§ Data Act · Article 6
Data Act Article 6: Obligations, Deadlines & Penalties
At a glance
Article 6 of the Data Act imposes 11 obligations on third party. At least one obligation carries an explicit compliance deadline.
§ Obligations
All obligations under Article 6
Obligation 1
A third party shall process the data made available to it only for the purposes and under the conditions agreed with the user and subject to Union and national law on the protection of personal data.
Regulation (EU) 2023/2854, Article 6, Article 6
- Obligated entity
-
third party
- Action required
-
process
- Deadline
-
—
- Penalty
-
—
Obligation 2
The third party shall erase the data when they are no longer necessary for the agreed purpose, unless otherwise agreed with the user in relation to non-personal data.
Regulation (EU) 2023/2854, Article 6, Article 6
- Obligated entity
-
third party
- Action required
-
erase
- Deadline
-
when no longer necessary for the agreed purpose
- Penalty
-
—
- Exemptions
- non-personal data if otherwise agreed with the user
Obligation 3
The third party shall not make the exercise of choices or rights under Article 5 and this Article by the user unduly difficult, including by offering choices in a non-neutral manner, or by coercing, deceiving or manipulating the user.
Regulation (EU) 2023/2854, Article 6, Article 6
- Obligated entity
-
third party
- Action required
-
refrain from making difficult
- Deadline
-
—
- Penalty
-
—
Obligation 4
The third party shall not use the data it receives for profiling, unless it is necessary to provide the service requested by the user.
Regulation (EU) 2023/2854, Article 6, Article 6
- Obligated entity
-
third party
- Action required
-
refrain from profiling
- Deadline
-
—
- Penalty
-
—
- Exemptions
- if necessary to provide the service requested by the user
Obligation 5
The third party shall not make the data it receives available to another third party, unless the data is made available on the basis of a contract with the user and the other third party takes necessary measures to preserve confidentiality of trade secrets.
Regulation (EU) 2023/2854, Article 6, Article 6
- Obligated entity
-
third party
- Action required
-
refrain from sharing
- Deadline
-
—
- Penalty
-
—
- Exemptions
- if based on contract with user and confidentiality measures are taken
Obligation 6
The third party shall not make the data it receives available to an undertaking designated as a gatekeeper pursuant to Article 3 of Regulation (EU) 2022/1925.
Regulation (EU) 2023/2854, Article 6, Article 6
- Obligated entity
-
third party
- Action required
-
refrain from sharing
- Deadline
-
—
- Penalty
-
—
Obligation 7
The third party shall not use the data it receives to develop a product that competes with the connected product from which the accessed data originate or share the data with another third party for that purpose.
Regulation (EU) 2023/2854, Article 6, Article 6
- Obligated entity
-
third party
- Action required
-
refrain from using for competition
- Deadline
-
—
- Penalty
-
—
Obligation 8
Third parties shall not use any non-personal product data or related service data made available to them to derive insights about the economic situation, assets and production methods of, or use by, the data holder.
Regulation (EU) 2023/2854, Article 6, Article 6
- Obligated entity
-
third party
- Action required
-
refrain from deriving insights
- Deadline
-
—
- Penalty
-
—
Obligation 9
The third party shall not use the data it receives in a manner that has an adverse impact on the security of the connected product or related service.
Regulation (EU) 2023/2854, Article 6, Article 6
- Obligated entity
-
third party
- Action required
-
refrain from adverse security impact
- Deadline
-
—
- Penalty
-
—
Obligation 10
The third party shall not disregard the specific measures agreed with a data holder or with the trade secrets holder pursuant to Article 5(9) and undermine the confidentiality of trade secrets.
Regulation (EU) 2023/2854, Article 6, Article 6
- Obligated entity
-
third party
- Action required
-
refrain from undermining confidentiality
- Deadline
-
—
- Penalty
-
—
Obligation 11
The third party shall not prevent the user that is a consumer, including on the basis of a contract, from making the data it receives available to other parties.
Regulation (EU) 2023/2854, Article 6, Article 6
- Obligated entity
-
third party
- Action required
-
refrain from preventing sharing
- Deadline
-
—
- Penalty
-
—
§ Frequently asked
Questions about Article 6
Who must comply with Article 6 of the Data Act?
+
third party.
What does Article 6 of the Data Act require?
+
process erase refrain from making difficult
What is the compliance deadline for Data Act Article 6?
+
when no longer necessary for the agreed purpose