The European Commission has released a package of non-binding model contractual terms (MCTs) and standard contractual clauses (SCCs) intended to simplify and harmonise how organisations contract for data access, data sharing and data processing services under the Data Act (Regulation (EU) 2023/2854).
The package aims to reduce fragmentation, strengthen legal certainty, minimise negotiation friction and bring consistency across the wide range of contracts governed by the Data Act, including B2B data-sharing arrangements and cloud-service agreements.
Model Contractual Terms (MCTs) include four packages on:
- Contracts between Data Holder and User (Annex II): provides a full contractual framework for cases where users are granted the right to access and use data generated by a connected product or related service.
- Contracts between User and Third-Party Data Recipient (Annex III): intended for scenarios where the user instructs the data holder to provide data to a selected data recipient under Article 5.
- Contracts between Data Holder and Third-Party Data Recipient (Annex IV): applies when the data holder is legally required to make data available to a third-party data recipient (who is a business) at a user’s request.
- Voluntary B2B Data-Sharing Contracts (Annex V): designed for fully voluntary data exchanges outside user-initiated access mechanisms.
Standard Contractual Clauses (SCCs) for Data-Processing Services applicable for:
- SCCs for Switching, Exit and Termination (Annexes VI–VII): remove contractual barriers to switching cloud providers or moving to on-premises infrastructure, prohibit switching fees beyond strictly cost-based compensation and ban obstacles to data portability.
- SCCs on Security, Business Continuity and Non-Dispersion (Annexes VIII–IX): ensure high security and service continuity throughout the switching process, address specific risks during transfer and retrieval, require due care and risk-based safeguards, and consolidate all relevant contractual information in one accessible place to guarantee transparency and prevent scattered documentation.
- SCCs on Liability and Non-Amendment (Annexes X–XI): provide balanced, fair and non-discriminatory liability frameworks aligned with the Data Act, including unlimited liability for intent and gross negligence and structured options for liability limitation; prevent unilateral contractual changes except under strict, predefined conditions that improve the customer’s position and require at least 30 days’ notice.
Most of the definitions in SCCs are referring to the Data Act directly, copied verbatim, or paraphrased without materially changing the scope. For example, according to the Data Act,
- ‘user’ is a person that owns or rightfully uses a connected product or receives related services (e.g., a customer)
- ‘data holder’ is a person that has the right or obligation to use and make available data, including, where contractually agreed, product data or related service data which it has retrieved or generated during the provision of a connected product or a related service (e.g., the manufacturer of the product or provider of the relevant related service)
- ‘data recipient’ means a third party, acting for commercial purposes to whom the data holder makes data available at a user’s request
- ‘data processing service’ as a digital service that is provided to a customer and that enables network access to a shared pool of computing resources that can be rapidly provisioned and released with minimal management effort or service provider interaction (e.g., service providers of SaaS, IaaS or PaaS).
Additionally, SCCs include definitions of Source and Destination providers, which the Data Act mentions in recitals but does not define.
Another nuance concerns the definition of ‘incident’. The SCCs introduce this term and define it as a physical, technical or organisational security breach, incident or similar event that may have a significant impact in relation to security and business continuity. It covers events that have caused, or are capable of causing, severe disruption of any applicable IT systems and operations used between the provider and the customer during the switching process, or with respect to the customer’s use of the services, the customer’s exportable data and digital assets.
The MCTs and SCCs will now be translated into all EU languages, with publication expected within three to four months. The package forms part of the Commission’s continuing implementation guidance for the Data Act, following earlier materials such as the FAQ document and the Guidance on access to vehicle data.
Further details on the proposed contractual terms are available in the Commission’s press release.
