Concluding contracts in the era of the Data Act

The Data Act entered into force on 11 January 2024 and will become applicable on 12 September 2025. The Act aims to enhance the EU’s data economy and foster a competitive data market by establishing clear and fair rules for accessing and using data, while also ensuring the protection of fundamental rights.

For companies that offer products or services that generate data, the Data Act will mean plenty of new contractual obligations, namely regarding data sharing and switching between data processing services. The Data Act also lays rules for disclosing information before concluding a contract and prohibitions for certain contractual terms that are seen as unfair. To comply with these obligations, companies will need to update their model contracts in time for September 2025. Companies may also need to update their existing, long-term contracts to comply with the Data Act. 

So, what are the contractual obligations to look out for?
 

1.    Obligation to disclose information before concluding contracts for connected products or related services

The Data Act contains special obligations for the disclosure of information regarding the collection and processing of data before concluding contracts for connected products or related services. The seller or lessor of a connected product and the provider of a connected service are obliged to provide the information to the user in a clear and comprehensible manner.

The user of a connected product has to be informed of the type, format and estimated volume of the data that the connected product is capable to generate. It is also obligatory to disclose whether the connected product is capable of generating data continuously and in real-time, along with the data storing techniques and the intended duration of retention. The user also needs to be informed of how they can access, retrieve or erase the data, including the technical measures, terms of use and quality of service.

For related services, the obligations for disclosing information are more extensive. The user has to be informed of the nature, estimated volume and collection frequency of both the product data and related service data to be generated. Similarly, the user also needs to be informed about the arrangements for the user to access and retrieve the data, along with information on how the user can make requests for data sharing to third parties. The provider is obliged to disclose whether it expects to use the data itself and the purposes for the use, and whether it intends to allow one or more third parties to use the data for purposes agreed upon with the user. All the parties that have access to the data need to be identified and their contact information need to be provided to the user. If the user’s data contains trade secrets, it is also necessary to separately disclose the identity of the data holder that has access to them. Lastly, the user needs to be informed of the duration of the contracts and the arrangements for terminating the contract as well as their right to lodge a complaint to the competent authority for infringements of the Data Act’s rules.
 

2.    Prohibition to use unilaterally imposed unfair contractual terms

Unilaterally imposed contractual terms concerning 1) access to data; and 2) liability and remedies for the breach or the termination of data related obligations, are not binding, if they are unfair. 

Companies need to be especially mindful of contract terms that have the object or effect to:

• exclude or limit their own liability for intentional acts, gross negligence or non-performance or correspondingly extend the liability of the other contracting party in such cases;
   
• exclude the remedies available to the other party in the case of non-performance;
   
• give them the exclusive right to determine whether the data supplied are in conformity with the contract or to interpret any contractual term;
   
• allow them to access and use the data of the other party in a manner that is significantly detrimental to the legitimate interests of the other party, in particular when such data contain commercially sensitive data or are protected by trade secrets or by intellectual property rights;
   
• prevent or limit the other party from using, capturing, accessing, controlling or exploiting the value of the data provided or generated during the period of the contract;
   
• prevent the other party from obtaining a copy of the data during the period of the contract or within a reasonable period after the termination of the contract;    
   
• enable them to substantially change the price specified in the contract or any other substantive condition related to the nature, format, quality or quantity of the data to be shared, without a valid reason nor the possibility for the other party to terminate the contract in the situation; and
   
• allow them to terminate the contract at unreasonably short notice or correspondingly prevent the other party from terminating the contract within a reasonable period.

3.    Obligations and contractual needs for data sharing 

Data holders (providers of different products and services, who can access the data) are obliged to share the generated data with the users of their products or services. They can also be obliged to share the data with third parties upon the request of the user. Furthermore, data holders can also be obliged to share data with public sector bodies, when there is an exceptional need for the data to carry out a specific task for public interest.

While the Data Act lays these rights, it is up to the parties to further agree on the matter through contracts. Important things for the data holder to agree on would be the data holder’s right to use the generated data and how the data is intended to use, the scope of the data to be shared, terms on how the data will be shared (direct or indirect access), the protective measures for trade secrets and other confidential information and possible restrictions or prohibitions for accessing using or sharing the data for security purposes. Further things to agree on for, especially with third parties, would be confidentiality and disclosure of the data, non-competition regarding the use of the data, compensation for making the data available and liabilities. 
 

4.    Mandatory measures for switching between data processing services

Providers of data processing services are obliged to take measures to enable their customer to switch to another data processing service or to on-premises ICT infrastructure or to use several services at the same time. To ensure this, the providers need to remove pre-commercial, commercial, technical, contractual and organizational obstacles which inhibit customer from performing the switching process successfully. 

The rights of the customer and the obligations of the provider regarding the switching process need to be set out in a written contract. The contract needs to contain clauses on:

• how the customer can notify on its decision to perform a switch of services or erasure of data;
   
• the timeframe of the switching process;
   
• information, assistance and support obligations of the provider;
   
• data security and business continuity;
   
• the scope of the portable data;
   
• erasure of data;
   
• switching charges; and 
   
• the termination of the contract.

5.    What does the Data Act mean for existing contracts?

It is important to note that the rights and obligations created by the Data Act will apply, regardless of the existing contract’s content. Companies will need to prepare for the obligations by creating processes for data sharing and switching between services.

The Data Act’s provision on unfair contractual terms will apply to new contracts concluded after 12 September 2025. From 12 September 2027, the prohibition to use unfair contractual terms listed in the provision may also apply to existing, long-term contracts concluded on the 12 September 2025 or before the mentioned date, if the contract is either indefinite of nature or due to expire at least ten years from the Data Act’s entry into force on 11 January 2024 (after 11 January 2034). 

The Data Act will be applied along with other relevant EU and national legal acts, and it is without prejudice to them. This means, that the rights and obligations created by other regulations need to be noted. It is especially important to be mindful of the protection of intellectual property rights and trade secrets as well as the protection of personal data under the GDPR. The familiar obligations regarding the processing of personal data continue to apply under the Data Act, and contracting parties may need to update their existing contracts or enter into new ones to comply with both regulations.
 

Are you ready for the obligations?

The Data Act’s obligations are just around the corner. Now is the time to start creating the new mandatory data sharing processes and to prepare for the necessary contractual changes. Our team at Bird & Bird is ready to help you with the needed contractual updates and legal evaluations of process developments in time for the new era of data contracts.