrated into standard T&Cs, such as click-through agreements or online terms of service. In B2B settings, more negotiable contracts may be used, with configurable options under the MCT framework. This dual design reflects the reality that consumer and business relationships differ substantially in flexibility and bargaining power.
Key elements
- Scope of the data use by the data holder
- User rights of access to the data
- Optional user compensation where provided by law or agreed contractually
- Protection of trade secrets and IP
- Purpose limitation and restrictions on onward use.
Strategic relevance
Annex I is likely to become one of the most frequently deployed modules because it addresses the core commercial scenario for IoT manufacturers and service providers: using product-generated data while ensuring compliance with the Data Act. It establishes the framework for data holders to monetise IoT-generated data while maintaining Data Act compliance.
Annex II - user and third-party data recipient
Article 5 of the Data Act gives users the right to request that data generated through their use of a product or service be made available to a third-party data recipient of their choice. Annex II provides the contractual structure for the agreement between the user and that third party.
Practical implications
- The data holder enables data access but is not a party to this contract
- The MCTs set out key rights and obligations between user and recipient, ensuring transparency and security
- This scenario is especially relevant for consumer-facing services and data-driven value chains, where intermediaries rely on user consent to obtain access to data
- User consent mechanisms must comply with GDPR requirements where personal data is involved.
Key elements
- Clear specification of permitted uses by the data recipient
- Confidentiality and data security obligations
- Restrictions on onward transfers
- Liability allocation between user and recipient.
Annex III - data holder and third-party data recipient
Also grounded in Article 5, Annex III covers the contract between the data holder and the third-party data recipient, triggered by a user’s sharing request. This scenario often arises in B2B ecosystems, where manufacturers or platform operators must make data available to partners, service providers or integrators.
Special features
- Annex III allows for modifications if the obligation to share data arises under other EU legislation rather than Article 5 (eg sectoral data access rules)
- This flexibility reflects the reality of layered regulatory frameworks, such as in mobility, energy or financial services.
Key elements
- Technical access mechanisms and security
- Confidentiality and IP protection
- Reasonable compensation (guidelines expected, see Article 9(5) DA)
- Liability and allocation of risks
- Exit and termination provisions
- Data deletion and return obligations on contract termination.
Annex IV - voluntary data sharing agreements
Unlike Annexes II and III, Annex IV applies independently of any user request. It covers voluntary data sharing agreements between parties (business entities) wishing to share or pool data on their own initiative.
Strategic use cases
- Industry consortia and data spaces
- Research collaborations
- Platform or ecosystem models
- Public-private partnerships.
Key elements
- Full contractual freedom within the MCT framework
- Baseline structure for interoperability and legal certainty
- Optional clauses for compensation, licensing, IP rights and dispute resolution.
Strategic relevance
Annex IV supports voluntary, market-driven data sharing on standardised terms. By providing an easy-to-use template, it can accelerate the emergence of data ecosystems - one of the central goals of the Data Act.
Interplay with other legal frameworks
Data privacy
Importantly, MCTs do not override GDPR obligations. Where personal data is involved, parties must still comply with applicable data protection rules, including the need for a valid legal basis for processing, transparency, and data-processing agreements under Article 28 GDPR.
This applies in particular to mixed datasets where "personal and non-personal data are inextricably linked". In such cases, the GDPR applies in full, and the presence of non-personal data does not diminish the level of protection required.
On 1 July 2025, the European Data Protection Board (EDPB) issued a statement on the draft MCTs. It welcomed their potential to 'enhance legal certainty' but emphasised the need to 'clearly distinguish between personal and non-personal data'.
The EDPB also stressed that "compliance with MCTs does not equal compliance with GDPR". Businesses must assess data protection requirements separately, including purpose limitation, legal bases, and security obligations. See here for more on the interaction of the Data Act and the GDPR.
Trade secrets law
MCTs incorporate references to trade secret protection, ensuring that data sharing does not compromise "proprietary information or confidential know-how". This aligns with Directive (EU) 2016/943 on trade secrets, which remains fully applicable. See here for more on the trade secrets elements.
Sectoral regulations
It is important to note that certain sectors (eg mobility, energy, health) are already subject to specific EU data access regimes under sectoral legislation. The MCTs are designed to be flexible, allowing adaptation where other legal frameworks apply, ensuring compatibility with existing regulatory requirements.
Practical to-dos
Even though the final MCTs have not yet been published, organisations can already prepare strategically for their implementation. Key steps include:
- Map roles and data flows - identify whether your organisation is a data holder, recipient, user, or a combination thereof. This determines which modules are relevant
- Review the contractual landscape - assess how current data sharing agreements, terms & conditions, and processing contracts align with the MCT framework
- Integrate MCT modules - consider incorporating relevant annexes (especially Annex I for manufacturers and Annex III for B2B partnerships) into standard contract templates
- Align with GDPR and trade secrets law - ensure that contracts involving personal or sensitive data remain compliant with applicable legal obligations
- Prepare for operational implementation - MCT obligations often have technical implications, eg API access, data format interoperability, security measures, exit-readiness
- Develop negotiation strategies - different annexes involve different power dynamics. Early preparation can shorten deal cycles and improve leverage.
Outlook
The final Commission recommendation on MCTs is expected in the coming months. Once published, the MCTs will likely become a default contractual standard for data sharing across the EU.
Much like the GDPR SCCs, the influence of the MCTs is likely to extend far beyond their non-binding legal status. Regulators, contracting parties and courts may increasingly refer to them as a benchmark for "fair, transparent and balanced agreements".
It is important to note, however, that unlike the GDPR SCCs, the models are not static. They may be complemented or shaped by national legislation, sector-specific rules, or industry standards. Precisely because of this evolving landscape, businesses that act early - by mapping data flows, adjusting their contract architecture, and integrating relevant modules - will be better placed to shape these standards rather than simply follow them. Those who wait may face more complex and protracted negotiations once the MCTs become market standard.