Commercial exploitation of databases: between sui generis protection and GDPR compliance

In today's digital economy, databases constitute a major strategic asset for companies. These structured sets of information, the result of often considerable investments, represent a growing commercial value that organisations legitimately seek to monetise.

However, the commercial exploitation of databases falls within a complex legal framework, at the crossroads of intellectual property law and personal data protection law. Mastering these two dimensions is now essential to develop a value-creation strategy that is both effective and compliant with the legal framework.

The dual legal protection of databases under French and European law

The legal framework surrounding databases has a remarkable particularity: the same object can simultaneously benefit from two distinct and complementary protection regimes. This duality, enshrined by European Directive 96/9/EC of 11 March 1996 and transposed into the French Intellectual Property Code, offers reinforced protection but also requires mastering the subtleties of each regime.

Protection through copyright: rewarding originality

The first, classic form of protection falls under copyright. It applies when the structure of the database – the selection or arrangement of the elements that compose it – has an original character reflecting the imprint of its author's personality. This originality lies not in the data itself, but in their organisation, their arrangement or the selection criteria used.

This protection grants its holder the usual prerogatives of copyright: moral rights (in particular the right of attribution) and economic rights (reproduction, performance, adaptation) for a duration corresponding to the author's lifetime plus 70 years after their death. It is acquired automatically, without any particular formality, from the creation of the database, provided that it satisfies the originality criterion.

In practice, this requirement of originality can prove difficult to establish, particularly for databases with a technical or professional purpose whose structure often responds to functional imperatives leaving little room for creativity. The courts are generally restrictive in assessing this criterion, thus limiting the effective scope of this protection for many commercial databases.

The producer's sui generis right: protecting the investment

Faced with the limitations of copyright, the European legislator created a second specific protection regime, known as sui generis, intended to protect the substantial investment made by the producer of the database, regardless of any originality. This right, codified in Articles L.341-1 et seq. of the Intellectual Property Code, constitutes a major innovation in the intellectual property legal landscape.

The sui generis right protects against the extraction or re-use of all or a qualitatively or quantitatively substantial part of the content of the database. It thus grants the producer – the natural or legal person who takes the initiative and the risk of the investments – an exploitation monopoly over the content of their database.

To benefit from this protection, the producer must demonstrate a substantial investment, whether financial, material or human, in obtaining, verifying or presenting the content. The case law of the Court of Justice of the European Union has clarified that investment in the creation of the data itself cannot be taken into account; only the investment in the constitution of the database is relevant. This distinction, subtle but fundamental, can prove problematic for databases whose producer is also the creator of the data they contain.

The initial duration of protection is 15 years from the completion of the manufacture of the database, but any new substantial investment in updating the database triggers a renewal of this protection. This mechanism allows, in practice, potentially perpetual protection of databases that are regularly updated, as is the case for most databases with a commercial purpose.

The specific challenges of marketing databases

Creating commercial value from a database can take different paths, each raising specific legal issues. The most common economic models include the granting of usage licences, the provision of value-added services based on the data, or even indirect monetisation via targeted advertising.

Licence agreements: the cornerstone of commercial exploitation

The granting of usage licences constitutes the most classic mode of commercial exploitation for databases. These agreements precisely determine the rights granted to the licensee, their limits, and the associated financial considerations. Several aspects deserve particular attention during their drafting:

  • The precise delimitation of the scope of authorised use (consultation, extraction, re-use)
  • The applicable geographical and temporal restrictions
  • The technical arrangements for accessing the database
  • The exclusive or non-exclusive nature of the rights granted
  • The possibilities of sub-licensing or redistribution
  • The mechanisms for monitoring and auditing compliance with the conditions of use
  • The guarantees offered as to the quality and lawfulness of the data

These agreements must also specify whether the licence relates to the structure of the database (protected by copyright), to its content (protected by the sui generis right), or to both, this distinction directly influencing the extent of the rights granted and the associated value-creation.

Pricing models: reflecting value without hindering use

Defining the pricing model is a delicate exercise, requiring a balance between fair remuneration for the investment made and sufficient commercial appeal. Several approaches can be envisaged:

A flat-rate price for access to the entire database, suited to uses involving regular consultation of all the data.

Volume-based pricing based on the quantity of data consulted or extracted, particularly relevant for one-off or specific uses.

A periodic subscription model, guaranteeing continuous access to a regularly updated database and ensuring the producer a predictable revenue stream.

Differentiated pricing according to the purpose of use, distinguishing for example between internal, commercial or academic uses, with financial conditions adapted to each category.

These models can be combined or adjusted according to the specificities of the target market and the nature of the data marketed. Whatever approach is chosen, the contract should provide for transparent and balanced pricing-adjustment mechanisms to adapt to market conditions.

The producer's liability: an often underestimated issue

The commercial exploitation of a database engages the liability of its producer on several levels. The accuracy, completeness and updating of the data constitute obligations whose intensity varies according to the nature of the database and the use made of it. This liability may be contractual, towards licensees, or tortious, towards third parties who suffer harm linked to the use of the data.

Licence agreements generally contain clauses limiting or excluding liability, whose legal effectiveness depends largely on their proportionality and the status of the contracting party (professional or consumer). These clauses must be carefully calibrated to offer real protection to the producer without falling into the excess that would render them unenforceable.

To limit these risks, a rigorous data quality control policy and precise documentation of the recommended limits of use constitute essential preventive measures. Taking out specific insurance covering the risks linked to the commercial exploitation of data may also prove judicious for databases presenting significant stakes.

The marketing of databases raises complex legal issues, at the intersection of intellectual property law and personal data protection. A software and database law lawyer can advise you on the optimal strategy to create value from your data assets while complying with the legal framework.

The delicate interplay with the GDPR: compliance and value-creation

The presence of personal data within a marketed database raises major regulatory questions, particularly since the entry into application of the General Data Protection Regulation (GDPR). This fundamental text does not prohibit the commercial exploitation of personal data, but strictly frames it through a set of principles and obligations that directly impact the methods of value-creation.

The legal status of the actors: an essential clarification

The first step is to precisely determine the status of each party in the value chain. The producer of the database marketing personal data generally acts as a data controller, while the licensee may be qualified either as a separate data controller (if it determines its own purposes of use), or as a processor (if it processes the data on behalf of the producer).

This qualification is decisive because it conditions the respective obligations of the parties and the contractual structure to be put in place: a licence agreement supplemented by specific clauses relating to data protection in the first case, or a processing agreement compliant with Article 28 of the GDPR in the second. In all cases, the roles and responsibilities of each party must be explicitly defined and documented.

The lawfulness of processing: the foundation of any exploitation

The marketing of a database containing personal information cannot be envisaged without ensuring the lawfulness of the processing. Among the six legal bases provided for by the GDPR, two are particularly relevant in this context:

The consent of the data subjects, which must be freely given, specific, informed and unambiguous. While this legal basis offers great legal security, it has the major drawback of being revocable at any time, creating potential instability in the exploitation of the database.

The legitimate interest of the data controller, which requires a balancing exercise against the fundamental rights and freedoms of the data subjects. This more flexible legal basis nevertheless requires reinforced documentation, in particular through a data protection impact assessment (DPIA) for large-scale processing.

Whatever legal basis is chosen, the purpose limitation principle requires that the data only be used for objectives compatible with those initially communicated to the data subjects. This constraint can significantly limit the potential for re-use of the data in multiple or evolving commercial contexts.

The rights of data subjects: operational management to plan ahead

The GDPR grants individuals extensive rights over their personal data: access, rectification, erasure, restriction, portability and objection. The exercise of these rights can have a direct impact on the commercial value of a database, particularly in the case of a right to erasure or objection that would reduce the volume of exploitable data.

The marketing of a database containing personal data must therefore be accompanied by robust operational processes that make it possible to:

  • Respond effectively to requests to exercise rights within the legal time limits
  • Propagate modifications or deletions to all the licensees concerned
  • Maintain complete traceability of the processing carried out on each piece of data
  • Proactively inform data subjects in accordance with Articles 13 and 14 of the GDPR

These operational constraints must be integrated from the design of the commercial strategy and the associated technical tools, according to the "Privacy by Design" approach promoted by the regulation. The support of a lawyer specialising in data protection is essential to put in place these compliant processes.

Optimisation strategies for a compliant and value-creating exploitation

Faced with the legal complexity of the commercial exploitation of databases, several approaches can be adopted to maximise their value while ensuring regulatory compliance.

Anonymisation and pseudonymisation: strategic levers

The complete anonymisation of data, when technically feasible, makes it possible to fall outside the scope of the GDPR, thus offering considerably increased freedom of exploitation. To be legally valid, this anonymisation must be irreversible, making any re-identification of the data subjects impossible, even by cross-referencing with other available sources of information.

This strict requirement is difficult to satisfy in practice, particularly for databases rich in descriptive attributes. A more accessible alternative consists of the pseudonymisation of data, which maintains the possibility of re-identification but significantly reduces the risks for the data subjects. Although remaining subject to the GDPR, pseudonymised data benefit from a more flexible exploitation framework, particularly in terms of compatible purposes and retention period.

The combination of partial anonymisation (for the most sensitive data) and pseudonymisation (for the attributes requiring traceability) can constitute an effective compromise, preserving the analytical value of the database while reducing the compliance burden.

Licence agreements adapted to the GDPR context

The contractual framing of the marketing of a database containing personal information must incorporate specific clauses meeting the requirements of the GDPR. Among the essential provisions are:

  • The precise legal qualification of the parties and the allocation of their responsibilities
  • The authorised purposes and the expressly prohibited processing
  • The technical and organisational security measures required of the licensee
  • The arrangements for managing data breaches and the notification obligations
  • The procedures for auditing and monitoring compliance
  • The guarantees concerning the exercise of the rights of data subjects
  • The conditions for transferring data outside the European Economic Area

These clauses must be adapted to the nature of the data, the technical ecosystem and the commercial relationship envisaged. Their design requires specific legal expertise, at the crossroads of contract law, intellectual property and data protection. A lawyer specialising in digital law can support you in this process.

Alternative economic models: rethinking the value of data

Faced with growing regulatory constraints, new value-creation models are emerging, favouring controlled access to data rather than its direct transfer. These approaches include:

Secure APIs allowing the database to be queried without accessing its raw content, thus reducing the risks linked to the uncontrolled duplication of personal data.

Sandbox analysis environments where clients can exploit the data without extracting it, within a technical framework controlled by the producer who thus maintains effective control over their database.

Data enrichment services, where only the result of the processing is provided to the client, without transmission of the underlying personal data used to generate this result.

The marketing of aggregated and anonymised insights, exploiting the collective value of the data without exposing individual information.

These models, although sometimes more complex to implement technically, have the advantage of better compatibility with the principles of data minimisation and purpose limitation borne by the GDPR.

International challenges and cross-border transfers

The commercial exploitation of databases frequently takes place in an international context, raising specific questions of applicable law and data transfer.

The territorial applicability of legal protections

The protection regimes for databases vary considerably depending on the jurisdiction. While the sui generis right is harmonised within the European Union, it does not exist or exists in very different forms in many third countries. In the United States in particular, protection rests essentially on copyright (the equivalent of the French droit d'auteur), with originality criteria that are sometimes less demanding, supplemented by contractual mechanisms and protection against unfair appropriation ("misappropriation").

This diversity requires a protection strategy adapted to each territory of exploitation, ideally combining:

  • The legal protections available locally
  • Robust contractual mechanisms supplementing or replacing exclusive rights
  • Technical measures of protection against unauthorised extraction
  • Active monitoring of the market to detect unlawful uses

For databases exploited internationally, a precise mapping of the rights recognised in each jurisdiction should guide the commercial and pricing strategy, with potentially differentiated conditions according to the level of effective legal protection.

International transfers of personal data

For databases containing personal data, their marketing outside the European Economic Area comes up against the restrictions imposed by the GDPR regarding international transfers. Since the invalidation of the Privacy Shield by the "Schrems II" ruling of the Court of Justice of the European Union, these transfers to third countries not benefiting from an adequacy decision prove particularly complex.

The available legal mechanisms mainly include:

  • The standard contractual clauses adopted by the European Commission, which must now be accompanied by an assessment of the level of protection offered by the recipient country and additional measures if necessary
  • Binding corporate rules for intra-group transfers, whose approval process remains long and costly
  • The derogations provided for in Article 49 of the GDPR, including explicit consent, usable only for non-massive, occasional and necessary transfers

The growing complexity of these mechanisms may justify data localisation strategies, consisting of duplicating the database in different regions and limiting cross-border transfers, despite the additional operational cost that this entails.

Towards a strategic approach to creating value from data assets

The commercial exploitation of databases now requires a comprehensive approach, simultaneously integrating the legal, technical and commercial dimensions. This holistic vision makes it possible to transform regulatory constraints into competitive advantages and to maximise the value extracted from the investments made in the constitution and maintenance of databases.

The preliminary audit: the foundation of a solid strategy

Before any marketing initiative, a complete audit of the database is required to identify:

  • The components protectable by copyright and/or the sui generis right
  • The presence of personal data and their sensitivity
  • The sources of the data and the lawfulness of their collection
  • The investments made that can be documented
  • The specific legal risks
  • The value-creation potential according to different models

This initial assessment makes it possible to develop a realistic and compliant commercial strategy, adapted to the specific characteristics of the database and its legal environment.

Data governance: a prerequisite for value-creation

The implementation of structured data governance constitutes a key success factor for the commercial exploitation of databases. This governance must cover the entire life cycle of the data, from their collection to their deletion, including their enrichment, updating and exploitation.

Rigorous documentation of the processes, data flows and protection measures implemented facilitates the demonstration of compliance required by the accountability principle of the GDPR. This transparency also reinforces the confidence of commercial partners and end users, which has become a differentiating factor in a market increasingly sensitive to ethical and regulatory issues.

The ethical dimension: beyond legal compliance

Beyond strict compliance with legal obligations, the commercial exploitation of databases raises ethical questions whose consideration is becoming a distinctive element. A responsible approach to creating value from data may include:

  • Greater transparency on the sources and quality of the data
  • A fair sharing of value with the contributors or the data subjects
  • Particular vigilance regarding potential biases contained in the data
  • Reflection on the societal impact of the uses encouraged

These considerations, initially perceived as additional constraints, are progressively revealing themselves to be commercial assets in a context of growing awareness of the issues linked to the exploitation of data.

Turning constraints into strategic opportunities

The complex legal environment surrounding the commercial exploitation of databases may seem restrictive at first glance. Yet, this very complexity creates barriers to entry which, for the players who fully master the regulatory subtleties, turn into significant competitive advantages.

GDPR compliance, often perceived as a burden, now constitutes a decisive commercial argument, particularly for institutional or regulated clients. The ability to demonstrate effective protection of intellectual property rights similarly reassures partners about the durability and legitimacy of the offer.

The investment in a rigorous legal structuring of the commercial exploitation of databases should not be seen as a compliance cost, but as a strategic investment in building an asset that can create value over the long term, protected both by legal mechanisms and by the operational excellence of its management.

To learn more

How is a database legally protected?

A database can benefit from dual protection: copyright, for the originality of its structure, and the sui generis right, for the investment made in its constitution. The same object can thus combine these two distinct and complementary regimes under French and European law.

What is the sui generis protection of a database?

Sui generis protection rewards the substantial investment made to constitute, verify and present a database. It allows the producer to prohibit the extraction or re-use of a substantial part of the content, regardless of the originality of the structure.

Is the exploitation of a database subject to the GDPR?

Yes, when the database contains personal data. Commercial exploitation is then at the crossroads of intellectual property and data protection. Mastering these two dimensions is essential to create value from the database while remaining compliant with the GDPR.

Can a database containing personal data be monetised?

Monetisation is possible but regulated. If the database contains personal data, their exploitation must comply with the GDPR: legal basis, information of the persons, security and respect for their rights. Value-creation must therefore reconcile sui generis protection and GDPR compliance.

How to reconcile the sui generis right and the GDPR?

The sui generis right protects the database as an investment, while the GDPR governs the personal data it contains. The two regimes apply simultaneously: the company must secure its rights over the database while complying with the obligations relating to personal data.

What can the producer of a database prohibit?

Under the sui generis right, the producer can prohibit the extraction or re-use of a substantial part of the content of the database. This right nevertheless has legal limits and does not extend to the legitimate uses of the user under the conditions provided for by the contract.

What risks arise in the event of non-compliant exploitation of a database?

Non-compliant exploitation exposes one to an infringement action under the sui generis right and to GDPR sanctions if personal data are mishandled. The dual legal dimension requires particular vigilance to secure the value-creation of the database.

Is a lawyer useful for exploiting a database?

A lawyer specialising in software and database law helps to secure the rights over the database, to reconcile sui generis protection and the GDPR and to frame its commercial exploitation. This support enables effective value-creation that complies with the legal framework.
