Data Act: Trade secrets and users’ right to access product data
One of the main new institutions introduced by the EU’s Data Act is the user’s right to access data (including metadata necessary to interpret or use the data) derived from a connected product the person is using or a service related to a connected product.
The data which a user can access may have significant commercial value for the data holder (e.g. the manufacturer of a connected product). Therefore, it may be crucial from the data holder’s perspective to ensure that such data remain undisclosed, or that use of the data be restricted.
How can a data holder protect this type of information, and what challenges does this present? We will examine three scenarios involving exercise of the right of access to data from a connected product or related service:
- The user obtains the data directly from the product or service, using the functionalities of the product or service (without separate, active involvement of the data holder)
- The data holder provides the data to the user at the user’s request
- The data holder provides the data to a third party indicated by the user, at the user’s request.
Trade secrets under the Data Act—what the data holder can protect
The rights of the data holder in this respect extend only to information which constitutes a trade secret under the Data Act. Under the Data Act, a “trade secret” is information which:
- Is secret in the sense that it is not, as a body or in the precise configuration and assembly of its components, generally known among or readily accessible to persons within the circles that normally deal with the kind of information in question
- Has commercial value because it is secret, and
- Has been subject to reasonable steps under the circumstances, by the person lawfully in control of the information, to keep it secret.
Consequently, data holders can exercise the protection under the Data Act only with respect to information that meets all of the above conditions. In particular, protection cannot be asserted, for example, with respect to data that are not secret, or as to which reasonable steps have not previously been taken to keep the information secret.
Thus, a data holder intending to exercise the information protection mechanisms provided for in the Data Act must first determine which information that might be accessed meets the conditions for being regarded as a trade secret.
What protective measures can be applied by data holders?
The protective solutions that may be used by a data holder will depend on the scenario in which the right of data access is exercised.
Scenario 1. The user obtains the data directly from the product or service, using their functionalities
The Data Act provides no legal mechanisms for protecting data obtained by users directly and automatically from a connected product or related service, using the functionalities of the product or service (e.g. if the user can launch the process of accessing the data via the control panel of the device). Data holders need to take this into account when designing solutions for access to data and the scope of the accessible data.
The Data Act defines the main scope of categories of data which must be accessible to the user, so sometimes it may not be possible to avoid providing access to information covered by trade secrecy. But the data holder is not helpless in this situation. As the European Commission has explained, the manufacturer of a connected product could contractually oblige the user to protect certain data that are made directly accessible, in order to ensure the protection of trade secrets, or prohibit certain use cases such as manufacturing a competing product (see “Frequently Asked Questions, Data Act, 12 September 2025, Version 1.3”). However, such contractual restrictions must not infringe Art. 7(2) of the act, under which “Any contractual term which, to the detriment of the user, excludes the application of, derogates from or varies the effect of the user’s rights … shall not be binding on the user.”
Thus, to protect information important to the data holder, a data holder introducing a functionality providing the user direct access to data from a connected product or related service should:
- Determine whether the accessible data includes data constituting a trade secret under the Data Act (and if so, what sort of data)
- Contractually require the user to take actions, or refrain from taking actions, which the data holder regards as essential to protect its trade secrets (e.g. obtain an undertaking from the user to maintain the confidentiality of certain data).
But in practice it may be hard to develop and implement such contractual provisions. The data holder must consider:
- Where to include contractual provisions so that they are legally effective in binding the user accessing the data? (In an undertaking obtained each time the user accesses the data? In the general conditions for using the service?)
- In light of the provisions on protection of personal data, can and should the data holder obtain personal details from the user needed for the data holder to pursue potential claims for breach of the contractual terms, and in what scope?
- How to obtain an undertaking from the user, and in what wording, so as not to infringe Art. 7(2) of the act?
- How to phrase undertakings obtained from users who are consumers, so as not to infringe consumer protection laws?
Implementation of these solutions will require caution on the part of the data holder, suited to the nature of the product or service.
Scenario 2. The data holder provides the data to the user at the user’s request
Scenario 2 assumes that to obtain access to data, the user must submit a request to the data holder, and the data holder will consider and respond to each request individually. Depending on the situation, the data holder may use any of the four mechanisms discussed below:
The first protective mechanism involves an agreement between the data holder and the user. In that case, under the Data Act, after submission of the request for access to data, data holders should identify trade secrets (including the relevant metadata) prior to the disclosure, and agree with the user on proportionate technical and organisational measures necessary to preserve the confidentiality of the shared data. Typical measures that could be applied, as indicated in the Data Act, include model contractual terms (developed by the Commission), confidentiality agreements, strict access protocols, technical standards, and codes of conduct.
Applying the agreement mechanism may pose challenges in practice. First, the data holder must verify whether the information it would like to protect meets the conditions for a trade secret for purposes of the Data Act. Second, the data holder must set protective measures that:
- Fulfil the protective function and secure the data holder’s interests
- Are “proportionate” within the meaning of the Data Act and thus, it seems, appropriate to the quantity, type and objective value of the data
- Are consistent with the general principle favouring disclosure and the ability to use data, arising under the Data Act.
Significantly, the user will be entitled to challenge the justification for applying a given protective mechanism, for example before the court or the regulator (the detailed scope of these rights will be set forth in national law). In this respect, it would be reasonable for data holders to develop in advance the right approach to considering requests for access to data, so that requests can be handled more efficiently. To this end, they may prepare an explanation for implementing certain measures, document templates, and procedures for handling requests. Adopting such solutions would be recommended with respect to all four of the protective mechanisms.
The data holder may apply the second protective mechanism in a situation where after the user’s submission of the request for access to data, no agreement is reached between the data holder and the user on the measures for protection of the data.
The Data Act does not specify whether application of this mechanism requires the data holder to attempt to agree on appropriate measures with the user—nonetheless, it seems that as a rule, such an attempt should be made.
Under the Data Act, where there is no agreement on the necessary measures, the data holder may withhold or suspend the sharing of data identified as trade secrets. The decision of the data holder shall be duly substantiated and provided in writing to the user without undue delay. The data holder must also notify the regulator of its decision not to share the data and identify the measures that were not agreed.
From a practical point of view, particularly considering that the data holder will have to notify the regulator of a refusal to share the requested data, it would be warranted for data holders to develop certain solutions in advance, as in the case of the first mechanism. This involves such issues as:
- How the data holder will show that the information sought by the user constitutes a trade secret for purposes of the Data Act
- How to document attempts to reach agreement and failure to agree
- What arguments to use to justify the data holder’s decision to refuse to share the data.
The third protective mechanism may be applied by the data holder in a situation where after the user submits a request, the data holder determines that it is not possible to agree with the user on appropriate measures for protection of the data.
Under Art. 4(8) of the Data Act, “In exceptional circumstances, where the data holder who is a trade secret holder is able to demonstrate that it is highly likely to suffer serious economic damage from the disclosure of trade secrets, despite the technical and organisational measures taken…, that data holder may refuse on a case-by-case basis a request for access to the specific data in question.”
Under the Data Act, a refusal to share data requested by the user must be duly substantiated on the basis of objective elements, “in particular the enforceability of trade secrets protection in third countries, the nature and level of confidentiality of the data requested, and the uniqueness and novelty of the connected product.” The justification should demonstrate a concrete risk of serious economic damage if the data were disclosed, and why the measures to be taken to protect the requested data are regarded as insufficient.
In this situation, the Data Act requires the data holder to provide the justification for its decision to the user in writing without undue delay, and also to inform the regulator appointed under national law of the refusal to share the data.
As with the other protective mechanisms, it would make sense for the data holder to draw up certain solutions in advance to facilitate its exercise of this mechanism, for example:
- How the data holder will demonstrate that the data requested by the user constitutes a trade secret within the meaning of the Data Act
- How to demonstrate a high likelihood of “serious economic damage from the disclosure of trade secrets”
- How to demonstrate the objective inability to implement appropriate measures to protect the data.
The justification for the existence of a risk of “serious economic damage” seems particularly important, especially because this is such a vague notion. The Data Act does not define this term, but only states in the preamble, “Serious economic damage implies serious and irreparable economic loss.” It may also prove difficult to demonstrate an objective inability to implement the relevant protective measures, which would seem to require addressing the circumstances of the particular request, including potentially such issues as:
- The identity of the applicant
- The applicant’s corporate group
- The jurisdiction whose laws govern the applicant
- The characteristics of the product.
The fourth protective mechanism may be applied by the data holder after disclosing product data to the user at the user’s request.
Under Art. 4(7) of the Data Act, if the user fails to implement the agreed measures, or undermines the confidentiality of the trade secrets, the data holder may withhold or suspend the sharing of data identified as trade secrets.
In that situation, the Data Act requires the data holder to duly substantiate its decision and provide it to the user in writing without delay. The data holder must also notify the regulator that it has withheld or suspended data-sharing, and identify which measures have not been agreed or implemented and which trade secrets have had their confidentiality undermined.
Here also it is recommended that the data holder develop certain solutions in advance to facilitate its use of this protective mechanism, considering such issues as:
- How to demonstrate that the data requested by the user constitutes a trade secret within the meaning of the Data Act
- How to show the failure to comply with the agreed measures, or the threat to the confidentiality of trade secrets.
In this context, it may be helpful to implement organisational and technical solutions allowing the data holder to verify that the user is applying the agreed protective measures (e.g. the right to conduct an audit or monitor the user’s actions relevant to the provided data).
Apart from the foregoing mechanisms, the Data Act imposes an obligation on a user who has requested and obtained data:
- Not to use the data obtained pursuant to the request to develop a connected product competing with the connected product from which the data originate
- Not to share the data with a third party with the intent of developing a competing product
- Not to use such data to derive insights about the economic situation, assets and production methods of the manufacturer or, where applicable, the data holder.
Scenario 3. The data holder provides the data to a third party indicated by the user, at the user’s request
Scenario 3 assumes that the user will submit the relevant request to the data holder to make the data available to a third party, and the data holder will respond to the user’s request on a case-by-case basis.
In scenario 3 the protective mechanisms available to the data holder are essentially the same as in scenario 2, but in this case the data holder’s rights will be exercised with respect to the third party indicated by the user, not the user itself.
Obligations of the data recipient
Apart from the foregoing mechanisms, the Data Act prohibits the recipient of the requested data from:
- Making the data it receives available to another third party, unless the data is made available on the basis of a contract with the user, and provided that the other third party takes all necessary measures agreed between the data holder and the third party to preserve the confidentiality of trade secrets
- Using the data obtained pursuant to the request to develop a connected product competing with the connected product from which the data originates, or sharing the data with another third party with that intent
- Using any non-personal product data or related service data made available to them to derive insights about the economic situation, assets and production methods of, or use by, the data holder
- Disregarding the specific measures agreed with a data holder or with the trade secrets holder, or undermining the confidentiality of trade secrets.
Summary
It is apparent that holders of data from connected products or related services have tools at their disposal to protect trade secrets when users exercise their right to access such data. For now it is hard to assess the effectiveness of these tools, as the Data Act is a new regulation and national regulations supplementing it have yet to be adopted.
Nonetheless, it appears that smooth and efficient use of these tools will largely depend on the data holders’ degree of readiness. Therefore, it would be advisable to consider proactive steps such as:
- Inventorying the information covered by trade secrets
- Developing appropriate procedures and document templates
- Training personnel
- Allocating responsibility for specific activities when responding to requests for access to data
- Drafting templates for the justifications for particular actions, so that the data holder can respond to users’ requests while protecting vital business information.
Łukasz Rutkowski
