Jiahui Plomp

The transition to a sustainable economy requires not only innovation and decisiveness, but also smart financing solutions. Two instruments that are playing an increasingly important role in this regard are green bonds and sustainability-linked loans (SLLs). In this blog, we explain what these forms of financing entail, what the legal considerations are and how we support our clients in this regard. What are green bonds? Green bonds are bonds whose proceeds are used exclusively for sustainable projects. Examples include the construction of a wind farm, making real estate more sustainable or investing in clean public transport. The issuer – often a company, bank or government – contractually commits to spending the money raised only on these green projects. A practical example: A Dutch developer issues a green bond to finance the construction of a new solar park. Investors, including local entrepreneurs and even private individuals, can thus be sure that their money is contributing to the (local) energy transition. Each year, the developer reports on progress and environmental gains, such as the amount of green electricity generated. What are sustainability-linked loans (SLLs)? SLLs are loans in which the interest rate or other conditions are linked to the borrower’s achievement of sustainability targets. What makes them special is that the borrowed money can be spent freely, but the borrower commits to achieving specific ESG targets, such as reducing CO2 emissions or increasing the proportion of women in management. Real-life example: An international manufacturing company takes out an SLL with a bank. The loan agreement stipulates that the interest rate will fall by 0.2% if the company manages to reduce its CO2 emissions by 15% within three years. If the target is not achieved, the interest rate will increase. This creates a financial incentive to do business sustainably. Legal considerations With both forms of financing, it is essential to set out the agreements clearly and in a verifiable manner. This includes: Clear definitions of ‘green’ projects or KPIs; Independent assessment and reporting; Consequences of not achieving the targets; Transparency towards investors and regulators. Our ESG team The lawyers in our ESG team are happy to advise on drafting and assessing these contracts, structuring the financing and complying with the increasingly stringent regulations in the field of sustainability. Our ESG project team combines in-depth knowledge of financing law with up-to-date insights into sustainability legislation. We advise on setting up green bonds and SLLs, from the initial exploration to closing and post-closing reporting. Want to know more? Would you like to know what green bonds or SLLs can do for your organisation, or do you have questions about the legal aspects? Feel free to contact our ESG project team. We are happy to work with you to find sustainable financing solutions that work in practice.

The European Data Act comes into force with effect from 12 September 2025. This Regulation creates new rights and obligations that cover not just personal data, but data in general. The practical implications are huge. The Data Act particularly affects parties offering connected or Internet of Things (IoT)) products and cloud services. What is not often mentioned is that the Regulation also contains rules on data sharing agreements. These rules apply to all businesses. Providers of connected devices and related services The first main topic in the Data Act concerns the rules on the sharing and use of usage data from connected products and related services. These include products and services such as smartwatches and smart speakers with a virtual assistant like Alexa, as well as agricultural machinery with internet access. Businesses must comply with new obligations regarding connected products and related services as a result of the Data Act. First, companies that produce connected products and provide related services should design the products and services so that users can easily access their data (data access by design). Moreover, the Data Act gives users an explicit right of access to usage data. This right of access means that users of connected products and related services can easily access their usage data where data access by design has not been provided for. In addition, enterprises should also allow users to easily share their usage data with another party. Finally, buyers of connected products and recipients of a related service from the seller and the provider, respectively, should also be given certain information about how the connected product collects data. The data holder (usually the provider of the connected product or a related service) may now use non-personal data only if the agreement with the user of the connected product or related service allows it. The data holder must not use the data to derive insights about the economic situation, assets and production methods of the user, or the user’s use of the product or service, in a manner that could undermine the commercial position of the user on the markets in which the user is active. Data may be shared with third parties only when necessary to perform the agreement with the user. From 12 September 2026, connected products sold and related services provided must comply with the data access by design obligation. The other rules on connected products and related services, including the explicit right of access, already apply from 12 September 2025. Cloud service providers The second main topic concerns the rules imposed on data processing services. The term data processing services refers to a wide range of cloud services. The preamble refers to infrastructure as a service (IaaS), platform as a service (PaaS), software as a service (SaaS), storage as a service and database as a service. The term also covers what are known as edge services. The obligations imposed on data processing service providers relate to 1) facilitating switching, 2) facilitating interoperability between different data processing services and 3) preventing international governmental access. From 12 September 2025, data processing service providers will have to comply with these rules. Sharing of data with governments The third main topic concerns rules on mandatory data sharing with public sector bodies, the European Central Bank, the European Commission or any other European Union body. These bodies can request data on the basis of exceptional necessity. This can only be done if, in an emergency situation, the bodies cannot obtain the data in a proper and timely manner by other means. Bodies may also request non-personal data when such data is necessary for the performance of a specific task in the public interest, such as the compilation of official statistics. These rules will also apply from 12 September 2025. Unfair contractual terms between enterprises Perhaps the most surprising part of the Data Act is the provision on unfair contractual terms. It applies to data-sharing agreements made between enterprises (B2B). In short, the article provides that contractual terms on data are not binding on the other party if the terms have been unilaterally imposed by the provider and are labelled unfair. The article contains a list of provisions that are always unfair (a black list) and a list of provisions that are presumed to be unfair (a grey list). If an enterprise uses a grey list clause, this enterprise must prove that the clause is not unfair. What is striking about the article is that it is set up as a black and grey list between enterprises. Black and grey lists have long existed for general terms and conditions imposed on consumers by enterprises (see, for example, Articles 6:236 and 6:237 of the Civil Code), protecting consumers from unfair general terms and conditions. So now there is a similar list for business-to-business agreements. This provision applies regardless of the size of the enterprises concerned. The obligations in this article cover all contracts and clauses on data access and use concluded between enterprises. Any agreement or provision on data sharing and use will need to take this article into account. The article will often also apply when enterprises enter into contracts between themselves about personal data, such as a joint controller agreement under Article 26 of the General Data Protection Regulation (GDPR). The application of the article is mandatory law. This means that enterprises cannot agree that the article does not apply to their relationship and cannot deviate from it. It is important that enterprises are aware of this article when entering into agreements on (personal) data. For buyers, though, it is important to always try to negotiate the unfair contract terms imposed on them. If no attempt has been made to negotiate the unfair terms, an enterprise cannot invoke the protection of the article. The provision applies to all agreements concluded after 12 September 2025. For some agreements entered into before 13 September 2025, the provision applies from 12 September 2027. This applies to agreements entered into for an indefinite period and those expiring after 11 January 2034. Monitoring and enforcement of the Data Act The Data Act has direct effect in the Dutch legal order, leaving no or limited scope for divergent or additional national rules. For the matters to be regulated nationally, a national Implementation Act is pending. The Regulation gives Member States the freedom to decide themselves which supervisory authority is competent to enforce the Regulation’s provisions. In the Netherlands, the Lower House has yet to vote on the draft Dutch Implementation Act. The current draft Data Regulation Implementation Act designates the Data Protection Authority (AP) and the Consumer and Market Authority (ACM) as supervisors. Conclusion The Data Act will apply in the Netherlands from 12 September 2025. The Data Act creates new rights and obligations for enterprises in particular. In particular, all enterprises will have to be vigilant of the rules on unfair contractual terms when concluding agreements on (personal) data. The AP and the ACM are likely to be designated as supervisors for compliance with the Regulation. The Data Act is not applicable at present. Nevertheless, enterprises are advised to take measures in advance. This will allow timely adaptation of operations to the obligations imposed by the Regulation. Finally More blogs on this topic will follow. Keep an eye on our website for the latest news. This blog originally appeared on Privacy Web. If you have any questions about the Data Act, please contact Jan Baas, Jiahui Plomp or one of our other Data & Privacy specialists. This article was co-authored by Jolijn Gijsen.