From Sept. 12, 2025, the European Data Regulation will apply. This regulation creates new rights and obligations that relate not only to personal data, but to data in general. The practical implications are vast.
In particular, the Data Regulation affects parties offering connected ("connected" or Internet of Things ("IoT")) products and cloud services. Underexposed is that the regulation also contains rules on contracting over data exchange. These rules apply to all companies.
The first main topic in the Data Regulation concerns the rules on sharing and using usage data from connected products and related services. These include products and services such as smartwatches and smart speakers with a virtual assistant like Alexa, as well as Internet-connected agricultural machinery. Companies must meet new obligations regarding connected products and related services as a result of the Data Regulation. First, companies that produce connected products and provide related services must design the products and services so that users can easily access their data ("data access by design"). In addition, the Data Regulation gives users an explicit right of access to usage data. This right of access means that users of connected products and related services can easily access their usage data when data access by design is not regulated. In addition, companies should also allow users to easily share their usage data with another party. Finally, buyers of connected products and recipients of a related service should also receive certain information from the vendor and supplier, respectively, about how the connected product collects data.
The data holder (usually the provider of the connected product or a related service) may now use non-personal data only if the agreement with the user of the connected product or related service allows it. The data holder may not use the data to understand the user's economic situation, assets or production methods, or the user's use of the product or service, in a way that may undermine the user's commercial position in the markets in which it operates. Data may be shared with third parties only when necessary to execute the agreement with the user.
As of Sept. 12, 2026, connected products sold and related services provided must comply with thedata access by design requirement. The other rules on connected products and related services, including the explicit right of access, already apply from Sept. 12, 2025.
The second main topic concerns the rules imposed on "data processing services." "Data processing services" refers to a wide range of cloud services. The preamble refers to "infrastructure-as-a-service" (IaaS), "platform-as-a-service" (PaaS), "software-as-a-service" (SaaS), "storage-as-a-service" and "database-as-a-service." In addition, the term also includes so-called edge services. The obligations imposed on data processing service providers are about 1) facilitating switching, 2) facilitating interoperability between different data processing services and 3) preventing international government access. As of Sept. 12, 2025, data processing service providers must comply with these rules.
The third main topic concerns rules on the mandatory sharing of data with public authorities, the European Central Bank, the European Commission or any other body of the European Union. These bodies can request data based on an exceptional need. This can only be done if, in an emergency situation, the authorities cannot obtain the data in a proper and timely manner by other means. Authorities can also request non-personal data when the data is needed to perform a specific task in the public interest, such as to compile official statistics. These rules also apply as of Sept. 12, 2025.
Perhaps the most surprising part of the Data Regulation is the provision on unfair contract terms. This applies to agreements made between companies ("B2B") on data sharing. In a nutshell, the article regulates that contractual terms on data are not binding on the other party when the terms are unilaterally imposed by the provider and are deemed "unfair." The article contains a list of clauses that are always unfair (a "black list") and a list of clauses that are presumed to be unfair (a "gray list"). If a company uses a grey list clause, the company must prove that the clause is not unfair.
What is striking about the article is that it was drafted as a black and gray list between companies. Black and gray lists for general terms and conditions imposed by companies on consumers have existed for much longer (see, for example, Articles 6:236 and 6:237 of the Civil Code), protecting consumers from unfair general terms and conditions. So now there is a similar list for business-to-business contracts. This provision applies regardless of the size of the companies involved.
The obligations in this article cover all contracts and clauses on data access and use that are concluded between companies. Any agreement or provision on data sharing and use will need to take this article into account. The article will usually also apply when companies enter into contracts between themselves about personal data, such as a joint data controller agreement under Article 26 of the General Data Protection Regulation ("AVG"). The application of the article is of mandatory law. This means that companies cannot agree that the article does not apply to their relationship and cannot deviate from it.
It is important for companies to be aware of this article when concluding agreements on (personal) data. Incidentally, it is important for buyers to always try to negotiate the unfair contract terms imposed on them. If no attempt has been made to negotiate the unfair terms, a company cannot invoke the protection of the article.
The provision applies to all agreements entered into after Sept. 12, 2025. For some contracts entered into before Sept. 13, 2025, the provision applies as of Sept. 12, 2027. This applies to agreements entered into for an indefinite period of time and to agreements expiring after Jan. 11, 2034.
The Data Regulation has direct effect in the Dutch legal order, leaving no or limited room for divergent or additional national rules. For the subjects that must be regulated nationally, a national Implementation Act pending. The regulation gives member states the freedom to determine themselves which regulator is authorized to enforce the provisions of the regulation. In the Netherlands, the Lower House has yet to vote on the draft Dutch Implementation Act. The current draft of the Data Regulation Implementation Act designates the Personal Data Authority ("AP") and the Consumer and Market Authority ("ACM") as supervisors.
The Data Regulation is applicable in the Netherlands as of September 12, 2025. The Data Regulation creates new rights and obligations for companies in particular. In particular, all companies will have to be vigilant for the rules on unfair contractual terms when concluding agreements on (personal) data. The AP and the ACM will likely be designated as supervisors for compliance with the regulation.
The Data Regulation is not applicable at this time. Nevertheless, companies are advised to take measures in advance. In this way, business operations can be adapted in a timely manner to the obligations imposed by the regulation.
La Gro is hosting a knowledge event on the Data Regulation this fall on Nov. 14. More blogs on this topic will follow in addition. Keep our website for more information.
Do you have questions about the Data Regulation or would you like to (pre-)register for our event on Nov. 14? Please contact Jan Baas , Jolijn Gijsen or Jiahui Plomp or one of our other Data & Privacy specialists .
