EU Data Act B2B Data Sharing Contract Clauses

A Data Act B2B data-sharing clause should first state why the data holder is making data available. Article 8 applies where, in a business-to-business relationship, a data holder is obliged under Article 5 or other applicable Union or national law to make data available to a data recipient.

Define the user, data holder, data recipient, connected product or related service, dataset, and request route before drafting commercial protections. The Commission's model contractual terms separate the data-holder-to-user, user-to-data-recipient, and data-holder-to-data-recipient relationships, which is a useful drafting structure even when the parties use their own language.

The data schedule should be specific enough for engineering to deliver the package and for legal to test the Data Act scope. Include the connected product or related service, data categories, metadata, quality, format, update frequency, delivery route, security controls, exclusions, and any dependencies on the user's request.

For Chapter II connected-product data, the access right targets readily available product data and related service data, including metadata necessary to interpret and use the data. The Commission FAQs describe the practical boundary as raw and pre-processed data, while inferred or derived outputs from additional investments are outside that access scope unless the parties agree otherwise.

FRAND wording should be measurable. A clause that says access is provided on FRAND terms is weak unless it also explains delivery quality, request verification, support, availability, change notice, security conditions, and how the data holder will show comparable recipients are not treated differently without objective reasons.

Article 8 requires the data holder not to discriminate between comparable categories of data recipients. If a data recipient gives a reasoned request, the data holder must provide information showing there has been no discrimination without undue delay.

A compensation clause should show the calculation basis. Article 9 allows reasonable, non-discriminatory compensation that may include a margin, but the calculation must take account of costs incurred in making data available and, where applicable, investments in collecting and producing the data.

For SME data recipients and not-for-profit research organisations without non-SME partner or linked enterprises, compensation cannot exceed the costs incurred in making the data available. The Data Act also requires the data holder to give the data recipient enough detail to assess whether the Article 9 requirements are met.

Trade secret clauses should not be blanket refusals. Articles 4 and 5 require protected trade secrets to be identified, including in relevant metadata, and disclosed only where the parties take necessary measures before disclosure to preserve confidentiality.

The clause should list the technical and organisational measures that apply to the recipient: confidentiality undertakings, access controls, named users, secure environments, encryption, logging, onward-sharing limits, deletion duties, and incident notice. If no agreement is reached on necessary measures, or if agreed measures are not implemented or confidentiality is undermined, the data holder may withhold or suspend the sharing of identified trade-secret data with written reasons.

Recipient clauses should state the permitted purpose, prohibited uses, onward-sharing controls, data security duties, deletion triggers, and remedies for misuse. Article 11 allows data holders to use technical protection measures such as smart contracts and encryption, provided those measures do not discriminate between data recipients or hinder the user's rights.

The Data Act gives specific response tools when a recipient uses false information, deceptive or coercive means, abuses technical gaps, uses data for unauthorised purposes, unlawfully discloses data, fails to maintain trade-secret safeguards, or removes technical protection measures without agreement.

Article 13 applies to B2B terms concerning access to and use of data, or liability and remedies for breach or termination of data-related obligations, when they are unilaterally imposed by one enterprise on another. If an unfair term is severable, the rest of the contract remains binding.

Do not give one party exclusive power to decide whether supplied data conforms to the contract, remove all remedies for non-performance, block termination within a reasonable period, block copies of data after termination, or allow unexplained unilateral changes to data price, format, quality, nature, or quantity.

Audit and logging clauses should be narrow enough to respect the Data Act's necessity limits. Article 4 says a data holder must not keep user access information, especially log data, beyond what is necessary for sound execution of the access request and for security and maintenance of the data infrastructure.

For B2B recipient access, the contract should keep enough evidence to verify compliance with the access terms and Data Act obligations, but Article 8 prevents the parties from demanding information beyond what is necessary for that verification.

The Data Act covers personal and non-personal data, but it does not supersede GDPR or ePrivacy rules. Article 1 says that where there is a conflict, Union or national personal data and privacy law prevails.

If the user is not the data subject, the data holder may make personal data generated by the connected product or related service available to the user only where there is a valid GDPR legal basis and, where relevant, the conditions for special category data and terminal-equipment access are met. The clause should therefore separate Data Act access mechanics from controller, processor, lawful basis, transparency, minimisation, security, and data-subject-rights terms.

The finished contract pack should include the operative clauses, a dataset schedule, a recipient-use schedule, a compensation calculation note, trade-secret safeguard schedule, personal-data boundary note, logging and audit schedule, and termination and post-termination data handling terms.

Use Commission model contractual terms as drafting support, not as mandatory wording. The public Commission page says the model terms are voluntary, mainly drafted for B2B contracts, and designed to help parties implement the Data Act.