When the EU Data Use and Access Act (DUAA) 2025 enforcement window opened in Q1 2026, the immediate conversation focused on buyers: AI labs, fintech platforms, and enterprise data teams rushing to audit their training datasets. What received far less attention is the parallel set of obligations placed on the organisations supplying that data.
If you collect, hold, or process data as part of your core business — and you sell access to it, licence it to third parties, or share it for commercial purposes — DUAA 2025 applies to you directly. Non-compliance on the supply side carries the same penalty exposure as the buyer side: up to 4% of global annual turnover. And because suppliers sit at the top of the data chain, a compliance failure on your end can trigger cascading liability for every buyer downstream.
Why Sellers Are Directly in Scope
DUAA 2025 explicitly covers "data holders" and "data intermediaries" — terms broad enough to capture any organisation that transfers datasets to third parties for consideration, whether financial or otherwise. Article 3 defines a data holder as any entity that has the right to grant access to data it collects or generates. Article 11 extends compliance obligations to cover the act of making that data available, not just its original collection.
The practical consequence: compliance is not something you hand off to your buyer via a standard data-sharing agreement. You are responsible for the state of the data at the point of transfer. A buyer who subsequently discovers a compliance gap in data you sold them has grounds to bring a claim against you, in addition to any regulatory action taken by the relevant supervisory authority.
Regulators have confirmed they will pursue supply-side enforcement where data sold for AI training purposes fails DUAA standards. The supervisory authority in the jurisdiction where the data was collected has primary jurisdiction — not the jurisdiction of the buyer's AI deployment.
The Three Core Obligations for Data Sellers
1. Provenance documentation (Article 12)
You must be able to produce a complete provenance record for any dataset you sell. This means documenting not just where the data came from, but the entire chain: original collection source, legal basis for collection, any intermediate processing steps, who processed it, when, and what was changed.
If your dataset has been enriched, cleaned, merged with external sources, or transformed in any way since original collection, every step must be recorded. A buyer purchasing data for AI training is legally required to obtain this chain-of-custody documentation from you — and "we don't have those records" will not satisfy a regulator.
For organisations that have been selling data commercially for years without formal provenance tracking, this is typically the largest gap to close. The requirement is not retrospective in the sense that you cannot be fined for historical gaps, but any dataset sold after the enforcement window opened must meet the standard — which means retroactively documenting the provenance of existing datasets before they are sold again.
2. Lawful basis validity at point of transfer (Articles 14–17)
Where your dataset contains or was derived from personal data, you must warrant to the buyer that the original lawful basis for processing that data is still valid at the time of sale. This is a living obligation, not a one-time check at collection.
Consent obtained years ago under pre-GDPR terms does not satisfy DUAA's requirements. Consent that has since been withdrawn invalidates the dataset for re-sale purposes even if the data appears fully anonymised at the time of transfer. And consent obtained for a specific purpose does not automatically extend to AI training — Article 15 requires an explicit compatibility assessment before a dataset collected under legitimate interests or consent can be resold for AI purposes.
| Original Collection Basis | Valid for AI Training Re-Sale? | What's Required |
|---|---|---|
| Explicit consent (GDPR Art. 6(1)(a)) | Conditional | Consent must not have been withdrawn; explicit AI training purpose or Art. 15 compatibility assessment required |
| Legitimate interests (GDPR Art. 6(1)(f)) | Conditional | LIA must be re-run for AI training purpose; buyer's purpose must be compatible |
| Contractual necessity (GDPR Art. 6(1)(b)) | High risk | AI training is almost never covered; new lawful basis required or full anonymisation to DUAA Art. 19 standard |
| Public task / statutory function (Art. 6(1)(e)) | Restricted | Re-sale typically outside scope of public task; specific legal authority required |
| Fully anonymised to Art. 19 standard | Compliant | No personal data processing — GDPR lawful basis requirements do not apply |
3. Anonymisation to Article 19 standard before transfer
This is where most data sellers face the most significant technical challenge. DUAA's anonymisation requirements are stricter than what most organisations currently apply — and as the supplier, you bear the obligation to meet them before your dataset leaves your possession.
Article 19 does not permit you to sell a dataset with PII present and rely on the buyer to anonymise it. The standard must be met at source. If a buyer subsequently re-identifies individuals from data you supplied, regulatory exposure comes back to you, not just them, unless you can demonstrate that the anonymisation you applied was sufficient at the time of transfer and that re-identification was only possible through means not reasonably foreseeable.
The Article 19 technical annex specifies minimum standards by data category:
| Data Category | Minimum Standard Required | Seller Responsibility |
|---|---|---|
| Direct identifiers (names, NI numbers, passport numbers, device IDs) | Removal or pseudonymisation with key stored separately from dataset | Pre-transfer |
| Quasi-identifiers (DOB, postcode, occupation, gender combinations) | k-anonymity (k≥5) or differential privacy (ε≤1.0) | Pre-transfer |
| Behavioural / transactional patterns | Aggregation to group level or differential privacy | Pre-transfer |
| Financial records with individual-level detail | Full anonymisation + re-identification risk assessment | Pre-transfer |
| Aggregate or cohort-level statistics (no individual records) | Documented generation methodology | Compliant on transfer |
What Your Buyer Agreements Need to Include
Even when your data meets DUAA's technical standards, your contractual documentation must reflect that. Standard data licensing agreements typically don't cover DUAA-specific representations. If you are selling datasets for AI training purposes, your agreements need to include — at minimum:
- A provenance warranty. An express representation that you have and can produce a complete chain-of-custody record for the dataset, including original collection source and any intermediate processing steps.
- A lawful basis warranty. Confirmation that the original legal basis for collection remains valid as of the date of transfer and that it extends, or has been assessed as compatible with, the buyer's intended AI training use.
- An anonymisation warranty. Representation that the dataset meets Article 19 standards at point of transfer, specifying the technique applied and the assessed re-identification risk.
- Audit rights for the buyer. DUAA requires buyers to be able to verify your compliance representations. Your agreements should anticipate this and define the scope and timeline for any compliance audit the buyer may exercise.
- A notification obligation. If you subsequently discover that data you sold contains a compliance gap — a consent withdrawal, a provenance error, an anonymisation failure — you are obligated to notify affected buyers. Your agreement should formalise this.
Many organisations are treating their existing data licence agreements as compliant by adding a single DUAA addendum. That approach is insufficient where the base agreement does not include audit rights and notification obligations. In most cases, a full amendment or new agreement is necessary for datasets sold for AI training after Q1 2026.
The Documentation You Must Be Able to Produce in 72 Hours
DUAA enforcement practice is modelled on GDPR's Subject Access Request framework: regulators expect to receive documentation quickly once a complaint or investigation is triggered. For data sellers, the practical requirement is that you can produce the following within 72 hours of a regulator request:
- Original collection methodology and legal basis documentation for the dataset in question
- Consent records or legitimate interests assessment (where applicable)
- Anonymisation log: technique applied, version of dataset, assessed re-identification risk at time of processing, name of the individual or system responsible
- Transfer records: date of sale, buyer identity, dataset version, contractual representations made
- Any subsequent modifications to the dataset after original anonymisation
If any of these records do not currently exist for datasets you are actively selling, that is a gap you need to close before the next transfer.
The Commercial Opportunity in Getting This Right
The compliance burden on data sellers is real — but so is the commercial opportunity for those who get there first. Buyers are increasingly demanding verified, provenance-documented datasets with explicit DUAA compliance representations. Datasets that cannot provide this documentation are becoming unsellable to serious enterprise buyers, regardless of their content quality.
Organisations that build the infrastructure to automate PII detection, anonymisation, and provenance tracking are not just reducing their compliance risk — they are creating a durable competitive advantage in a market where compliant data is genuinely scarce. The same infrastructure that protects you from regulatory exposure is the thing that lets you command a premium for your data assets.
The adamn marketplace operates on this principle: every dataset listed has passed automated anonymisation checks and carries provenance documentation. Buyers exploring our catalogue can access compliance documentation directly, which means sellers on our platform spend less time responding to buyer due diligence requests and more time growing their data revenue.
Where to Start
If you are a data seller trying to assess your current DUAA readiness, the audit sequence that most reliably surfaces gaps is:
- Inventory your datasets. List every dataset you currently sell or licence. Include datasets sold infrequently or under custom agreements — they are in scope.
- Audit provenance records. For each dataset, determine whether you have complete chain-of-custody documentation. Flag any dataset where original collection records are incomplete or unavailable.
- Assess lawful basis validity. For any dataset derived from personal data, confirm that the original legal basis remains valid and extends to AI training purposes. This is a legal assessment, not a technical one — involve your DPO or legal team.
- Run Article 19 anonymisation checks. Test your existing datasets against the Article 19 technical annex requirements. Many datasets that passed GDPR anonymisation standards will fail here, particularly transactional and behavioural datasets where quasi-identifier combinations create re-identification risk.
- Update your agreements. Review your standard data licence agreement against the contractual requirements above. Amend or replace where needed before your next sale.
- Implement ongoing monitoring. Compliance is not static. Consent withdrawals, new external datasets that create re-identification risk when combined with yours, changes to your own data processing — all of these can create compliance gaps after the initial audit. Build monitoring into your data operations, not just a one-time review.
The organisations that will navigate DUAA with the least disruption are those that treat data compliance as an infrastructure question rather than a legal one. The legal framework tells you what outcome you need to achieve; the infrastructure determines whether you can actually achieve it at scale, consistently, and with the documentation trail that enforcement will demand.