On November 19, 2025, the European Commission published comprehensive Model Contractual Terms. These model contracts serve as practical tools for companies to implement the complex requirements of the EU Data Act (Regulation (EU) 2023/2854) in contractual relationships concerning data licenses. In particular, the Model Contractual Terms provide a comprehensive practical framework for complying with the abstract FRAND requirements of the Data Act. The MCTs are deliberately designed as non-binding, voluntary models that companies can adapt to their specific needs. Theyhave been drafted so they can be amended by the
parties. Nevertheless, when making changes the parties have to consider that then the contract might not be in line with EU law. These model terms are primarily intended for business-to-business (B2B) arrangements.
Four different types of Model Contractual Terms
There are four sets of Model Contractual Terms, each addressing the relationship between the different parties, namely the user of a connected product or related service, the data holder, or in general: a data sharer, on the one hand and the data recipient on the other hand. Each of the the four sets comprises appendixes with forms that illustrate possible details/modalities.
Annex I – Contracts between data holders and users of connected products: This type of contract governs the relationship between a manufacturer oder data holder (data holder) and the user of a connected product or related service. It concerns the use of data generated by the product by the data owner itself.
Annex II – Contracts between Data holders and data recipients: These Model Contractual Terms govern the relationship between data holders and data recipients when the data holder is obliged to provide data at the request of a user. This is the central contractual constellation for enforcing the right of access to data in accordance with Article 5 of the Data Act.
Annex III – Contracts between users and data recipients (third parties): These Model Contractual Terms govern contracts between a user of a connected product and a designated third party (data recipient). The user requests the data holder to transfer the data to this third party (in accordance with Article 5 of the Data Act). The provision of data is free of charge for the user, but fees may be agreed between the data user and the data recipient.
Annex IV – Contracts on voluntary data sharing: These Model Contractual Terms address scenarios in which a data owner voluntarily shares data with a data recipient, regardless of a user request or any other mandatory data sharing obligation. They cover flexible business models outside the traditional compulsory market access.
Protection of trade secrets
A major issue of compulsory data sharing pursuant to the EU Data Act is the potential disclosure of trade secrets of the IoT manufacturer (or manufacturer of other goods where compulsory data sharing applies pursuant to EU laws). The Model Contractual Terms try to mitigate this issue by imposing specific measures to protect trade secrets in parallel with data sharing:
Right of refusal in the event of significant risk: The data holder can refuse to provide data if disclosure is highly likely to result in serious economic damage and such likelyhood can be shown by objective and comprehensible factors. This is essential in order not to completely destroy incentives for innovation.
Confidentiality agreements: The Model Contractual Terms contain extensive clauses on technical and organizational protective measures that must be agreed between the data holder and the data recipient. This includes access rights management, encryption, anonymization and pseudonymization techniques, access logging, and regular audits.