EU Data Act Third-Party Data Sharing FAQ

The Data Act context is the starting point for this answer. User-directed sharing is the Article 5 route where the user, or someone acting on the user's behalf, asks the data holder to make readily available data and the metadata needed to interpret and use it available to a third party. The data holder must make the data available without undue delay, with the same quality as is available to the data holder, easily, securely, in a comprehensive, structured, commonly used and machine-readable format, and where relevant and technically feasible continuously and in real time.

This is not an open data-publication duty. It depends on a user request, a qualifying user, a qualifying third party, and data generated by the connected product or related service that is readily available to the data holder.

The Data Act context is the starting point for this answer. For Chapter II sharing, the practical scope is raw and pre-processed data generated from the use of a connected product or related service that is readily available to the data holder, plus relevant metadata. Commission guidance gives examples such as sensor data on temperature, pressure, flow rate, audio, pH value, liquid level, position, acceleration, or speed.

Do not include inferred or derived information merely because it came from the same product ecosystem. The Commission explains that inferred or derived data, highly enriched data, and content such as audiovisual material are outside the Chapter II scope.

Before users need to exercise the right, Data Act transparency rules require information on how the user can request that data be shared with a third party and, where applicable, end that sharing. During the request, the data holder may verify user or third-party status, but it must not require more information than necessary and must not keep third-party access information beyond what is needed for execution, security, and infrastructure maintenance.

Where the data holder is obliged to make data available to a data recipient, Article 8 requires fair, reasonable, non-discriminatory, and transparent terms. The data holder cannot make data available to a data recipient on an exclusive basis unless the user requested it under Chapter II.

The Data Act context is the starting point for this answer. The third party may process the data only for the purposes and under the conditions agreed with the user, and must erase the data once it is no longer necessary for the agreed purpose unless the user agreed otherwise for non-personal data. If personal data is involved, Union and national data-protection law and data-subject rights still apply.

Article 6 also blocks several recipient behaviours: manipulating the user interface or user choices, profiling unless necessary to provide the service requested by the user, onward sharing without a user contract and trade-secret measures, sharing with a designated gatekeeper, using the data to develop a competing connected product, harming security, undermining trade-secret safeguards, or preventing a consumer user from sharing the data with others.

The Data Act context is the starting point for this answer. No, not through Article 5 user-directed sharing. An undertaking designated as a gatekeeper under the Digital Markets Act is not an eligible third party for Article 5. The gatekeeper also must not solicit or commercially incentivise a user to make data available to one of its services or ask the data holder to do so.

Article 6 adds a downstream control: a third party that received the data must not make the data available to a designated gatekeeper.

The Data Act context is the starting point for this answer. Trade secrets are not a blanket reason to ignore Article 5. They must be preserved and may be disclosed to third parties only to the extent strictly necessary for the purpose agreed between the user and the third party. The data holder or trade secret holder must identify protected data, including relevant metadata, and agree proportionate technical and organisational confidentiality measures with the third party.

If measures are not agreed, the third party fails to implement them, or confidentiality is undermined, the data holder may withhold or suspend sharing of the identified trade-secret data, give a duly substantiated written decision to the third party without undue delay, and notify the competent authority. Refusal is reserved for exceptional case-by-case circumstances where the trade secret holder can demonstrate a high likelihood of serious economic damage despite the measures.

Security is relevant, but the Data Act frames it narrowly. Users and data holders may contractually restrict or prohibit access, use, or further sharing where the processing could undermine security requirements of the connected product laid down by Union or national law and result in serious adverse effects on the health, safety, or security of natural persons.

A recipient also must not use the data in a way that adversely affects the security of the connected product or related service. Security controls should therefore be tied to legal security requirements and the specific risk, not used as a generic objection to third-party access.

The Data Act does not supersede GDPR. It complements Union data-protection and privacy law and does not create a new legal basis for providing access to personal data where the user is not the data subject. If personal data generated by a connected product or related service is to be made available to a third party and the user is not the data subject, the data holder needs a valid Article 6 GDPR legal basis and, where relevant, conditions for special-category data and ePrivacy terminal-equipment rules.

Where data contains several people's personal data, teams should separate, anonymise, pseudonymise, or otherwise control delivery as needed. The Commission FAQ also warns that privacy-enhancing technologies should not be used simply to circumvent Data Act sharing obligations where data remains readily available.

The Data Act context is the starting point for this answer. Article 5 says the data must be made available to the third party free of charge to the user. Separately, Article 9 allows reasonable and non-discriminatory compensation agreed between a data holder and a data recipient in business-to-business relations, and says compensation may include a margin.

There is a special cap for SME data recipients and not-for-profit research organisations that do not have linked or partner enterprises outside the SME category: compensation must not exceed the costs incurred for making the data available. The data holder must provide enough detail on the calculation basis for the data recipient to assess whether Article 9 requirements are met.

Use a simple sequence: first confirm the request comes from the user or someone acting on the user's behalf, then confirm the recipient is eligible, then check the data scope and any GDPR issues. If the request is valid, make the data available without undue delay and in the required format. If trade secrets or security concerns apply, use the Article 5 or Article 4 safeguards, and if the issue cannot be resolved, withhold, suspend, or refuse only within the conditions in the Data Act.

A good internal workflow also records the request, the data categories shared, the legal checks performed, the confidentiality measures agreed, the delivery date, and any authority notification or dispute route used.

The Data Act context is the starting point for this answer. Keep a request record that shows the user authority, recipient identity and eligibility, requested data categories, personal-data assessment, trade-secret and security assessment, recipient purpose, delivery route, delivery format, compensation position if any, and final outcome. These records should be enough to explain why data was shared, limited, suspended, withheld, or refused.

For recipient misuse, Article 11 supports remedies such as erasure of data and copies, ending production or use of goods or services produced from unlawfully used data where the legal test is met, informing the user of unauthorised use or disclosure, and compensation for misuse or disclosure of unlawfully accessed or used data.

Assign one accountable owner for the Data Act request workflow, with clear support from legal, privacy, security, product, and operations as needed. The owner should be the person who can actually change the affected process and decide whether the request is fulfilled, limited, suspended, or refused.

Keep consulted teams and evidence dependencies separate from the accountable owner so the process stays traceable without creating overlapping ownership.