EU expert group publishes sample contract for the Data Act

With the Data Act, the EU is creating binding rules for access to and use of data generated by networked products and associated services for the first time. From 15 September 2025, users will be entitled to access this data and can request that it be passed on to third parties. Manufacturers and providers of such products are obliged to provide this access in a fair, non-discriminatory and technically accessible manner. To support the implementation of these requirements, a group of experts appointed by the EU Commission has now published a comprehensive report with specific sample contracts.

Legal basis: Article 41 Data Act

Article 41 of the Data Act obliges the EU Commission to develop voluntary standard contractual terms for data sharing and cloud services. The model contractual clauses (MCTs) and standard contractual clauses (SCCs) published in the final report are the first concrete implementation of this mandate. They are intended to help companies draft legally compliant, transparent and practicable contracts.

Four practical scenarios

The MCTs are based on four central contractual situations that are particularly relevant to the Data Act in the opinion of the expert group:

• Contract between user and data holder on the provision of usage data by the data holder to the user (data holder to user). 
• Contract between user and data recipient on the transfer of usage data by the data holder to the data recipient at the user's request. 
• Contract between data holder and data recipient for the transfer of data by the data holder to the data recipient at the request of the user.
• Contract for the (voluntary) provision of data between a data provider and the data recipient. 

These scenarios reflect typical constellations in the sale and use of networked products, for example in the fields of mechanical engineering, smart homes or mobility.

What exactly do the model contract clauses (MCTs) regulate?

The MCTs contain detailed regulations on the description of the data scope, the provision in machine-readable form, the technical interface description (e.g. API documentation), and requirements for confidentiality, security and transparency.

In addition, options for the remuneration of data provision are explained, for example according to the type of data or user group. Important clauses also concern the obligation not to use the data for profiling, responsibility for GDPR compliance and the handling of business secrets.

Standard contractual clauses (SSCs) for cloud services

In addition to the MCTs, the report also contains SCCs for cloud and platform contracts. These are aimed in particular at facilitating a change of provider or the return of data at the end of a contract in technical and organisational terms. Among other things, they regulate exit plans, migration deadlines, access to self-service tools, the continuation of critical services, and protective mechanisms against lock-in effects. They therefore also specifically address operators of hybrid or cloud-based product infrastructures.

Flexibility through modularity 

The templates have a modular structure and are designed for customisation. Users can combine, shorten or add clauses. However, the report also contains information on which changes may have legal implications - in particular with regard to the use of data by third parties, data protection obligations, or the delimitation of responsibilities. Companies should adapt the templates specifically to their use case.

Limited applicability in consumer relationships

The MCTs are designed for B2B contracts. They are not directly suitable for use in a B2C context, as consumer protection law elements such as cancellation rights, transparency requirements, and information obligations are not included as standard. Anyone wishing to use the templates for end customers will need to carry out additional checks and adaptations.

Recommendation: Check, structure and prepare now

The Commission is expected to turn the report into an official recommendation. However, it is already advisable for companies to review the content and integrate it into their own contract architecture. In particular, providers of networked products should analyse how they can ensure data access technically and organisationally, which clauses are mandatory, and how existing contracts need to be adapted. We would be happy to support you in drafting legally compliant contracts based on the Data Act.