In our previous article, we explored the obligation of manufacturers of connected products and providers of related services (collectively, “data holders”) to grant users access to data generated by their products. However, the Data Act goes even further. Data holders are also required to make this data available to third parties (“data recipients”) – if requested by the user. This marks a significant shift in control, placing users in the centre of data-driven value chains.
As highlighted in our first article, one of the central goals of the Data Act is to ensure that data is easily and seamlessly available. Data sharing should be straightforward, removing unnecessary barriers and moving away from the old mindset of "those who guard their business don't share data." This traditional approach often leads to lock-in effects, limiting competition and preventing users from switching between providers. To address this, the Data Act establishes a clear legal framework that empowers users to transfer data collected by the data holder – either to themselves or directly to a third party.
The data holder must make the requested data available without undue delay, free of charge, and in a machine-readable format. This ensures that the transfer of data – whether to the user or a third party – remains both technically feasible and practically accessible. However, the right to data sharing is not without limits. For instance, designated gatekeepers under the Digital Markets Act may never act as data recipients. Additionally, the Data Act includes specific safeguards to protect trade secrets, which we will explore in more detail in upcoming articles. If a data holder refuses to transfer the data, users are not left without recourse – they can merely challenge such refusals before competent authorities or designated dispute resolution bodies.
If the user requests that data shall be transferred directly to a data recipient, the data holder is obligated to grant access based on a contractual agreement. This agreement must adhere to the principles of fair, reasonable, and non-discriminatory terms (FRAND). These requirements are designed to prevent the abuse of market power and to ensure transparent and equitable data sharing practices, particularly in situations where data holders could otherwise set restrictive or exploitative conditions.
Data holders are not required to provide access to data recipients purely out of goodwill or entirely free of charge. When data is shared in the context of business-to-business relations, the data holder is entitled to receive compensation. However, this compensation is not a commercial payment, but rather a reimbursement for actual costs related to generating, formatting, and providing the data. The compensation must reflect real, verifiable expenses – unjustified or excessive pricing is explicitly prohibited under the Data Act.
The Data Act also sets clear obligations for data recipients. Use of the data must remain within a limited, purpose-bound scope, and the data may not be retained longer than necessary to fulfil the agreed purpose. Any use, disclosure, or storage beyond these terms is strictly prohibited.
The Data Act places concrete obligations not only on data holders, but also on those who receive and further process data. To prepare, we encourage every business that collects or receives data to carefully consider the following questions:
- Do you clearly understand which data you are required to provide?
- Have you implemented safeguards to ensure data is shared only with authorised data recipients?
- Are your contracts fully aligned with the obligations?
We are ready for the Data Act – are you?
In the next edition of our article-series, we will explore how the Data Act balances data sharing and access rights with the protection of trade secrets.
Stay tuned!
Need guidance on the Data Act?
