--- title: "EU Data Act FAQ: scope, access rights, B2G, cloud switching, GDPR, and dates" canonical_url: "https://www.sorena.io/artifacts/eu/data-act/faq" source_url: "https://www.sorena.io/artifacts/eu/data-act/faq/items/page/21" author: "Sorena AI" description: "Grounded EU Data Act FAQ index covering connected-product data access, third-party sharing, B2G exceptional need, cloud switching, smart contracts, GDPR boundaries, unfair terms, trade secrets, and application dates." published_at: "2026-05-06" updated_at: "2026-05-25" keywords: - "EU Data Act FAQ" - "Data Act scope" - "connected product data" - "B2G data sharing" - "cloud switching" - "GDPR Data Act" - "EU Data Act" - "Data Act FAQ" - "Regulation (EU) 2023/2854" --- **[SORENA](https://www.sorena.io/)** - AI-Powered GRC Platform [Home](https://www.sorena.io/) | [Solutions](https://www.sorena.io/solutions) | [Artifacts](https://www.sorena.io/artifacts) | [About Us](https://www.sorena.io/about-us) | [Contact](https://www.sorena.io/contact) | [Portal](https://app.sorena.io) --- # EU Data Act FAQ: scope, access rights, B2G, cloud switching, GDPR, and dates Grounded EU Data Act FAQ index covering connected-product data access, third-party sharing, B2G exceptional need, cloud switching, smart contracts, GDPR boundaries, unfair terms, trade secrets, and application dates. *FAQ* *EU* *Data Act* ## EU Data Act FAQ hub Answers to the recurring EU Data Act questions that decide whether connected-product data, related-service data, B2G requests, cloud contracts, or smart-contract tooling need a compliance review. Use this index to orient product, legal, cloud, procurement, data protection, security, and public-sector request teams before opening the deeper topic modules. The EU Data Act, Regulation (EU) 2023/2854, creates horizontal rules for fair access to and use of data. Its FAQ set is not only about IoT data portability: it also covers mandatory B2B sharing terms, unfair contractual terms, public-sector access in exceptional need, cloud and edge switching, safeguards against unlawful third-country government access to non-personal data, interoperability, smart contracts, enforcement, and the boundary with GDPR. ## Browse sub-FAQ modules ### [Data Act and Data Governance Act Overlap FAQ](/artifacts/eu/data-act/faq/data-governance-act-overlap.md) FAQ explaining where the EU Data Act and Data Governance Act overlap, how they differ, and how to route product, cloud, public-sector reuse, intermediary, and data altruism workflows. - 12 items ### [Data Act and GDPR Personal Data Overlap FAQ](/artifacts/eu/data-act/faq/gdpr-personal-data-overlap.md) FAQ on how the EU Data Act works when connected-product or related-service data includes personal data, mixed datasets, GDPR roles, lawful basis, trade secrets, and third-party sharing. - 12 items ### [Data Act Audit Evidence And Request Logs FAQ](/artifacts/eu/data-act/faq/audit-evidence-and-request-logs.md) FAQ for Data Act request logs covering user and third-party access, B2G exceptional need requests, cloud switching records, contract terms, trade secrets, and GDPR boundaries. - 12 items ### [Data Act Cloud Switching Contract Terms FAQ](/artifacts/eu/data-act/faq/cloud-switching-contract-terms.md) FAQ on EU Data Act cloud switching contract terms: Article 25 clauses, assistance, notice, transition, charges, export, termination, interoperability, and records. - 12 items ### [Data Act Cloud Switching Fees And Deadlines FAQ](/artifacts/eu/data-act/faq/cloud-switching-fees-and-deadlines.md) FAQ on EU Data Act cloud switching charges, 2027 fee removal, notice periods, transition windows, data retrieval, contract terms, and evidence records. - 12 items ### [Data Act Complaints and Dispute Settlement FAQ](/artifacts/eu/data-act/faq/complaints-and-dispute-settlement.md) FAQ on EU Data Act complaints, competent authorities, dispute settlement bodies, B2B data-sharing disputes, B2G requests, cloud switching disputes, and evidence records. - 12 items ### [Data Act Exportable Data and Metadata FAQ](/artifacts/eu/data-act/faq/exportable-data-and-metadata.md) FAQ explaining which product, related service, metadata, and cloud switching data must be exportable under the EU Data Act, and which data can be excluded. - 12 items ### [Data Act FAQ for Aftermarket Repair and Mobility Services](/artifacts/eu/data-act/faq/aftermarket-repair-and-mobility-services.md) FAQ on EU Data Act vehicle-data access for repairers, independent service providers, fleets, insurers, and mobility services. - 12 items ### [Data Act Functional Equivalence FAQ](/artifacts/eu/data-act/faq/functional-equivalence.md) FAQ on Data Act functional equivalence for cloud switching: IaaS scope, customer outcomes, export support, interoperability duties, limits, and evidence. - 12 items ### [Data Act Indirect Access Request Flows FAQ](/artifacts/eu/data-act/faq/indirect-access-request-flows.md) FAQ for Data Act teams handling user and third-party data requests when direct connected-product access is unavailable, incomplete, or limited. - 12 items ### [Data Act International Government Access FAQ](/artifacts/eu/data-act/faq/international-government-access.md) FAQ on EU Data Act safeguards for non-EU government access to non-personal data held in the Union by data processing service providers. - 12 items ### [Data Act Interoperability Standards FAQ](/artifacts/eu/data-act/faq/interoperability-standards.md) FAQ on EU Data Act interoperability standards for data spaces, cloud switching, smart contracts, harmonised standards, common specifications, and M/614. - 12 items ### [Data Act Model Contractual Terms FAQ](/artifacts/eu/data-act/faq/model-contractual-terms.md) FAQ on the EU Data Act non-binding model contractual terms for data access and use, cloud switching clauses, B2B use, unfair terms, and evidence. - 12 items ### [Data Act Public Emergency Requests FAQ](/artifacts/eu/data-act/faq/public-emergency-requests.md) FAQ on EU Data Act public emergency requests: exceptional need, request content, timing, data holder response, compensation, confidentiality, and records. - 12 items ### [Data Act SME Exceptions and Startups FAQ](/artifacts/eu/data-act/faq/sme-exceptions-and-startups.md) FAQ on where the EU Data Act gives micro, small, medium-sized, startup, and SME actors narrower treatment for access duties, compensation, and B2B terms. - 12 items ### [Data Act Trade Secret Technical Protection Measures FAQ](/artifacts/eu/data-act/faq/trade-secret-technical-protection-measures.md) FAQ on how EU Data Act data holders can protect trade secrets with confidentiality safeguards, technical measures, limited withholding, suspension, refusal, and evidence. - 12 items ### [EU Data Act and Common European Data Spaces FAQ](/artifacts/eu/data-act/faq/data-act-and-common-european-data-spaces.md) FAQ on how EU Data Act interoperability duties, Data Governance Act rules, and sector data-space governance fit together without treating participation as a general obligation. - 12 items ### [EU Data Act Application Dates And Transition FAQ](/artifacts/eu/data-act/faq/application-dates-and-transition.md) FAQ on when the EU Data Act applies, which obligations are delayed, and what product, contract, cloud, and evidence records teams should maintain. - 12 items ### [EU Data Act Article 36 Smart Contract Controls FAQ](/artifacts/eu/data-act/faq/article-36-smart-contract-controls.md) FAQ explaining when EU Data Act Article 36 applies to smart contracts for data-sharing agreements and what controls, conformity evidence, and limits it requires. - 12 items ### [EU Data Act B2B Data Sharing Compensation FAQ](/artifacts/eu/data-act/faq/compensation-for-b2b-data-sharing.md) FAQ on when Data Act data holders may charge B2B data recipients, what reasonable compensation can include, SME limits, unfair terms, disputes, and trade secret safeguards. - 12 items ### [EU Data Act B2G Compensation and Costs FAQ](/artifacts/eu/data-act/faq/b2g-compensation-and-costs.md) FAQ on when Data Act B2G exceptional-need requests are free, when fair compensation may be claimed, which costs can be included, and what records to keep. - 12 items ### [EU Data Act B2G Exceptional Need FAQ](/artifacts/eu/data-act/faq/b2g-exceptional-need.md) When public-sector bodies can request business-held data under the EU Data Act, what a valid request must contain, and how data holders handle limits, trade secrets, compensation, and evidence. - 13 items ### [EU Data Act Cloud Switching Procurement FAQ](/artifacts/eu/data-act/faq/cloud-switching-procurement-checklist.md) Procurement checklist FAQ for EU Data Act cloud switching: contract terms, exit support, exportable data, switching charges, interoperability, termination, and supplier evidence. - 12 items ### [EU Data Act Connected Product Scope FAQ](/artifacts/eu/data-act/faq/scope-connected-products.md) FAQ explaining when connected products, related services, generated data, EU market placement, and SME exceptions fall within EU Data Act scope. - 12 items ### [EU Data Act data spaces interoperability FAQ](/artifacts/eu/data-act/faq/data-spaces-interoperability.md) FAQ explaining Article 33 Data Act interoperability requirements for data-space participants, common European data spaces, standards, APIs, metadata, and architecture evidence. - 12 items ### [EU Data Act Direct Access by Design FAQ](/artifacts/eu/data-act/faq/direct-access-by-design.md) FAQ for product and legal teams designing user access to connected-product and related-service data under the EU Data Act. - 12 items ### [EU Data Act Enforcement And Competent Authorities FAQ](/artifacts/eu/data-act/faq/enforcement-and-competent-authorities.md) FAQ on who enforces the EU Data Act, how complaints work, how Member States set penalties, when dispute settlement can be used, and when GDPR authorities remain responsible. - 12 items ### [EU Data Act Non-Emergency Public-Sector Requests FAQ](/artifacts/eu/data-act/faq/non-emergency-public-sector-requests.md) FAQ on EU Data Act requests where a public body claims exceptional need outside a public emergency, including scope, request contents, limits, compensation, confidentiality, and evidence. - 12 items ### [EU Data Act Non-Personal Data and Mixed Datasets FAQ](/artifacts/eu/data-act/faq/non-personal-data-and-mixed-datasets.md) FAQ on how the EU Data Act treats non-personal data, mixed datasets, GDPR precedence, user and third-party access, trade-secret limits, and evidence records. - 12 items ### [EU Data Act Pre-Contractual Information FAQ](/artifacts/eu/data-act/faq/pre-contractual-information.md) FAQ on EU Data Act Article 3 pre-contract information for connected products and related services, including data categories, access methods, data holder identity, third-party sharing, and GDPR boundaries. - 12 items ### [EU Data Act Product Data vs Related Service Data FAQ](/artifacts/eu/data-act/faq/product-data-and-service-data.md) FAQ explaining how the EU Data Act separates connected product data, related service data, readily available raw and pre-processed data, metadata, and inferred or derived outputs. - 12 items ### [EU Data Act Readily Available Data FAQ](/artifacts/eu/data-act/faq/readily-available-data.md) FAQ on what counts as readily available data under the EU Data Act, including product data, related service data, metadata, inferred data, and access mechanics. - 12 items ### [EU Data Act Related Services FAQ](/artifacts/eu/data-act/faq/related-services.md) FAQ explaining when software is a Data Act related service, how it links to connected products, which product and service data are in scope, and what exclusions apply. - 12 items ### [EU Data Act Smart Contracts for Data Sharing FAQ](/artifacts/eu/data-act/faq/smart-contracts-for-data-sharing.md) Answers on Article 36 Data Act smart-contract requirements for data sharing: scope, robustness, access control, termination, archiving, conformity assessment, contract terms, and standards status. - 12 items ### [EU Data Act Third-Party Data Sharing FAQ](/artifacts/eu/data-act/faq/third-party-data-sharing.md) FAQ on user-directed third-party data sharing under the EU Data Act, covering data holder duties, recipient limits, trade secrets, security, GDPR, and gatekeepers. - 12 items ### [EU Data Act Trade Secret Safeguards FAQ](/artifacts/eu/data-act/faq/trade-secrets-safeguards.md) FAQ on protecting trade secrets when handling EU Data Act user and third-party data access requests, including safeguards, withholding, suspension, refusal, notices, and records. - 12 items ### [EU Data Act Unfair Contractual Terms FAQ](/artifacts/eu/data-act/faq/unfair-contractual-terms.md) FAQ on Article 13 of the EU Data Act: B2B unfair contract terms, unilateral take-it-or-leave-it clauses, always-unfair terms, presumed-unfair terms, SMEs, model terms, and review evidence. - 12 items ### [EU Data Act Users, Data Holders, and Recipients FAQ](/artifacts/eu/data-act/faq/users-data-holders-and-recipients.md) FAQ explaining Data Act users, data holders, data recipients, connected products, related services, user access, third-party limits, and GDPR boundaries. - 12 items ### [EU Data Act Vehicle Data Guidance FAQ](/artifacts/eu/data-act/faq/vehicle-data-guidance.md) FAQ on EU Data Act vehicle data guidance for connected vehicles, aftermarket repair, mobility services, third-party access, trade secrets, security, and GDPR boundaries. - 12 items Browse all indexed questions: [/artifacts/eu/data-act/faq/items](/artifacts/eu/data-act/faq/items.md) ## All FAQ items *Page 21 of 24. Showing 20 of 469 items.* ### [Does the Data Act make smart-contract code the legal agreement for Smart Contracts For Data Sharing implementation evidence?](/artifacts/eu/data-act/faq/smart-contracts-for-data-sharing.md#does-the-data-act-make-smart-contract-code-the-legal-agreement-for-smart-contracts-for-data-sharing-implementation-evidence) *Module: [EU Data Act Smart Contracts for Data Sharing](/artifacts/eu/data-act/faq/smart-contracts-for-data-sharing.md)* No. The Commission FAQ states that Article 36 does not affect national contract law and that the Data Act regulates the computer programs used to execute agreements, not the agreements as such. - Keep the signed data sharing agreement as the legal source for the parties' terms. - Use Article 36 evidence to show how the smart contract executes those terms. - Escalate mismatches between the agreement and deployed logic before relying on automation. Sources for this answer: - [European Commission Data Act FAQs](https://ec.europa.eu/newsroom/dae/redirection/document/108144?ref=sorena.io) - The Commission FAQ answers that Article 36 essential requirements do not affect national contract law. - [Regulation (EU) 2023/2854 (Data Act), Article 36](https://eur-lex.europa.eu/eli/reg/2023/2854/oj/eng?ref=sorena.io) - Article 36 requires consistency with the terms of the data sharing agreement executed by the smart contract. ### [How should Article 36 robustness and access control be implemented in practice under the Data Act?](/artifacts/eu/data-act/faq/smart-contracts-for-data-sharing.md#how-should-article-36-robustness-and-access-control-be-implemented-in-practice-under-the-data-act) *Module: [EU Data Act Smart Contracts for Data Sharing](/artifacts/eu/data-act/faq/smart-contracts-for-data-sharing.md)* The Data Act context is the starting point for this answer. Robustness should be treated as both reliability and abuse-resistance. Before deployment, the team should test error handling, boundary conditions, manipulation attempts, dependency failures, and upgrade or migration paths that could change execution outcomes. - Record the threat model and manipulation tests for the smart-contract deployment. - Require approval and logging for privileged governance actions. - Verify role, key, token, and permission controls before each material release. - Retest controls when the data sharing agreement, protocol, access model, or deployment environment changes. Sources for this answer: - [Regulation (EU) 2023/2854 (Data Act), Article 36](https://eur-lex.europa.eu/eli/reg/2023/2854/oj/eng?ref=sorena.io) - Article 36 requires a very high degree of robustness and rigorous access controls at governance and smart-contract layers. ### [What should safe termination, interruption, archiving, and continuity controls cover under the Data Act?](/artifacts/eu/data-act/faq/smart-contracts-for-data-sharing.md#what-should-safe-termination-interruption-archiving-and-continuity-controls-cover-under-the-data-act) *Module: [EU Data Act Smart Contracts for Data Sharing](/artifacts/eu/data-act/faq/smart-contracts-for-data-sharing.md)* The Data Act context is the starting point for this answer. The smart contract should include internal functions that can reset, stop, or interrupt operation, especially to avoid accidental future executions. The stop mechanism should be tested before production use and documented so authorized personnel know when and how it can be used. - Document who can trigger stop, reset, interruption, termination, and deactivation functions, and where the parties' consent is recorded. - Test that stopping the contract prevents unwanted future executions without destroying audit records. - Archive transactional data, code, and logic for the terminated or deactivated version. - Keep continuity notes for pending transactions, data access rights, and post-termination retrieval obligations created by the agreement. Sources for this answer: - [Regulation (EU) 2023/2854 (Data Act), Article 36](https://eur-lex.europa.eu/eli/reg/2023/2854/oj/eng?ref=sorena.io) - Article 36 requires safe termination and interruption functions plus archiving of data, logic, and code for auditability. ### [How do smart contracts relate to Data Act data sharing agreements and model terms?](/artifacts/eu/data-act/faq/smart-contracts-for-data-sharing.md#how-do-smart-contracts-relate-to-data-act-data-sharing-agreements-and-model-terms) *Module: [EU Data Act Smart Contracts for Data Sharing](/artifacts/eu/data-act/faq/smart-contracts-for-data-sharing.md)* The Data Act context is the starting point for this answer. A smart contract can automate execution of a data sharing agreement, but it should not be treated as a substitute for the agreement. The agreement should still state the parties, data, use conditions, access limits, compensation if relevant, trade-secret measures, remedies, and termination terms. - Compare each automated function with a specific agreement term. - Keep trade-secret safeguards, access conditions, and termination terms visible outside the code. - Use model terms as drafting support where suitable, not as evidence that the smart-contract controls are compliant. Sources for this answer: - [European Commission - Model Contractual Terms and Standard Contractual Clauses](https://digital-strategy.ec.europa.eu/en/library/draft-recommendation-non-binding-model-contractual-terms-data-access-and-use-and-non-binding?ref=sorena.io) - The Commission page describes non-binding model contractual terms for Data Act data sharing and states that their use is voluntary. - [Regulation (EU) 2023/2854 (Data Act)](https://eur-lex.europa.eu/eli/reg/2023/2854/oj/eng?ref=sorena.io) - The Data Act separately addresses data sharing agreements, unfair terms, and smart-contract consistency with the agreement. ### [What is the current standards and common-specifications position for Article 36 under the Data Act?](/artifacts/eu/data-act/faq/smart-contracts-for-data-sharing.md#what-is-the-current-standards-and-common-specifications-position-for-article-36-under-the-data-act) *Module: [EU Data Act Smart Contracts for Data Sharing](/artifacts/eu/data-act/faq/smart-contracts-for-data-sharing.md)* The Data Act context is the starting point for this answer. Article 36 creates two conformity routes that may matter over time. A smart contract that meets harmonised standards cited in the Official Journal is presumed to conform to the covered Article 36 requirements. If the standards route is unavailable under Article 36 conditions, the Commission may adopt common specifications by implementing act, and meeting those specifications can also create a presumption of conformity for the covered requirements. - Do not claim presumption of conformity unless the relevant harmonised standard or common specification covers the Article 36 requirement at issue. - Track Official Journal citations and any Commission implementing acts before updating declarations or release gates. - Use Data Act trusted-data-transaction standardisation materials as implementation context, not as a replacement for Article 36 text. Sources for this answer: - [Regulation (EU) 2023/2854 (Data Act), Article 36](https://eur-lex.europa.eu/eli/reg/2023/2854/oj/eng?ref=sorena.io) - Article 36 sets the presumption-of-conformity rules for harmonised standards and common specifications. - [Commission Implementing Decision C(2025) 4135](https://ec.europa.eu/transparency/documents-register/api/files/C(2025)4135_1/de00000001072897?rendition=false&ref=sorena.io) - The standardisation request annex lists trusted data transaction and data-space deliverables supporting the Data Act standardisation programme. - [CEN and CENELEC - Data Act Standardization Request Officially Accepted](https://www.cencenelec.eu/news-events/news/2025/brief-news/2025-07-11-data-act-standardization-request/?ref=sorena.io) - CEN and CENELEC announced acceptance of the European Trusted Data Framework standardization request under Mandate M/614. ### [What evidence should a team keep for an Article 36 smart-contract deployment under the Data Act?](/artifacts/eu/data-act/faq/smart-contracts-for-data-sharing.md#what-evidence-should-a-team-keep-for-an-article-36-smart-contract-deployment-under-the-data-act) *Module: [EU Data Act Smart Contracts for Data Sharing](/artifacts/eu/data-act/faq/smart-contracts-for-data-sharing.md)* The Data Act context is the starting point for this answer. Keep a small but complete Article 36 evidence pack for each smart-contract deployment used to execute a data sharing agreement. The pack should let a reviewer connect the legal agreement, deployed code, controls, tests, conformity assessment, declaration, and later termination or archiving event without reconstructing the story from tickets. - Agreement-to-code traceability table. - Robustness, manipulation-resistance, and error-handling test records. - Governance-layer and smart-contract-layer access-control evidence. - Stop, reset, interruption, termination, and deactivation test evidence. - Archive package for transactional data, smart-contract logic, code, and execution history. - Conformity assessment and EU declaration of conformity. Sources for this answer: - [Regulation (EU) 2023/2854 (Data Act), Article 36](https://eur-lex.europa.eu/eli/reg/2023/2854/oj/eng?ref=sorena.io) - The evidence list maps directly to Article 36 requirements and conformity-assessment duties. ### [What unsupported claims should teams avoid on Data Act smart contracts?](/artifacts/eu/data-act/faq/smart-contracts-for-data-sharing.md#what-unsupported-claims-should-teams-avoid-on-data-act-smart-contracts) *Module: [EU Data Act Smart Contracts for Data Sharing](/artifacts/eu/data-act/faq/smart-contracts-for-data-sharing.md)* The Data Act context is the starting point for this answer. Avoid saying that Article 36 validates the legal agreement, replaces national contract law, certifies a blockchain protocol, requires a particular ledger technology, or makes all automated data-sharing controls smart contracts. The grounded rule is more specific: it applies essential requirements to smart contracts used by the relevant vendor or professional deployer to execute a data sharing agreement or part of one. - Do not claim legal effect beyond the Article 36 smart-contract requirements. - Do not call a smart contract compliant without conformity assessment and declaration evidence. - Do not use automated controls to frustrate Data Act access or sharing rights. Sources for this answer: - [European Commission Data Act FAQs](https://ec.europa.eu/newsroom/dae/redirection/document/108144?ref=sorena.io) - The Commission FAQ limits Article 36's effect on contract law and distinguishes programs from agreements. - [Regulation (EU) 2023/2854 (Data Act)](https://eur-lex.europa.eu/eli/reg/2023/2854/oj/eng?ref=sorena.io) - The Data Act allows technical protection measures, including smart contracts, but says they must not hinder protected access and sharing rights. ### [What Data Act source evidence should teams keep for the Smart Contracts For Data Sharing FAQ decision?](/artifacts/eu/data-act/faq/smart-contracts-for-data-sharing.md#what-data-act-source-evidence-should-teams-keep-for-the-smart-contracts-for-data-sharing-faq-decision) *Module: [EU Data Act Smart Contracts for Data Sharing](/artifacts/eu/data-act/faq/smart-contracts-for-data-sharing.md)* For smart contracts for data sharing, the Data Act record should identify the source clause, Commission guidance, actor role, dataset, request or contract trigger, and the owner who approved the interpretation. - Record the source clause and Commission guidance that support the decision. - Capture the responsible owner, reviewer, and decision date. - Link the decision to the contract version, deployment environment, and implementation artifact. Sources for this answer: - [Regulation (EU) 2023/2854 (Data Act)](https://eur-lex.europa.eu/eli/reg/2023/2854/oj/eng?ref=sorena.io) - Binding source for Article 36 scope, essential requirements, conformity assessment, EU declaration of conformity, harmonised standards, common specifications, and related Data Act technical-protection limits. - [European Commission Data Act FAQs](https://ec.europa.eu/newsroom/dae/redirection/document/108144?ref=sorena.io) - Commission FAQ support for the point that Article 36 regulates smart-contract programs and does not change national contract law. - [European Commission - Model Contractual Terms and Standard Contractual Clauses](https://digital-strategy.ec.europa.eu/en/library/draft-recommendation-non-binding-model-contractual-terms-data-access-and-use-and-non-binding?ref=sorena.io) - Commission source for voluntary model contractual terms for Data Act data access and use, relevant to the underlying agreement that smart-contract code may execute. - [Commission Implementing Decision C(2025) 4135](https://ec.europa.eu/transparency/documents-register/api/files/C(2025)4135_1/de00000001072897?rendition=false&ref=sorena.io) - Commission standardisation request annex showing Data Act standardisation work on trusted data transactions and data-space interoperability. - [CEN and CENELEC - Data Act Standardization Request Officially Accepted](https://www.cencenelec.eu/news-events/news/2025/brief-news/2025-07-11-data-act-standardization-request/?ref=sorena.io) - Standardisation-body source confirming acceptance of the Data Act European Trusted Data Framework request under Mandate M/614. - [European Commission - Data Act explained](https://digital-strategy.ec.europa.eu/en/factpages/data-act-explained?ref=sorena.io) - Commission overview for Data Act chapters, connected-product access, B2G requests, cloud switching, interoperability, and implementation support. ### [How should teams assign ownership for Data Act Smart Contracts For Data Sharing implementation work?](/artifacts/eu/data-act/faq/smart-contracts-for-data-sharing.md#how-should-teams-assign-ownership-for-data-act-smart-contracts-for-data-sharing-implementation-work) *Module: [EU Data Act Smart Contracts for Data Sharing](/artifacts/eu/data-act/faq/smart-contracts-for-data-sharing.md)* For smart contracts for data sharing, the Data Act workflow should name the legal, product, procurement, cloud, support, or security owner who can change the affected process. - Record the accountable owner for each Article 36 action. - List consulted teams separately from the decision owner. - Track evidence dependencies, standards updates, and contract changes together with the implementation owner. Sources for this answer: - [Regulation (EU) 2023/2854 (Data Act)](https://eur-lex.europa.eu/eli/reg/2023/2854/oj/eng?ref=sorena.io) - Binding source for Article 36 scope, essential requirements, conformity assessment, EU declaration of conformity, harmonised standards, common specifications, and related Data Act technical-protection limits. - [European Commission Data Act FAQs](https://ec.europa.eu/newsroom/dae/redirection/document/108144?ref=sorena.io) - Commission FAQ support for the point that Article 36 regulates smart-contract programs and does not change national contract law. - [European Commission - Model Contractual Terms and Standard Contractual Clauses](https://digital-strategy.ec.europa.eu/en/library/draft-recommendation-non-binding-model-contractual-terms-data-access-and-use-and-non-binding?ref=sorena.io) - Commission source for voluntary model contractual terms for Data Act data access and use, relevant to the underlying agreement that smart-contract code may execute. - [Commission Implementing Decision C(2025) 4135](https://ec.europa.eu/transparency/documents-register/api/files/C(2025)4135_1/de00000001072897?rendition=false&ref=sorena.io) - Commission standardisation request annex showing Data Act standardisation work on trusted data transactions and data-space interoperability. - [CEN and CENELEC - Data Act Standardization Request Officially Accepted](https://www.cencenelec.eu/news-events/news/2025/brief-news/2025-07-11-data-act-standardization-request/?ref=sorena.io) - Standardisation-body source confirming acceptance of the Data Act European Trusted Data Framework request under Mandate M/614. - [European Commission - Data Act explained](https://digital-strategy.ec.europa.eu/en/factpages/data-act-explained?ref=sorena.io) - Commission overview for Data Act chapters, connected-product access, B2G requests, cloud switching, interoperability, and implementation support. ### [What does user-directed third-party sharing mean under the EU Data Act?](/artifacts/eu/data-act/faq/third-party-data-sharing.md#what-does-user-directed-third-party-sharing-mean-under-the-eu-data-act) *Module: [EU Data Act Third-Party Data Sharing](/artifacts/eu/data-act/faq/third-party-data-sharing.md)* The Data Act context is the starting point for this answer. User-directed sharing is the Article 5 route where the user, or someone acting on the user's behalf, asks the data holder to make readily available data and the metadata needed to interpret and use it available to a third party. The data holder must make the data available without undue delay, with the same quality as is available to the data holder, easily, securely, in a comprehensive, structured, commonly used and machine-readable format, and where relevant and technically feasible continuously and in real time. - Confirm the requester is the user or a party acting on the user's behalf. - Confirm the target recipient is an eligible third party, not an excluded gatekeeper. - Limit the export to readily available product data, related-service data, and relevant metadata. Sources for this answer: - [Regulation (EU) 2023/2854 (Data Act)](https://eur-lex.europa.eu/eli/reg/2023/2854/oj/eng?ref=sorena.io) - Article 5 sets the user-requested third-party sharing right and delivery conditions. - [European Commission - Data Act explained](https://digital-strategy.ec.europa.eu/en/factpages/data-act-explained?ref=sorena.io) - Commission explainer describes users, third parties, data holders, and Chapter II sharing in connected-product and related-service contexts. ### [Which data is in scope for a third-party sharing request under the Data Act?](/artifacts/eu/data-act/faq/third-party-data-sharing.md#which-data-is-in-scope-for-a-third-party-sharing-request-under-the-data-act) *Module: [EU Data Act Third-Party Data Sharing](/artifacts/eu/data-act/faq/third-party-data-sharing.md)* The Data Act context is the starting point for this answer. For Chapter II sharing, the practical scope is raw and pre-processed data generated from the use of a connected product or related service that is readily available to the data holder, plus relevant metadata. Commission guidance gives examples such as sensor data on temperature, pressure, flow rate, audio, pH value, liquid level, position, acceleration, or speed. - Include raw and pre-processed data that the data holder can access without disproportionate effort. - Include relevant metadata needed to interpret and use the data. - Separate out inferred, derived, highly enriched, content, IP-protected, or unavailable material before delivery. Sources for this answer: - [European Commission - Data Act explained](https://digital-strategy.ec.europa.eu/en/factpages/data-act-explained?ref=sorena.io) - Commission source for Chapter II data categories, readily available data, metadata, and exclusions for inferred or derived data. - [European Commission - Data Act FAQs v1.4](https://ec.europa.eu/newsroom/dae/redirection/document/108144?ref=sorena.io) - Commission FAQ explains connected-product, related-service, readily available data, and privacy-enhancing technology boundaries. ### [What must the data holder do before and during third-party sharing under the Data Act?](/artifacts/eu/data-act/faq/third-party-data-sharing.md#what-must-the-data-holder-do-before-and-during-third-party-sharing-under-the-data-act) *Module: [EU Data Act Third-Party Data Sharing](/artifacts/eu/data-act/faq/third-party-data-sharing.md)* Before users need to exercise the right, Data Act transparency rules require information on how the user can request that data be shared with a third party and, where applicable, end that sharing. During the request, the data holder may verify user or third-party status, but it must not require more information than necessary and must not keep third-party access information beyond what is needed for execution, security, and infrastructure maintenance. - Publish a clear route for requesting and ending third-party sharing. - Collect only verification information needed for the request. - Keep recipient terms fair, reasonable, non-discriminatory, transparent, and non-exclusive unless user-directed sharing justifies the transfer. Sources for this answer: - [Regulation (EU) 2023/2854 (Data Act)](https://eur-lex.europa.eu/eli/reg/2023/2854/oj/eng?ref=sorena.io) - Articles 3, 5, and 8 support transparency, verification limits, access logging limits, and FRAND-style conditions for data recipients. ### [What may the third-party recipient do with data received under Article 5 under the Data Act?](/artifacts/eu/data-act/faq/third-party-data-sharing.md#what-may-the-third-party-recipient-do-with-data-received-under-article-5-under-the-data-act) *Module: [EU Data Act Third-Party Data Sharing](/artifacts/eu/data-act/faq/third-party-data-sharing.md)* The Data Act context is the starting point for this answer. The third party may process the data only for the purposes and under the conditions agreed with the user, and must erase the data once it is no longer necessary for the agreed purpose unless the user agreed otherwise for non-personal data. If personal data is involved, Union and national data-protection law and data-subject rights still apply. - Bind the recipient purpose to the user's agreed purpose. - Require deletion when the data is no longer needed for that purpose, except where the user agreed otherwise for non-personal data. - Prohibit onward sharing, profiling, security-harming use, competing connected-product development, gatekeeper sharing, and trade-secret breaches where Article 6 applies. Sources for this answer: - [Regulation (EU) 2023/2854 (Data Act)](https://eur-lex.europa.eu/eli/reg/2023/2854/oj/eng?ref=sorena.io) - Article 6 lists obligations and prohibited uses for third parties receiving data at the user's request. - [European Commission - Data Act explained](https://digital-strategy.ec.europa.eu/en/factpages/data-act-explained?ref=sorena.io) - Commission overview confirms limits on using obtained data for competing connected products while preserving aftermarket and related-service competition. ### [Can a Digital Markets Act gatekeeper receive the data under the Data Act?](/artifacts/eu/data-act/faq/third-party-data-sharing.md#can-a-digital-markets-act-gatekeeper-receive-the-data-under-the-data-act) *Module: [EU Data Act Third-Party Data Sharing](/artifacts/eu/data-act/faq/third-party-data-sharing.md)* The Data Act context is the starting point for this answer. No, not through Article 5 user-directed sharing. An undertaking designated as a gatekeeper under the Digital Markets Act is not an eligible third party for Article 5. The gatekeeper also must not solicit or commercially incentivise a user to make data available to one of its services or ask the data holder to do so. - Screen the named recipient against the Digital Markets Act gatekeeper exclusion. - Block Article 5 sharing where the recipient is a designated gatekeeper. - Include a no-gatekeeper onward-sharing term in recipient commitments. Sources for this answer: - [Regulation (EU) 2023/2854 (Data Act)](https://eur-lex.europa.eu/eli/reg/2023/2854/oj/eng?ref=sorena.io) - Articles 5 and 6 exclude designated Digital Markets Act gatekeepers from Article 5 receipt and onward sharing. - [European Commission - Data Act explained](https://digital-strategy.ec.europa.eu/en/factpages/data-act-explained?ref=sorena.io) - Commission explainer summarizes the third-party sharing right and notes the gatekeeper exclusion. ### [How do trade secrets affect third-party sharing under the Data Act?](/artifacts/eu/data-act/faq/third-party-data-sharing.md#how-do-trade-secrets-affect-third-party-sharing-under-the-data-act) *Module: [EU Data Act Third-Party Data Sharing](/artifacts/eu/data-act/faq/third-party-data-sharing.md)* The Data Act context is the starting point for this answer. Trade secrets are not a blanket reason to ignore Article 5. They must be preserved and may be disclosed to third parties only to the extent strictly necessary for the purpose agreed between the user and the third party. The data holder or trade secret holder must identify protected data, including relevant metadata, and agree proportionate technical and organisational confidentiality measures with the third party. - Identify trade-secret data and metadata before disclosure. - Agree proportionate measures such as confidentiality terms, strict access protocols, technical standards, model contractual terms, or codes of conduct. - Use withholding, suspension, or refusal only within the Article 5 trade-secret conditions and keep the written substantiation and authority notification record. Sources for this answer: - [Regulation (EU) 2023/2854 (Data Act)](https://eur-lex.europa.eu/eli/reg/2023/2854/oj/eng?ref=sorena.io) - Article 5 sets trade-secret identification, confidentiality measures, withholding, suspension, refusal, notification, and challenge mechanics. - [European Commission - Data Act explained](https://digital-strategy.ec.europa.eu/en/factpages/data-act-explained?ref=sorena.io) - Commission overview explains that trade-secret measures should protect confidentiality without undermining the Data Act's data-availability goal. ### [Can security risks limit or block third-party data sharing under the EU Data Act access rights?](/artifacts/eu/data-act/faq/third-party-data-sharing.md#can-security-risks-limit-or-block-third-party-data-sharing-under-the-eu-data-act-access-rights) *Module: [EU Data Act Third-Party Data Sharing](/artifacts/eu/data-act/faq/third-party-data-sharing.md)* Security is relevant, but the Data Act frames it narrowly. Users and data holders may contractually restrict or prohibit access, use, or further sharing where the processing could undermine security requirements of the connected product laid down by Union or national law and result in serious adverse effects on the health, safety, or security of natural persons. - Identify the Union or national-law security requirement relied on. - Explain the serious adverse effect on health, safety, or security of natural persons. - Apply proportionate technical controls without turning security into an unsupported refusal. Sources for this answer: - [Regulation (EU) 2023/2854 (Data Act)](https://eur-lex.europa.eu/eli/reg/2023/2854/oj/eng?ref=sorena.io) - Articles 4 and 6 ground security restrictions and recipient duties not to harm connected-product or related-service security. - [European Commission - Data Act explained](https://digital-strategy.ec.europa.eu/en/factpages/data-act-explained?ref=sorena.io) - Commission overview explains the security limitation and its link to serious adverse effects and legal security requirements. ### [How does GDPR affect third-party sharing under the Data Act for third-party sharing requests?](/artifacts/eu/data-act/faq/third-party-data-sharing.md#how-does-gdpr-affect-third-party-sharing-under-the-data-act-for-third-party-sharing-requests) *Module: [EU Data Act Third-Party Data Sharing](/artifacts/eu/data-act/faq/third-party-data-sharing.md)* The Data Act does not supersede GDPR. It complements Union data-protection and privacy law and does not create a new legal basis for providing access to personal data where the user is not the data subject. If personal data generated by a connected product or related service is to be made available to a third party and the user is not the data subject, the data holder needs a valid Article 6 GDPR legal basis and, where relevant, conditions for special-category data and ePrivacy terminal-equipment rules. - Classify whether the requested dataset contains personal data and whether the user is the data subject. - Document the GDPR legal basis before sharing personal data with the third party. - Use anonymisation, pseudonymisation, or data separation where needed, but do not use privacy measures as a pretext to avoid Article 5 when the data remains readily available. Sources for this answer: - [Regulation (EU) 2023/2854 (Data Act)](https://eur-lex.europa.eu/eli/reg/2023/2854/oj/eng?ref=sorena.io) - Recital 7 and Article 5 explain that the Data Act is without prejudice to data-protection law and does not itself create a GDPR legal basis where the user is not the data subject. - [European Commission - Data Act FAQs v1.4](https://ec.europa.eu/newsroom/dae/redirection/document/108144?ref=sorena.io) - Commission FAQ explains GDPR portability overlap and how anonymisation, pseudonymisation, and privacy-enhancing technologies interact with Data Act access requests. ### [Can the data holder charge for third-party sharing under the Data Act?](/artifacts/eu/data-act/faq/third-party-data-sharing.md#can-the-data-holder-charge-for-third-party-sharing-under-the-data-act) *Module: [EU Data Act Third-Party Data Sharing](/artifacts/eu/data-act/faq/third-party-data-sharing.md)* The Data Act context is the starting point for this answer. Article 5 says the data must be made available to the third party free of charge to the user. Separately, Article 9 allows reasonable and non-discriminatory compensation agreed between a data holder and a data recipient in business-to-business relations, and says compensation may include a margin. - Do not charge the user for Article 5 third-party sharing. - If charging a data recipient, keep compensation reasonable, non-discriminatory, and documented. - Apply the Article 9 cost-only cap where the recipient is an eligible SME or not-for-profit research organisation. Sources for this answer: - [Regulation (EU) 2023/2854 (Data Act)](https://eur-lex.europa.eu/eli/reg/2023/2854/oj/eng?ref=sorena.io) - Articles 5 and 9 support free-of-charge sharing to the user, reasonable recipient compensation, SME and research-organisation caps, and calculation transparency. - [European Commission - Data Act explained](https://digital-strategy.ec.europa.eu/en/factpages/data-act-explained?ref=sorena.io) - Commission overview explains reasonable compensation and cost limits for micro companies, SMEs, and not-for-profit research organisations. ### [What practical workflow should teams follow for a third-party sharing request under the Data Act?](/artifacts/eu/data-act/faq/third-party-data-sharing.md#what-practical-workflow-should-teams-follow-for-a-third-party-sharing-request-under-the-data-act) *Module: [EU Data Act Third-Party Data Sharing](/artifacts/eu/data-act/faq/third-party-data-sharing.md)* Use a simple sequence: first confirm the request comes from the user or someone acting on the user's behalf, then confirm the recipient is eligible, then check the data scope and any GDPR issues. If the request is valid, make the data available without undue delay and in the required format. If trade secrets or security concerns apply, use the Article 5 or Article 4 safeguards, and if the issue cannot be resolved, withhold, suspend, or refuse only within the conditions in the Data Act. - Intake: verify user authority, recipient eligibility, and the specific request. - Review: check scope, GDPR, trade secrets, and security limits before releasing data. - Action: share, or if the legal test is not met, withhold, suspend, or refuse and document why. Sources for this answer: - [Regulation (EU) 2023/2854 (Data Act)](https://eur-lex.europa.eu/eli/reg/2023/2854/oj/eng?ref=sorena.io) - Articles 3, 5, 6, 8, and 9 provide the request, eligibility, use, trade-secret, security, and compensation steps. - [European Commission - Data Act explained](https://digital-strategy.ec.europa.eu/en/factpages/data-act-explained?ref=sorena.io) - Commission overview supports a practical request workflow from user request to sharing, suspension, or refusal. ### [What records should teams keep for a third-party sharing request under the Data Act?](/artifacts/eu/data-act/faq/third-party-data-sharing.md#what-records-should-teams-keep-for-a-third-party-sharing-request-under-the-data-act) *Module: [EU Data Act Third-Party Data Sharing](/artifacts/eu/data-act/faq/third-party-data-sharing.md)* The Data Act context is the starting point for this answer. Keep a request record that shows the user authority, recipient identity and eligibility, requested data categories, personal-data assessment, trade-secret and security assessment, recipient purpose, delivery route, delivery format, compensation position if any, and final outcome. These records should be enough to explain why data was shared, limited, suspended, withheld, or refused. - Log the Article 5 request, verification facts, data scope, and recipient commitments. - Keep written substantiation for trade-secret withholding, suspension, or refusal and any competent-authority notice. - Record misuse response steps if a recipient uses deceptive means, unauthorised purposes, unlawful onward disclosure, or removes agreed protection measures. Sources for this answer: - [Regulation (EU) 2023/2854 (Data Act)](https://eur-lex.europa.eu/eli/reg/2023/2854/oj/eng?ref=sorena.io) - Articles 5, 6, 8, 9, and 11 ground request evidence, recipient terms, misuse remedies, and trade-secret escalation records. - [European Commission - Data Act explained](https://digital-strategy.ec.europa.eu/en/factpages/data-act-explained?ref=sorena.io) - Commission overview summarizes remedies for unlawful access or use by third parties or users. ## FAQ Pagination - Canonical index (page 1): [/artifacts/eu/data-act/faq/items](/artifacts/eu/data-act/faq/items.md) - Page 1 rule: `/page/1` is intentionally not generated; use the canonical index markdown URL. - Current page: 21 of 24 Pages: [1](/artifacts/eu/data-act/faq/items.md) | [2](/artifacts/eu/data-act/faq/items/page/2.md) | [3](/artifacts/eu/data-act/faq/items/page/3.md) | [4](/artifacts/eu/data-act/faq/items/page/4.md) | [5](/artifacts/eu/data-act/faq/items/page/5.md) | [6](/artifacts/eu/data-act/faq/items/page/6.md) | [7](/artifacts/eu/data-act/faq/items/page/7.md) | [8](/artifacts/eu/data-act/faq/items/page/8.md) | [9](/artifacts/eu/data-act/faq/items/page/9.md) | [10](/artifacts/eu/data-act/faq/items/page/10.md) | [11](/artifacts/eu/data-act/faq/items/page/11.md) | [12](/artifacts/eu/data-act/faq/items/page/12.md) | [13](/artifacts/eu/data-act/faq/items/page/13.md) | [14](/artifacts/eu/data-act/faq/items/page/14.md) | [15](/artifacts/eu/data-act/faq/items/page/15.md) | [16](/artifacts/eu/data-act/faq/items/page/16.md) | [17](/artifacts/eu/data-act/faq/items/page/17.md) | [18](/artifacts/eu/data-act/faq/items/page/18.md) | [19](/artifacts/eu/data-act/faq/items/page/19.md) | [20](/artifacts/eu/data-act/faq/items/page/20.md) | [21](/artifacts/eu/data-act/faq/items/page/21.md) | [22](/artifacts/eu/data-act/faq/items/page/22.md) | [23](/artifacts/eu/data-act/faq/items/page/23.md) | [24](/artifacts/eu/data-act/faq/items/page/24.md) [Previous page](/artifacts/eu/data-act/faq/items/page/20.md) | [Next page](/artifacts/eu/data-act/faq/items/page/22.md) *Recommended next step* *Placement: before sources* ## Turn a Data Act FAQ answer into a scoped review Review one product, dataset, cloud contract, public-sector request, or smart-contract deployment against the cited Data Act source and keep the scope, role, evidence, and unresolved questions together. - [Open Research Copilot](/solutions/research-copilot.md): Check Data Act scope, GDPR boundaries, cloud switching, and contract questions with cited source outputs. - [Talk through Data Act implementation](/contact.md): Review one connected product, data-sharing contract, cloud switch, or public-sector request before committing to an implementation path. --- [Privacy Policy](https://www.sorena.io/privacy) | [Terms of Use](https://www.sorena.io/terms-of-use) | [DMCA](https://www.sorena.io/dmca) | [About Us](https://www.sorena.io/about-us) (c) 2026 Sorena AB (559573-7338). All rights reserved. Source: https://www.sorena.io/artifacts/eu/data-act/faq/items/page/21