Data Holder

A data holder is the organisation or person that controls access to data from a connected product. Under the Data Act, the data holder is obliged to make data available to users and third parties on fair terms.

Back to Dictionary

What is a data holder?

The concept of data holder is central to the Data Act. A data holder is a natural or legal person that has the right or obligation to make certain data available. In practice, this is almost always the manufacturer of a connected product or the provider of a related service.

Consider a manufacturer of industrial sensors. The sensors generate operational data, temperature readings and error codes. The manufacturer is the data holder because they technically control access to these data. Under the Data Act, the manufacturer must make data available to the organisation that owns and uses the sensors.

The role of data holder is not voluntary. If your organisation manufactures connected products or provides related services, you are automatically a data holder for the data your products generate. The Data Act imposes concrete obligations regardless of whether you actively wish to share data.

Data holder vs. data controller

It is important to distinguish between a data holder under the Data Act and a data controller under GDPR. The two concepts overlap but cover different things:

Data controller (GDPR): The entity that determines the purpose of and means for processing personal data. The focus is on protecting individuals' rights.
Data holder (Data Act): The entity that controls access to data from connected products. The focus is on fair access to data, regardless of whether the data are personal data or not.

An organisation can readily be both. If your smart machine collects data that include personal information about the operator, you are both a data holder under the Data Act and a data controller under GDPR. This means you must comply with both regulatory frameworks.

The distinction also matters for whom you share data with. As a data controller, you may use a data processor to handle personal data. As a data holder, you must share data with users and third parties who request it, on FRAND terms.

Obligations and rights

As a data holder, you have a number of concrete obligations under the Data Act:

**Obligations:**

You must make data available to the user of the connected product without undue delay and in a structured, machine-readable format
If the user requests it, you must share data with a third party. Sharing must take place on FRAND terms (Fair, Reasonable and Non-Discriminatory)
You must inform the user about which data are generated and how the user can access them
You must protect data against unauthorised access with appropriate technical measures, including encryption and access control

**Rights:**

You may charge reasonable compensation from third parties receiving data (not from the user)
You may protect trade secrets by imposing confidentiality obligations on the recipient
You may refuse data sharing if it would reveal trade secrets, but only to a limited extent and with justification
You may require that the recipient does not use data to develop a competing connected product

Practical management

If you are a data holder, you need to prepare for handling data requests. Here are the key steps:

**Map your data.** Start by identifying precisely which data your connected products generate. Categorise them by type (operational data, usage data, sensor data) and whether they contain personal data.

**Build technical infrastructure.** You must be able to deliver data in standardised formats via APIs or other technical interfaces. Ensure that data support interoperability so the recipient can use them without depending on your proprietary systems.

**Establish processes for data requests.** You need clear procedures for receiving, assessing and honouring data-sharing requests. This includes assessing whether the request is legitimate and whether trade secrets need protection.

**Ensure security.** Data must be protected throughout the process. An ISMS gives you a structured approach. You should also ensure your practices meet the requirements of NIS2 if your organisation is covered.

The role of data holder requires investment in technology, law and processes. But it also offers an opportunity to create value. Organisations that effectively manage B2B data sharing can build stronger partner relationships and new data-driven business models.

Frequently Asked Questions about Data Holder

What is a data holder under the Data Act?

A data holder is the person or organisation that has the right or obligation to make data available under the Data Act. This is typically the manufacturer of a connected product or the provider of a related service that controls access to the data the product generates.

What is the difference between a data holder and a data controller?

A data controller (under GDPR) determines the purpose of processing personal data. A data holder (under the Data Act) controls access to data from connected products. An organisation can be both, but the roles have different obligations and fall under different regulatory frameworks.

What obligations does a data holder have?

A data holder must make data available to users and third parties on FRAND terms, provide data in standardised and machine-readable formats, inform users about data access rights, and protect trade secrets without blocking legitimate data access.

Can a data holder refuse to share data?

A data holder may only refuse data sharing in narrow exceptional cases, e.g. to protect trade secrets. The refusal must be proportionate and justified. The Data Act is designed to prevent data holders from using exceptions as a general block on data access.