FAQEUData Act

EU Data Act International Government Access FAQ

How Article 32 protects non-personal data held in the Union from unlawful third-country government access.

Use this FAQ to triage foreign authority requests, check conflicts with EU or Member State law, document provider safeguards, and preserve customer-notice and minimisation evidence.

Back to main artifactReview sources
Author
Sorena AI
Published
May 6, 2026
Updated
May 6, 2026
Questions
12

Structured answer sets in this page tree.

Primary sources
9

Cited legal and guidance references.

Publication metadata
Sorena AI
Published May 6, 2026
Updated May 6, 2026
Overview

Article 32 of the EU Data Act applies to providers of data processing services when a third-country court, tribunal, or administrative authority seeks access to or transfer of non-personal data held in the Union. It is not a general ban on international cooperation; it is a conflict-of-law safeguard with specific checks, customer-notice expectations, and minimisation duties.

Search this module

Find a question or answer quickly

12 of 12 questions
Question 1

Who is covered by the Data Act rule on third-country government access?

The Article 32 safeguard is aimed at providers of data processing services, including cloud and edge service contexts covered by the Data Act's data processing services chapter. The protected data is non-personal data held in the Union and falling within the scope of the Regulation.

This is narrower than every foreign authority request a company might receive. A product manufacturer, connected-product data holder, support team, or ordinary business system owner should first ask whether the request is addressed to the provider of a data processing service and whether the requested material is non-personal data held in the Union.

  • Confirm the recipient of the request is the provider of a data processing service.
  • Confirm the requested data is non-personal data held in the Union.
  • Separate this Article 32 analysis from GDPR, criminal-law, customs, taxation, and sector-specific access regimes that may have their own rules.
Citations
Question 2

What must providers do before a foreign government request ever arrives under the Data Act?

The Data Act context is the starting point for this answer. Providers must maintain technical, organisational, and legal measures, including contractual measures, to prevent third-country governmental access or transfer where the access or transfer would conflict with Union law or the national law of the relevant Member State. The Commission's explainer gives implementation examples such as encryption, audits, and adherence to certification schemes.

Article 28 also creates a transparency obligation: providers must publish and keep updated the jurisdictions whose authorities could seek access through the provider's ICT infrastructure, and must describe the technical, organisational, and contractual measures used to prevent conflicting international governmental access or transfer.

  • Publish the provider infrastructure jurisdictions that may create exposure to third-country authority requests.
  • Publish a general description of preventive technical, organisational, and contractual measures.
  • Keep the public information current and list the relevant website in contracts for data processing services.
Citations
Recommended next step

Data Act Operationalise Article 32 Request Handling

Turn Data Act international government access safeguards into an intake, escalation, minimisation, customer-notice, and evidence workflow for data processing services.

Research workflow
Open Research Copilot

Get cited answers on Article 32 safeguards, Article 28 transparency duties, and adjacent Data Act obligations.

Explore next step
Talk to Sorena
Discuss Data Act Access Controls

Review how foreign authority request handling affects cloud contracts, customer notice, data minimisation, and evidence records.

Explore next step
Question 3

Does a third-country court order or authority decision automatically work in the EU under the Data Act?

The Data Act context is the starting point for this answer. No. A third-country court judgment, tribunal decision, or administrative authority decision requiring access to or transfer of covered non-personal data is recognised or enforceable only if it is based on an international agreement in force between the requesting third country and the Union or a Member State, such as a mutual legal assistance treaty.

The intake question should therefore be: what is the exact legal instrument, and what international agreement does it rely on? Without that link, the provider moves to the fallback Article 32 conditions rather than treating the request as automatically enforceable.

  • Capture the decision, judgment, subpoena, warrant, or administrative order as received.
  • Identify the requesting authority and the third country.
  • Verify whether an in-force international agreement covers the request before recognising or enforcing it.
Citations
Question 4

What happens if there is no international agreement and compliance may conflict with EU or Member State law under the Data Act?

The Data Act context is the starting point for this answer. Article 32 allows access or transfer without an international agreement only if defined safeguards are met. The third-country system must require reasons and proportionality, the decision must be specific, the provider's reasoned objection must be reviewable by a competent third-country court or tribunal, and that court or tribunal must be empowered to take account of relevant legal interests protected by Union or Member State law.

This is the core conflict analysis. A provider should not answer only with a business approval or general law-enforcement cooperation statement; it needs a record showing how each Article 32 condition was checked for the request.

  • Check whether the request states reasons, proportionality, and a specific link to suspected persons, infringements, or another sufficiently specific matter.
  • Check whether a reasoned objection by the provider can be reviewed by a competent third-country court or tribunal.
  • Check whether that court or tribunal can consider the relevant EU or Member State legal interests.
Citations
Question 5

When should the provider ask a national authority for an opinion under the Data Act?

The Data Act context is the starting point for this answer. The provider may ask the relevant national body or authority competent for international cooperation in legal matters for an opinion on whether the Article 32 conditions are met. Article 32 specifically calls out this route where the decision may relate to trade secrets, commercially sensitive data, intellectual property-protected content, or transfer that may lead to re-identification.

The provider must ask that national body or authority for an opinion if it considers that the decision or judgment may affect national security or defence interests of the Union or its Member States. If there is no reply within one month, or the opinion says the conditions are not met, the provider may reject the access or transfer request on those grounds.

  • Escalate for an opinion when trade secrets, commercially sensitive data, intellectual property, or re-identification risk are part of the request.
  • Request an opinion when national security or defence interests may be affected.
  • Record the date of the opinion request, any response, and whether the one-month no-reply rule became relevant.
Citations
Question 6

If the request can be complied with, how much data may be provided under the Data Act?

The Data Act context is the starting point for this answer. Article 32 requires minimisation. If the conditions for access or transfer are met, the provider must provide the minimum amount of data permissible in response to the request, based on the provider's reasonable interpretation of the request or the interpretation of the relevant national body or authority.

The evidence file should therefore include both the requested data and the data actually disclosed. That lets a later reviewer see why excluded fields, logs, metadata, backups, or derived records were outside the minimum permissible response.

  • Translate the foreign request into a specific data inventory before disclosure.
  • Remove data categories not necessary for the permissible response.
  • Keep a disclosure log showing the request, interpretation, data supplied, data withheld, and approver.
Citations
Question 7

Must the provider tell the customer before complying under the Data Act?

The Data Act context is the starting point for this answer. Yes, Article 32 requires the provider to inform the customer about the existence of a third-country authority request before complying with that request. The exception is where the request serves law-enforcement purposes and withholding notice is necessary to preserve the effectiveness of the law-enforcement activity.

Customer notice should be a controlled workflow, not an informal support message. The record should show whether notice was given, what was said, when it was sent, and, if notice was delayed or withheld, the documented law-enforcement reason.

  • Notify the customer before compliance unless the law-enforcement exception applies.
  • Keep the notification content, timestamp, recipient, and channel.
  • Document the reason and duration for any delayed or withheld notice.
Citations
Question 8

How does this differ from EU public-sector access under the Data Act?

The Data Act context is the starting point for this answer. International government access under Article 32 is not the same as Chapter V business-to-government data sharing. Chapter V concerns EU public sector bodies, the Commission, the European Central Bank, and Union bodies accessing privately held data where there is an exceptional need. Article 32 concerns third-country governmental access or transfer of non-personal data held in the Union by providers of data processing services.

Keeping those workflows separate matters because their triggers, requesters, data categories, and safeguards differ. A provider receiving a non-EU authority request should not reuse an EU public-emergency request template without checking Article 32.

  • Use Chapter V workflows for qualifying EU public-sector exceptional-need requests.
  • Use Article 32 workflows for third-country governmental access or transfer requests to providers of data processing services.
  • Do not mix EU public-body request evidence with third-country conflict-of-law evidence.
Citations
Question 9

What evidence should a provider retain for an Article 32 request under the Data Act?

The Data Act context is the starting point for this answer. The minimum useful evidence set is the received request, the identity and authority of the requester, the requested data inventory, the EU or Member State conflict assessment, any international-agreement analysis, any national-authority opinion request or response, the customer-notice record, the minimisation analysis, and the final disclosure or refusal log.

For standing compliance, keep the published Article 28 web disclosure, contract references to that web page, safeguard descriptions, control-owner assignments, and change history for technical, organisational, legal, and contractual measures. These records show that the provider had preventive controls before the request, not only a one-off response after escalation.

  • Retain the request and legal-basis analysis.
  • Retain the conflict, opinion, notice, minimisation, and outcome records.
  • Retain public transparency and contract evidence for the provider's preventive measures.
Citations
Question 10

What is the practical intake checklist for a non-EU government access request under the Data Act?

The Data Act context is the starting point for this answer. Start by freezing the request record and routing it to legal, security, cloud operations, and the customer account owner. Then confirm whether Article 32 applies, whether an international agreement supports recognition or enforceability, whether no-agreement safeguards are met, whether a national-authority opinion is needed, whether customer notice is required or temporarily restricted, and what minimum data can be disclosed if compliance is allowed.

The highest-risk shortcut is treating the request as an ordinary support ticket. The Data Act expects a provider-level conflict review, not only identity verification of the requester.

  • Log requester, authority, country, legal instrument, deadline, customer, service, and data location.
  • Assess Article 32 scope, agreement basis, no-agreement safeguards, national-authority opinion route, customer notice, and minimisation.
  • Close the record with a disclosure, partial disclosure, rejection, escalation, or deferred-notice outcome.
Citations
Question 11

What does a clean EU Data Act Article 32 decision record look like when the provider must respond?

Under the Data Act, record the legal basis first: whether the request is enforceable under an in-force international agreement or must pass the Article 32(3) conflict checks. If there is doubt, document the national-body opinion request, the one-month reply window, and the final reason for accepting or rejecting access.

Then keep the record narrow. Note the minimum amount of data disclosed under Article 32(4), the date and method of customer notice under Article 32(5), and the safeguard controls used to prevent broader access than the Regulation allows.

  • Keep one file for the legal basis and another for the disclosure scope.
  • Note whether the customer was notified before access and whether a law-enforcement exception applied.
  • Store the final acceptance, refusal, or partial disclosure decision with the cited Article 32 clause.
Citations
Question 12

Does the EU Data Act Article 32 rule cover personal data, or only non-personal data held in the EU?

Under the Data Act, Article 32 governs third-country governmental access to non-personal data held in the Union by providers of data processing services, while access requests touching personal data are governed by the GDPR and its international-transfer rules. A request spanning a mixed dataset can engage both regimes at once.

A provider should therefore separate the personal and non-personal elements of a foreign request, applying the Article 32 safeguards to the non-personal data and the GDPR transfer analysis to any personal data involved.

  • Apply Article 32 safeguards to non-personal data held in the Union by data processing services.
  • Route personal-data elements of a foreign request through the GDPR international-transfer analysis.
Primary sources

References and citations

Regulation (EU) 2023/2854 (Data Act)
eur-lex.europa.eu
Referenced sections
  • Binding Data Act text for Article 28 contractual transparency and Article 32 international governmental access and transfer safeguards.
Related guides

Explore more topics

Data Act and Common European Data Spaces
How Data Act Article 33 connects data-space participation with metadata, vocabularies, APIs, access terms, data quality, governance, and standards monitoring.
Data Act and Data Governance Act Overlap FAQ
FAQ explaining where the EU Data Act and Data Governance Act overlap, how they differ, and how to route product, cloud, public-sector reuse, intermediary, and data altruism workflows.
Data Act and GDPR Personal Data Overlap FAQ
FAQ on how the EU Data Act works when connected-product or related-service data includes personal data, mixed datasets, GDPR roles, lawful basis, trade secrets, and third-party sharing.
Data Act Audit Evidence And Request Logs FAQ
FAQ for Data Act request logs covering user and third-party access, B2G exceptional need requests, cloud switching records, contract terms, trade secrets, and GDPR boundaries.
Data Act B2B Data-Sharing Contract Clauses
Clause guide for EU Data Act B2B data sharing: FRAND terms, compensation, trade secret safeguards, recipient limits, termination, logs, and GDPR boundaries.
Data Act B2B Data-Sharing Contract Template
A usable EU Data Act B2B data-sharing template outline covering access requests, data schedules, permitted use, trade secrets, security, compensation, GDPR boundaries, audit records, and termination.
Data Act B2G Exceptional-Need Requests
A grounded guide to EU Data Act Chapter V requests from public bodies: exceptional need, public emergencies, request contents, limits, safeguards, costs, and records.
Data Act Cloud Switching Compliance Checklist
A grounded EU Data Act checklist for cloud and data processing service providers covering switching clauses, notices, export formats, charges, interoperability, and evidence.
Data Act Cloud Switching Contract Terms FAQ
FAQ on EU Data Act cloud switching contract terms: Article 25 clauses, assistance, notice, transition, charges, export, termination, interoperability, and records.
Data Act Cloud Switching Fees And Deadlines FAQ
FAQ on EU Data Act cloud switching charges, 2027 fee removal, notice periods, transition windows, data retrieval, contract terms, and evidence records.
Data Act Complaints and Dispute Settlement FAQ
FAQ on EU Data Act complaints, competent authorities, dispute settlement bodies, B2B data-sharing disputes, B2G requests, cloud switching disputes, and evidence records.
Data Act Exportable Data and Metadata FAQ
FAQ explaining which product, related service, metadata, and cloud switching data must be exportable under the EU Data Act, and which data can be excluded.
Data Act FAQ for Aftermarket Repair and Mobility Services
FAQ on EU Data Act vehicle-data access for repairers, independent service providers, fleets, insurers, and mobility services.
Data Act Functional Equivalence FAQ
FAQ on Data Act functional equivalence for cloud switching: IaaS scope, customer outcomes, export support, interoperability duties, limits, and evidence.
Data Act Indirect Access Request Flows FAQ
FAQ for Data Act teams handling user and third-party data requests when direct connected-product access is unavailable, incomplete, or limited.
Data Act Interoperability Standards FAQ
FAQ on EU Data Act interoperability standards for data spaces, cloud switching, smart contracts, harmonised standards, common specifications, and M/614.
Data Act Model Contractual Terms FAQ
FAQ on the EU Data Act non-binding model contractual terms for data access and use, cloud switching clauses, B2B use, unfair terms, and evidence.
Data Act Public Emergency Requests FAQ
FAQ on EU Data Act public emergency requests: exceptional need, request content, timing, data holder response, compensation, confidentiality, and records.
Data Act Smart Contracts for Data Sharing
Data Act Article 36 smart contract guide for data-sharing agreements: scope, robustness, access control, termination, interruption, archiving, standards status, and conformity evidence.
Data Act SME Exceptions and Startups FAQ
FAQ on where the EU Data Act gives micro, small, medium-sized, startup, and SME actors narrower treatment for access duties, compensation, and B2B terms.
Data Act Trade Secret Technical Protection Measures FAQ
FAQ on how EU Data Act data holders can protect trade secrets with confidentiality safeguards, technical measures, limited withholding, suspension, refusal, and evidence.
Data Act Trade Secrets and Protection Measures
Data Act guide for protecting trade secrets during access and sharing: classification, safeguards, refusal thresholds, notices, evidence records, and reviews.
Data Act Unfair Contractual Terms | Article 13 B2B Contract Review
Review B2B data-sharing clauses under EU Data Act Article 13: unilateral terms, always unfair examples, presumed unfair terms, model clauses, evidence, and remediation.
Data Act Vehicle Data Guidance
Commission-grounded guide to Data Act vehicle data access: connected vehicles, vehicle-related services, raw and pre-processed data, aftermarket use cases, access routes, safeguards, and GDPR boundaries.
Data Act vs GDPR: connected-product data access
Compare EU Data Act connected-product access duties with GDPR personal-data rules: scope, roles, lawful basis, data subject rights, third-party sharing, trade secrets, and conflicts.
EU Data Act and Common European Data Spaces FAQ
FAQ on how EU Data Act interoperability duties, Data Governance Act rules, and sector data-space governance fit together without treating participation as a general obligation.
EU Data Act Applicability Test
Check whether a product, related service, data holder, cloud service, data-space role, smart contract, or B2G request is in scope of the EU Data Act.
EU Data Act Application Dates And Transition FAQ
FAQ on when the EU Data Act applies, which obligations are delayed, and what product, contract, cloud, and evidence records teams should maintain.
EU Data Act Article 3 Pre-Contract Information
What Article 3 of the EU Data Act requires before connected-product purchase, rent, lease, or related-service contracting: data categories, access, data holder identity, third-party sharing, complaints, and evidence.
EU Data Act Article 36 Smart Contract Controls FAQ
FAQ explaining when EU Data Act Article 36 applies to smart contracts for data-sharing agreements and what controls, conformity evidence, and limits it requires.
EU Data Act B2B Data Sharing Compensation FAQ
FAQ on when Data Act data holders may charge B2B data recipients, what reasonable compensation can include, SME limits, unfair terms, disputes, and trade secret safeguards.
EU Data Act B2G Compensation and Costs FAQ
FAQ on when Data Act B2G exceptional-need requests are free, when fair compensation may be claimed, which costs can be included, and what records to keep.
EU Data Act B2G Exceptional Need FAQ
When public-sector bodies can request business-held data under the EU Data Act, what a valid request must contain, and how data holders handle limits, trade secrets, compensation, and evidence.
EU Data Act Checklist for Product, Cloud, and Contract Teams
A grounded EU Data Act checklist for connected-product data access, third-party sharing, B2G requests, cloud switching, unfair terms, smart contracts, personal data boundaries, evidence, and owners.
EU Data Act Cloud Switching and Exit Plans
A grounded EU Data Act guide for data processing service exit plans: switching contracts, exportable data, assistance, charges, interoperability, retrieval, erasure, and records.
EU Data Act Cloud Switching Procurement FAQ
Procurement checklist FAQ for EU Data Act cloud switching: contract terms, exit support, exportable data, switching charges, interoperability, termination, and supplier evidence.
EU Data Act Compliance Program
Build a Data Act compliance program for connected-product data access, contracts, B2G requests, cloud switching, smart contracts, GDPR boundaries, records, and ownership.
EU Data Act Connected Product Scope and Data Types
Classify EU Data Act connected products, related services, product data, related-service data, readily available data, metadata, and excluded derived outputs.
EU Data Act Connected Product Scope FAQ
FAQ explaining when connected products, related services, generated data, EU market placement, and SME exceptions fall within EU Data Act scope.
EU Data Act Data Processing Service Switching
A grounded EU Data Act guide for provider and customer switching duties: exit assistance, exportable data, contract clauses, charges, interoperability, retrieval, and erasure.
EU Data Act data spaces interoperability FAQ
FAQ explaining Article 33 Data Act interoperability requirements for data-space participants, common European data spaces, standards, APIs, metadata, and architecture evidence.
EU Data Act deadlines and compliance calendar
A source-linked calendar for EU Data Act application dates, product design timing, contract remediation, cloud switching charges, response periods, standards work, and evidence records.
EU Data Act Direct Access by Design FAQ
FAQ for product and legal teams designing user access to connected-product and related-service data under the EU Data Act.
EU Data Act Enforcement And Competent Authorities FAQ
FAQ on who enforces the EU Data Act, how complaints work, how Member States set penalties, when dispute settlement can be used, and when GDPR authorities remain responsible.
EU Data Act FAQ: scope, access rights, B2G, cloud switching, GDPR, and dates
Grounded EU Data Act FAQ index covering connected-product data access, third-party sharing, B2G exceptional need, cloud switching, smart contracts, GDPR boundaries, unfair terms, trade secrets, and application dates.
EU Data Act Non-Emergency Public-Sector Requests FAQ
FAQ on EU Data Act requests where a public body claims exceptional need outside a public emergency, including scope, request contents, limits, compensation, confidentiality, and evidence.
EU Data Act Non-Personal Data and Mixed Datasets FAQ
FAQ on how the EU Data Act treats non-personal data, mixed datasets, GDPR precedence, user and third-party access, trade-secret limits, and evidence records.
EU Data Act Penalties and Enforcement
Grounded guide to Data Act penalties under Article 40, Member State enforcement, penalty factors, complaints, judicial remedies, and the GDPR enforcement boundary.
EU Data Act Pre-Contractual Information FAQ
FAQ on EU Data Act Article 3 pre-contract information for connected products and related services, including data categories, access methods, data holder identity, third-party sharing, and GDPR boundaries.
EU Data Act Product Data vs Related Service Data FAQ
FAQ explaining how the EU Data Act separates connected product data, related service data, readily available raw and pre-processed data, metadata, and inferred or derived outputs.
EU Data Act Readily Available Data FAQ
FAQ on what counts as readily available data under the EU Data Act, including product data, related service data, metadata, inferred data, and access mechanics.
EU Data Act Related Services FAQ
FAQ explaining when software is a Data Act related service, how it links to connected products, which product and service data are in scope, and what exclusions apply.
EU Data Act requirements
Source-grounded EU Data Act requirements for connected-product data access, B2B sharing terms, B2G exceptional needs, cloud switching, smart contracts, interoperability, GDPR boundaries, and records.
EU Data Act Smart Contracts for Data Sharing FAQ
Answers on Article 36 Data Act smart-contract requirements for data sharing: scope, robustness, access control, termination, archiving, conformity assessment, contract terms, and standards status.
EU Data Act Third-Party Data Sharing FAQ
FAQ on user-directed third-party data sharing under the EU Data Act, covering data holder duties, recipient limits, trade secrets, security, GDPR, and gatekeepers.
EU Data Act Trade Secret Safeguards FAQ
FAQ on protecting trade secrets when handling EU Data Act user and third-party data access requests, including safeguards, withholding, suspension, refusal, notices, and records.
EU Data Act Unfair Contractual Terms FAQ
FAQ on Article 13 of the EU Data Act: B2B unfair contract terms, unilateral take-it-or-leave-it clauses, always-unfair terms, presumed-unfair terms, SMEs, model terms, and review evidence.
EU Data Act User Access and Portability Rights
Practical guide to EU Data Act user access, connected-product data portability, third-party sharing, trade secret safeguards, and the GDPR boundary.
EU Data Act Users, Data Holders, and Recipients FAQ
FAQ explaining Data Act users, data holders, data recipients, connected products, related services, user access, third-party limits, and GDPR boundaries.
EU Data Act Vehicle Data Guidance FAQ
FAQ on EU Data Act vehicle data guidance for connected vehicles, aftermarket repair, mobility services, third-party access, trade secrets, security, and GDPR boundaries.
EU Data Act vs Data Governance Act
Compare the EU Data Act with the Data Governance Act: connected-product access, cloud switching, B2B/B2G duties, protected public-sector reuse, intermediaries, altruism, governance, and enforcement.