Contractual requirements under the Data Act

The purpose of the contracts between data holders and users is to ensure transparency, legal certainty, and a clear definition of the parties' rights and obligations in data processing. The most important elements of such contracts are:

• Definition of the data available to the user

• Information on the creation, use and access to data

• Rules for data holder’s own use of the data

• Rules for sharing of the data to third parties by data holder

• Protective measures for trade secrets

Contracts between the user and the data recipient (U2R Contract)

The user may wish to share data with a third party (called “data recipient” in the Act). The most obvious purpose for sharing data would be to allow the data recipient to provide additional services related to a connected product to the user, such as repairs, maintenance or data analytics. If the user opts to share data with a data recipient, a contract needs to govern the relationship and obligations between the user and the data recipient in respect of data shared. Such contracts would include provisions on:

• Details on the devices/services and data to be shared

• Practicalities of access to the data

• Purposes and limitations of use of data by the data recipient

• Protective measures to safeguard the data

• Further sharing of data by the data recipient

Contracts between the data holder and data recipients (H2R Contract)

The user may request from the data holder that data is shared directly to a data recipient. The request may also be made directly by the data recipient with authorization by the user. To facilitate this sharing and to cover the terms of use for the data, an additional contract is needed between the data holder and the data recipient. Such a contract would include:

• Details on the user, product and/or service that the contract covers

• Requests of the user

• Details on the data being shared

• Purposes and limitations of use of data by the data recipient

• Limitations on further sharing of the data by the data recipient

• Compensation payable by the data recipient

• Provisions related to protection of trade secrets

In addition to provisions dealing with connected products and related services in Chapters II-III, the Data Act also includes provisions related to the switching of data processing services, which are in Chapter VI. There are specific mandatory contractual requirements in Chapter VI that the data processing services providers need to adhere to. To aid the service providers’ drafting efforts, the Expert Group drafted six standard clauses to cover the main contractual issues identified for the cloud computing contracts and one general clause. Together, these clauses are known as the Standard Contractual Clauses or SCCs. These SCCs are not complete contracts in the way the MCTs are but are instead meant to be inserted by the parties into data processing services agreements.

The SCCs consist of:

• General terms related to provision of services

• Practicalities of the switching and exit process

• Termination of the services

• Security and business continuity provisions

• Non-dispersion clauses to collate the contractual terms related to services

• Liability provisions related to the transfer obligations

• Non-amendment rules limiting the allowed changes to the terms

Apart from the specific requirements in the Data Act to have contracts in place for data processing services, it is in the interest of the data holder of connected product and related services data to have contracts with the users concluded before application of the Act on 12 September 2025. Firstly, contracts are an easy way to fulfil the requirements to inform user of the collected data and its processing, as specifically required by the Act. Second, they clarify the mechanisms and practices related to providing the data to the user. In addition, there are two major reasons for the data holder to push for concluding contracts in time: The right of the data holder to use and distribute the data itself and protection of trade secrets that can be deduced from the data.

Data holder’s right to use and share data to third parties

The Data Act allows for the user of a connected device or a related service to ultimately determine what the data created or collected by the device or service can be used for. The data holder (which may or may not be the manufacturer of the device or provider of the service) can only use the data based on a contract with the user. In other words, if there is no contract in place between the data holder and the user, the data holder may not utilize the data for its own purposes, such as further development, quality control or analytics. Same principle applies to making the data available to third parties by the data holder, it is only allowed for the purposes of fulfilment of the data holder’s contract with the user. It is therefore in the interest of the data holder to agree on the terms of use and sharing of data before the Data Act starts to apply.

Protection of trade secrets

The Data Act does not allow for the data holder to categorically refuse to make the device or service data available to the user or, upon the user’s request, a third party (which may be a competitor to the data holder) simply because the data holder claims that the data contains trade secrets. To be able to effectively protect trade secrets the data holder needs to identify and inform the user of the data protected as trade secrets already before the user enters into a contract for the purchase, rent or lease of the device or signs up to a service. In addition, the data holder needs to try and agree with the user on proportionate technical and organizational measures necessary to preserve the confidentiality of the shared data. Only if the data holder and user cannot reach an agreement on the appropriate means of protection or the user fails to implement the defined protective measures, the data holder may withhold or suspend the sharing of data that is identified as including trade secrets. Any such decision must be substantiated in writing to the user and the data holder must also inform the competent authority of its decision to withhold or suspend data sharing. Therefore, if the data might reveal any trade secrets of the data holder, there must be an agreement in place to protect them since simply refusing to provide the data is not a viable option for protection.

The Data Act covers such a wide variety of different products, services and situations, that drafting one-size-fits-all model terms is simply impossible. While the MCTs and SCCs published by the Expert Group certainly help in drafting the necessary contract terms, they are not directly usable as-is. They do offer good baseline solutions that make it a lot easier to stay in line with the requirements of the Data Act. The model terms have been drafted to ensure fair, reasonable and non-discriminatory contractual rights and obligations, which is a specific requirement of the Data Act.

Since the contracts may end up being rather complex and will need adaptation and input from multiple stakeholders, ample time should be reserved for drafting. After the drafting is done, the implementation process also requires time and effort. This phase may include back-and-forth negotiations, especially with bigger customers. For cloud services the service terms often include a notice period to adhere to before any changes take effect. The entire process from internal kickoff meeting to handshakes can take several months, which should be considered when timing efforts related to contracting.

Our team of Data Economy experts are available to help you in all your needs related to the Data Act, including drafting and negotiating the relevant contracts.

This article is part of a series of articles focusing on the Data Act, which explores individual issues from different perspectives and as practical as possible.