Understanding Sui Generis Database Rights in the UK

If your business has invested time and money in building a customer list, product catalogue, pricing database, or a unique dataset that underpins your operations, you’ll want to protect it.

That’s where the UK’s “sui generis” database right comes in. It’s a powerful, but often misunderstood, intellectual property right that can stop competitors from extracting or reusing your data without permission.

In this guide, we’ll explain what the sui generis database right is, when it applies to small businesses, how it sits alongside GDPR and other laws, and practical steps to protect and monetise your data assets from day one.

What Is Sui Generis Database Right In The UK?

The sui generis database right is a UK IP right created by the Copyright and Rights in Databases Regulations 1997. It protects databases where there has been a “substantial investment” in obtaining, verifying or presenting the contents.

Think of it as protection for the “sweat of the brow” that goes into building and maintaining a database, even if the data itself isn’t original enough for copyright.

What Counts As A “Database”?

It’s broader than you might expect. A database is any collection of independent works, data or other materials arranged in a systematic or methodical way and individually accessible by electronic or other means. That can include:

• A structured CRM or customer list
• Product and pricing catalogues
• Event schedules or listings
• A SaaS platform’s curated dataset
• Aggregated market, property or recruitment data
• A carefully organised set of reviews or ratings

How Is It Different From Copyright?

Copyright in databases protects “original selection or arrangement” (creative choices about how content is selected or ordered). The sui generis database right, by contrast, protects the substantial investment in the contents themselves-even if there’s little creative flair.

Many databases enjoy both forms of protection, but they protect different things and can be infringed in different ways.

Post-Brexit Snapshot

The UK retains the sui generis right, but eligibility is now tied to UK (or qualifying) nationality or establishment. UK makers no longer automatically qualify for the EU’s equivalent right and vice versa. If your marketplace or user base spans the UK and EU, you’ll need a deliberate strategy that considers both regimes.

Do You Own A Protectable Database?

You’ll have a sui generis database right if, broadly, you (as the database “maker”) can show substantial investment in obtaining, verifying or presenting the contents.

Substantial Investment: What Does It Look Like In Practice?

Courts look at both quantitative and qualitative investment. For small businesses, that can include:

• Labour and cost spent collecting and cleaning data (e.g. sourcing supplier details, manually vetting leads)
• Verification and quality assurance processes to keep data accurate and up-to-date
• Technical spend on building the structure that makes items individually accessible (e.g. searchable fields, tagging, API endpoints)
• Ongoing curation or moderation to uphold reliability

Tip: Document the effort. Keep time logs, invoices, sprint tickets and change logs. Good records help prove your investment if you ever need to enforce your rights.

Who Is The “Maker” And Who Owns The Right?

The “maker” is the person or company that takes the initiative and assumes the risk in obtaining, verifying or presenting the contents. In a typical SME, that’s the company itself rather than an individual employee.

Where employees build the database in the course of their employment, ownership ordinarily sits with the employer. If you rely on freelancers or suppliers, get ownership and licensing nailed down in writing-don’t assume. If in doubt, use a clear Non-Disclosure Agreement during scoping and make sure your services contracts address database IP expressly.

How Long Does Protection Last?

The sui generis right lasts 15 years from completion of the database. Importantly, a “substantial change” to the contents that amounts to a further substantial investment can restart the 15‑year clock. If you’re continuously curating and expanding a live dataset, protection can effectively roll forward with each qualifying reinvestment.

What Rights Do You Get And When Is There Infringement?

The right lets you control two key acts in relation to the whole or a substantial part of the contents of your database:

• Extraction – permanent or temporary transfer of the contents to another medium by any means or in any form (e.g. scraping, copying, downloading)
• Re-utilisation – making the contents available to the public (e.g. publishing or selling the data, sharing via an API, or posting it online)

What Is A “Substantial Part”?

“Substantial” can be quantitative (a large portion of the data) or qualitative (the “crown jewels” that reflect a large segment of your investment). Importantly, repeated and systematic extraction of insubstantial parts can still infringe if it amounts to reconstituting a substantial part over time.

Typical Infringement Scenarios For SMEs

• A competitor scrapes your product listings and prices to seed their own catalogue
• A marketplace partner exports your full customer list in breach of your terms
• A former contractor duplicates your curated dataset to start a rival venture
• A third party republishes your location listings (or ratings) en masse

Defences And Exceptions

There are limited exceptions (for example, some uses for public security, or lawful users extracting insubstantial parts for permitted purposes). Contract terms can also shape what “lawful users” may do. That’s why you should pair database rights with strong, clear terms of use that prohibit scraping, bulk export and compilation for competitive purposes.

Practical Ways To Protect And Monetise Your Database

Legal rights are one part of the picture. Combine them with smart contracts, technical controls and commercial strategy to reduce risk and unlock value.

1) Use Contracts To Control Access And Use

• Confidentiality first: when discussing access to non-public datasets, require an executed Non-Disclosure Agreement before sharing samples or schema.
• Set the rules: if your database is surfaced through a website, put robust Website Terms and Conditions in place that explicitly ban scraping, bulk extraction and competitive reuse.
• For SaaS delivery: ensure your SaaS Terms cover permitted use, API limits, attribution, derivative data, and consequences for breach (suspension, termination, liquidated damages).
• Licensing model: if you license data to clients or partners, use a tailored IP Licence that defines scope (territory, users, fields of use), redistribution rules, audit rights, and pricing tiers for volume or refresh frequency.

2) Build Technical And Operational Defences

• Implement rate limiting, bot detection and anti-scraping measures (e.g., CAPTCHAs, rotating tokens, watermark “honeypot” entries)
• Deliver data via authenticated APIs with granular scopes and revocation
• Seed and track traceable data to spot leaks and prove source
• Use versioning and logs to evidence your ongoing verification and updates (supports “substantial investment”)

3) Make Your Investment Provable

Maintain a paper trail: internal policies, data collection playbooks, QA checklists, vendor invoices, engineering tickets and update journals. If a dispute arises, you’ll need to show what you put in and when.

4) Choose The Right Monetisation Route

• Subscriptions for access to live data feeds or periodic refreshes
• Tiered licences for different use cases (internal use vs redistribution)
• Value-add analytics that lean on your database but deliver insights, not raw data
• “Freemium” public excerpts with clear prohibitions on reuse beyond fair access

5) Align Employment And Contractor Terms

Make sure employment and contractor agreements say that any databases created in the course of work belong to your business, and that credentials, exports and backups must be returned or deleted on exit. Tie this back to confidentiality, restrictive covenants and post-termination obligations.

How Database Rights Interact With GDPR And Other Laws

Most commercial databases include personal data. That means your IP strategy needs to sit comfortably alongside UK data protection law.

UK GDPR And The Data Protection Act 2018

If your database contains personal data, you must have a lawful basis, comply with transparency and security obligations, and respect data subject rights. At a minimum, publish a clear, accurate Privacy Policy that tells people what you collect, why, and how long you keep it.

Where you share personal data with vendors or clients, put the right contracts in place:

• With processors handling personal data for you (e.g. hosting, enrichment): a tailored Data Processing Agreement with UK GDPR Article 28 clauses
• Between independent controllers (e.g. data collaborations): a clear data sharing arrangement setting roles, purposes and responsibilities

Data Subject Rights And Internal Readiness

Be prepared to handle access, deletion and objection requests that relate to your database. Map your data, set retention periods, and train staff on response timelines. If you need a refresher, it’s worth revisiting your process for handling a subject access request from start to finish.

Competition, Contract And Confidentiality

Database rights don’t override competition law-avoid licensing terms that unfairly restrict markets. At the same time, contract is your friend: clear usage terms and confidentiality provisions fill gaps and make enforcement cleaner. For non-public datasets, traditional confidentiality and trade secret protections may apply even where database rights are uncertain.

Territory And Cross-Border Issues

UK sui generis rights protect you in the UK. If your dataset is used or distributed in the EU, consider parallel measures (contract terms, technical controls, and-if eligible-EU database right via an EU-established entity). For global licensing, geo-fence access where appropriate and craft jurisdiction clauses with care.

Enforcing Database Rights: A Sensible Action Plan

You don’t need to jump straight into litigation. A measured approach often resolves issues quickly and cost‑effectively.

1) Spot The Issue And Preserve Evidence

• Collect URLs, screenshots, API logs, export timestamps and change diffs
• Record how much of your database has been taken (quantitative and qualitative)
• Note the damage: lost sales, undercut pricing, server strain, reputational harm

2) Check Your Rights And Contracts

Confirm that your dataset qualifies (substantial investment), that you own the right, and whether your Website Terms and Conditions, SaaS Terms or licence agreements were in place and accepted. Contract breaches can provide faster, clearer remedies alongside database right claims.

3) Send A Clear, Proportionate Letter

A well-crafted letter before action can demand removal, deletion of copies, undertakings not to repeat, and compensation or an account of profits. Include evidence, specify deadlines, and state the legal bases (sui generis right, copyright if relevant, breach of contract, passing off if applicable).

4) Consider Settlement And Future-Proofing

In many cases, you’ll want practical commitments (takedown, purge, audit rights) documented in a binding settlement instrument with appropriate releases and confidentiality. If commercial terms make sense, you might convert a dispute into a paid licence on your terms.

5) Escalate If Needed

If the matter doesn’t resolve, you can seek injunctions and damages in the courts. Because evidence of “substantial investment” and “substantial part” is key, preparation pays off. This is also where expert advice can make the difference between a swift result and a drawn-out dispute.

Practical Red Flags To Watch

• Sudden spikes in traffic consistent with scraping activity
• Clients asking for unrestricted export capabilities outside scope
• Former staff or contractors launching suspiciously familiar offerings
• Marketplaces mirroring your listings without attribution or consent

Common Small Business Scenarios

• Ecommerce: curated product specs and pricing-deploy strong terms and anti-scraping, and license feeds instead of “open” bulk access
• SaaS: user-generated and curated operational data-pin down ownership, derivative data rights and API scope in your SaaS Terms
• Lead brokers: verified lead lists-use layered protection (NDA, limited-use licence, watermarking, seeded entries to trace leaks)
• Market intelligence: aggregated public data-database rights can still bite if your investment in verification/presentation is substantial

Key Takeaways

• The sui generis database right protects substantial investment in collecting, verifying and presenting database contents-separate from copyright.
• SMEs often qualify: curated customer lists, product catalogues, SaaS datasets and verified lead lists can all be protected when built with real effort and spend.
• Infringement includes extraction or re-utilisation of all or a substantial part-and repeated scraping of small parts can still infringe.
• Pair legal rights with practical tools: use a Non-Disclosure Agreement, robust Website Terms and Conditions, clear SaaS Terms and a tailored IP Licence for paid access.
• If your database includes personal data, comply with UK GDPR: publish a transparent Privacy Policy, put a Data Processing Agreement in place where required, and be ready to meet SAR timelines.
• For enforcement, preserve evidence early and start with a proportionate letter before action. Many disputes settle quickly with the right approach.
• Because details are fact-specific (especially around “substantial investment”), getting tailored advice before you share or license your dataset is a smart move.

If you’d like help protecting or licensing your database, or you need support responding to scraping or misuse, you can reach us on 08081347754 or team@sprintlaw.co.uk for a free, no-obligations chat.