Data Act 2023/2854 EN

1. Connected products shall be designed and manufactured, and related_services shall be designed and provided, in such a manner that product data and related_service data, including the relevant meta data necessary to interpret and use those data, are, by default, easily, securely, free of charge, in a comprehensive, structured, commonly used and machine-readable format, and, where relevant and technically feasible, directly accessible to the user.

2. before concluding a contract for the purchase, rent or lease of a connected_product, the seller, rentor or lessor, which may be the manufacturer, shall provide at least the following information to the user, in a clear and comprehensible manner:

(a)	the type, format and estimated volume of product data which the connected_product is capable of generating;

(b)	whether the connected_product is capable of generating data continuously and in real-time;

(c)	whether the connected_product is capable of storing data on-device or on a remote server, including, where applicable, the intended duration of retention;

(d)	how the user may access, retrieve or, where relevant, erase the data, including the technical means to do so, as well as their terms of use and quality of service.

3. before concluding a contract for the provision of a related_service, the provider of such related_service shall provide at least the following information to the user, in a clear and comprehensible manner:

(a)

the nature, estimated volume and collection frequency of product data that the prospective data holder is expected to obtain and, where relevant, the arrangements for the user to access or retrieve such data, including the prospective data holder’s data storage arrangements and the duration of retention;

(b)	the nature and estimated volume of related_service data to be generated, as well as the arrangements for the user to access or retrieve such data, including the prospective data holder’s data storage arrangements and the duration of retention;

(c)	whether the prospective data holder expects to use readily available data itself and the purposes for which those data are to be used, and whether it intends to allow one or more third parties to use the data for purposes agreed upon with the user;

(d)	the identity of the prospective data holder, such as its trading name and the geographical address at which it is established and, where applicable, of other data processing parties;

(e)	the means of communication which make it possible to contact the prospective data holder quickly and communicate with that data holder efficiently;

(f)	how the user can request that the data are shared with a third party and, where applicable, end the data sharing;

(g)	the user’s right to lodge a complaint alleging an infringement of any of the provisions of this Chapter with the competent authority designated pursuant to Article 37;

(h)

whether a prospective data holder is the holder of trade_secrets contained in the data that is accessible from the connected_product or generated during the provision of a related_service, and, where the prospective data holder is not the trade_secret holder, the identity of the trade_secret holder;

(i)	the duration of the contract between the user and the prospective data holder, as well as the arrangements for terminating such a contract.

Article 4

The rights and obligations of users and data holders with regard to access, use and making available product data and related_service data

1. Where data cannot be directly accessed by the user from the connected_product or related_service, data holders shall make readily available data, as well as the relevant meta data necessary to interpret and use those data, accessible to the user without undue delay, of the same quality as is available to the data holder, easily, securely, free of charge, in a comprehensive, structured, commonly used and machine-readable format and, where relevant and technically feasible, continuously and in real-time. This shall be done on the basis of a simple request through electronic means where technically feasible.

2. Users and data holders may contractually restrict or prohibit accessing, using or further sharing data, if such processing could undermine security requirements of the connected_product, as laid down by Union or national law, resulting in a serious adverse effect on the health, safety or security of natural persons. Sectoral authorities may provide users and data holders with technical expertise in that context. Where the data holder refuses to share data pursuant to this Article, it shall notify the competent authority designated pursuant to Article 37.

3. Without prejudice to the user’s right to seek redress at any stage before a court or tribunal of a Member State, the user may, in relation to any dispute with the data holder concerning the contractual restrictions or prohibitions referred to in paragraph 2:

(a)	lodge, in accordance with Article 37(5), point (b), a complaint with the competent authority; or

(b)	agree with the data holder to refer the matter to a dispute settlement body in accordance with Article 10(1).

4. Data holders shall not make the exercise of choices or rights under this Article by the user unduly difficult, including by offering choices to the user in a non-neutral manner or by subverting or impairing the autonomy, decision-making or choices of the user via the structure, design, function or manner of operation of a user digital interface or a part thereof.

5. For the purpose of verifying whether a natural or legal person qualifies as a user for the purposes of paragraph 1, a data holder shall not require that person to provide any information beyond what is necessary. Data holders shall not keep any information, in particular log data, on the user’s access to the data requested beyond what is necessary for the sound execution of the user’s access request and for the security and maintenance of the data infrastructure.

6. Trade secrets shall be preserved and shall be disclosed only where the data holder and the user take all necessary measures prior to the disclosure to preserve their confidentiality in particular regarding third parties. The data holder or, where they are not the same person, the trade_secret holder shall identify the data which are protected as trade_secrets, including in the relevant meta data, and shall agree with the user proportionate technical and organisational measures necessary to preserve the confidentiality of the shared data, in particular in relation to third parties, such as model contractual terms, confidentiality agreements, strict access protocols, technical standards and the application of codes of conduct.

7. Where there is no agreement on the necessary measures referred to in paragraph 6, or if the user fails to implement the measures agreed pursuant to paragraph 6 or undermines the confidentiality of the trade_secrets, the data holder may withhold or, as the case may be, suspend the sharing of data identified as trade_secrets. The decision of the data holder shall be duly substantiated and provided in writing to the user without undue delay. In such cases, the data holder shall notify the competent authority designated pursuant to Article 37 that it has withheld or suspended data sharing and identify which measures have not been agreed or implemented and, where relevant, which trade_secrets have had their confidentiality undermined.

8. In exceptional circumstances, where the data holder who is a trade_secret holder is able to demonstrate that it is highly likely to suffer serious economic damage from the disclosure of trade_secrets, despite the technical and organisational measures taken by the user pursuant to paragraph 6 of this Article, that data holder may refuse on a case-by-case basis a request for access to the specific data in question. That demonstration shall be duly substantiated on the basis of objective elements, in particular the enforceability of trade_secrets protection in third countries, the nature and level of confidentiality of the data requested, and the uniqueness and novelty of the connected_product, and shall be provided in writing to the user without undue delay. Where the data holder refuses to share data pursuant to this paragraph, it shall notify the competent authority designated pursuant to Article 37.

9. Without prejudice to a user’s right to seek redress at any stage before a court or tribunal of a Member State, a user wishing to challenge a data holder’s decision to refuse or to withhold or suspend data sharing pursuant to paragraphs 7 and 8 may:

(a)	lodge, in accordance with Article 37(5), point (b), a complaint with the competent authority, which shall, without undue delay, decide whether and under which conditions data sharing is to start or resume; or

(b)	agree with the data holder to refer the matter to a dispute settlement body in accordance with Article 10(1).

10. The user shall not use the data obtained pursuant to a request referred to in paragraph 1 to develop a connected_product that competes with the connected_product from which the data originate, nor share the data with a third party with that intent and shall not use such data to derive insights about the economic situation, assets and production methods of the manufacturer or, where applicable the data holder.

11. The user shall not use coercive means or abuse gaps in the technical infrastructure of a data holder which is designed to protect the data in order to obtain access to data.

12. Where the user is not the data subject whose personal data is requested, any personal data generated by the use of a connected_product or related_service shall be made available by the data holder to the user only where there is a valid legal basis for processing under Article 6 of Regulation (EU) 2016/679 and, where relevant, the conditions of Article 9 of that Regulation and of Article 5(3) of Directive 2002/58/EC are fulfilled.

13. A data holder shall only use any readily available data that is non-personal data on the basis of a contract with the user. A data holder shall not use such data to derive insights about the economic situation, assets and production methods of, or the use by, the user in any other manner that could undermine the commercial position of that user on the markets in which the user is active.

14. Data holders shall not make available non-personal product data to third parties for commercial or non-commercial purposes other than the fulfilment of their contract with the user. Where relevant, data holders shall contractually bind third parties not to further share data received from them.

Article 5

Right of the user to share data with third parties

1. Upon request by a user, or by a party acting on behalf of a user, the data holder shall make available readily available data, as well as the relevant meta data necessary to interpret and use those data, to a third party without undue delay, of the same quality as is available to the data holder, easily, securely, free of charge to the user, in a comprehensive, structured, commonly used and machine-readable format and, where relevant and technically feasible, continuously and in real-time. The data shall be made available by the data holder to the third party in accordance with Articles 8 and 9.

2. Paragraph 1 shall not apply to readily available data in the context of the testing of new connected_products, substances or processes that are not yet placed on the market unless their use by a third party is contractually permitted.

3. Any undertaking designated as a gatekeeper, pursuant to Article 3 of Regulation (EU) 2022/1925, shall not be an eligible third party under this Article and therefore shall not:

(a)	solicit or commercially incentivise a user in any manner, including by providing monetary or any other compensation, to make data available to one of its services that the user has obtained pursuant to a request under Article 4(1);

(b)	solicit or commercially incentivise a user to request the data holder to make data available to one of its services pursuant to paragraph 1 of this Article;

(c)	receive data from a user that the user has obtained pursuant to a request under Article 4(1).

4. For the purpose of verifying whether a natural or legal person qualifies as a user or as a third party for the purposes of paragraph 1, the user or the third party shall not be required to provide any information beyond what is necessary. Data holders shall not keep any information on the third party’s access to the data requested beyond what is necessary for the sound execution of the third party’s access request and for the security and maintenance of the data infrastructure.

5. The third party shall not use coercive means or abuse gaps in the technical infrastructure of a data holder which is designed to protect the data in order to obtain access to data.

6. A data holder shall not use any readily available data to derive insights about the economic situation, assets and production methods of, or the use by, the third party in any other manner that could undermine the commercial position of the third party on the markets in which the third party is active, unless the third party has given permission to such use and has the technical possibility to easily withdraw that permission at any time.

7. Where the user is not the data subject whose personal data is requested, any personal data generated by the use of a connected_product or related_service shall be made available by the data holder to the third party only where there is a valid legal basis for processing under Article 6 of Regulation (EU) 2016/679 and, where relevant, the conditions of Article 9 of that Regulation and of Article 5(3) of Directive 2002/58/EC are fulfilled.

8. Any failure on the part of the data holder and the third party to agree on arrangements for transmitting the data shall not hinder, prevent or interfere with the exercise of the rights of the data subject under Regulation (EU) 2016/679 and, in particular, with the right to data portability under Article 20 of that Regulation.

9. Trade secrets shall be preserved and shall be disclosed to third parties only to the extent that such disclosure is strictly necessary to fulfil the purpose agreed between the user and the third party. The data holder or, where they are not the same person, the trade_secret holder shall identify the data which are protected as trade_secrets, including in the relevant meta data, and shall agree with the third party all proportionate technical and organisational measures necessary to preserve the confidentiality of the shared data, such as model contractual terms, confidentiality agreements, strict access protocols, technical standards and the application of codes of conduct.

10. Where there is no agreement on the necessary measures referred to in paragraph 9 of this Article or if the third party fails to implement the measures agreed pursuant to paragraph 9 of this Article or undermines the confidentiality of the trade_secrets, the data holder may withhold or, as the case may be, suspend the sharing of data identified as trade_secrets. The decision of the data holder shall be duly substantiated and provided in writing to the third party without undue delay. In such cases, the data holder shall notify the competent authority designated pursuant to Article 37 that it has withheld or suspended data sharing and identify which measures have not been agreed or implemented and, where relevant, which trade_secrets have had their confidentiality undermined.

11. In exceptional circumstances, where the data holder who is a trade_secret holder is able to demonstrate that it is highly likely to suffer serious economic damage from the disclosure of trade_secrets, despite the technical and organisational measures taken by the third party pursuant to paragraph 9 of this Article, that data holder may refuse on a case-by-case basis a request for access to the specific data in question. That demonstration shall be duly substantiated on the basis of objective elements, in particular the enforceability of trade_secrets protection in third countries, the nature and level of confidentiality of the data requested, and the uniqueness and novelty of the connected_product, and shall be provided in writing to the third party without undue delay. Where the data holder refuses to share data pursuant to this paragraph, it shall notify the competent authority designated pursuant to Article 37.

12. Without prejudice to the third party’s right to seek redress at any stage before a court or tribunal of a Member State, a third party wishing to challenge a data holder’s decision to refuse or to withhold or suspend data sharing pursuant to paragraphs 10 and 11 may:

(a)	lodge, in accordance with Article 37(5), point (b), a complaint with the competent authority, which shall, without undue delay, decide whether and under which conditions the data sharing is to start or resume; or

(b)	agree with the data holder to refer the matter to a dispute settlement body in accordance with Article 10(1).

13. The right referred to in paragraph 1 shall not adversely affect the rights of data subjects pursuant to the applicable Union and national law on the protection of personal data.

Article 10

Dispute settlement

1. Users, data holders and data recipients shall have access to a dispute settlement body, certified in accordance with paragraph 5 of this Article, to settle disputes pursuant to Article 4(3) and (9) and Article 5(12) as well as disputes relating to the fair, reasonable and non-discriminatory terms and conditions for, and transparent manner of, making data available in accordance with this Chapter and Chapter IV.

2. Dispute settlement bodies shall make the fees, or the mechanisms used to determine the fees, known to the parties concerned before those parties request a decision.

3. For disputes referred to a dispute settlement body pursuant to Article 4(3) and (9) and Article 5(12), where the dispute settlement body decides a dispute in favour of the user or of the data recipient, the data holder shall bear all the fees charged by the dispute settlement body and shall reimburse that user or that data recipient for any other reasonable expenses that it has incurred in relation to the dispute settlement. If the dispute settlement body decides a dispute in favour of the data holder, the user or the data recipient shall not be required to reimburse any fees or other expenses that the data holder paid or is to pay in relation to the dispute settlement, unless the dispute settlement body finds that the user or the data recipient manifestly acted in bad faith.

4. Customers and providers of data processing services shall have access to a dispute settlement body, certified in accordance with paragraph 5 of this Article, to settle disputes relating to breaches of the rights of customers and the obligations of providers of data processing services, in accordance with Articles 23 to 31.

5. The Member State where the dispute settlement body is established shall, at the request of that body, certify that body where it has demonstrated that it meets all of the following conditions:

(a)	it is impartial and independent, and it is to issue its decisions in accordance with clear, non-discriminatory and fair rules of procedure;

(b)	it has the necessary expertise, in particular in relation to fair, reasonable and non-discriminatory terms and conditions, including compensation, and on making data available in a transparent manner, allowing the body to effectively determine those terms and conditions;

(c)	it is easily accessible through electronic communication technology;

(d)	it is capable of adopting its decisions in a swift, efficient and cost-effective manner in at least one official language of the Union.

6. Member States shall notify to the Commission the dispute settlement bodies certified in accordance with paragraph 5. The Commission shall publish a list of those bodies on a dedicated website and keep it updated.

7. A dispute settlement body shall refuse to deal with a request to resolve a dispute that has already been brought before another dispute settlement body or before a court or tribunal of a Member State.

8. A dispute settlement body shall grant parties the possibility, within a reasonable period of time, to express their points of view on the matters those parties have brought before that body. In that context, each party to a dispute shall be provided with the submissions of the other party to their dispute and any statements made by experts. The parties shall be given the possibility to comment on those submissions and statements.

9. A dispute settlement body shall adopt its decision on a matter referred to it within 90 days of receipt of a request pursuant to paragraphs 1 and 4. That decision shall be in writing or on a durable medium and shall be supported by a statement of reasons.

10. Dispute settlement bodies shall draw up and make publicly available annual activity reports. Such annual reports shall include, in particular, the following general information:

(a)	an aggregation of the outcomes of disputes;

(b)	the average time taken to resolve disputes;

(c)	the most common reasons for disputes.

11. In order to facilitate the exchange of information and best practices, a dispute settlement body may decide to include recommendations in the report referred to in paragraph 10 as to how problems can be avoided or resolved.

12. The decision of a dispute settlement body shall be binding on the parties only if the parties have explicitly consented to its binding nature prior to the start of the dispute settlement proceedings.

13. This Article does not affect the right of parties to seek an effective remedy before a court or tribunal of a Member State.

Article 17

Requests for data to be made available

1. When requesting data pursuant to Article 14, a public_sector_body, the Commission, the European Central Bank or a Union body shall:

(a)	specify the data required, including the relevant meta data necessary to interpret and use those data;

(b)	demonstrate that the conditions necessary for the existence of an exceptional need as referred to in Article 15 for the purpose of which the data are requested are met;

(c)	explain the purpose of the request, the intended use of the data requested, including, where applicable, by a third party in accordance with paragraph 4 of this Article, the duration of that use, and, where relevant, how the processing of personal data is to address the exceptional need;

(d)	specify, if possible, when the data are expected to be erased by all parties that have access to them;

(e)	justify the choice of data holder to which the request is addressed;

(f)	specify any other public sector bodies or the Commission, European Central Bank or Union_bodies and the third parties with which the data requested is expected to be shared with;

(g)	where personal data are requested, specify any technical and organisational measures necessary and proportionate to implement data protection principles and necessary safeguards, such as pseudonymisation, and whether anonymisation can be applied by the data holder before making the data available;

(h)	state the legal provision allocating to the requesting public_sector_body, the Commission, the European Central Bank or the Union body the specific task carried out in the public interest relevant for requesting the data;

(i)	specify the deadline by which the data are to be made available and the deadline referred to in Article 18(2) by which the data holder may decline or seek modification of the request;

(j)	make its best efforts to avoid compliance with the data request resulting in the data holders’ liability for infringement of Union or national law.

2. A request for data made pursuant to paragraph 1 of this Article shall:

(a)	be made in writing and expressed in clear, concise and plain language understandable to the data holder;

(b)	be specific regarding the type of data requested and correspond to data which the data holder has control over at the time of the request;

(c)	be proportionate to the exceptional need and duly justified, regarding the granularity and volume of the data requested and frequency of access of the data requested;

(d)	respect the legitimate aims of the data holder, committing to ensuring the protection of trade_secrets in accordance with Article 19(3), and the cost and effort required to make the data available;

(e)

concern non-personal data, and only if this is demonstrated to be insufficient to respond to the exceptional need to use data, in accordance with Article 15(1), point (a), request personal data in pseudonymised form and establish the technical and organisational measures that are to be taken to protect the data;

(f)	inform the data holder of the penalties that are to be imposed pursuant to Article 40 by the competent authority designated pursuant to Article 37 in the event of non-compliance with the request;

(g)

where the request is made by a public_sector_body, be transmitted to the data coordinator referred to in Article 37 of the Member State where the requesting public_sector_body is established, who shall make the request publicly available online without undue delay unless the data coordinator considers that such publication would create a risk for public security;

(h)	where the request is made by the Commission, the European Central Bank or a Union body, be made available online without undue delay;

(i)	where personal data are requested, be notified without undue delay to the supervisory authority responsible for monitoring the application of Regulation (EU) 2016/679 in the Member State where the public_sector_body is established.

The European Central Bank and Union_bodies shall inform the Commission of their requests.

3. A public_sector_body, the Commission, the European Central Bank or a Union body shall not make data obtained pursuant to this Chapter available for reuse as defined in Article 2, point (2), of Regulation (EU) 2022/868 or Article 2, point (11), of Directive (EU) 2019/1024. Regulation (EU) 2022/868 and Directive (EU) 2019/1024 shall not apply to the data held by public sector bodies obtained pursuant to this Chapter.

4. Paragraph 3 of this Article does not preclude a public_sector_body, the Commission, the European Central Bank or a Union body to exchange data obtained pursuant to this Chapter with another public_sector_body or the Commission, the European Central Bank or a Union body in view of completing the tasks referred to in Article 15, as specified in the request in accordance with paragraph 1, point (f), of this Article or to make the data available to a third party where it has delegated, by means of a publicly available agreement, technical inspections or other functions to that third party. The obligations on public sector bodies pursuant to Article 19, in particular safeguards to preserve the confidentiality of trade_secrets, shall apply also to such third parties. Where a public_sector_body, the Commission, the European Central Bank or a Union body transmits or makes data available under this paragraph, it shall notify the data holder from whom the data was received without undue delay.

5. Where the data holder considers that its rights under this Chapter have been infringed by the transmission or making available of data, it may lodge a complaint with the competent authority designated pursuant to Article 37 of the Member State where the data holder is established.

6. The Commission shall develop a model template for requests pursuant to this Article.

Article 22

Mutual assistance and cross-border cooperation

1. Public sector bodies, the Commission, the European Central Bank and Union_bodies shall cooperate and assist one another, to implement this Chapter in a consistent manner.

2. Any data exchanged in the context of assistance requested and provided pursuant to paragraph 1 shall not be used in a manner incompatible with the purpose for which they were requested.

3. Where a public_sector_body intends to request data from a data holder established in another Member State, it shall first notify the competent authority designated pursuant to Article 37 in that Member State of that intention. This requirement shall also apply to requests by the Commission, the European Central Bank and Union_bodies. The request shall be examined by the competent authority of the Member State where the data holder is established.

4. After having examined the request in light of the requirements laid down in Article 17, the relevant competent authority shall, without undue delay, take one of the following actions:

(a)

transmit the request to the data holder and, if applicable, advise the requesting public_sector_body, the Commission, the European Central Bank or the Union body of the need, if any, to cooperate with public sector bodies of the Member State in which the data holder is established with the aim of reducing the administrative burden on the data holder in complying with the request;

(b)	reject the request on duly substantiated grounds in accordance with this Chapter.

The requesting public_sector_body, the Commission, the European Central Bank and the Union body shall take into account the advice of and the grounds provided by the relevant competent authority pursuant to the first subparagraph before taking any further action such as resubmitting the request, if applicable.

CHAPTER VI

SWITCHING BETWEEN DATA PROCESSING SERVICES

Article 29

Gradual withdrawal of switching charges

1. From 12 January 2027, providers of data processing services shall not impose any switching charges on the customer for the switching process.

2. From 11 January 2024 to 12 January 2027, providers of data processing services may impose reduced switching charges on the customer for the switching process.

3. The reduced switching charges referred to in paragraph 2 shall not exceed the costs incurred by the provider of data processing services that are directly linked to the switching process concerned.

4. before entering into a contract with a customer, providers of data processing services shall provide the prospective customer with clear information on the standard service fees and early termination penalties that might be imposed, as well as on the reduced switching charges that might be imposed during the timeframe referred to in paragraph 2.

5. Where relevant, providers of data processing services shall provide information to a customer on data processing services that involve highly complex or costly switching or for which it is impossible to switch without significant interference in the data, digital_assets or service architecture.

6. Where applicable, providers of data processing services shall make the information referred to in paragraphs 4 and 5 publicly available to customers via a dedicated section of their website or in any other easily accessible way.

7. The Commission is empowered to adopt delegated acts in accordance with Article 45 to supplement this Regulation by establishing a monitoring mechanism for the Commission to monitor switching charges, imposed by providers of data processing services on the market to ensure that the withdrawal and reduction of switching charges, pursuant to paragraphs 1 and 2 of this Article are to be attained in accordance with the deadlines laid down in those paragraphs.

Article 32

International governmental access and transfer

1. Providers of data processing services shall take all adequate technical, organisational and legal measures, including contracts, in order to prevent international and third-country governmental access and transfer of non-personal data held in the Union where such transfer or access would create a conflict with Union law or with the national law of the relevant Member State, without prejudice to paragraph 2 or 3.

2. Any decision or judgment of a third-country court or tribunal and any decision of a third-country administrative authority requiring a provider of data processing services to transfer or give access to non-personal data falling within the scope of this Regulation held in the Union shall be recognised or enforceable in any manner only if based on an international agreement, such as a mutual legal assistance treaty, in force between the requesting third country and the Union, or any such agreement between the requesting third country and a Member State.

3. In the absence of an international agreement as referred to in paragraph 2, where a provider of data processing services is the addressee of a decision or judgment of a third-country court or tribunal or a decision of a third-country administrative authority to transfer or give access to non-personal data falling within the scope of this Regulation held in the Union and compliance with such a decision would risk putting the addressee in conflict with Union law or with the national law of the relevant Member State, transfer to or access to such data by that third-country authority shall take place only where:

(a)	the third-country system requires the reasons and proportionality of such a decision or judgment to be set out and requires such a decision or judgment to be specific in character, for instance by establishing a sufficient link to certain suspected persons or infringements;

(b)	the reasoned objection of the addressee is subject to a review by a competent third-country court or tribunal; and

(c)

the competent third-country court or tribunal issuing the decision or judgment or reviewing the decision of an administrative authority is empowered under the law of that third country to take duly into account the relevant legal interests of the provider of the data protected by Union law or by the national law of the relevant Member State.

The addressee of the decision or judgment may ask the opinion of the relevant national body or authority competent for international cooperation in legal matters, in order to determine whether the conditions laid down in the first subparagraph are met, in particular when it considers that the decision may relate to trade_secrets and other commercially sensitive data as well as to content protected by intellectual property rights or the transfer may lead to re-identification. The relevant national body or authority may consult the Commission. If the addressee considers that the decision or judgment may impinge on the national security or defence interests of the Union or its Member States, it shall ask the opinion of the relevant national body or authority in order to determine whether the data requested concerns national security or defence interests of the Union or its Member States. If the addressee has not received a reply within one month, or if the opinion of such body or authority concludes that the conditions laid down in the first subparagraph are not met, the addressee may reject the request for transfer or access, to non-personal data, on those grounds.

The EDIB referred to in Article 42 shall advise and assist the Commission in developing guidelines on the assessment of whether the conditions laid down in the first subparagraph of this paragraph are met.

4. If the conditions laid down in paragraph 2 or 3 are met, the provider of data processing services shall provide the minimum amount of data permissible in response to a request, on the basis of the reasonable interpretation of that request by the provider or relevant national body or authority referred to in paragraph 3, second subparagraph.

5. The provider of data processing services shall inform the customer about the existence of a request of a third-country authority to access its data before complying with that request, except where the request serves law enforcement purposes and for as long as this is necessary to preserve the effectiveness of the law enforcement activity.

CHAPTER VIII

INTEROPERABILITY

Article 33

Essential requirements regarding interoperability of data, of data sharing mechanisms and services, as well as of common European data spaces

1. Participants in data spaces that offer data or data services to other participants shall comply with the following essential requirements to facilitate the interoperability of data, of data sharing mechanisms and services, as well as of common European data spaces which are purpose- or sector-specific or cross-sectoral interoperable frameworks for common standards and practices to share or jointly process data for, inter alia, the development of new products and services, scientific research or civil society initiatives:

(a)	the dataset content, use restrictions, licences, data collection methodology, data quality and uncertainty shall be sufficiently described, where applicable, in a machine-readable format, to allow the recipient to find, access and use the data;

(b)	the data structures, data formats, vocabularies, classification schemes, taxonomies and code lists, where available, shall be described in a publicly available and consistent manner;

(c)

the technical means to access the data, such as application programming interfaces, and their terms of use and quality of service shall be sufficiently described to enable automatic access and transmission of data between parties, including continuously, in bulk download or in real-time in a machine-readable format where that is technically feasible and does not hamper the good functioning of the connected_product;

(d)	where applicable, the means to enable the interoperability of tools for automating the execution of data sharing agreements, such as smart_contracts shall be provided.

The requirements can have a generic nature or concern specific sectors, while taking fully into account the interrelation with requirements arising from other Union or national law.

2. The Commission is empowered to adopt delegated acts, in accordance with Article 45 of this Regulation to supplement this Regulation by further specifying the essential requirements laid down in paragraph 1 of this Article, in relation to those requirements that, by their nature, cannot produce the intended effect unless they are further specified in binding Union legal acts and in order to properly reflect technological and market developments.

The Commission shall when adopting delegated acts take into account the advice of the EDIB in accordance with Article 42, point (c)(iii).

3. The participants in data spaces that offer data or data services to other participants in data spaces which meet the harmonised_standards or parts thereof, the references of which are published in the Official Journal of the European Union, shall be presumed to be in conformity with the essential requirements laid down in paragraph 1 to the extent that those requirements are covered by such harmonised_standards or parts thereof.

4. The Commission shall, pursuant to Article 10 of Regulation (EU) No 1025/2012, request one or more European standardisation organisations to draft harmonised_standards that satisfy the essential requirements laid down in paragraph 1 of this Article.

5. The Commission may, by means of implementing acts, adopt common_specifications covering any or all of the essential requirements laid down in paragraph 1 where the following conditions have been fulfilled:

(a)

the Commission has requested, pursuant to Article 10(1) of Regulation (EU) No 1025/2012, one or more European standardisation organisations to draft a harmonised_standard that satisfies the essential requirements laid down in paragraph 1 of this Article and:

(i)	the request has not been accepted;

(ii)	the harmonised_standards addressing that request are not delivered within the deadline set in accordance with Article 10(1) of Regulation (EU) No 1025/2012; or

(iii)

the harmonised_standards do not comply with the request; and

(b)

no reference to harmonised_standards covering the relevant essential requirements laid down in paragraph 1 of this Article is published in the Official Journal of the European Union in accordance with Regulation (EU) No 1025/2012 and no such reference is expected to be published within a reasonable period.

Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 46(2).

6. before preparing a draft implementing act referred to in paragraph 5 of this Article, the Commission shall inform the committee referred to in Article 22 of Regulation (EU) No 1025/2012 that it considers that the conditions in paragraph 5 of this Article have been fulfilled.

7. When preparing the draft implementing act referred to in paragraph 5, the Commission shall take into account the advice of the EDIB and views of other relevant bodies or expert groups and shall duly consult all relevant stakeholders.

8. The participants in data spaces that offer data or data services to other participants in data spaces that meet the common_specifications established by implementing acts referred to in paragraph 5 or parts thereof shall be presumed to be in conformity with the essential requirements laid down in paragraph 1 to the extent that those requirements are covered by such common_specifications or parts thereof.

9. Where a harmonised_standard is adopted by a European standardisation organisation and proposed to the Commission for the purpose of publishing its reference in the Official Journal of the European Union, the Commission shall assess the harmonised_standard in accordance with Regulation (EU) No 1025/2012. Where the reference of a harmonised_standard is published in the Official Journal of the European Union, the Commission shall repeal the implementing acts referred to in paragraph 5 of this Article, or parts thereof which cover the same essential requirements as those covered by that harmonised_standard.

10. When a Member State considers that a common specification does not entirely satisfy the essential requirements laid down in paragraph 1, it shall inform the Commission thereof by submitting a detailed explanation. The Commission shall assess that detailed explanation and may, if appropriate, amend the implementing act establishing the common specification in question.

11. The Commission may adopt guidelines taking into account the proposal of the EDIB in accordance with Article 30, point (h), of Regulation (EU) 2022/868 laying down interoperable frameworks for common standards and practices for the functioning of common European data spaces.

Article 36

Essential requirements regarding smart_contracts for executing data sharing agreements

1. The vendor of an application using smart_contracts or, in the absence thereof, the person whose trade, business or profession involves the deployment of smart_contracts for others in the context of executing an agreement or part of it, to make data available shall ensure that those smart_contracts comply with the following essential requirements of:

(a)	robustness and access control, to ensure that the smart_contract has been designed to offer access control mechanisms and a very high degree of robustness to avoid functional errors and to withstand manipulation by third parties;

(b)

safe termination and interruption, to ensure that a mechanism exists to terminate the continued execution of transactions and that the smart_contract includes internal functions which can reset or instruct the contract to stop or interrupt the operation, in particular to avoid future accidental executions;

(c)	data archiving and continuity, to ensure, in circumstances in which a smart_contract must be terminated or deactivated, there is a possibility to archive the transactional data, smart_contract logic and code in order to keep the record of operations performed on the data in the past (auditability);

(d)	access control, to ensure that a smart_contract is protected through rigorous access control mechanisms at the governance and smart_contract layers; and

(e)	consistency, to ensure consistency with the terms of the data sharing agreement that the smart_contract executes.

2. The vendor of a smart_contract or, in the absence thereof, the person whose trade, business or profession involves the deployment of smart_contracts for others in the context of executing an agreement or part of it, to make data available shall perform a conformity assessment with a view to fulfilling the essential requirements laid down in paragraph 1 and, on the fulfilment of those requirements, issue an EU declaration of conformity.

3. By drawing up the EU declaration of conformity, the vendor of an application using smart_contracts or, in the absence thereof, the person whose trade, business or profession involves the deployment of smart_contracts for others in the context of executing an agreement or part of it, to make data available shall be responsible for compliance with the essential requirements laid down in paragraph 1.

4. A smart_contract that meets the harmonised_standards or the relevant parts thereof, the references of which are published in the Official Journal of the European Union, shall be presumed to be in conformity with the essential requirements laid down in paragraph 1 to the extent that those requirements are covered by such harmonised_standards or parts thereof.

5. The Commission shall, pursuant to Article 10 of Regulation (EU) No 1025/2012, request one or more European standardisation organisations to draft harmonised_standards that satisfy the essential requirements laid down in paragraph 1 of this Article.

6. The Commission may, by means of implementing acts, adopt common_specifications covering any or all of the essential requirements laid down in paragraph 1 where the following conditions have been fulfilled:

(a)

(i)	the request has not been accepted;

(ii)	the harmonised_standards addressing that request are not delivered within the deadline set in accordance with Article 10(1) of Regulation (EU) No 1025/2012; or

(iii)

the harmonised_standards do not comply with the request; and

(b)

Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 46(2).

7. before preparing a draft implementing act referred to in paragraph 6 of this Article, the Commission shall inform the committee referred to in Article 22 of Regulation (EU) No 1025/2012 that it considers that the conditions in paragraph 6 of this Article have been fulfilled.

8. When preparing the draft implementing act referred to in paragraph 6, the Commission shall take into account the advice of the EDIB and views of other relevant bodies or expert groups and shall duly consult all relevant stakeholders.

9. The vendor of a smart_contract or, in the absence thereof, the person whose trade, business or profession involves the deployment of smart_contracts for others in the context of executing an agreement or part of it, to make data available that meet the common_specifications established by implementing acts referred to in paragraph 6 or parts thereof shall be presumed to be in conformity with the essential requirements laid down in paragraph 1 to the extent that those requirements are covered by such common_specifications or parts thereof.

10. Where a harmonised_standard is adopted by a European standardisation organisation and proposed to the Commission for the purpose of publishing its reference in the Official Journal of the European Union, the Commission shall assess the harmonised_standard in accordance with Regulation (EU) No 1025/2012. Where the reference of a harmonised_standard is published in the Official Journal of the European Union, the Commission shall repeal the implementing acts referred to in paragraph 6 of this Article, or parts thereof which cover the same essential requirements as those covered by that harmonised_standard.

11. When a Member State considers that a common specification does not entirely satisfy the essential requirements laid down in paragraph 1, it shall inform the Commission thereof by submitting a detailed explanation. The Commission shall assess that detailed explanation and may, if appropriate, amend the implementing act establishing the common specification in question.

CHAPTER IX

IMPLEMENTATION AND ENFORCEMENT

Article 39

Right to an effective judicial remedy

1. Notwithstanding any administrative or other non-judicial remedy, any affected natural and legal person shall have the right to an effective judicial remedy with regard to legally binding decisions taken by competent authorities.

2. Where a competent authority fails to act on a complaint, any affected natural and legal person shall, in accordance with national law, either have the right to an effective judicial remedy or access to review by an impartial body with the appropriate expertise.

3. Proceedings pursuant to this Article shall be brought before the courts or tribunals of the Member State of the competent authority against which the judicial remedy is sought individually or, where relevant, collectively by the representatives of one or more natural or legal persons.

Article 41

Model contractual terms and standard contractual clauses

The Commission, before 12 September 2025, shall develop and recommend non-binding model contractual terms on data access and use, including terms on reasonable compensation and the protection of trade_secrets, and non-binding standard contractual clauses for cloud computing contracts to assist parties in drafting and negotiating contracts with fair, reasonable and non-discriminatory contractual rights and obligations.

Article 44

Other Union legal acts governing rights and obligations on data access and use

1. The specific obligations for the making available of data between businesses, between businesses and consumers, and on exceptional basis between businesses and public bodies, in Union legal acts that entered into force on or before 11 January 2024, and delegated or implementing acts pursuant thereto, shall remain unaffected.

2. This Regulation is without prejudice to Union law specifying, in light of the needs of a sector, a common European data space, or an area of public interest, further requirements, in particular in relation to:

(a)	technical aspects of data access;

(b)	limits on the rights of data holders to access or use certain data provided by users;

(c)	aspects going beyond data access and use.

3. This Regulation, with the exception of Chapter V, is without prejudice to Union and national law providing for access to and authorising the use of data for scientific research purposes.

Article 45

Exercise of the delegation

1. The power to adopt delegated acts is conferred on the Commission subject to the conditions laid down in this Article.

2. The power to adopt delegated acts referred to in Article 29(7) and Article 33(2) shall be conferred on the Commission for an indeterminate period of time from 11 January 2024.

3. The delegation of power referred to in Article 29(7) and Article 33(2) may be revoked at any time by the European Parliament or by the Council. A decision to revoke shall put an end to the delegation of the power specified in that decision. It shall take effect the day following the publication of the decision in the Official Journal of the European Union or at a later date specified therein. It shall not affect the validity of any delegated acts already in force.

4. before adopting a delegated act, the Commission shall consult experts designated by each Member State in accordance with the principles laid down in the Interinstitutional Agreement of 13 April 2016 on Better Law-Making.

5. As soon as it adopts a delegated act, the Commission shall notify it simultaneously to the European Parliament and to the Council.

6. A delegated act adopted pursuant to Article 29(7) or Article 33(2) shall enter into force only if no objection has been expressed either by the European Parliament or by the Council within a period of three months of notification of that act to the European Parliament and to the Council or if, before the expiry of that period, the European Parliament and the Council have both informed the Commission that they will not object. That period shall be extended by three months at the initiative of the European Parliament or of the Council.

Article 50

Entry into force and application

This Regulation shall enter into force on the twentieth day following that of its publication in the Official Journal of the European Union.

It shall apply from 12 September 2025.

The obligation resulting from Article 3(1) shall apply to connected_products and the services related to them placed on the market after 12 September 2026.

Chapter III shall apply in relation to obligations to make data available under Union law or national legislation adopted in accordance with Union law, which enters into force after 12 September 2025.

Chapter IV shall apply to contracts concluded after 12 September 2025.

Chapter IV shall apply from 12 September 2027 to contracts concluded on or before 12 September 2025 provided that they are:

(a)	of indefinite duration; or

(b)	due to expire at least 10 years from 11 January 2024.

This Regulation shall be binding in its entirety and directly applicable in all Member States.

Done at Strasbourg, 13 December 2023.

For the European Parliament

The President

R. METSOLA

For the Council

The President

P. NAVARRO RÍOS

(1) OJ C 402, 19.10.2022, p. 5.

(2) OJ C 365, 23.9.2022, p. 18.

(3) OJ C 375, 30.9.2022, p. 112.

(4) Position of the European Parliament of 9 November 2023 (not yet published in the Official Journal) and decision of the Council of 27 November 2023.

(5) Commission Recommendation 2003/361/EC of 6 May 2003 concerning the definition of micro, small and medium-sized enterprises (OJ L 124, 20.5.2003, p. 36).

(6) Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (OJ L 119, 4.5.2016, p. 1).

(7) Regulation (EU) 2018/1725 of the European Parliament and of the Council of 23 October 2018 on the protection of natural persons with regard to the processing of personal data by the Union institutions, bodies, offices and agencies and on the free movement of such data, and repealing Regulation (EC) No 45/2001 and Decision No 1247/2002/EC (OJ L 295, 21.11.2018, p. 39).

(8) Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector (Directive on privacy and electronic communications) (OJ L 201, 31.7.2002, p. 37).

(9) Council Directive 93/13/EEC of 5 April 1993 on unfair terms in consumer contracts (OJ L 95, 21.4.1993, p. 29).

(10) Directive 2005/29/EC of the European Parliament and of the Council of 11 May 2005 concerning unfair business-to- consumer commercial practices in the internal market and amending Council Directive 84/450/EEC, Directives 97/7/EC, 98/27/EC and 2002/65/EC of the European Parliament and of the Council and Regulation (EC) No 2006/2004 of the European Parliament and of the Council (‘Unfair Commercial Practices Directive’) (OJ L 149, 11.6.2005, p. 22).

(11) Directive 2011/83/EU of the European Parliament and of the Council of 25 October 2011 on consumer rights, amending Council Directive 93/13/EEC and Directive 1999/44/EC of the European Parliament and of the Council and repealing Council Directive 85/577/EEC and Directive 97/7/EC of the European Parliament and of the Council (OJ L 304, 22.11.2011, p. 64).

(12) Regulation (EU) 2021/784 of the European Parliament and of the Council of 29 April 2021 on addressing the dissemination of terrorist content online (OJ L 172, 17.5.2021, p. 79).

(13) Regulation (EU) 2022/2065 of the European Parliament and of the Council of 19 October 2022 on a Single Market For Digital Services and amending Directive 2000/31/EC (Digital Services Act) (OJ L 277, 27.10.2022, p. 1).

(14) Regulation (EU) 2023/1543 of the European Parliament and of the Council of 12 July 2023 on European Production Orders and European Preservation Orders for electronic evidence in criminal proceedings and for the execution of custodial sentences following criminal proceedings (OJ L 191, 28.7.2023, p. 118).

(15) Directive (EU) 2023/1544 of the European Parliament and of the Council of 12 July 2023 laying down harmonised rules on the designation of designated establishments and the appointment of legal representatives for the purpose of gathering electronic evidence in criminal proceedings (OJ L 191, 28.7.2023, p. 181).

(16) Regulation (EU) 2015/847 of the European Parliament and of the Council of 20 May 2015 on information accompanying transfers of funds and repealing Regulation (EC) No 1781/2006 (OJ L 141, 5.6.2015, p. 1).

(17) Directive (EU) 2015/849 of the European Parliament and of the Council of 20 May 2015 on the prevention of the use of the financial system for the purposes of money laundering or terrorist financing, amending Regulation (EU) No 648/2012 of the European Parliament and of the Council, and repealing Directive 2005/60/EC of the European Parliament and of the Council and Commission Directive 2006/70/EC (OJ L 141, 5.6.2015, p. 73).

(18) Directive (EU) 2019/882 of the European Parliament and of the Council of 17 April 2019 on the accessibility requirements for products and services (OJ L 151, 7.6.2019, p. 70).

(19) Directive 2001/29/EC of the European Parliament and of the Council of 22 May 2001 on the harmonisation of certain aspects of copyright and related rights in the information society (OJ L 167, 22.6.2001, p. 10).

(20) Directive 2004/48/EC of the European Parliament and of the Council of 29 April 2004 on the enforcement of intellectual property rights (OJ L 157, 30.4.2004, p. 45).

(21) Directive (EU) 2019/790 of the European Parliament and of the Council of 17 April 2019 on copyright and related rights in the Digital Single Market and amending Directives 96/9/EC and 2001/29/EC (OJ L 130, 17.5.2019, p. 92).

(22) Regulation (EU) 2022/868 of the European Parliament and of the Council of 30 May 2022 on European data governance and amending Regulation (EU) 2018/1724 (Data Governance Act) (OJ L 152, 3.6.2022, p. 1).

(23) Directive (EU) 2016/943 of the European Parliament and of the Council of 8 June 2016 on the protection of undisclosed know-how and business information ( trade_secrets) against their unlawful acquisition, use and disclosure (OJ L 157, 15.6.2016, p. 1).

(24) Directive 98/6/EC of the European Parliament and of the Council of 16 February 1998 on consumer protection in the indication of the prices of products offered to consumers (OJ L 80, 18.3.1998, p. 27).

(25) Directive 2000/31/EC of the European Parliament and of the Council of 8 June 2000 on certain legal aspects of information society services, in particular electronic commerce, in the Internal Market (‘Directive on electronic commerce’) (OJ L 178, 17.7.2000, p. 1).

(26) Regulation (EU) 2022/1925 of the European Parliament and of the Council of 14 September 2022 on contestable and fair markets in the digital sector and amending Directives (EU) 2019/1937 and (EU) 2020/1828 (Digital Markets Act) (OJ L 265, 12.10.2022, p. 1).

(27) Regulation (EC) No 223/2009 of the European Parliament and of the Council of 11 March 2009 on European statistics and repealing Regulation (EC, Euratom) No 1101/2008 of the European Parliament and of the Council on the transmission of data subject to statistical confidentiality to the Statistical Office of the European Communities, Council Regulation (EC) No 322/97 on Community Statistics, and Council Decision 89/382/EEC, Euratom establishing a Committee on the Statistical Programmes of the European Communities (OJ L 87, 31.3.2009, p. 164).

(28) Directive (EU) 2019/1024 of the European Parliament and of the Council of 20 June 2019 on open data and the re-use of public sector information (OJ L 172, 26.6.2019, p. 56).

(29) Directive 96/9/EC of the European Parliament and of the Council of 11 March 1996 on the legal protection of databases (OJ L 77, 27.3.1996, p. 20).

(30) Regulation (EU) 2018/1807 of the European Parliament and of the Council of 14 November 2018 on a framework for the free flow of non-personal data in the European Union (OJ L 303, 28.11.2018, p. 59).

(31) Directive (EU) 2019/770 of the European Parliament and of the Council of 20 May 2019 on certain aspects concerning contracts for the supply of digital content and digital services (OJ L 136, 22.5.2019, p. 1).

(32) Regulation (EU) 2022/2554 of the European Parliament and of the Council of 14 December 2022 on digital operational resilience for the financial sector and amending Regulations (EC) No 1060/2009, (EU) No 648/2012, (EU) No 600/2014, (EU) No 909/2014 and (EU) 2016/1011 (OJ L 333, 27.12.2022, p. 1).

(33) Regulation (EU) No 1025/2012 of the European Parliament and of the Council of 25 October 2012 on European standardisation, amending Council Directives 89/686/EEC and 93/15/EEC and Directives 94/9/EC, 94/25/EC, 95/16/EC, 97/23/EC, 98/34/EC, 2004/22/EC, 2007/23/EC, 2009/23/EC and 2009/105/EC of the European Parliament and of the Council and repealing Council Decision 87/95/EEC and Decision No 1673/2006/EC of the European Parliament and of the Council (OJ L 316, 14.11.2012, p. 12).

(34) Regulation (EC) No 765/2008 of the European Parliament and of the Council of 9 July 2008 setting out the requirements for accreditation and repealing Regulation (EEC) No 339/93 (OJ L 218, 13.8.2008, p. 30).

(35) Decision No 768/2008/EC of the European Parliament and of the Council of 9 July 2008 on a common framework for the marketing of products, and repealing Council Decision 93/465/EEC (OJ L 218, 13.8.2008, p. 82).

(36) Regulation (EU) 2017/2394 of the European Parliament and of the Council of 12 December 2017 on cooperation between national authorities responsible for the enforcement of consumer protection laws and repealing Regulation (EC) No 2006/2004 (OJ L 345, 27.12.2017, p. 1).

(37) Directive (EU) 2020/1828 of the European Parliament and of the Council of 25 November 2020 on representative actions for the protection of the collective interests of consumers and repealing Directive 2009/22/EC (OJ L 409, 4.12.2020, p. 1).

(38) OJ L 123, 12.5.2016, p. 1.

(39) Regulation (EU) No 182/2011 of the European Parliament and of the Council of 16 February 2011 laying down the rules and general principles concerning mechanisms for control by the Member States of the Commission’s exercise of implementing powers (OJ L 55, 28.2.2011, p. 13).

ELI: http:// data.europa.eu/eli/reg/2023/2854/oj

ISSN 1977-0677 (electronic edition)

whereas

keyboard_tab Data Act 2023/2854 EN

Data Act 2023/2854 EN