Review public-sector requests under Data Act Chapter V before exporting data: identify the exceptional need, check the requester, narrow the dataset, protect personal data and trade secrets, and record the response.
Grounded in Regulation (EU) 2023/2854, the Commission Data Act explainer, and Commission Data Act FAQs. Use it as implementation support, not for legal interpretation.
Structured answer sets in this page tree.
Cited legal and guidance references.
Chapter V of the EU Data Act lets public sector bodies, the Commission, the European Central Bank, and Union bodies request data from data holders only where an exceptional need exists. The route is narrow: the request must be written, justified, proportionate, purpose-limited, protective of confidentiality and trade secrets, and closed with deletion or onward-sharing records.
A Data Act B2G request starts with Article 14: the requester must demonstrate an exceptional need for certain data, including metadata needed to interpret and use it, to carry out statutory duties in the public interest. The data holder must be a legal person other than a public sector body and must hold the requested data.
Article 15 limits exceptional need to two routes. The first is data necessary to respond to a public emergency when the requester cannot obtain it by alternative means in a timely and effective way under equivalent conditions. The second is a non-emergency route for non-personal data only, where a legally assigned public-interest task cannot be fulfilled without specific data and the requester has exhausted other means, including market purchase where available.
Article 17 makes the request itself the control point. It must identify the data required, the metadata needed to interpret it, the exceptional need, the purpose and intended use, the expected duration of use, the data holder chosen, any onward recipients, the legal provision assigning the public task, and the deadlines for both delivery and any decline or modification response.
The request must be written in clear, concise, plain language. It must be specific about data type, correspond to data the holder controls at the time of the request, and be proportionate in granularity, volume, and frequency. It must also address trade secrets, cost and effort, penalties for non-compliance, publication by the relevant data coordinator or EU body, and supervisory-authority notice where personal data is requested.
For public emergency response, the request should seek non-personal data first. Personal data may be requested only if non-personal data is shown to be insufficient for the emergency need, and the request must specify necessary and proportionate technical and organisational measures, including pseudonymisation and whether anonymisation can be applied before disclosure.
For non-emergency exceptional need, Chapter V is limited to non-personal data. The request should therefore be narrowed to the specific data and metadata needed for the public-interest task, with unsuitable fields removed before extraction.
Article 18 requires the data holder to make data available without undue delay, taking account of technical, organisational, and legal measures. It also gives a controlled route to decline or seek modification where the holder does not control the data, a similar same-purpose request is already outstanding without erasure notice, or the request does not meet Article 17 requirements.
The response window is shorter for public emergencies: a decline or modification request must be made without undue delay and no later than five working days after receipt. For other exceptional-need requests, the outer limit is 30 working days. If the matter cannot be resolved by modification, either side may refer it to the competent authority in the Member State where the data holder is established.
Use this guide to structure intake, legal review, data scoping, safeguard terms, delivery or refusal records, compensation notes, and deletion evidence for Data Act B2G requests.
Data received under Chapter V does not become open public-sector information. Article 17 bars reuse under the Data Governance Act and Open Data Directive frameworks, and Article 19 limits use to the purpose stated in the request. The receiving body must protect confidentiality, integrity, transfer security, personal data rights, and trade secrets.
Trade secrets may be disclosed only to the extent strictly necessary for the Article 15 purpose. The data holder or trade secret holder should identify protected data, including relevant metadata. Before disclosure, the public body or EU body must take necessary and appropriate technical and organisational measures to preserve confidentiality.
For public emergency response, Article 20 requires data holders other than microenterprises and small enterprises to provide the necessary data free of charge, with public acknowledgement if requested. The Commission explainer says micro and small companies may ask for remuneration that does not exceed technical and organisational costs, plus acknowledgement on request.
For non-emergency exceptional-need requests under Article 15(1)(b), the data holder is entitled to fair compensation covering technical and organisational costs, including anonymisation, pseudonymisation, aggregation, technical adaptation, and a reasonable margin. No compensation is due for official-statistics tasks where national law does not allow purchase of the data.
The response file should close the loop. Article 19 requires the public body or EU body to erase data once it is no longer necessary for the stated purpose and to inform the data holder and onward recipients without undue delay, unless archiving is required under public-access-to-documents law.
Onward sharing is possible only within Chapter V limits. Article 21 allows sharing for compatible scientific research or analytics, or with national statistical institutes and Eurostat for official statistics. The data holder must be notified of onward sharing, including recipient identity, purpose, use period, and protection measures. Research or statistical recipients must follow the same core obligations and may keep the data for up to six months after the original recipient erases it.