Search every question across sub-FAQs

Yes, but the Data Act starts from non-personal data. Article 17 says requests should concern non-personal data, and personal data may be requested only if non-personal data are shown to be insufficient for the exceptional need and the request establishes the necessary technical and organisational protection measures.

Article 18 adds a data holder duty: where requested data include personal data, the data holder must properly anonymise the data unless compliance requires disclosure of personal data; in that case the data holder must pseudonymise the data.

The Data Act context is the starting point for this answer. A public emergency does not erase confidentiality duties. Article 17 requires requests to respect the legitimate aims of the data holder, including trade secret protection and the cost and effort needed to make data available. Article 19 says trade secrets must be disclosed only to the extent strictly necessary for the Article 15 purpose.

Before trade secrets are disclosed, the data holder or trade secret holder must identify the protected data, including in metadata. The receiving public body or EU body must take necessary and appropriate technical and organisational measures to preserve confidentiality and is responsible for the security of the data it receives.

The Data Act context is the starting point for this answer. For data necessary to respond to a public emergency under Article 15(1)(a), Article 20 says data holders other than microenterprises and small enterprises must make the data available free of charge. They can request public acknowledgement from the receiving public body or EU body.

The Commission explainer distinguishes micro and small companies: for public emergency requests, it says they may ask for reasonable remuneration not exceeding the technical and organisational costs incurred, plus public acknowledgement upon request. For non-emergency exceptional-need requests under Article 15(1)(b), Article 20 provides fair compensation covering technical and organisational costs and a reasonable margin, with specific rules for micro and small enterprises and official statistics.

The Data Act context is the starting point for this answer. Data obtained under Chapter V do not become open public-sector information. Article 17 says data obtained under Chapter V must not be made available for reuse under the Data Governance Act or Open Data Directive definitions. Article 19 also bars use in a manner incompatible with the request purpose.

Sharing is allowed only within the controlled routes in the Data Act. Article 17 allows exchange with other public bodies or named third parties for the Article 15 task when specified in the request, and Article 21 allows sharing with qualifying research or statistical bodies under conditions. The data holder must be notified without undue delay for Article 21 transfers.

The Data Act context is the starting point for this answer. Keep enough evidence to prove the request was assessed under the correct Chapter V branch and handled within the required time. The file should include the written request, receipt timestamp, requester identity, asserted public emergency, Article 15 exceptional-need analysis, Article 17 completeness check, data-control analysis, data scope, personal-data and trade-secret treatment, delivery record, and any refusal or modification notice.

Also keep records that prove what happened after delivery: public acknowledgement request, compensation position if relevant, recipients identified in the request, confidentiality and security measures, erasure notice from the public body, and any notice of Article 21 sharing with research or statistical bodies.

Keep the legal basis and the implementation evidence together. For a Chapter V public emergency workflow, the most useful sources are the Data Act itself, the Commission explainer, and any internal note showing why the request met Article 15 and Article 17. Link those sources to the final decision so a reviewer can see whether the request was accepted, modified, or declined.

The record should also show whether the team used the five-working-day refusal window, whether personal data were anonymised or pseudonymised, and whether any trade secret or confidentiality measures were agreed before disclosure.

Assign one accountable owner for the Data Act legal assessment and one for the operational response, then keep the rest of the stakeholders as consulted teams. The legal owner should assess Article 15, Article 17, Article 18, and Article 19 issues; the operational owner should coordinate data extraction, security controls, delivery, and recordkeeping.

If the request is cross-border or involves personal data, the ownership file should also show who is responsible for notifying the competent authority or supervisory authority and who tracks the response deadline.

Data Act evidence should show the full chain from request to response. The most useful artifacts are the written request, the Article 17 completeness check, the decision memo on Article 15 exceptional need, the refusal or modification notice if any, the delivery log, and the notices sent to the competent authority or other authorities.

Teams should also keep any data inventory, redaction or anonymisation notes, trade secret protection measures, compensation note, and erasure or onward-sharing notices so that a later reviewer can reconstruct how the request was handled.

No. The Data Act gives targeted size-based treatment, not a general exemption for startups or SMEs. The answer depends on the chapter, the actor's role, and whether the company is the manufacturer, designer, related-service provider, data holder, data recipient, user, or contracting party.

Startups should not rely on the word startup alone. The binding Chapter II carve-out is framed around microenterprises, small enterprises, and a limited transition for medium-sized enterprises by reference to Commission Recommendation 2003/361/EC, not around venture stage, funding round, age of incorporation, or headcount labels used in sales systems. If a company wants to document its size position, it should record the Commission Recommendation 2003/361/EC test it used and the legal entity, partner-enterprise, and linked-enterprise facts behind the conclusion.

The Data Act context is the starting point for this answer. Article 7 says Chapter II business-to-consumer and business-to-business access obligations do not apply to data generated through connected products manufactured or designed by a microenterprise or small enterprise, or related services provided by one, when the Article 7 conditions are met.

The carve-out is narrow. It is lost if the micro or small enterprise has a partner or linked enterprise that does not itself qualify as a microenterprise or small enterprise. It also does not apply where the micro or small enterprise is subcontracted to manufacture or design the connected product or provide the related service.

The Data Act context is the starting point for this answer. Article 7 also gives limited treatment to data generated through connected products manufactured by, or related services provided by, an enterprise that has qualified as medium-sized for less than one year. For connected products, the same treatment applies for one year after the product was placed on the market by the medium-sized enterprise.

This should be managed as a dated transition record, not as a permanent SME exception. The file should show when the enterprise first qualified as medium-sized, which connected products or related services are affected, and when the transition ends for each product or service.

Yes. The Chapter II carve-out is not a whole-Regulation exclusion. Recital 41 states that a microenterprise or small enterprise may still be subject to Data Act requirements as a data holder where it is not the manufacturer of the connected product or the provider of related services.

For implementation, avoid writing contract language that says a small supplier is exempt from the Data Act. Write the exact role: for example, small related-service provider for its own service, SME data recipient seeking data under Chapter III, or enterprise challenging a unilaterally imposed data clause under Chapter IV.

The Data Act context is the starting point for this answer. In mandatory B2B data sharing, Article 9 allows agreed compensation to be reasonable and non-discriminatory and to include a margin. The SME protection is on the data-recipient side: if the data recipient is an SME or a not-for-profit research organisation, and it does not have partner or linked enterprises that do not qualify as SMEs, compensation must not exceed the Article 9(2)(a) costs.

The Commission FAQ explains the practical effect: there is no general upper or lower compensation number, but reasonable compensation cannot include a profit margin when the recipient is an SME or a non-profit research organisation. Data holders must also provide enough calculation information for the recipient to assess whether Article 9 is met.

The Data Act context is the starting point for this answer. No. Article 13 applies to covered terms unilaterally imposed by one enterprise on another enterprise. The Commission FAQ says Chapter IV does not specifically address SMEs, even though it is expected to particularly support SMEs because they often have weaker negotiating positions.

The rule is about the term and how it was imposed. It covers terms concerning access to and use of data, or liability and remedies for breach or termination of data-related obligations. It does not turn every unfavorable commercial term into a Data Act issue.

The Data Act context is the starting point for this answer. Keep evidence that the challenged clause is in Article 13 scope: the contract, negotiation history, requested changes, the final refused or imposed wording, and the link between the clause and data access, data use, or data-related liability or remedies.

Then classify the term. Some terms are always unfair under Article 13(4), such as excluding liability for intentional acts or gross negligence by the imposing party. Others are presumed to be unfair under Article 13(5), such as inappropriate remedy limits, significantly detrimental access to the other party's data, or unilateral changes to substantive data-sharing conditions without a valid reason and termination right.

The Data Act context is the starting point for this answer. Chapter V has a different size rule. Article 15(2) says the non-emergency exceptional-need route in Article 15(1)(b) does not apply to microenterprises and small enterprises. That means a non-emergency public-sector request under that route should not be treated like an ordinary obligation for a micro or small company.

For public emergencies, Article 20 treats micro and small enterprises differently on compensation. Data holders other than micro and small enterprises must make data necessary for public-emergency response available free of charge, but Article 20(3) allows the fair-compensation rule to apply where a microenterprise or small enterprise claims compensation.

Create one status file per Data Act workflow, not one generic SME certificate for the whole company. The useful record names the legal entity, partner and linked-enterprise position, Data Act role, affected product or related service, data request or contract, chapter relied on, date of status review, and source used.

For startup teams, the file should also note that startup status is not itself a legal category in the Data Act. The practical question is whether the entity qualifies as a microenterprise, small enterprise, or medium-sized enterprise under Commission Recommendation 2003/361/EC, and whether the Article 7 or Article 9 conditions actually apply.

For SME exceptions and startups, the Data Act record should identify the source clause, Commission guidance, actor role, dataset, request or contract trigger, and the owner who approved the interpretation.

For SME exceptions and startups, keep the cited external URL, decision date, reviewer, unresolved assumptions, and implementation artifact together so the answer remains auditable.

For SME exceptions and startups, the Data Act workflow should name the legal, product, procurement, cloud, support, or security owner who can change the affected process.

For SME exceptions and startups, use one accountable owner per action, then record consulted teams and evidence dependencies separately.

For SME exceptions and startups, the Data Act evidence should be concrete enough for a later reviewer to reconstruct why the team classified the product, service, request, or contract in scope.

For SME exceptions and startups, useful evidence includes source URLs, data inventories, contract clauses, request logs, technical controls, customer notices, and approval records.