On July 8, 2025, the European Data Protection Board (EDPB) issued an opinion on the Model Contractual Clauses (MCTs) that were published in May as a draft recommendation by the EU Commission’s expert group. While the EDPB generally welcomes the approach taken by the ex-pert group, it sees room for improvement.
Model Clauses Not Yet GDPR-Compliant
The MCTs were initially introduced in May 2025 in the report by the expert group appointed by the Commission and serve as the basis for the Commission's official recommendation under Article 41 of the Data Act. These clauses are intended to help businesses design contracts for data access and data use in a legally secure and transparent manner. An overview of the MCTs and the four main contractual scenarios can be found here: “EU Expert Group Publishes Model Contractual Clauses for the Data Act”
In its opinion, the EDPB notes that while the MCTs include many practical provisions, they do not yet fully comply with data protection requirements. In particular, the distinction between personal and non-personal data is not consistently implemented in the MCTs. Furthermore, it remains un-clear how the clauses should be applied in cases where the "user" under the Data Act is also the data subject under the GDPR.
The EDPB also recommends that the remuneration rules for data provision included in the MCTs should explicitly apply only to non-personal data. Moreover, the EDPB emphasizes that the use of the MCTs does not ensure compliance with the GDPR, and additional agreements, such as data processing agreements or standard contractual clauses, remain necessary.
Recommendations for Drafting Contracts under the Data Act
The following guidelines can be derived from the EDPB's opinion for drafting clauses related to the use of product and related service data under the Data Act:
• It must always be clarified which categories of data are affected, and a clear distinction must be made between personal and non-personal data.
• In addition to defining the roles of the parties under the Data Act (e.g., user, data holder, and data recipient), the roles of the parties under the GDPR (e.g., controller, processor) must also always be established.
• The MCTs must, where necessary, be supplemented in practice with agreements required under data protection law, such as a data processing agreement (DPA).
• The requirements of the GDPR and other relevant data protection laws must always take precedence over contractual provisions regarding the use of product and related service data.
Practical Tip
The MCTs provide a helpful starting point for contractual arrangements regarding the use of data covered by the Data Act. However, according to the EDPB, they do not represent a ready-made solution for GDPR-compliant contracts. In particular, data holders must critically review their con-tract templates against the requirements of the Data Act and, additionally, data protection laws, and adapt them to the legal specifics of each contractual scenario.
'/%3e%3c/svg%3e){kind=small}
'/%3e%3c/svg%3e){kind=small}
