Numerique
In today's digital economy, databases constitute a major strategic asset for companies. These structured sets of information, the result of often considerable investments, represent a growing commercial value that organisations legitimately seek to
Reading time:
17 min
In today's digital economy, databases constitute a major strategic asset for companies. These structured sets of information, the result of often considerable investments, represent a growing commercial value that organisations legitimately seek to monetise.
However, the commercial exploitation of databases falls within a complex legal framework, at the crossroads of intellectual property law and personal data protection law. Mastering these two dimensions is now essential to develop a value-creation strategy that is both effective and compliant with the legal framework.
If you wish to call upon a lawyer specialising in software and database law, contact me!
The legal framework surrounding databases has a remarkable particularity: the same object can simultaneously benefit from two distinct and complementary protection regimes. This duality, enshrined by European Directive 96/9/EC of 11 March 1996 and transposed into the French Intellectual Property Code, offers reinforced protection but also requires mastering the subtleties of each regime.
The first, classic form of protection falls under copyright. It applies when the structure of the database – the selection or arrangement of the elements that compose it – has an original character reflecting the imprint of its author's personality. This originality lies not in the data itself, but in their organisation, their arrangement or the selection criteria used.
This protection grants its holder the usual prerogatives of copyright: moral rights (in particular the right of attribution) and economic rights (reproduction, performance, adaptation) for a duration corresponding to the author's lifetime plus 70 years after their death. It is acquired automatically, without any particular formality, from the creation of the database, provided that it satisfies the originality criterion.
In practice, this requirement of originality can prove difficult to establish, particularly for databases with a technical or professional purpose whose structure often responds to functional imperatives leaving little room for creativity. The courts are generally restrictive in assessing this criterion, thus limiting the effective scope of this protection for many commercial databases.
Faced with the limitations of copyright, the European legislator created a second specific protection regime, known as sui generis, intended to protect the substantial investment made by the producer of the database, regardless of any originality. This right, codified in Articles L.341-1 et seq. of the Intellectual Property Code, constitutes a major innovation in the intellectual property legal landscape.
The sui generis right protects against the extraction or re-use of all or a qualitatively or quantitatively substantial part of the content of the database. It thus grants the producer – the natural or legal person who takes the initiative and the risk of the investments – an exploitation monopoly over the content of their database.
To benefit from this protection, the producer must demonstrate a substantial investment, whether financial, material or human, in obtaining, verifying or presenting the content. The case law of the Court of Justice of the European Union has clarified that investment in the creation of the data itself could not be taken into account, only the investment in the constitution of the database being relevant. This distinction, subtle but fundamental, can prove problematic for databases whose producer is also the creator of the data they contain.
The initial duration of protection is 15 years from the completion of the manufacture of the database, but any new substantial investment in updating the database triggers a renewal of this protection. This mechanism allows, in practice, potentially perpetual protection of databases that are regularly updated, as is the case for most databases with a commercial purpose.
The commercial value-creation of a database can take different paths, each raising specific legal issues. The most common economic models include the granting of usage licences, the provision of value-added services based on the data, or even indirect monetisation via targeted advertising.
The granting of usage licences constitutes the most classic mode of commercial exploitation for databases. These agreements precisely determine the rights granted to the licensee, their limits, and the associated financial considerations. Several aspects deserve particular attention during their drafting:
These agreements must also specify whether the licence relates to the structure of the database (protected by copyright), to its content (protected by the sui generis right), or to both, this distinction directly influencing the extent of the rights granted and the associated value-creation.
Defining the pricing model is a delicate exercise, requiring a balance between fair remuneration for the investment made and sufficient commercial appeal. Several approaches can be envisaged:
A flat-rate price for access to the entire database, suited to uses involving regular consultation of all the data.
Volume-based pricing based on the quantity of data consulted or extracted, particularly relevant for one-off or specific uses.
A periodic subscription model, guaranteeing continuous access to a regularly updated database and ensuring the producer a predictable revenue stream.
Differentiated pricing according to the purpose of use, distinguishing for example between internal, commercial or academic uses, with financial conditions adapted to each category.
These models can be combined or adjusted according to the specificities of the target market and the nature of the data marketed. Whatever approach is chosen, the contract should provide for transparent and balanced pricing-adjustment mechanisms to adapt to market conditions.
The commercial exploitation of a database engages the liability of its producer on several levels. The accuracy, completeness and updating of the data constitute obligations whose intensity varies according to the nature of the database and the use made of it. This liability may be contractual, towards licensees, or tortious, towards third parties who suffer harm linked to the use of the data.
Licence agreements generally contain clauses limiting or excluding liability, whose legal effectiveness depends largely on their proportionality and the status of the contracting party (professional or consumer). These clauses must be carefully calibrated to offer real protection to the producer without falling into the excess that would render them unenforceable.
To limit these risks, a rigorous data quality control policy and precise documentation of the recommended limits of use constitute essential preventive measures. Taking out specific insurance covering the risks linked to the commercial exploitation of data may also prove judicious for databases presenting significant stakes.
The marketing of databases raises complex legal issues, at the intersection of intellectual property law and personal data protection. A software and database law lawyer can advise you on the optimal strategy to create value from your data assets while complying with the legal framework.
Let's discuss your needs for 15 min!
The presence of personal data within a marketed database raises major regulatory questions, particularly since the entry into application of the General Data Protection Regulation (GDPR). This fundamental text does not prohibit the commercial exploitation of personal data, but strictly frames it through a set of principles and obligations that directly impact the methods of value-creation.
The first step is to precisely determine the status of each party in the value chain. The producer of the database marketing personal data generally acts as a data controller, while the licensee may be qualified either as a separate data controller (if it determines its own purposes of use), or as a processor (if it processes the data on behalf of the producer).
This qualification is decisive because it conditions the respective obligations of the parties and the contractual structure to be put in place: a licence agreement supplemented by specific clauses relating to data protection in the first case, or a processing agreement compliant with Article 28 of the GDPR in the second. In all cases, the roles and responsibilities of each party must be explicitly defined and documented.
The marketing of a database containing personal information cannot be envisaged without ensuring the lawfulness of the processing. Among the six legal bases provided for by the GDPR, two are particularly relevant in this context:
The consent of the data subjects, which must be freely given, specific, informed and unambiguous. While this legal basis offers great legal security, it has the major drawback of being revocable at any time, creating potential instability in the exploitation of the database.
The legitimate interest of the data controller, which requires a balancing exercise against the fundamental rights and freedoms of the data subjects. This more flexible legal basis nevertheless requires reinforced documentation, in particular through a data protection impact assessment (DPIA) for large-scale processing.
Whatever legal basis is chosen, the purpose limitation principle requires that the data only be used for objectives compatible with those initially communicated to the data subjects. This constraint can significantly limit the potential for re-use of the data in multiple or evolving commercial contexts.
The GDPR grants individuals extensive rights over their personal data: access, rectification, erasure, restriction, portability and objection. The exercise of these rights can have a direct impact on the commercial value of a database, particularly in the case of a right to erasure or objection that would reduce the volume of exploitable data.
The marketing of a database containing personal data must therefore be accompanied by robust operational processes allowing:
These operational constraints must be integrated from the design of the commercial strategy and the associated technical tools, according to the "Privacy by Design" approach promoted by the regulation. The support of a lawyer specialising in data protection is essential to put in place these compliant processes.
Faced with the legal complexity of the commercial exploitation of databases, several approaches can be adopted to maximise their value while ensuring regulatory compliance.
The complete anonymisation of data, when technically feasible, makes it possible to fall outside the scope of the GDPR, thus offering considerably increased freedom of exploitation. To be legally valid, this anonymisation must be irreversible, making any re-identification of the data subjects impossible, even by cross-referencing with other available sources of information.
This strict requirement is difficult to satisfy in practice, particularly for databases rich in descriptive attributes. A more accessible alternative consists of the pseudonymisation of data, which maintains the possibility of re-identification but significantly reduces the risks for the data subjects. Although remaining subject to the GDPR, pseudonymised data benefit from a more flexible exploitation framework, particularly in terms of compatible purposes and retention period.
The combination of partial anonymisation (for the most sensitive data) and pseudonymisation (for the attributes requiring traceability) can constitute an effective compromise, preserving the analytical value of the database while reducing the compliance burden.
The contractual framing of the marketing of a database containing personal information must incorporate specific clauses meeting the requirements of the GDPR. Among the essential provisions are:
These clauses must be adapted to the nature of the data, the technical ecosystem and the commercial relationship envisaged. Their design requires specific legal expertise, at the crossroads of contract law, intellectual property and data protection. A lawyer specialising in digital law can support you in this process.
Faced with growing regulatory constraints, new value-creation models are emerging, favouring controlled access to data rather than its direct transfer. These approaches include:
Secure APIs allowing the database to be queried without accessing its raw content, thus reducing the risks linked to the uncontrolled duplication of personal data.
Sandbox analysis environments where clients can exploit the data without extracting it, within a technical framework controlled by the producer who thus maintains effective control over their database.
Data enrichment services, where only the result of the processing is provided to the client, without transmission of the underlying personal data used to generate this result.
The marketing of aggregated and anonymised insights, exploiting the collective value of the data without exposing individual information.
These models, although sometimes more complex to implement technically, have the advantage of better compatibility with the principles of data minimisation and purpose limitation borne by the GDPR.
I want reliable legal documents!
The commercial exploitation of databases frequently takes place in an international context, raising specific questions of applicable law and data transfer.
The protection regimes for databases vary considerably depending on the jurisdiction. While the sui generis right is harmonised within the European Union, it does not exist or exists in very different forms in many third countries. In the United States in particular, protection rests essentially on copyright (the equivalent of copyright), with originality criteria that are sometimes less demanding, supplemented by contractual mechanisms and protection against unfair appropriation ("misappropriation").
This diversity requires a protection strategy adapted to each territory of exploitation, ideally combining:
For databases exploited internationally, a precise mapping of the rights recognised in each jurisdiction should guide the commercial and pricing strategy, with potentially differentiated conditions according to the level of effective legal protection.
For databases containing personal data, their marketing outside the European Economic Area comes up against the restrictions imposed by the GDPR regarding international transfers. Since the invalidation of the Privacy Shield by the "Schrems II" ruling of the Court of Justice of the European Union, these transfers to third countries not benefiting from an adequacy decision prove particularly complex.
The available legal mechanisms mainly include:
The growing complexity of these mechanisms may justify data localisation strategies, consisting of duplicating the database in different regions and limiting cross-border transfers, despite the operational additional cost that this entails.
The commercial exploitation of databases now requires a comprehensive approach, simultaneously integrating the legal, technical and commercial dimensions. This holistic vision makes it possible to transform regulatory constraints into competitive advantages and to maximise the value extracted from the investments made in the constitution and maintenance of databases.
Before any marketing initiative, a complete audit of the database is required to identify:
This initial assessment makes it possible to develop a realistic and compliant commercial strategy, adapted to the specific characteristics of the database and its legal environment.
The implementation of structured data governance constitutes a key success factor for the commercial exploitation of databases. This governance must cover the entire life cycle of the data, from their collection to their deletion, including their enrichment, updating and exploitation.
Rigorous documentation of the processes, data flows and protection measures implemented facilitates the demonstration of compliance required by the accountability principle of the GDPR. This transparency also reinforces the confidence of commercial partners and end users, which has become a differentiating factor in a market increasingly sensitive to ethical and regulatory issues.
Beyond strict compliance with legal obligations, the commercial exploitation of databases raises ethical questions whose consideration is becoming a distinctive element. A responsible approach to creating value from data may include:
These considerations, initially perceived as additional constraints, are progressively revealing themselves to be commercial assets in a context of growing awareness of the issues linked to the exploitation of data.
The complex legal environment surrounding the commercial exploitation of databases may seem restrictive at first glance. Yet, this very complexity creates barriers to entry which, for the players who fully master the regulatory subtleties, turn into significant competitive advantages.
GDPR compliance, often perceived as a burden, now constitutes a decisive commercial argument, particularly for institutional or regulated clients. The ability to demonstrate effective protection of intellectual property rights similarly reassures partners about the durability and legitimacy of the offer.
The investment in a rigorous legal structuring of the commercial exploitation of databases should not be seen as a compliance cost, but as a strategic investment in building an asset that can create value over the long term, protected both by legal mechanisms and by the operational excellence of its management.
To learn more
A database can benefit from dual protection: copyright, for the originality of its structure, and the sui generis right, for the investment made in its constitution. The same object can thus combine these two distinct and complementary regimes under French and European law.
Sui generis protection rewards the substantial investment made to constitute, verify and present a database. It allows the producer to prohibit the extraction or re-use of a substantial part of the content, regardless of the originality of the structure.
Yes, when the database contains personal data. Commercial exploitation is then at the crossroads of intellectual property and data protection. Mastering these two dimensions is essential to create value from the database while remaining compliant with the GDPR.
Monetisation is possible but regulated. If the database contains personal data, their exploitation must comply with the GDPR: legal basis, information of the persons, security and respect for their rights. Value-creation must therefore reconcile sui generis protection and GDPR compliance.
The sui generis right protects the database as an investment, while the GDPR governs the personal data it contains. The two regimes apply simultaneously: the company must secure its rights over the database while complying with the obligations relating to personal data.
Under the sui generis right, the producer can prohibit the extraction or re-use of a substantial part of the content of the database. This right nevertheless has legal limits and does not extend to the legitimate uses of the user under the conditions provided for by the contract.
Non-compliant exploitation exposes one to an infringement action under the sui generis right and to GDPR sanctions if personal data are mishandled. The dual legal dimension requires particular vigilance to secure the value-creation of the database.
A lawyer specialising in software and database law helps to secure the rights over the database, to reconcile sui generis protection and the GDPR and to frame its commercial exploitation. This support enables effective value-creation that complies with the legal framework.
Still have questions?
Our team is available!
Have a question?

Ressources
Aller plus loin