Have You Updated Your Contracts to Reflect the Changes Introduced by the Data Act?

14 October 2024

Authors: Maria Aholainen, Lasse Riski, and Jesper Nevalainen

In this blog, we explore what types of contractual obligations the Data Act imposes on businesses and which actors are impacted by these contractual changes. Upon its entry into force, the Data Act will impose many new obligations on different parties, but in this blog, we will focus on data-sharing obligations in business relations.

New Limitations to Freedom of Contract

Traditionally, agreements between business partners have been based on the principle of freedom of contract, which allows the business partners to freely negotiate the terms of the contract.

While the freedom of contract is the underlying principle in business relations, there are already existing limitations to this principle. Special legislation in each country and jurisdiction may impose limitations that restrict the parties’ ability to freely negotiate the terms of contract. In recent years, the freedom of contract has also been gradually restricted by the EU. For instance, the GDPR sets minimum and non-negotiable terms on data protection, and this standard level of data protection is then enforced through contracts. The Data Act follows in the footsteps of the GDPR and sets minimum requirements for data sharing in business relations.

The Data Act sets a framework for data sharing. In practice, it imposes new obligations on businesses that must be agreed upon in the contract, including

  1. the obligation for data holders to share product and service-generated data with users and third parties;
  2. the obligation for data holders to share data with public sector bodies in exceptional circumstances; and
  3. the obligation for cloud and edge service providers to ensure switching and exporting data from one service provider to another and provide exit and transition support.

As mentioned, this blog will only focus on point 1, i.e. the data-sharing obligations under the Data Act.

While the freedom of contract remains the underlying principle in business relations even after the Data Act becomes applicable on 12 September 2025, business partners must, in addition to other mandatory laws, comply with the requirements of the Data Act.

Data Sharing Terms under the Data Act

In a basic example, a data holder is a manufacturer who has designed and manufactured a connected product, such as a smart vehicle or a wearable, placed on the EU market, and a user is a customer who has bought or leased the product. A user can be a consumer or a business.

As of today, a data holder usually has a strong negotiation position and can reserve all rights and “ownership” to the data collected by the connected product, while a product user has no means to access or benefit from the data. This setup will now change, and users will have strong access and portability rights to the data directly based on mandatory provisions in the law, while the data holder will need to obtain its rights to the data through contracts and negotiation power. Having said that, the user’s rights have limits. The Data Act will not capture all “product data” but rather only applies to data generated by the use of the product. For example, product development data (including prototypes, internal product analyses, and trade secrets) and enriched data (inferred or derived data) are both outside the scope of the Data Act, and the data holder retains “full” rights to these. As one might expect, sometimes the line between in-scope and out-of-scope data is thin, and this is where the contracts and carefully selected contractual terms play a crucial role.

Pursuant to the Data Act, a data holder must make user-generated product and service data available to the user free of charge. There is no provision in the Data Act explicitly listing what should be agreed upon in the contract between the data holder and the user; however, the data holder cannot use data generated by the use of the product or related service unless the parties have agreed on the use in the agreement. Therefore, it is essential for the data holder to agree on the terms under which it retains the right to use the data for its own purposes, e.g., for product development. Similarly, the relevant terms must be agreed upon with and/or flowed down to suppliers who deliver the data-generating components for the connected product.

Upon the user’s request, the product-generated data must also be made available to third parties under fair, reasonable, and non-discriminatory (FRAND) terms. The Data Act recognises that the contracting parties may have an imbalance in negotiating power and, therefore, contains a non-exhaustive list of contractual terms that are always considered unfair and contractual terms that are presumed to be unfair. For example, a clause will be presumed unfair if it prevents the party from making use of the data during the period of the contract. Unfair clauses are void and not binding on the other party.

Unlike the GDPR, the Data Act does not contain a provision listing mandatory contractual terms. However, from a legal and commercial perspective, the relevant contractual terms should include the following:

  • definition of what data is in scope
  • terms under which the data will be made available to users and third parties
  • terms under which the data holder can use the data
  • restrictions on data access and disclosure by the parties
  • non-compete clause (the user or a third party cannot use the data to develop a product that competes with the product from which the data originates)
  • confidentiality obligation
  • security measures based on the risk level associated with the data
  • compensation (only applicable to third parties – SMEs are excluded)
  • personal data terms in line with the GDPR if personal data is in scope
  • liability for breach of contract

Contractual terms on non-standard products designed and tailored to the user could also include terms on “access to data by design and default”. This is yet another example of how the Data Act follows in the footsteps of the GDPR by extending the existing “privacy by design and default principle” beyond personal data and the limitations of the GDPR. Ideally, the contractual terms should stipulate that the connected products and related services must be designed and provided in such a way that product-generated data is accessible by default in real time via a user interface.

In addition, before concluding a contract, the data holder must provide the user with some mandatory information on data collection (cf. “privacy notice” under the GDPR), such as

  • the nature and volume of the data likely to be generated by the use of the product
  • whether the data is likely to be generated continuously and in real-time
  • how the user may access the data
  • whether the manufacturer/service provider intends to use the data itself or allow a third party to use the data and, if so, the purposes for which those data will be used.

For the full list, please see Article 3(2) of the Data Act. Furthermore, it is important to bear in mind that the roles of the parties must be assessed on a case-by-case basis. For example, a manufacturer is not a data holder if a user acquires a product where the data is directly transferred to the user’s computer and the manufacturer has no access to the data. In this case, the parties are not required to agree on the terms in accordance with the Data Act. Consequently, it is advisable to specify this in the agreement to avoid ambiguity and unnecessary disputes. Similarly to the defined terms of the Data Act, the defined terms of the agreement matter.

Interplay Between the GDPR and the Data Act – Personal Data Terms under the GDPR May Need Changes

The GDPR remains valid as it is. When the data to be shared qualifies as personal data, the contracting parties must also assess their roles under the GDPR and establish a legal basis for disclosing the personal data under the GDPR. Since the roles of “data holder” and “user” under the Data Act are not equivalent to the GDPR roles of “controller” and “processor”, the parties must assess and identify their roles on a case-by-case basis under both laws.

Provided that the user is a business, the user is a controller of the personal data. Depending on the case, the data holder may be, for example, a controller or a joint controller. Where the parties are independent controllers, there is no obligation to include any specific data protection provisions in the contract. However, it is advisable to define the roles of the parties under the GDPR and ensure that both parties comply with their respective obligations.

Where the data holder and the user are joint controllers, they shall enter into a joint controller agreement with the mandatory contractual terms under Article 26 of the GDPR.

While many businesses have already entered into data processing agreements (DPA) with their customers and suppliers, the terms may now need updating. For example, businesses may need to align the data-sharing terms under both the Data Act and the GDPR or supplement the existing terms on disclosure of data and data portability.

Who Is Affected by the Contractual Changes?

The data-sharing obligation applies to businesses that manufacture or sell products and related services that generate data through their use via sensors or connection to a mobile network, the internet, or any other network. In practice, the scope is broad and captures a wide range of actors who manufacture, sell, resell, rent, or lease connected products, such as industrial machines and factory appliances, smart vehicles, home automation, and medical devices. The Data Act will require contractual changes to both sales and procurement agreements and related sales/procurement processes and supply chains. In addition to in-house legal counsel, sales and procurement teams must be aware of these obligations and how to agree with customers and suppliers on data disclosure. Furthermore, R&D teams must design the products in a way that data access can be ensured in a secure and lawful way.

Equally important (even though not mandatory) is that users of connected products and related services are prepared in the contract negotiations and aware of their new access rights. In the future, one can expect standard terms relating to data sharing, similar to the data processing terms under the GDPR, and the European Commission will publish a non-binding data sharing agreement that could be useful as a benchmark. In the meantime, the parties should set forth and negotiate their own data-sharing terms.

Timeframe

Most obligations under the Data Act will apply as of 12 September 2025. This deadline also applies to new agreements and their data sharing obligations.

Existing contractual terms on data sharing concluded before the Data Act entered into force (11 January 2024) remain unaffected. However, in the following circumstances, the existing agreements must be updated:

  1. The agreement has indefinite duration; or
  2. The agreement is due to expire at least ten (10) years after the Data Act entered into force (11 January 2034)

Obligations relating to “data access by design and default” under Article 3(1) of the Data Act will apply to the connected products and related services placed on the market after 12 September 2026.

What Can We Do for You?

Hannes Snellman’s IP & Technology Team is here to support your organisation in preparing for the Data Act:

Contract review and negotiation: We regularly support our clients with contract revision and negotiation, with terms and conditions applicable to products and services as well as with IT procurement terms. We know how to transpose regulatory requirements into practical contractual terms that meet both the regulatory requirements and our client’s business needs.

Pre-assessment and/or implementation project: We regularly advise our clients on regulatory projects where we help determine whether specific legislation (e.g., the Data Act) is applicable to their products and services and to what extent they need to implement the needed changes as part of product design and procurement processes. We also draft relevant policies and supplier requirements and advise on relevant governance structures and training. The project scope is agreed upon separately with the client based on client needs.

Everything from day-to-day advice to litigation: We support our clients with a broad range of assignments, whether your question relates to trade secrets, mixed datasets, supply chains, or potential disputes or investigations by authorities.

If you would like to know more, please contact our lawyers below.