Is there such a thing as worthless data? In a data-driven economy: hardly. Even seemingly worthless raw data can be priceless for competitors, if they have the ‘key’ to utilise it properly. For competitors, even the absence or inaccuracy of data can be an important indicator of a product's functionality. Similarly, a third party can easily fill gaps with such data when test data is difficult to obtain.
Data such as operating parameters, sensor and monitoring data, error messages, maintenance and service data as well as certain usage data may indeed constitute a manufacturer's core know-how and be of commercial value. Due to the broad and technology-neutral definition of a trade secret, even raw machine data produced by certain products may constitute a trade secret. Know-how is an essential company asset, and know-how holders go to great lengths to protect their trade secrets. However, the broad access obligations under the Data Act, which we explored in previous articles, may also apply to them. Is this the end of know-how protection as we know it?
The access obligations are in principle mandatory and cannot be waived by contract. Essentially, the data must be provided to users without undue delay, in the same quality, comprehensively and easily accessible. Where relevant and technically feasible, data must be provided continuously and in real time. The practicability of this obligation may pose a challenge to data holders, not only because of the unclear scope of the term 'continuously and in real time'.
The Data Act does not provide a general exception for trade secrets. It only states that trade secrets should be preserved and that the provided data may not be used to develop competing products. To protect their trade secrets, data holders shall therefore agree proportionate technical and organisational measures with the users and third parties to preserve confidentiality (e.g. appropriate confidentiality agreements, restriction of access to certain persons on a need-to-know basis, technical limitations). The data holder may only refuse to disclose the data to the user or a third party, if no agreement has been reached on the measures to be taken or if the user or the third party have failed to implement such measures. In case appropriate measures are implemented, the data holder may only refuse the access request, if they can demonstrate that they are likely to suffer serious economic damage from disclosure. When suspending data provision or refusing access, however, the data holder must substantiate this in writing to the user or the third party respectively and notify the competent authority.
The data holder must take urgent action to continue to protect its valuable assets. So, the question for you is: Are you ready for the Data Act applicable from 12 September 2025?
- Have you reviewed the data that is collected and which of this data would need to be disclosed?
- Have you reviewed your current know-how protection measures?
- Have you reviewed the existing contractual clauses regarding data access and use, in accordance with the Data Act's provisions?
In the upcoming edition of our article-series, we will be exploring the link between GDPR and the Data Act.
Stay tuned!
Need guidance on the Data Act?
