
Freshfields TQ


Data Act Essentials #2: What businesses need to know about data access requests from EU authorities

The Data Act, which entered into force on 11 January 2024 and became applicable on 12 September 2025, marks a significant shift in how businesses must handle data-sharing obligations with public authorities. Specifically, it introduces new rules for data access requests on the basis of an exceptional need, aiming to formalize and streamline requests from EU institutions, agencies and Member State bodies.

Understanding these obligations is critical, especially as the framework for such requests becomes more structured and legally binding.

Who can ask, who must share, and what is included?

Under Chapter V of the Data Act, public sector bodies, such as the EU Commission or the European Central Bank, may request access to data held by private entities for specific public interest purposes. For instance, a public agency could request rainfall and water level data from private organisations during a major flooding event in order to respond to the disaster.

Where a public authority requests access to data from a data holder established in another Member State, the Data Act foresees that such requests are submitted to and examined by the competent authority of the Member State where the data holder is established. The competent authority will then either reject the request or transmit it to the data holder. The Data Act thereby suggests that cross-border data requests are channelled through and communicated to the data holder by the relevant competent authority, which might need to be reflected in internal processes for assessing data access requests from public authorities.

Requests from law enforcement agencies are excluded and remain governed by local laws and by the new e-Evidence Regulation.

The obligation to disclose data applies to data holders, i.e. legal persons (other than public sector bodies) which hold private sector data. To this end, the Data Act suggests that the relevant business must not only be technically able to access the relevant data but also have the right to do so (Article 2(13) Data Act), which may not be the case where access to the data is effectively controlled by the user. Accordingly, the EU Commission has clarified in its FAQ that the qualification as a ‘data holder’ does not depend on who produced the hardware or software, but on who controls access to the relevant data, and that the role of a ‘data holder’ can in fact be contracted out to another entity (Question 21 of the FAQ). Therefore, a case-by-case assessment is needed, taking into account the technical and contractual set-up, in order to establish whether the relevant business can be considered a ‘data holder’ with regard to the specific data at hand.

In instances where there is no data holder and only the user has access to the data, the manufacturer is not required to provide access in response to a data request from a public authority. This is, for example, the case where the user acquires a connected product and the data are only stored locally, either directly on the device itself or transferred to the user’s personal devices, with no access by the manufacturer.

The scope of data that can be requested includes ‘any private sector data’, generally covering both personal and non-personal data, although access to personal data can only be requested in cases of a public emergency, subject to more stringent requirements to be met by the requesting public sector body (see below). 

“Exceptional need”: the legal trigger for public authorities to request data

Public authorities can request data from private entities when an ‘exceptional need’ arises.

Exceptional need scenarios refer to situations that are unforeseeable and time-limited, as opposed to situations that are planned, scheduled, periodic or frequent. They can include both emergency situations, such as major natural or human-induced disasters, pandemics and cybersecurity incidents, and non-emergency situations. Examples of non-emergency situations include the production of official statistics or the mitigation of, or recovery from, a public emergency. The EU Commission points to national laws that are supposed to provide further detail on the relevant factors to be considered when identifying an activity as ‘mitigation of or recovery from a public emergency’.

To justify the exceptional need, the authority must demonstrate it:

  • is acting on the basis of Union or national law,
  • has identified specific data, the lack of which prevents it from fulfilling a specific task carried out in the public interest, and
  • has exhausted all other means to obtain such data, including purchasing it at market price.

The Data Act further sets out detailed requirements for the data request. These include formal requirements (e.g. written form, using clear, concise and plain language, specifying the deadline by which data shall be made available, specifying the legal provision allocating the specific task carried out in the public interest to the requesting authority), but also substantive requirements (e.g. justification of the choice of the data holder to which the request is addressed, substantiating that the conditions necessary for the existence of an exceptional need are met). The EU Commission is expected to develop a model template for requests from public authorities, which is intended to facilitate a harmonized approach for the requesting authorities, but also simplify the review process for data holders. 

Business response timelines and grounds for refusal

Businesses must comply without undue delay, but may refuse or request modification within 30 working days if:

  • They do not have control over the requested data, 
  • A similar request has been previously submitted by another public authority and the business has not been notified of the erasure of the data (‘once-only principle’), or
  • The request fails to meet Data Act requirements (e.g. does not sufficiently specify the data requested or does not explain the purpose of the request).

Emergency requests: a faster clock

In the event of public emergencies (including health crises, natural disasters, as well as human-induced events, such as cybersecurity incidents), authorities may request all relevant business-held data, including personal data. However, personal data can only be requested if 

  • Non-personal data is insufficient to respond to the public emergency, and
  • The public sector body is unable to obtain such data by alternative means in a timely and effective manner under equivalent conditions.

Even in emergencies, businesses retain the right to refuse or seek modifications, but the timeline shortens significantly: 5 working days to respond. 

To the extent access to personal data is facilitated in response to a data request from a public authority, the data holder may need to assess whether affected individuals need to be informed, in accordance with the requirements set out in the GDPR, before any such disclosure takes place. 

How to assess and comply 

The burden of assessing the validity of a request lies with the recipient business. While some formalities are straightforward, such as written format and citation of legal provisions, others require deeper scrutiny:

  • Is the scope of the request proportionate?
  • Is the necessity clearly justified?

Verifying that these requirements are met for each specific request will require significant resources.

Further, while the Data Act does not specify how to comply in practice, businesses should proactively establish internal processes to review and fulfil data requests from public sector bodies. This includes checklists outlining the relevant review criteria, internal policies ensuring involvement of the relevant stakeholders and adherence to applicable timelines, processes for anonymising or pseudonymising data before it is disclosed to the requesting authority, and (where applicable) informing affected users about the disclosure of their data, to the extent personal data is involved.

Penalties in case of non-compliance

Navigating enforcement under the Data Act may also be particularly complex.

The Data Act opts for a decentralised approach: it delegates enforcement to individual Member States, allowing each to define its own fines and corrective measures, provided the sanctions are effective, proportionate and dissuasive. This opens the door to regulatory fragmentation, as both the structure and the number of competent authorities will vary across jurisdictions. Data coordinators, designated to oversee and facilitate cooperation where multiple authorities are involved, will help, but navigating the landscape will remain challenging.

This blog post is part of a series on the Data Act.