In Volume 3 of our article series, we examined the users' rights to share their data with third parties (data recipients). Building on this, the current article explores the business models emerging from such rights – and the legal boundaries that govern how the shared data may be used.
Users have the right to use their data for both commercial and non-commercial purposes and may also transfer it to data recipients accordingly. This is particularly relevant for data intermediation services – like data management platforms. A key requirement in such constellations is the existence of a clear contractual agreement between the user and the data intermediary, specifying all permitted purposes of the data use. Based on user consent, intermediaries may charge fees or even resell the data to third parties.
However, data intermediation services must comply with the obligations set out in the Data Governance Act (DGA). Notably, DGA prohibits intermediaries from using the data for purposes other than making it available to data users and requires that such services be offered through a separate legal entity. Furthermore, any metadata collected during the provision of the intermediation service – such as timestamps, geolocation, duration, or interaction data – may only be used for developing the service itself, including fraud detection and cybersecurity measures, and must be shared with data holders upon request.
As previously outlined, data holders may, at the user’s request, transfer data to a data recipient in exchange for adequate compensation. This compensation is not a payment for the data itself, but rather a reimbursement of costs directly related to making the data available - such as expenses for reproduction, storage, or pre-processing. It explicitly excludes costs incurred during the original data collection.
In the case of long-term arrangements - such as subscription models or smart contracts - the Data Act’s recitals indicate that costs associated with regular or repeated transactions should be assessed at a lower rate. Cost recovery may apply to individual or multiple requests, but in such recurring scenarios, the financial burden of data provision should not fall entirely on each data recipient.
This does not mean that a profit margin is excluded - except in cases involving small and medium-sized enterprises (SMEs) or research organizations. Such a margin may be permissible and can depend on factors such as the volume, format, and type of data, as well as whether the data was originally collected for the data holder’s own business purposes. Further clarification from the European Commission on what constitutes an adequate compensation is expected later this year.
Is your business model compliant and are your contracts and data use purposes compliant with the law? Check out all content provided within our Data Act Weeks to be sure.
In the final instalment of our series, we will address the sensitive topic of potential sanctions. Stay tuned!
Need guidance on the Data Act?
