§ Data Act · Article 4
Data Act Article 4: Obligations, Deadlines & Penalties
At a glance
Article 4 of the Data Act imposes 17 obligations on data holder, user. At least one obligation carries an explicit compliance deadline.
§ Obligations
All obligations under Article 4
Obligation 1
Data holders shall make readily available data and relevant metadata accessible to the user without undue delay, of the same quality, easily, securely, free of charge, in a comprehensive, structured, commonly used and machine-readable format, and where relevant and technically feasible, continuously and in real-time.
Regulation (EU) 2023/2854, Article 4, Article 4
- Obligated entity
-
data holder
- Action required
-
make available
- Deadline
-
without undue delay
- Penalty
-
—
Obligation 2
Data holders shall provide access to data on the basis of a simple request through electronic means where technically feasible.
Regulation (EU) 2023/2854, Article 4, Article 4
- Obligated entity
-
data holder
- Action required
-
provide access
- Deadline
-
—
- Penalty
-
—
Obligation 3
Where the data holder refuses to share data pursuant to this Article due to security concerns, it shall notify the competent authority designated pursuant to Article 37.
Regulation (EU) 2023/2854, Article 4, Article 4
- Obligated entity
-
data holder
- Action required
-
notify
- Deadline
-
—
- Penalty
-
—
Obligation 4
Data holders shall not make the exercise of choices or rights under this Article by the user unduly difficult, including by offering choices in a non-neutral manner or by subverting or impairing the autonomy, decision-making or choices of the user via the structure, design, function or manner of operation of a user digital interface.
Regulation (EU) 2023/2854, Article 4, Article 4
- Obligated entity
-
data holder
- Action required
-
refrain from
- Deadline
-
—
- Penalty
-
—
Obligation 5
A data holder shall not require a person to provide any information beyond what is necessary for verifying whether they qualify as a user for the purposes of paragraph 1.
Regulation (EU) 2023/2854, Article 4, Article 4
- Obligated entity
-
data holder
- Action required
-
refrain from requiring
- Deadline
-
—
- Penalty
-
—
Obligation 6
Data holders shall not keep any information, in particular log data, on the user’s access to the data requested beyond what is necessary for the sound execution of the user’s access request and for the security and maintenance of the data infrastructure.
Regulation (EU) 2023/2854, Article 4, Article 4
- Obligated entity
-
data holder
- Action required
-
refrain from keeping
- Deadline
-
—
- Penalty
-
—
Obligation 7
The data holder or, where they are not the same person, the trade secret holder shall identify the data which are protected as trade secrets, including in the relevant metadata.
Regulation (EU) 2023/2854, Article 4, Article 4
- Obligated entity
-
data holder
- Action required
-
identify
- Deadline
-
—
- Penalty
-
—
Obligation 8
The data holder shall agree with the user proportionate technical and organisational measures necessary to preserve the confidentiality of the shared data, in particular in relation to third parties.
Regulation (EU) 2023/2854, Article 4, Article 4
- Obligated entity
-
data holder
- Action required
-
agree
- Deadline
-
—
- Penalty
-
—
Obligation 9
The decision of the data holder to withhold or suspend sharing of data identified as trade secrets shall be duly substantiated and provided in writing to the user without undue delay.
Regulation (EU) 2023/2854, Article 4, Article 4
- Obligated entity
-
data holder
- Action required
-
provide
- Deadline
-
without undue delay
- Penalty
-
—
Obligation 10
In cases where data sharing is withheld or suspended, the data holder shall notify the competent authority designated pursuant to Article 37 that it has withheld or suspended data sharing and identify which measures have not been agreed or implemented and, where relevant, which trade secrets have had their confidentiality undermined.
Regulation (EU) 2023/2854, Article 4, Article 4
- Obligated entity
-
data holder
- Action required
-
notify
- Deadline
-
—
- Penalty
-
—
Obligation 11
Where a data holder refuses access to specific data due to risk of serious economic damage from trade secret disclosure, that demonstration shall be duly substantiated on the basis of objective elements and shall be provided in writing to the user without undue delay.
Regulation (EU) 2023/2854, Article 4, Article 4
- Obligated entity
-
data holder
- Action required
-
provide
- Deadline
-
without undue delay
- Penalty
-
—
Obligation 12
Where the data holder refuses to share data pursuant to paragraph 8, it shall notify the competent authority designated pursuant to Article 37.
Regulation (EU) 2023/2854, Article 4, Article 4
- Obligated entity
-
data holder
- Action required
-
notify
- Deadline
-
—
- Penalty
-
—
Obligation 13
The user shall not use the data obtained pursuant to a request referred to in paragraph 1 to develop a connected product that competes with the connected product from which the data originate.
Regulation (EU) 2023/2854, Article 4, Article 4
- Obligated entity
-
user
- Action required
-
refrain from using
- Deadline
-
—
- Penalty
-
—
Obligation 14
The user shall not share the data with a third party with the intent to develop a connected product that competes with the connected product from which the data originate.
Regulation (EU) 2023/2854, Article 4, Article 4
- Obligated entity
-
user
- Action required
-
refrain from sharing
- Deadline
-
—
- Penalty
-
—
Obligation 15
The user shall not use such data to derive insights about the economic situation, assets and production methods of the manufacturer or, where applicable the data holder.
Regulation (EU) 2023/2854, Article 4, Article 4
- Obligated entity
-
user
- Action required
-
refrain from using
- Deadline
-
—
- Penalty
-
—
Obligation 16
The user shall not use coercive means or abuse gaps in the technical infrastructure of a data holder which is designed to protect the data in order to obtain access to data.
Regulation (EU) 2023/2854, Article 4, Article 4
- Obligated entity
-
user
- Action required
-
refrain from using
- Deadline
-
—
- Penalty
-
—
Obligation 17
Any personal data generated by the use of a connected product or related service shall be made available by the data holder to the user only where there is a valid legal basis for processing under Article 6 of Regulation (EU) 2016/679 and, where relevant, the conditions of Article 9 of that Regulation and of Article 5(3) of Directive 2002/58/EC are fulfilled.
Regulation (EU) 2023/2854, Article 4, Article 4
- Obligated entity
-
data holder
- Action required
-
ensure legal basis
- Deadline
-
—
- Penalty
-
—
§ Frequently asked
Questions about Article 4
Who must comply with Article 4 of the Data Act?
+
data holder, user.
What does Article 4 of the Data Act require?
+
make available provide access notify
What is the compliance deadline for Data Act Article 4?
+
without undue delay