§ Data Act · Article 5

Data Act Article 5: Obligations, Deadlines & Penalties

Regulation (EU) 2023/2854, Article 5 · All obligations · Data Act
At a glance
Article 5 of the Data Act imposes 13 obligations on data holder, gatekeeper, third party. At least one obligation carries an explicit compliance deadline.
§ Obligations

All obligations under Article 5

Obligation 1
Upon request by a user or their representative, the data holder shall make readily available data and relevant metadata available to a third party without undue delay, of the same quality, easily, securely, free of charge, in a structured format, and continuously where feasible. Regulation (EU) 2023/2854, Article 5, Article 5
Obligated entity
data holder
Action required
make available
Deadline
without undue delay
Penalty
Exemptions
readily available data in the context of testing new connected products, substances or processes not yet placed on the market unless contractually permitted
Obligation 2
Any undertaking designated as a gatekeeper shall not solicit or commercially incentivise a user to make data available to its services obtained pursuant to Article 4(1). Regulation (EU) 2023/2854, Article 5, Article 5
Obligated entity
gatekeeper
Action required
refrain from soliciting
Deadline
Penalty
Obligation 3
Any undertaking designated as a gatekeeper shall not solicit or commercially incentivise a user to request the data holder to make data available to its services pursuant to paragraph 1. Regulation (EU) 2023/2854, Article 5, Article 5
Obligated entity
gatekeeper
Action required
refrain from soliciting
Deadline
Penalty
Obligation 4
Any undertaking designated as a gatekeeper shall not receive data from a user that the user has obtained pursuant to a request under Article 4(1). Regulation (EU) 2023/2854, Article 5, Article 5
Obligated entity
gatekeeper
Action required
refrain from receiving
Deadline
Penalty
Obligation 5
Data holders shall not keep any information on the third party’s access to the data requested beyond what is necessary for the sound execution of the access request and for security and maintenance of the data infrastructure. Regulation (EU) 2023/2854, Article 5, Article 5
Obligated entity
data holder
Action required
refrain from keeping
Deadline
Penalty
Obligation 6
The third party shall not use coercive means or abuse gaps in the technical infrastructure of a data holder designed to protect data in order to obtain access to data. Regulation (EU) 2023/2854, Article 5, Article 5
Obligated entity
third party
Action required
refrain from using
Deadline
Penalty
Obligation 7
A data holder shall not use readily available data to derive insights about the economic situation, assets, production methods, or use by the third party in a manner that could undermine the third party's commercial position, unless permission is given. Regulation (EU) 2023/2854, Article 5, Article 5
Obligated entity
data holder
Action required
refrain from using
Deadline
Penalty
Exemptions
where the third party has given permission and has the technical possibility to easily withdraw that permission
Obligation 8
Where the user is not the data subject, the data holder shall make personal data available to the third party only where there is a valid legal basis for processing under GDPR Article 6 and relevant conditions of Article 9 and Directive 2002/58/EC are fulfilled. Regulation (EU) 2023/2854, Article 5, Article 5
Obligated entity
data holder
Action required
verify legal basis
Deadline
Penalty
Obligation 9
The data holder or trade secret holder shall identify data protected as trade secrets, including in metadata, and agree with the third party on proportionate technical and organisational measures to preserve confidentiality. Regulation (EU) 2023/2854, Article 5, Article 5
Obligated entity
data holder
Action required
identify and agree
Deadline
Penalty
Obligation 10
If there is no agreement on measures or the third party fails to implement them, the data holder may withhold or suspend sharing of trade secrets, provided the decision is duly substantiated and provided in writing to the third party without undue delay. Regulation (EU) 2023/2854, Article 5, Article 5
Obligated entity
data holder
Action required
notify in writing
Deadline
without undue delay
Penalty
Obligation 11
In cases of withholding or suspending data sharing due to trade secret issues, the data holder shall notify the competent authority designated pursuant to Article 37 that it has withheld or suspended data sharing and identify which measures have not been agreed or implemented. Regulation (EU) 2023/2854, Article 5, Article 5
Obligated entity
data holder
Action required
notify
Deadline
Penalty
Obligation 12
Where a data holder refuses access to specific data due to high likelihood of serious economic damage from trade secret disclosure, it shall provide a duly substantiated demonstration in writing to the third party without undue delay. Regulation (EU) 2023/2854, Article 5, Article 5
Obligated entity
data holder
Action required
notify in writing
Deadline
without undue delay
Penalty
Obligation 13
Where the data holder refuses to share data pursuant to paragraph 11, it shall notify the competent authority designated pursuant to Article 37. Regulation (EU) 2023/2854, Article 5, Article 5
Obligated entity
data holder
Action required
notify
Deadline
Penalty
§ Frequently asked

Questions about Article 5

Who must comply with Article 5 of the Data Act? +
data holder, gatekeeper, third party.
What does Article 5 of the Data Act require? +
make available refrain from soliciting refrain from receiving
What is the compliance deadline for Data Act Article 5? +
without undue delay
Need a cross-border briefing on Data Act Article 5?
Search Fontvera ↵
All EU obligation pages  ·  All Data Act articles