← Back to all briefings

Data Strategy · Credibility 85/100 · · 2 min read

Data sharing governance — Data Act public-sector access obligations

From 12 September 2025, data holders must respond to EU public-sector requests made under the Data Act’s exceptional-need provisions, requiring legal, security, and engineering teams to codify intake and extraction workflows.

Executive briefing: Chapter V of Regulation (EU) 2023/2854 grants public-sector bodies and EU institutions the right to request access to privately held data in cases of exceptional need—natural disasters, public health emergencies, or enforcing legal obligations. The rules apply from 12 September 2025. Enterprises holding mobility, energy, health, agriculture, or platform data must establish procedures to evaluate requests, supply information securely, and respect confidentiality limits.

Compliance checkpoints

  • Legal assessment. Article 17 requires authorities to demonstrate exceptional need; data holders must verify scope, proportionality, and purpose limitations before disclosure.
  • Delivery safeguards. Article 20 compels use of secure technical interfaces, integrity checks, and logging to ensure data is transferred safely and only for the specified duration.
  • Compensation and confidentiality. Article 21 allows reasonable cost recovery and mandates protection of trade secrets, demanding contractual templates and redaction tooling.

Operational build

  • Stand up intake desks integrating legal, privacy, and security review to triage governmental requests within statutory timelines.
  • Develop extraction playbooks with data catalogues, transformation scripts, and approval checkpoints so datasets reach authorities in compliant formats.
  • Instrument monitoring and retention controls to prove that data provided under exceptional-need requests is deleted or returned when obligations expire.

Enablement moves

  • Maintain inventories of sensitive data, trade secrets, and third-party obligations to streamline proportionality assessments.
  • Embed contractual clauses with partners covering downstream sharing triggered by Data Act requests.
  • Align disclosures with GDPR accountability artefacts, ensuring lawful basis and impact assessments are recorded.

Sources

Zeph Tech helps data holders operationalise Data Act exceptional-need workflows—building request triage, extraction, and accountability controls.

  • EU Data Act
  • Public sector data requests
  • Data governance
  • Exceptional need
Back to curated briefings