DA Article 4. The rights and obligations of users and data holders with regard to access, use and making available product data and related service data

This Regulation should not be understood to confer any new right on data holders to use product data or related service data. Where the manufacturer of a connected product is a data holder, the basis for the manufacturer to use non-personal data should be a contract between the manufacturer and the user. Such a contract could be part of an agreement for the provision of the related service, which could be concluded together with the purchase, rent or lease agreement relating to the connected product. Any contractual term stipulating that the data holder may use product data or related service data should be transparent to the user, including regarding the purposes for which the data holder intends to use the data. Such purposes could include improving the functioning of the connected product or related services, developing new products or services, or aggregating data with the aim of making available the resulting derived data to third parties, provided that such derived data do not allow the identification of specific data transmitted to the data holder from the connected product, or allow a third party to derive those data from the dataset. Any change of the contract should depend on the informed agreement of the user. This Regulation does not prevent parties from agreeing on contractual terms the effect of which is to exclude or limit the use of non-personal data, or certain categories of non-personal data, by a data holder. Neither does it prevent parties from agreeing to make product data or related service data available to third parties, directly or indirectly, including, where applicable, via another data holder. Moreover, this Regulation does not prevent sector-specific regulatory requirements under Union law, or national law compatible with Union law, which would exclude or limit the use of certain such data by the data holder on well-defined public policy grounds. This Regulation does not prevent users, in the case of business-to-business relations, from making data available to third parties or data holders under any lawful contractual term, including by agreeing to limit or restrict further sharing of such data, or from being compensated proportionately, for example in exchange for waiving their right to use or share such data. While the notion of ‘data holder’ generally does not include public sector bodies, it may include public undertakings.

To foster the emergence of liquid, fair and efficient markets for non-personal data, users of connected products should be able to share data with others, including for commercial purposes, with minimal legal and technical effort. It is currently often difficult for businesses to justify the personnel or computing costs that are necessary for preparing non-personal datasets or data products and to offer them to potential counterparties via data intermediation services, including data marketplaces. A substantial hurdle to the sharing of non-personal data by businesses therefore results from the lack of predictability of economic returns from investing in the curation and making available of datasets or data products. In order to allow for the emergence of liquid, fair and efficient markets for non-personal data in the Union, the party that has the right to offer such data on a market must be clarified. Users should therefore have the right to share non-personal data with data recipients for commercial and non-commercial purposes. Such data sharing could be performed directly by the user, upon the request of the user via a data holder, or through data intermediation services. Data intermediation services, as regulated by Regulation (EU) 2022/868 of the European Parliament and of the Council could facilitate a data economy by establishing commercial relationships between users, data recipients and third parties and may support users in exercising their right to use data, such as ensuring the anonymisation of personal data or aggregation of access to data from multiple individual users. Where data are excluded from a data holder’s obligation to make them available to users or third parties, the scope of such data could be specified in the contract between the user and the data holder for the provision of a related service so that users can easily determine which data are available to them for sharing with data recipients or third parties. Data holders should not make available non-personal product data to third parties for commercial or non-commercial purposes other than the fulfilment of their contract with the user, without prejudice to legal requirements pursuant to Union or national law for a data holder to make data available. Where relevant, data holders should contractually bind third parties not to further share data received from them.

In sectors characterised by the concentration of a small number of manufacturers supplying connected products to end users, there may only be limited options available to users for the access to and the use and sharing of data. In such circumstances, contracts may be insufficient to achieve the objective of user empowerment, making it difficult for users to obtain value from the data generated by the connected product they purchase, rent or lease. Consequently, there is limited potential for innovative smaller businesses to offer data-based solutions in a competitive manner and for a diverse data economy in the Union. This Regulation should therefore build on recent developments in specific sectors, such as the Code of Conduct on agricultural data sharing by contract. Union or national law may be adopted to address sector-specific needs and objectives. Furthermore, data holders should not use any readily available data that is non-personal data in order to derive insights about the economic situation of the user or its assets or production methods or about such use by the user in any other manner that could undermine the commercial position of that user on the markets in which it is active. This could include using knowledge about the overall performance of a business or a farm in contractual negotiations with the user on the potential acquisition of the user’s products or agricultural produce to the user’s detriment, or using such information to feed into larger databases on certain markets in the aggregate, for example databases on crop yields for the upcoming harvesting season, as such use could affect the user negatively in an indirect manner. The user should be given the necessary technical interface to manage permissions, preferably with granular permission options such as ‘allow once’ or ‘allow while using this app or service’, including the option to withdraw such permissions.

In contracts between a data holder and a consumer as user of a connected product or related service generating data, Union consumer law, in particular Directives 93/13/EEC and 2005/29/EC, applies to ensure that a consumer is not subject to unfair contractual terms. For the purposes of this Regulation, unfair contractual terms unilaterally imposed on an enterprise should not be binding on that enterprise.

Data holders may require appropriate user identification to verify a user’s entitlement to access the data. In the case of personal data processed by a processor on behalf of the controller, data holders should ensure that the access request is received and handled by the processor.

A third party to whom data is made available may be a natural or legal person, such as a consumer, an enterprise, a research organisation, a not-for-profit organisation or an entity acting in a professional capacity. In making the data available to the third party, a data holder should not abuse its position to seek a competitive advantage in markets where the data holder and the third party may be in direct competition. The data holder should not therefore use any readily available data in order to derive insights about the economic situation, assets or production methods of, or the use by, the third party in any other manner that could undermine the commercial position of the third party on the markets in which the third party is active. The user should be able to share non-personal data with third parties for commercial purposes. Upon the agreement with the user, and subject to the provisions of this Regulation, third parties should be able to transfer the data access rights granted by the user to other third parties, including in exchange for compensation. Business-to-business data intermediaries and personal information management systems (PIMS), referred to as data intermediation services in Regulation (EU) 2022/868, may support users or third parties in establishing commercial relations with an undetermined number of potential counterparties for any lawful purpose falling within the scope of this Regulation. They could play an instrumental role in aggregating access to data so that big data analyses or machine learning can be facilitated, provided that users remain in full control of whether to provide their data to such aggregation and the commercial terms under which their data are to be used.

The use of a connected product or related service may, in particular when the user is a natural person, generate data that relates to the data subject. Processing of such data is subject to the rules established under Regulation (EU) 2016/679, including where personal and non-personal data in a dataset are inextricably linked. The data subject may be the user or another natural person. Personal data may only be requested by a controller or a data subject. A user who is the data subject is, under certain circumstances, entitled under Regulation (EU) 2016/679 to access personal data concerning that user and such rights are unaffected by this Regulation. Under this Regulation, the user who is a natural person is further entitled to access all data generated by the use of a connected product, whether personal or non-personal. Where the user is not the data subject but an enterprise, including a sole trader, and not in cases of shared household use of the connected product, the user is considered to be a controller. Accordingly, such a user who as controller intends to request personal data generated by the use of a connected product or related service is required to have a legal basis for processing the data as required by Article 6(1) of Regulation (EU) 2016/679, such as the consent of the data subject or the performance of a contract to which the data subject is a party. Such user should ensure that the data subject is appropriately informed of the specified, explicit and legitimate purposes for processing those data, and of how the data subject may exercise their rights effectively. Where the data holder and the user are joint controllers within the meaning of Article 26 of Regulation (EU) 2016/679, they are required to determine, in a transparent manner by means of an arrangement between them, their respective responsibilities for compliance with that Regulation. It should be understood that such a user, once data has been made available, may in turn become a data holder if that user meets the criteria under this Regulation and thus becomes subject to the obligations to make data available under this Regulation.

Product data or related service data should only be made available to a third party at the request of the user. This Regulation complements accordingly the right, provided for in Article 20 of Regulation (EU) 2016/679, of data subjects to receive personal data concerning them in a structured, commonly used and machine-readable format, as well as to port those data to another controller, where those data are processed by automated means on the basis of Article 6(1), point (a), or Article 9(2), point (a), or of a contract pursuant to Article 6(1), point (b) of that Regulation. Data subjects also have the right to have the personal data transmitted directly from one controller to another, but only where that is technically feasible. Article 20 of Regulation (EU) 2016/679 specifies that it pertains to data provided by the data subject but does not specify whether this necessitates active behaviour on the side of the data subject or whether it also applies to situations where a connected product or related service, by its design, observes the behaviour of a data subject or other information in relation to a data subject in a passive manner. The rights provided for under this Regulation complement the right to receive and port personal data under Article 20 of Regulation (EU) 2016/679 in a number of ways. This Regulation grants users the right to access and make available to a third party any product data or related service data, irrespective of their nature as personal data, of the distinction between actively provided or passively observed data, and irrespective of the legal basis of processing. Unlike Article 20 of Regulation (EU) 2016/679, this Regulation mandates and ensures the technical feasibility of third party access for all types of data falling within its scope, whether personal or non-personal, thereby ensuring that technical obstacles no longer hinder or prevent access to such data. It also allows data holders to set reasonable compensation to be met by third parties, but not by the user, for costs incurred in providing direct access to the data generated by the user’s connected product. If a data holder and a third party are unable to agree on terms for such direct access, the data subject should in no way be prevented from exercising the rights laid down in Regulation (EU) 2016/679, including the right to data portability, by seeking remedies in accordance with that Regulation. It is to be understood in this context that, in accordance with Regulation (EU) 2016/679, a contract does not allow for the processing of special categories of personal data by the data holder or the third party.

Access to any data stored in and accessed from terminal equipment is subject to Directive 2002/58/EC and requires the consent of the subscriber or user within the meaning of that Directive unless it is strictly necessary for the provision of an information society service explicitly requested by the user or by the subscriber or for the sole purpose of the transmission of a communication. Directive 2002/58/EC protects the integrity of a user’s terminal equipment regarding the use of processing and storage capabilities and the collection of information. Internet of Things equipment is considered to be terminal equipment if it is directly or indirectly connected to a public communications network.