Contract TemplateEUData Act

EU Data Act B2B Data-Sharing Contract Template

Use this as a drafting outline for B2B Data Act data-sharing agreements: identify the user and data holder, define the dataset, record the access route, set permitted-use limits, protect trade secrets, price access transparently, and preserve evidence.

The structure is grounded in Regulation (EU) 2023/2854, the Commission Data Act FAQ, and Commission materials on data contracts and model terms. It is a practical drafting aid, supporting implementation planning and should be validated against jurisdiction-specific legal, contractual, and policy requirements before implementation.

Back to main artifactReview sources
Author
Sorena AI
Published
May 6, 2026
Updated
May 25, 2026
Sections
9

Structured answer sets in this page tree.

Primary sources
4

Cited legal and guidance references.

Publication metadata
Sorena AI
Published May 6, 2026
Updated May 25, 2026
Overview

A Data Act B2B data-sharing contract should not be a generic confidentiality addendum. It needs schedules that product, legal, security, privacy, and commercial teams can complete for a specific connected product, related service, user request, data recipient, dataset, delivery method, and compensation position.

Section 1

Data Act Template front sheet: parties, role, request authority, and source rule

Start the template with a front sheet that makes the Data Act role map explicit. The same company can be a user for one product and a data holder for another, so the agreement should not rely on generic supplier or customer labels.

The front sheet should also state whether the data is made available to the user under Article 4, to a third party at the user's request under Article 5, or to a data recipient under another EU or national legal obligation covered by Chapter III.

  • Required fields: agreement title, version, product or related service, user, data holder, data recipient or third party, trade secret holder if different, privacy contact, security contact, and commercial owner.
  • Authority fields: evidence that the requester is the user or acts on the user's behalf, the request channel used, the requested purpose, and any limits on the information collected only to what is necessary to verify the role.
  • Scope switch: mark whether this is direct user access, data-holder-to-third-party sharing, or another legally required B2B data availability arrangement.
  • Complaint and dispute fields: name the competent authority route, court route, and whether the parties agree to use a certified dispute settlement body for FRAND, safety, security, or trade-secret disputes.
Sources for this answer
Regulation (EU) 2023/2854 (Data Act)
Articles 4, 5, 8, and 10 support the template fields for user requests, third-party sharing, B2B FRAND arrangements, and dispute settlement.
European Commission - Data Act FAQ
The FAQ explains role mapping, multiple-user scenarios, and that companies may have different Data Act roles in different product or service relationships.
Section 3

Data Act Access method clause: delivery channel, service levels, security controls, and technical protection

The agreement should state how access happens, not just that access is allowed. A usable clause names the interface, authentication method, delivery frequency, error handling, support route, and evidence kept for each transfer.

Security language should protect the data and the connected product without becoming a hidden veto over the user's access right.

  • Delivery fields: API endpoint, export workspace, on-device or remote access route, authentication method, encryption in transit, credential owner, start date, frequency, and termination or pause trigger.
  • Service-level fields: expected response time, batch or real-time delivery, data refresh interval, planned downtime notice, incident contact, and fallback delivery if the main route fails.
  • Technical protection fields: encryption, access logs, strict access protocols, smart contract or other control where used, and an express rule that controls cannot discriminate between comparable recipients or obstruct Data Act access rights.
  • Security restriction fields: the legal security requirement relied on, the serious adverse effect being avoided, the narrower restriction proposed, the notice to the competent authority if sharing is refused, and the user's challenge route.
Sources for this answer
Regulation (EU) 2023/2854 (Data Act)
Article 4 supports secure access and limited security restrictions; Article 11 supports technical protection measures that prevent unauthorised use without blocking lawful access.
European Commission - Data Act FAQ
The FAQ explains practical format, latency, convenience, security, and the safety and security handbrake for access restrictions.
Section 4

Data Act Permitted use clause: purpose, recipient obligations, onward sharing, and competing-product limits

The permitted-use clause should be short enough to enforce and specific enough to audit. It should tie use of the data to the purpose agreed with the user and identify uses that the Data Act does not allow.

For third-party recipients, the template should include recipient undertakings rather than leaving them in a separate service proposal.

  • Purpose fields: agreed service or business purpose, user instruction, authorised users, authorised systems, data retention period for the purpose, and erasure or return step when the purpose ends.
  • Recipient promises: do not use coercive or deceptive means to obtain data, do not abuse technical gaps, do not undermine agreed trade-secret safeguards, and do not remove technical protection measures without agreement.
  • Onward sharing fields: whether onward sharing is allowed, identity of onward recipient, contract with the user, confidentiality measures carried forward, and a prohibition on making data available to a Digital Markets Act gatekeeper through the Article 5 route.
  • Competition limits: do not use the data to develop a competing connected product and do not use non-personal product or related service data to derive insights about the data holder's economic situation, assets, production methods, or use.
Sources for this answer
Regulation (EU) 2023/2854 (Data Act)
Article 6 supports recipient-purpose limits, erasure, profiling limits, onward-sharing controls, gatekeeper limits, and competing-product prohibitions.
European Commission - Data Act FAQ
FAQ Questions 35 and 36 explain what third parties may do with received data and why DMA gatekeepers cannot rely on the Article 5 mandatory sharing route.
Section 5

Data Act Trade secret annex: identification, safeguards, handbrake records, and notice

Do not hide trade secrets in a broad confidentiality clause. The annex should require the data holder or trade secret holder to identify the protected data, including relevant metadata, before disclosure and to agree proportionate safeguards with the user or third party.

The same annex should record the limited cases where sharing is withheld, suspended, or refused and the notices that must follow.

  • Identification fields: trade secret owner, dataset rows or fields affected, metadata marking, reason for confidentiality, jurisdictions or recipients that increase risk, and whether a redacted or filtered dataset can satisfy the request.
  • Safeguard fields: confidentiality agreement, strict access protocol, access list, encryption, secure workspace, export limits, deletion duty, audit trail, technical standard, code of conduct, or Commission model term where used.
  • Withhold or suspend record: missing safeguard agreement, failed implementation, confidentiality undermined, data affected, written reasons, competent-authority notice, and restart condition.
  • Exceptional refusal record: specific data refused, objective evidence of highly likely serious economic damage, why safeguards are insufficient, written notice, competent-authority notice, and challenge route.
Sources for this answer
Regulation (EU) 2023/2854 (Data Act)
Articles 4(6)-(9) and 5(9)-(12) support trade-secret identification, safeguards, withholding, suspension, exceptional refusal, notices, and challenge routes.
European Commission - Data Act FAQ
FAQ Question 23 explains that trade-secret protection continues and describes the Data Act handbrake mechanism for withholding, suspension, and exceptional refusal.
Section 6

Data Act Compensation schedule: FRAND terms, cost basis, SME cap, and invoice evidence

The compensation schedule should make the pricing basis visible before the parties argue about the number. Under Chapter III, compensation in B2B data availability arrangements must be non-discriminatory and reasonable, and the data holder must explain the calculation in enough detail for the recipient to assess it.

If the data recipient is an SME or a not-for-profit research organisation without non-SME partner or linked enterprises, the template should flag the narrower cost ceiling.

  • Pricing fields: cost elements for formatting, electronic dissemination, storage, access setup, support, anonymisation or pseudonymisation where relevant, volume, format, nature of the data, and any margin.
  • SME and research fields: recipient status, linked or partner enterprise check, whether the SME or not-for-profit research cost limit applies, and excluded margin if the limit applies.
  • Non-discrimination fields: comparable recipient category, comparable prior terms, differences justified by volume, format, nature, access route, support level, or legal obligation.
  • Invoice evidence: calculation worksheet, cost assumptions, access logs, delivered volume, credit or adjustment mechanism, and dispute route for FRAND or compensation disagreement.
Sources for this answer
Regulation (EU) 2023/2854 (Data Act)
Articles 8 and 9 support FRAND access terms, transparent compensation, cost factors, SME and research limits, and calculation disclosure.
European Commission - Data Act FAQ
FAQ Questions 38 to 40 explain comparable-recipient analysis, compensation transparency, SME margin limits, and dispute settlement.
Section 7

Data Act GDPR boundary clause: personal data, mixed datasets, controller roles, and minimisation

The Data Act does not supersede GDPR or ePrivacy rules. The contract should therefore treat mixed personal and non-personal datasets as a privacy review trigger rather than as ordinary commercial data.

The clause should record whether the user is the data subject, whether the requested data includes personal data of other people, and which legal basis and safeguards are relied on for each processing step.

  • Boundary fields: personal data present, special-category data present, terminal-equipment access issue, user is or is not the data subject, controller or processor allocation, and data subject rights owner.
  • Legal basis fields: Article 6 GDPR basis, Article 9 GDPR condition if needed, ePrivacy condition if terminal-equipment access is relevant, and why the Data Act is not being treated as a standalone legal basis to collect or generate personal data.
  • Minimisation fields: data fields removed, pseudonymisation, anonymisation, filtering to the user's own data where feasible, retention period, erasure step, and audit log retention limited to access execution, security, and infrastructure maintenance.
  • Conflict rule: the agreement should state that Data Act access, recipient use, and onward sharing do not reduce data subject rights under Union or national data protection law.
Sources for this answer
Regulation (EU) 2023/2854 (Data Act)
Recital 7 and Articles 4(12), 5(7), 5(13), and 6 support GDPR and ePrivacy boundaries for personal data in Data Act access flows.
European Commission - Data Act FAQ
The FAQ explains that the Data Act complements GDPR portability and that different personal-data scenarios require separate analysis.
Section 8

Data Act Audit, unfair-term review, breach remedies, and termination

The final schedules should make the agreement reviewable after signature. Keep records showing which data was requested, what was delivered, what was withheld or restricted, why compensation was charged, and how misuse or termination is handled.

Unfair-term review belongs in the template because Chapter IV can apply to data-access and data-use terms inside a broader commercial contract, even when the main contract is not primarily a data-sharing agreement.

  • Audit fields: request log, authority evidence, completed data schedule, delivery logs, access logs, trade-secret decisions, compensation worksheet, security incidents, erasure confirmations, and version history.
  • Unfair-term checks: no unilateral term giving one party exclusive power to decide conformity or interpret the contract; no inappropriate limits on remedies; no unreasonable short-notice termination; no unjustified unilateral change to data nature, format, quality, quantity, or price.
  • Misuse remedies: erase data and copies, stop infringing uses, notify the user of unauthorised use or disclosure, compensate the harmed party where Article 11 conditions apply, and preserve evidence for dispute or authority review.
  • Termination fields: duration, termination notice period, data access end date, survival of confidentiality and trade-secret safeguards, copy or export right within a reasonable period where relevant, return or deletion duty, and post-termination audit evidence.
Sources for this answer
Regulation (EU) 2023/2854 (Data Act)
Articles 11 and 13 support remedies for unauthorised use or disclosure and the unfair-term review points for B2B data access, use, liability, remedies, and termination clauses.
European Commission - Data Act FAQ
FAQ Questions 42 and 42a explain when Article 13 unfairness control applies to data-related clauses, including clauses inside contracts primarily about another subject.
Recommended next step

Data Act Turn the template into a reviewed agreement pack

Use Sorena to connect each clause, schedule, and fallback position to the Data Act source text, the product data map, and the evidence needed for negotiation or review.

Research workflow
Open Research Copilot

Check Data Act scope, clause support, and source citations before sending a template for review.

Explore next step
Talk to Sorena
Talk through implementation

Review product scope, data schedules, trade-secret controls, compensation evidence, and GDPR boundaries.

Explore next step
Section 9

Data Act How to use Commission model contractual terms without overstating them

The Data Act requires the Commission to recommend non-binding model contractual terms on data access and use. Those materials can help drafting, especially for SMEs, but the template should not present them as mandatory clauses or as a substitute for checking the actual product, dataset, role, and legal basis.

Use model terms as a clause library, then keep a clause matrix showing which term supports access mechanics, permitted use, trade secrets, compensation, security, termination, or dispute handling.

  • Model-term fields: model term used, clause amendment, mandatory Data Act rule supported, optional commercial position added, reviewer, and reason for departure from the model.
  • Do not replace the data schedule, GDPR boundary clause, or trade-secret annex with a generic reference to model terms.
  • Do not cite model terms as the legal basis for refusing, pricing, or narrowing access; cite the Data Act article and the facts that support the position.
  • Review the template when Commission model terms, FAQs, sector guidance, product architecture, or data categories materially change.
Sources for this answer
Regulation (EU) 2023/2854 (Data Act)
Article 41 requires Commission-recommended non-binding model contractual terms for data access and use, reasonable compensation, and trade-secret protection.
European Commission - Model contractual terms and cloud SCCs
The Commission model-terms page supports the page's distinction between voluntary drafting support and binding Data Act obligations.
European Commission - Innovative technologies and data in contracts
The Commission contract-law page explains why data-sharing and data-provision contracts need data-specific rights and obligations in addition to general contract law.
Primary sources

References and citations

European Commission - Data Act FAQ
ec.europa.eu
Referenced sections
  • FAQ Questions 42 and 42a explain when Article 13 unfairness control applies to data-related clauses, including clauses inside contracts primarily about another subject.
Regulation (EU) 2023/2854 (Data Act)
eur-lex.europa.eu
Referenced sections
  • Article 41 requires Commission-recommended non-binding model contractual terms for data access and use, reasonable compensation, and trade-secret protection.
Related guides

Explore more topics

Data Act and Common European Data Spaces
How Data Act Article 33 connects data-space participation with metadata, vocabularies, APIs, access terms, data quality, governance, and standards monitoring.
Data Act and Data Governance Act Overlap FAQ
FAQ explaining where the EU Data Act and Data Governance Act overlap, how they differ, and how to route product, cloud, public-sector reuse, intermediary, and data altruism workflows.
Data Act and GDPR Personal Data Overlap FAQ
FAQ on how the EU Data Act works when connected-product or related-service data includes personal data, mixed datasets, GDPR roles, lawful basis, trade secrets, and third-party sharing.
Data Act Audit Evidence And Request Logs FAQ
FAQ for Data Act request logs covering user and third-party access, B2G exceptional need requests, cloud switching records, contract terms, trade secrets, and GDPR boundaries.
Data Act B2B Data-Sharing Contract Clauses
Clause guide for EU Data Act B2B data sharing: FRAND terms, compensation, trade secret safeguards, recipient limits, termination, logs, and GDPR boundaries.
Data Act B2G Exceptional-Need Requests
A grounded guide to EU Data Act Chapter V requests from public bodies: exceptional need, public emergencies, request contents, limits, safeguards, costs, and records.
Data Act Cloud Switching Compliance Checklist
A grounded EU Data Act checklist for cloud and data processing service providers covering switching clauses, notices, export formats, charges, interoperability, and evidence.
Data Act Cloud Switching Contract Terms FAQ
FAQ on EU Data Act cloud switching contract terms: Article 25 clauses, assistance, notice, transition, charges, export, termination, interoperability, and records.
Data Act Cloud Switching Fees And Deadlines FAQ
FAQ on EU Data Act cloud switching charges, 2027 fee removal, notice periods, transition windows, data retrieval, contract terms, and evidence records.
Data Act Complaints and Dispute Settlement FAQ
FAQ on EU Data Act complaints, competent authorities, dispute settlement bodies, B2B data-sharing disputes, B2G requests, cloud switching disputes, and evidence records.
Data Act Exportable Data and Metadata FAQ
FAQ explaining which product, related service, metadata, and cloud switching data must be exportable under the EU Data Act, and which data can be excluded.
Data Act FAQ for Aftermarket Repair and Mobility Services
FAQ on EU Data Act vehicle-data access for repairers, independent service providers, fleets, insurers, and mobility services.
Data Act Functional Equivalence FAQ
FAQ on Data Act functional equivalence for cloud switching: IaaS scope, customer outcomes, export support, interoperability duties, limits, and evidence.
Data Act Indirect Access Request Flows FAQ
FAQ for Data Act teams handling user and third-party data requests when direct connected-product access is unavailable, incomplete, or limited.
Data Act International Government Access FAQ
FAQ on EU Data Act safeguards for non-EU government access to non-personal data held in the Union by data processing service providers.
Data Act Interoperability Standards FAQ
FAQ on EU Data Act interoperability standards for data spaces, cloud switching, smart contracts, harmonised standards, common specifications, and M/614.
Data Act Model Contractual Terms FAQ
FAQ on the EU Data Act non-binding model contractual terms for data access and use, cloud switching clauses, B2B use, unfair terms, and evidence.
Data Act Public Emergency Requests FAQ
FAQ on EU Data Act public emergency requests: exceptional need, request content, timing, data holder response, compensation, confidentiality, and records.
Data Act Smart Contracts for Data Sharing
Data Act Article 36 smart contract guide for data-sharing agreements: scope, robustness, access control, termination, interruption, archiving, standards status, and conformity evidence.
Data Act SME Exceptions and Startups FAQ
FAQ on where the EU Data Act gives micro, small, medium-sized, startup, and SME actors narrower treatment for access duties, compensation, and B2B terms.
Data Act Trade Secret Technical Protection Measures FAQ
FAQ on how EU Data Act data holders can protect trade secrets with confidentiality safeguards, technical measures, limited withholding, suspension, refusal, and evidence.
Data Act Trade Secrets and Protection Measures
Data Act guide for protecting trade secrets during access and sharing: classification, safeguards, refusal thresholds, notices, evidence records, and reviews.
Data Act Unfair Contractual Terms | Article 13 B2B Contract Review
Review B2B data-sharing clauses under EU Data Act Article 13: unilateral terms, always unfair examples, presumed unfair terms, model clauses, evidence, and remediation.
Data Act Vehicle Data Guidance
Commission-grounded guide to Data Act vehicle data access: connected vehicles, vehicle-related services, raw and pre-processed data, aftermarket use cases, access routes, safeguards, and GDPR boundaries.
Data Act vs GDPR: connected-product data access
Compare EU Data Act connected-product access duties with GDPR personal-data rules: scope, roles, lawful basis, data subject rights, third-party sharing, trade secrets, and conflicts.
EU Data Act and Common European Data Spaces FAQ
FAQ on how EU Data Act interoperability duties, Data Governance Act rules, and sector data-space governance fit together without treating participation as a general obligation.
EU Data Act Applicability Test
Check whether a product, related service, data holder, cloud service, data-space role, smart contract, or B2G request is in scope of the EU Data Act.
EU Data Act Application Dates And Transition FAQ
FAQ on when the EU Data Act applies, which obligations are delayed, and what product, contract, cloud, and evidence records teams should maintain.
EU Data Act Article 3 Pre-Contract Information
What Article 3 of the EU Data Act requires before connected-product purchase, rent, lease, or related-service contracting: data categories, access, data holder identity, third-party sharing, complaints, and evidence.
EU Data Act Article 36 Smart Contract Controls FAQ
FAQ explaining when EU Data Act Article 36 applies to smart contracts for data-sharing agreements and what controls, conformity evidence, and limits it requires.
EU Data Act B2B Data Sharing Compensation FAQ
FAQ on when Data Act data holders may charge B2B data recipients, what reasonable compensation can include, SME limits, unfair terms, disputes, and trade secret safeguards.
EU Data Act B2G Compensation and Costs FAQ
FAQ on when Data Act B2G exceptional-need requests are free, when fair compensation may be claimed, which costs can be included, and what records to keep.
EU Data Act B2G Exceptional Need FAQ
When public-sector bodies can request business-held data under the EU Data Act, what a valid request must contain, and how data holders handle limits, trade secrets, compensation, and evidence.
EU Data Act Checklist for Product, Cloud, and Contract Teams
A grounded EU Data Act checklist for connected-product data access, third-party sharing, B2G requests, cloud switching, unfair terms, smart contracts, personal data boundaries, evidence, and owners.
EU Data Act Cloud Switching and Exit Plans
A grounded EU Data Act guide for data processing service exit plans: switching contracts, exportable data, assistance, charges, interoperability, retrieval, erasure, and records.
EU Data Act Cloud Switching Procurement FAQ
Procurement checklist FAQ for EU Data Act cloud switching: contract terms, exit support, exportable data, switching charges, interoperability, termination, and supplier evidence.
EU Data Act Compliance Program
Build a Data Act compliance program for connected-product data access, contracts, B2G requests, cloud switching, smart contracts, GDPR boundaries, records, and ownership.
EU Data Act Connected Product Scope and Data Types
Classify EU Data Act connected products, related services, product data, related-service data, readily available data, metadata, and excluded derived outputs.
EU Data Act Connected Product Scope FAQ
FAQ explaining when connected products, related services, generated data, EU market placement, and SME exceptions fall within EU Data Act scope.
EU Data Act Data Processing Service Switching
A grounded EU Data Act guide for provider and customer switching duties: exit assistance, exportable data, contract clauses, charges, interoperability, retrieval, and erasure.
EU Data Act data spaces interoperability FAQ
FAQ explaining Article 33 Data Act interoperability requirements for data-space participants, common European data spaces, standards, APIs, metadata, and architecture evidence.
EU Data Act deadlines and compliance calendar
A source-linked calendar for EU Data Act application dates, product design timing, contract remediation, cloud switching charges, response periods, standards work, and evidence records.
EU Data Act Direct Access by Design FAQ
FAQ for product and legal teams designing user access to connected-product and related-service data under the EU Data Act.
EU Data Act Enforcement And Competent Authorities FAQ
FAQ on who enforces the EU Data Act, how complaints work, how Member States set penalties, when dispute settlement can be used, and when GDPR authorities remain responsible.
EU Data Act FAQ: scope, access rights, B2G, cloud switching, GDPR, and dates
Grounded EU Data Act FAQ index covering connected-product data access, third-party sharing, B2G exceptional need, cloud switching, smart contracts, GDPR boundaries, unfair terms, trade secrets, and application dates.
EU Data Act Non-Emergency Public-Sector Requests FAQ
FAQ on EU Data Act requests where a public body claims exceptional need outside a public emergency, including scope, request contents, limits, compensation, confidentiality, and evidence.
EU Data Act Non-Personal Data and Mixed Datasets FAQ
FAQ on how the EU Data Act treats non-personal data, mixed datasets, GDPR precedence, user and third-party access, trade-secret limits, and evidence records.
EU Data Act Penalties and Enforcement
Grounded guide to Data Act penalties under Article 40, Member State enforcement, penalty factors, complaints, judicial remedies, and the GDPR enforcement boundary.
EU Data Act Pre-Contractual Information FAQ
FAQ on EU Data Act Article 3 pre-contract information for connected products and related services, including data categories, access methods, data holder identity, third-party sharing, and GDPR boundaries.
EU Data Act Product Data vs Related Service Data FAQ
FAQ explaining how the EU Data Act separates connected product data, related service data, readily available raw and pre-processed data, metadata, and inferred or derived outputs.
EU Data Act Readily Available Data FAQ
FAQ on what counts as readily available data under the EU Data Act, including product data, related service data, metadata, inferred data, and access mechanics.
EU Data Act Related Services FAQ
FAQ explaining when software is a Data Act related service, how it links to connected products, which product and service data are in scope, and what exclusions apply.
EU Data Act requirements
Source-grounded EU Data Act requirements for connected-product data access, B2B sharing terms, B2G exceptional needs, cloud switching, smart contracts, interoperability, GDPR boundaries, and records.
EU Data Act Smart Contracts for Data Sharing FAQ
Answers on Article 36 Data Act smart-contract requirements for data sharing: scope, robustness, access control, termination, archiving, conformity assessment, contract terms, and standards status.
EU Data Act Third-Party Data Sharing FAQ
FAQ on user-directed third-party data sharing under the EU Data Act, covering data holder duties, recipient limits, trade secrets, security, GDPR, and gatekeepers.
EU Data Act Trade Secret Safeguards FAQ
FAQ on protecting trade secrets when handling EU Data Act user and third-party data access requests, including safeguards, withholding, suspension, refusal, notices, and records.
EU Data Act Unfair Contractual Terms FAQ
FAQ on Article 13 of the EU Data Act: B2B unfair contract terms, unilateral take-it-or-leave-it clauses, always-unfair terms, presumed-unfair terms, SMEs, model terms, and review evidence.
EU Data Act User Access and Portability Rights
Practical guide to EU Data Act user access, connected-product data portability, third-party sharing, trade secret safeguards, and the GDPR boundary.
EU Data Act Users, Data Holders, and Recipients FAQ
FAQ explaining Data Act users, data holders, data recipients, connected products, related services, user access, third-party limits, and GDPR boundaries.
EU Data Act Vehicle Data Guidance FAQ
FAQ on EU Data Act vehicle data guidance for connected vehicles, aftermarket repair, mobility services, third-party access, trade secrets, security, and GDPR boundaries.
EU Data Act vs Data Governance Act
Compare the EU Data Act with the Data Governance Act: connected-product access, cloud switching, B2B/B2G duties, protected public-sector reuse, intermediaries, altruism, governance, and enforcement.