Regulation (EU) 2023/2854 of the European Parliament and of the Council of 13 December 2023 on harmonised rules on fair access to and use of data and amending Regulation (EU) 2017/2394 and Directive (EU) 2020/1828 (Data Act)
Source
:
EU law
Code/RS
:
2023/2854
-
Abbreviation
:
Data Act
-
Provision
:
Art. 4
-
Short description
:
The rights and obligations of users and data holders with regard to access, use and making available product data and related service data
-
Nature of the provision
:
Right to request data (Right to access and use data)
-
Status
:
Transitional period Note: Applicable from 12 September 2025.
-
Sector
:
All
Legal text :
1. Where data cannot be directly accessed by the user from the connected product or related service, data holders shall make readily available data, as well as the relevant metadata necessary to interpret and use those data, accessible to the user without undue delay, of the same quality as is available to the data holder, easily, securely, free of charge, in a comprehensive, structured, commonly used and machine-readable format and, where relevant and technically feasible, continuously and in real-time. This shall be done on the basis of a simple request through electronic means where technically feasible.
2. Users and data holders may contractually restrict or prohibit accessing, using or further sharing data, if such processing could undermine security requirements of the connected product, as laid down by Union or national law, resulting in a serious adverse effect on the health, safety or security of natural persons. Sectoral authorities may provide users and data holders with technical expertise in that context. Where the data holder refuses to share data pursuant to this Article, it shall notify the competent authority designated pursuant to Article 37.
3. Without prejudice to the user’s right to seek redress at any stage before a court or tribunal of a Member State, the user may, in relation to any dispute with the data holder concerning the contractual restrictions or prohibitions referred to in paragraph 2:
a) lodge, in accordance with Article 37(5), point (b), a complaint with the competent authority; or
b) agree with the data holder to refer the matter to a dispute settlement body in accordance with Article 10(1).
4. Data holders shall not make the exercise of choices or rights under this Article by the user unduly difficult, including by offering choices to the user in a non-neutral manner or by subverting or impairing the autonomy, decision-making or choices of the user via the structure, design, function or manner of operation of a user digital interface or a part thereof.
5. For the purpose of verifying whether a natural or legal person qualifies as a user for the purposes of paragraph 1, a data holder shall not require that person to provide any information beyond what is necessary. Data holders shall not keep any information, in particular log data, on the user’s access to the data requested beyond what is necessary for the sound execution of the user’s access request and for the security and maintenance of the data infrastructure.
6. Trade secrets shall be preserved and shall be disclosed only where the data holder and the user take all necessary measures prior to the disclosure to preserve their confidentiality in particular regarding third parties. The data holder or, where they are not the same person, the trade secret holder shall identify the data which are protected as trade secrets, including in the relevant metadata, and shall agree with the user proportionate technical and organisational measures necessary to preserve the confidentiality of the shared data, in particular in relation to third parties, such as model contractual terms, confidentiality agreements, strict access protocols, technical standards and the application of codes of conduct.
7. Where there is no agreement on the necessary measures referred to in paragraph 6, or if the user fails to implement the measures agreed pursuant to paragraph 6 or undermines the confidentiality of the trade secrets, the data holder may withhold or, as the case may be, suspend the sharing of data identified as trade secrets. The decision of the data holder shall be duly substantiated and provided in writing to the user without undue delay. In such cases, the data holder shall notify the competent authority designated pursuant to Article 37 that it has withheld or suspended data sharing and identify which measures have not been agreed or implemented and, where relevant, which trade secrets have had their confidentiality undermined.
8. In exceptional circumstances, where the data holder who is a trade secret holder is able to demonstrate that it is highly likely to suffer serious economic damage from the disclosure of trade secrets, despite the technical and organisational measures taken by the user pursuant to paragraph 6 of this Article, that data holder may refuse on a case- by-case basis a request for access to the specific data in question. That demonstration shall be duly substantiated on the basis of objective elements, in particular the enforceability of trade secrets protection in third countries, the nature and level of confidentiality of the data requested, and the uniqueness and novelty of the connected product, and shall be provided in writing to the user without undue delay. Where the data holder refuses to share data pursuant to this paragraph, it shall notify the competent authority designated pursuant to Article 37.
9. Without prejudice to a user’s right to seek redress at any stage before a court or tribunal of a Member State, a user wishing to challenge a data holder’s decision to refuse or to withhold or suspend data sharing pursuant to paragraphs 7 and 8 may:
a) lodge, in accordance with Article 37(5), point (b), a complaint with the competent authority, which shall, without undue delay, decide whether and under which conditions data sharing is to start or resume; or
b) agree with the data holder to refer the matter to a dispute settlement body in accordance with Article 10(1).
10. The user shall not use the data obtained pursuant to a request referred to in paragraph 1 to develop a connected product that competes with the connected product from which the data originate, nor share the data with a third party with that intent and shall not use such data to derive insights about the economic situation, assets and production methods of the manufacturer or, where applicable the data holder.
11. The user shall not use coercive means or abuse gaps in the technical infrastructure of a data holder which is designed to protect the data in order to obtain access to data.
12. Where the user is not the data subject whose personal data is requested, any personal data generated by the use of a connected product or related service shall be made available by the data holder to the user only where there is a valid legal basis for processing under Article 6 of Regulation (EU) 2016/679 and, where relevant, the conditions of Article 9 of that Regulation and of Article 5(3) of Directive 2002/58/EC are fulfilled.
13. A data holder shall only use any readily available data that is non-personal data on the basis of a contract with the user. A data holder shall not use such data to derive insights about the economic situation, assets and production methods of, or the use by, the user in any other manner that could undermine the commercial position of that user on the markets in which the user is active.
14. Data holders shall not make available non-personal product data to third parties for commercial or non-commercial purposes other than the fulfilment of their contract with the user. Where relevant, data holders shall contractually bind third parties not to further share data received from them.
2. Users and data holders may contractually restrict or prohibit accessing, using or further sharing data, if such processing could undermine security requirements of the connected product, as laid down by Union or national law, resulting in a serious adverse effect on the health, safety or security of natural persons. Sectoral authorities may provide users and data holders with technical expertise in that context. Where the data holder refuses to share data pursuant to this Article, it shall notify the competent authority designated pursuant to Article 37.
3. Without prejudice to the user’s right to seek redress at any stage before a court or tribunal of a Member State, the user may, in relation to any dispute with the data holder concerning the contractual restrictions or prohibitions referred to in paragraph 2:
a) lodge, in accordance with Article 37(5), point (b), a complaint with the competent authority; or
b) agree with the data holder to refer the matter to a dispute settlement body in accordance with Article 10(1).
4. Data holders shall not make the exercise of choices or rights under this Article by the user unduly difficult, including by offering choices to the user in a non-neutral manner or by subverting or impairing the autonomy, decision-making or choices of the user via the structure, design, function or manner of operation of a user digital interface or a part thereof.
5. For the purpose of verifying whether a natural or legal person qualifies as a user for the purposes of paragraph 1, a data holder shall not require that person to provide any information beyond what is necessary. Data holders shall not keep any information, in particular log data, on the user’s access to the data requested beyond what is necessary for the sound execution of the user’s access request and for the security and maintenance of the data infrastructure.
6. Trade secrets shall be preserved and shall be disclosed only where the data holder and the user take all necessary measures prior to the disclosure to preserve their confidentiality in particular regarding third parties. The data holder or, where they are not the same person, the trade secret holder shall identify the data which are protected as trade secrets, including in the relevant metadata, and shall agree with the user proportionate technical and organisational measures necessary to preserve the confidentiality of the shared data, in particular in relation to third parties, such as model contractual terms, confidentiality agreements, strict access protocols, technical standards and the application of codes of conduct.
7. Where there is no agreement on the necessary measures referred to in paragraph 6, or if the user fails to implement the measures agreed pursuant to paragraph 6 or undermines the confidentiality of the trade secrets, the data holder may withhold or, as the case may be, suspend the sharing of data identified as trade secrets. The decision of the data holder shall be duly substantiated and provided in writing to the user without undue delay. In such cases, the data holder shall notify the competent authority designated pursuant to Article 37 that it has withheld or suspended data sharing and identify which measures have not been agreed or implemented and, where relevant, which trade secrets have had their confidentiality undermined.
8. In exceptional circumstances, where the data holder who is a trade secret holder is able to demonstrate that it is highly likely to suffer serious economic damage from the disclosure of trade secrets, despite the technical and organisational measures taken by the user pursuant to paragraph 6 of this Article, that data holder may refuse on a case- by-case basis a request for access to the specific data in question. That demonstration shall be duly substantiated on the basis of objective elements, in particular the enforceability of trade secrets protection in third countries, the nature and level of confidentiality of the data requested, and the uniqueness and novelty of the connected product, and shall be provided in writing to the user without undue delay. Where the data holder refuses to share data pursuant to this paragraph, it shall notify the competent authority designated pursuant to Article 37.
9. Without prejudice to a user’s right to seek redress at any stage before a court or tribunal of a Member State, a user wishing to challenge a data holder’s decision to refuse or to withhold or suspend data sharing pursuant to paragraphs 7 and 8 may:
a) lodge, in accordance with Article 37(5), point (b), a complaint with the competent authority, which shall, without undue delay, decide whether and under which conditions data sharing is to start or resume; or
b) agree with the data holder to refer the matter to a dispute settlement body in accordance with Article 10(1).
10. The user shall not use the data obtained pursuant to a request referred to in paragraph 1 to develop a connected product that competes with the connected product from which the data originate, nor share the data with a third party with that intent and shall not use such data to derive insights about the economic situation, assets and production methods of the manufacturer or, where applicable the data holder.
11. The user shall not use coercive means or abuse gaps in the technical infrastructure of a data holder which is designed to protect the data in order to obtain access to data.
12. Where the user is not the data subject whose personal data is requested, any personal data generated by the use of a connected product or related service shall be made available by the data holder to the user only where there is a valid legal basis for processing under Article 6 of Regulation (EU) 2016/679 and, where relevant, the conditions of Article 9 of that Regulation and of Article 5(3) of Directive 2002/58/EC are fulfilled.
13. A data holder shall only use any readily available data that is non-personal data on the basis of a contract with the user. A data holder shall not use such data to derive insights about the economic situation, assets and production methods of, or the use by, the user in any other manner that could undermine the commercial position of that user on the markets in which the user is active.
14. Data holders shall not make available non-personal product data to third parties for commercial or non-commercial purposes other than the fulfilment of their contract with the user. Where relevant, data holders shall contractually bind third parties not to further share data received from them.
Actor with an obligation to share data
‘Data holder’ = a natural or legal person that, in accordance with this regulation, applicable EU law or national legislation adopted in accordance with EU law, has the right or obligation to use and make available data, including, where contractually agreed, product data or related service data which it has retrieved or generated during the provision of a related service.
Beneficiaries
‘User of connected products or related services’ = a natural or legal person that owns a connected product or to whom temporary rights to use this connected product have been contractually assigned, or that receives related services.
Linking criteria for Switzerland
Linking criteria for Switzerland
Financial aspects
Free
Binding and/or enforceable
Binding obligation; enforceable right
Conditions for accessing data
A request from the user sent electronically where technically possible
Exceptions and limitations
Exceptions applicable to obliged persons: Art. 7: Business-to-consumer and business-to-business data sharing obligations do not apply to data generated through the use of connected products manufactured or designed or related services provided by: - a microenterprise or small enterprise, or by - a company that has qualified as a medium-sized enterprise for less than one year and for connected products for one year after the date on which they were placed on the market by a medium-sized enterprise
Dynamic data (where relevant and technically feasible)
Format
Comprehensive, structured, commonly used and machine-readable format
Plateform
n/a
Actor with an obligation to share data
‘Data holder’ = a natural or legal person that, in accordance with this regulation, applicable EU law or national legislation adopted in accordance with EU law, has the right or obligation to use and make available data, including, where contractually agreed, product data or related service data which it has retrieved or generated during the provision of a related service.
Beneficiaries
‘User of connected products or related services’ = a natural or legal person that owns a connected product or to whom temporary rights to use this connected product have been contractually assigned, or that receives related services.
Linking criteria for Switzerland
Art. 1(3):
The obligation applies to:
- Swiss data holders that make data available to data recipients in the EU.
Beneficiaries:
- Swiss users of connected products and related services located in the EU;
- Swiss data recipients located in the EU to whom the data is made available.
Financial aspects
Free
Binding and/or enforceable
Binding obligation;
enforceable right
Conditions for accessing data
A request from the user sent electronically where technically possible
Exceptions and limitations
Exceptions applicable to obliged persons:
Art. 7: Business-to-consumer and business-to-business data sharing obligations do not apply to data generated through the use of connected products manufactured or designed or related services provided by:
- a microenterprise or small enterprise, or by
- a company that has qualified as a medium-sized enterprise for less than one year and for connected products for one year after the date on which they were placed on the market by a medium-sized enterprise
Time component
Dynamic data (where relevant and technically feasible)
Format
Comprehensive, structured, commonly used and machine-readable format
Plateform
n/a
Compilation and Disclaimer
This index was prepared on behalf of the IPI by the law firm id est avocats Sàrl (for the section on Swiss law) and the law firm Pierstone (for the section on European law).
This index does not constitute legal advice, and no guarantee is given regarding its completeness.
Neither id est avocats Sàrl, nor Pierstone, nor the IPI or the FDJP can be held liable for any decisions or actions taken on the basis of this index.