Skip to main content

21. Is a manufacturer always a data holder?

Even though manufacturers will typically be data holders, this is not always the case. The Data Act allows an entity to ’outsource’ the role of ‘data holder’. For example, a manufacturer may contract out to another entity the role of ‘data holder’ for all or part of the manufacturer’s connected products. In addition, a data holder who is not a manufacturer might be a company that provides a related service linked to a connected product. This means that the business offering the related service might be a data holder and be different from the company that actually made the connected product.

Determining who the data holder is does not depend on who produced the hardware or software, but on who controls access to the readily available data. See the flowchart below for an example of role distribution.

Who can become a data holder?

The flowchart illustrates a situation where a user enters into two contracts (e.g. for the sale of the connected product and for the provision of the related service) that establish a legal relationship (in red) between the user and three separate data holders (circled in blue). The user must always be informed of the identity of the data holder(s) before signing such contracts.

  • The manufacturer is interested in receiving and using the data and therefore establishes itself as a data holder in the sales contract, in line with Articles 3(2) and 4(13) of the Data Act.

  • Both component supplier A and component supplier B deliver data-generating components. However, only supplier A receives data directly from the component via an embedded SIM card and is identified as a data holder in the pre-contractual information given in accordance with article 3(2) of the Data Act. If supplier A desires to use that data, this needs to happen on the basis of an agreement with the user in accordance with Article 4(13). At the point of sale/rent/lease, the manufacturer or distributor facilitates this agreement from which supplier A is notified of the identity of the user. Supplier B receives its component data from the manufacturer in accordance with their individual agreement which is subject to the user’s approval. In this scenario, supplier A is a data holder and supplier B is a third party.

  • Whenever a user also acquires a related service linked to the connected product, the related service provider must necessarily enter into a contract with the user, in line with Articles 3(3) and 4(13) of the Data Act. The related service provider therefore becomes a data holder.

In order for there to be an obligation on a data holder under Chapter II of the Data Act, there must always be a user. It is nevertheless possible under the Data Act for a person to be a user without there being a data holder. This situation could occur, for example, if a user acquires a connected product where the data are stored directly on the device or transferred from the device to the user’s computer, and the manufacturer does not have access to any of the data. In this scenario there is no data holder, since only the user has access to the data.