keyboard_tab Digital Governance Act 2022/0868 EN
BG CS DA DE EL EN ES ET FI FR GA HR HU IT LV LT MT NL PL PT RO SK SL SV print pdf
- 1 Art. 8 Single information points
- 5 Art. 11 Notification by data intermediation services providers
- 1 Art. 14 Monitoring of compliance
- 6 Art. 17 Public registers of recognised data altruism organisations
- 1 Art. 18 General requirements for registration
- 10 Art. 19 Registration of recognised data altruism organisations
- 1 Art. 23 Competent authorities for the registration of data altruism organisations
- 2 Art. 24 Monitoring of compliance
- 1 Art. 35 Evaluation and review
- 1 Art. 36 Amendment to Regulation (EU) 2018/1724
CHAPTER I
General provisions
CHAPTER II
Re-use of certain categories of protected data held by public sector bodies
CHAPTER III
Requirements applicable to data intermediation services
CHAPTER IV
Data altruism
CHAPTER V
Competent authorities and procedural provisions
CHAPTER VI
European Data Innovation Board
CHAPTER VII
International access and transfer
CHAPTER VIII
Delegation and committee procedure
CHAPTER IX
Final and transitional provisions
- data
- re-use
- personal data
- non-personal data
- consent
- permission
- data subject
- data holder
- data user
- data sharing
- data intermediation service
- processing
- access
- main establishment
- services of data cooperatives
- data altruism
- public sector body
- bodies governed by public law
- public undertaking
- secure processing environment
- legal representative
- data 169
- shall 89
- intermediation 89
- services 86
- altruism 62
- competent 62
- organisations 49
- registration 47
- authority 41
- information 38
- recognised 36
- provider 31
- article 29
- public 25
- notification 24
- register 24
- member state 23
- referred 23
- which 22
- entity 21
- request 20
- union 20
- authorities 20
- the 19
- legal_representative 19
- commission 18
- national 18
- compliance 17
- paragraph 14
- requirements 14
- providers 13
- relevant 13
- notify 13
- such 12
- regulation 12
- member states 11
- single 11
- point 10
- organisation 10
- under 10
- without 10
- points 9
- chapter 9
- activities 9
- accordance 9
- confirmation 9
- provided 9
- from 9
- receipt 9
- legal 8
Article 8
Single information points
1. Member States shall ensure that all relevant information concerning the application of Articles 5 and 6 is available and easily accessible through a single information point. Member States shall establish a new body or designate an existing body or structure as the single information point. The single information point may be linked to sectoral, regional or local information points. The functions of the single information point may be automated provided that the public_sector_body ensures adequate support.
2. The single information point shall be competent to receive enquiries or requests for the re-use of the categories of data referred to in Article 3(1) and shall transmit them, where possible and appropriate by automated means, to the competent public sector bodies, or the competent bodies referred to in Article 7(1), where relevant. The single information point shall make available by electronic means a searchable asset list containing an overview of all available data resources including, where relevant, those data resources that are available at sectoral, regional or local information points, with relevant information describing the available data, including at least the data format and size and the conditions for their re-use.
3. The single information point may establish a separate, simplified and well-documented information channel for SMEs and start-ups, addressing their needs and capabilities in requesting the re-use of the categories of data referred to in Article 3(1).
4. The Commission shall establish a European single access point offering a searchable electronic register of data available in the national single information points and further information on how to request data via those national single information points.
Article 11
Notification by data intermediation services providers
1. Any data intermediation services provider who intends to provide the data intermediation services referred to in Article 10 shall submit a notification to the competent authority for data intermediation services.
2. For the purposes of this Regulation, a data intermediation services provider with establishments in more than one Member State shall be deemed to be under the jurisdiction of the Member State in which it has its main_establishment, without prejudice to Union law regulating cross-border actions for damages and related proceedings.
3. A data intermediation services provider that is not established in the Union, but which offers the data intermediation services referred to in Article 10 within the Union, shall designate a legal_representative in one of the Member States in which those services are offered.
For the purpose of ensuring compliance with this Regulation, the legal_representative shall be mandated by the data intermediation services provider to be addressed in addition to or instead of it by competent authorities for data intermediation services or data subjects and data holders, with regard to all issues related to the data intermediation services provided. The legal_representative shall cooperate with and comprehensively demonstrate to the competent authorities for data intermediation services, upon request, the actions taken and provisions put in place by the data intermediation services provider to ensure compliance with this Regulation.
The data intermediation services provider shall be deemed to be under the jurisdiction of the Member State in which the legal_representative is located. The designation of a legal_representative by the data intermediation services provider shall be without prejudice to any legal actions which could be initiated against the data intermediation services provider.
4. After having submitted a notification in accordance with paragraph 1, the data intermediation services provider may start the activity subject to the conditions laid down in this Chapter.
5. The notification referred to in paragraph 1 shall entitle the data intermediation services provider to provide data intermediation services in all Member States.
6. The notification referred to in paragraph 1 shall include the following information:
| (a) | the name of the data intermediation services provider; |
| (b) | the data intermediation services provider’s legal status, form, ownership structure, relevant subsidiaries and, where the data intermediation services provider is registered in a trade or other similar public national register, registration number; |
| (c) | the address of the data intermediation services provider’s main_establishment in the Union, if any, and, where applicable, of any secondary branch in another Member State or that of the legal_representative; |
| (d) | a public website where complete and up-to-date information on the data intermediation services provider and the activities can be found, including as a minimum the information referred to in points (a), (b), (c) and (f); |
| (e) | the data intermediation services provider’s contact persons and contact details; |
| (f) | a description of the data intermediation service the data intermediation services provider intends to provide, and an indication of the categories listed in Article 10 under which such data intermediation service falls; |
| (g) | the estimated date for starting the activity, if different from the date of the notification. |
7. The competent authority for data intermediation services shall ensure that the notification procedure is non-discriminatory and does not distort the competition.
8. At the request of the data intermediation services provider, the competent authority for data intermediation services shall, within one week of a duly and fully completed notification, issue a standardised declaration, confirming that the data intermediation services provider has submitted the notification referred to in paragraph 1 and that the notification contains the information referred to in paragraph 6.
9. At the request of the data intermediation services provider, the competent authority for data intermediation services shall confirm that the data intermediation services provider complies with this Article and Article 12. Upon receipt of such a confirmation, that data intermediation services provider may use the label ‘ data intermediation services provider recognised in the Union’ in its written and spoken communication, as well as a common logo.
In order to ensure that data intermediation services providers recognised in the Union are easily identifiable throughout the Union, the Commission shall, by means of implementing acts, establish a design for the common logo. Data intermediation services providers recognised in the Union shall display the common logo clearly on every online and offline publication that relates to their data intermediation activities.
Those implementing acts shall be adopted in accordance with the advisory procedure referred to in Article 33(2).
10. The competent authority for data intermediation services shall notify the Commission of each new notification by electronic means without delay. The Commission shall keep and regularly update a public register of all data intermediation services providers providing their services in the Union. The information referred to in paragraph 6, points (a), (b), (c), (d), (f) and (g), shall be published in the public register.
11. The competent authority for data intermediation services may charge fees for the notification in accordance with national law. Such fees shall be proportionate and objective and be based on the administrative costs related to the monitoring of compliance and other market control activities of the competent authority for data intermediation services in relation to notifications of data intermediation services providers. In the case of SMEs and start-ups, the competent authority for data intermediation services may charge a discounted fee or waive the fee.
12. Data intermediation services providers shall notify the competent authority for data intermediation services of any changes to the information provided pursuant to paragraph 6 within 14 days of the date of the change.
13. Where a data intermediation services provider ceases its activities, it shall notify the relevant competent authority for data intermediation services determined pursuant to paragraphs 1, 2 and 3 within 15 days.
14. The competent authority for data intermediation services shall notify the Commission of each notification referred to in paragraphs 12 and 13 by electronic means without delay. The Commission shall update the public register of the data intermediation services providers in the Union accordingly.
Article 14
Monitoring of compliance
1. The competent authorities for data intermediation services shall monitor and supervise compliance of data intermediation services providers with the requirements of this Chapter. The competent authorities for data intermediation services may also monitor and supervise the compliance of data intermediation services providers, on the basis of a request by a natural or legal person.
2. The competent authorities for data intermediation services shall have the power to request from data intermediation services providers or their legal_representatives all the information that is necessary to verify compliance with the requirements of this Chapter. Any request for information shall be proportionate to the performance of the task and shall be reasoned.
3. Where the competent authority for data intermediation services finds that a data intermediation services provider does not comply with one or more of the requirements of this Chapter, it shall notify that data intermediation services provider of those findings and give it the opportunity to state its views, within 30 days of the receipt of the notification.
4. The competent authority for data intermediation services shall have the power to require the cessation of the infringement referred to in paragraph 3 within a reasonable time limit or immediately in the case of a serious infringement and shall take appropriate and proportionate measures with the aim of ensuring compliance. In that regard, the competent authority for data intermediation services shall have the power, where appropriate:
| (a) | to impose, through administrative procedures, dissuasive financial penalties, which may include periodic penalties and penalties with retroactive effect, to initiate legal proceedings for the imposition of fines, or both; |
| (b) | to require a postponement of the commencement or a suspension of the provision of the data intermediation service until any changes to the conditions requested by the competent authority for data intermediation services have been made; or |
| (c) | to require the cessation of the provision of the data intermediation service in the event that serious or repeated infringements have not been remedied despite prior notification in accordance with paragraph 3. |
The competent authority for data intermediation services shall request the Commission to remove the data intermediation services provider from the register of data intermediation services providers once it has ordered the cessation of the provision of the data intermediation service in accordance with the first subparagraph, point (c).
If a data intermediation services provider remedies infringements, that data intermediation services provider shall re-notify the competent authority for data intermediation services. The competent authority for data intermediation services shall notify the Commission of each new re-notification.
5. Where a data intermediation services provider that is not established in the Union fails to designate a legal_representative or the legal_representative fails, upon request of the competent authority for data intermediation services, to provide the necessary information that comprehensively demonstrates compliance with this Regulation, the competent authority for data intermediation services shall have the power to postpone the commencement of or to suspend the provision of the data intermediation service until the legal_representative is designated or the necessary information is provided.
6. The competent authorities for data intermediation services shall notify the data intermediation services provider concerned of the measures imposed pursuant to paragraphs 4 and 5 and the reasons on which they are based, as well as the necessary steps to be taken to rectify the relevant shortcomings, without delay, and shall stipulate a reasonable period, which shall not be longer than 30 days, for the data intermediation services provider to comply with those measures.
7. If a data intermediation services provider has its main_establishment or its legal_representative in a Member State but provides services in other Member States, the competent authority for data intermediation services of the Member State of the main_establishment or where the legal_representative is located and the competent authorities for data intermediation services of those other Member States shall cooperate and assist each other. Such assistance and cooperation may cover information exchanges between the competent authorities for data intermediation services concerned for the purposes of their tasks under this Regulation and reasoned requests to take the measures referred to in this Article.
Where a competent authority for data intermediation services in one Member State requests assistance from a competent authority for data intermediation services in another Member State, it shall submit a reasoned request. The competent authority for data intermediation services shall, upon such a request, provide a response without delay and within a timeframe proportionate to the urgency of the request.
Any information exchanged in the context of assistance requested and provided under this paragraph shall be used only in respect of the matter for which it was requested.
Article 17
Public registers of recognised data altruism organisations
1. Each competent authority for the registration of data altruism organisations shall keep and regularly update a public national register of recognised data altruism organisations.
2. The Commission shall maintain a public Union register of recognised data altruism organisations for information purposes. Provided that an entity is registered in the public national register of recognised data altruism organisations in accordance with Article 18, it may use the label ‘ data altruism organisation recognised in the Union’ in its written and spoken communication, as well as a common logo.
In order to ensure that recognised data altruism organisations are easily identifiable throughout the Union, the Commission shall, by means of implementing acts, establish a design for the common logo. Recognised data altruism organisations shall display the common logo clearly on every online and offline publication that relates to their data altruism activities. The common logo shall be accompanied by a QR code with a link to the public Union register of recognised data altruism organisations.
Those implementing acts shall be adopted in accordance with the advisory procedure referred to in Article 33(2).
Article 18
General requirements for registration
In order to qualify for registration in a public national register of recognised data altruism organisations, an entity shall:
| (a) | carry out data altruism activities; |
| (b) | be a legal person established pursuant to national law to meet objectives of general interest as provided for in national law, where applicable; |
| (c) | operate on a not-for-profit basis and be legally independent from any entity that operates on a for-profit basis; |
| (d) | carry out its data altruism activities through a structure that is functionally separate from its other activities; |
| (e) | comply with the rulebook referred to Article 22(1), at the latest 18 months after the date of entry into force of the delegated acts referred to in that paragraph. |
Article 19
Registration of recognised data altruism organisations
1. An entity which meets the requirements of Article 18 may submit an application for registration in the public national register of recognised data altruism organisations in the Member State in which it is established.
2. An entity which meets the requirements of Article 18 and has establishments in more than one Member State may submit an application for registration in the public national register of recognised data altruism organisations in the Member State in which it has its main_establishment.
3. An entity which meets the requirements of Article 18 but which is not established in the Union shall designate a legal_representative in one of the Member States in which the data altruism services are offered.
For the purpose of ensuring compliance with this Regulation, the legal_representative shall be mandated by the entity to be addressed in addition to or instead of it by competent authorities for the registration of data altruism organisations or data subjects and data holders, with regard to all issues related to that entity. The legal_representative shall cooperate with and comprehensively demonstrate to the competent authorities for the registration of data altruism organisations, upon request, the actions taken and provisions put in place by the entity to ensure compliance with this Regulation.
The entity shall be deemed to be under the jurisdiction of the Member State in which the legal_representative is located. Such an entity may submit an application for registration in the public national register of recognised data altruism organisations in that Member State. The designation of a legal_representative by the entity shall be without prejudice to any legal actions which could be initiated against the entity.
4. Applications for registration referred to in paragraphs 1, 2 and 3 shall contain the following information:
| (a) | the name of the entity; |
| (b) | the entity’s legal status, form and, where the entity is registered in a public national register, registration number; |
| (c) | the statutes of the entity, where appropriate; |
| (d) | the entity’s sources of income; |
| (e) | the address of the entity’s main_establishment in the Union, if any, and, where applicable, any secondary branch in another Member State or that of the legal_representative; |
| (f) | a public website where complete and up-to-date information on the entity and the activities can be found, including as a minimum the information referred to in points (a), (b), (d), (e) and (h); |
| (g) | the entity’s contact persons and contact details; |
| (h) | the objectives of general interest it intends to promote when collecting data; |
| (i) | the nature of the data that the entity intends to control or process, and, in the case of personal data, an indication of the categories of personal data; |
| (j) | any other documents which demonstrate that the requirements of Article 18 are met. |
5. Where the entity has submitted all necessary information pursuant to paragraph 4 and after the competent authority for the registration of data altruism organisations has evaluated the application for registration and found that the entity complies with the requirements of Article 18, it shall register the entity in the public national register of recognised data altruism organisations within 12 weeks after the receipt of the application for registration. The registration shall be valid in all Member States.
The competent authority for the registration of data altruism organisations shall notify the Commission of any registration. The Commission shall include that registration in the public Union register of recognised data altruism organisations.
6. The information referred to in paragraph 4, points (a), (b), (f), (g) and (h), shall be published in the relevant public national register of recognised data altruism organisations.
7. A recognised data altruism organisation shall notify the relevant competent authority for the registration of data altruism organisations of any changes to the information provided pursuant to paragraph 4 within 14 days of the date of the change.
The competent authority for the registration of data altruism organisations shall notify the Commission of each such notification by electronic means without delay. Based on such a notification, the Commission shall update the public Union register of recognised data altruism organisations without delay.
Article 23
Competent authorities for the registration of data altruism organisations
1. Each Member State shall designate one or more competent authorities responsible for its public national register of recognised data altruism organisations.
The competent authorities for the registration of data altruism organisations shall comply with the requirements set out in Article 26.
2. Each Member State shall notify the Commission of the identity of their competent authorities for the registration of data altruism organisations by 24 September 2023. Each Member State shall also notify the Commission of any subsequent change to the identity of those competent authorities.
3. The competent authority for the registration of data altruism organisations of a Member State shall undertake its tasks in cooperation with the relevant data protection authority, where such tasks are related to processing of personal data, and with relevant sectoral authorities of that Member State.
Article 24
Monitoring of compliance
1. The competent authorities for the registration of data altruism organisations shall monitor and supervise compliance of recognised data altruism organisations with the requirements laid down in this Chapter. The competent authority for the registration of data altruism organisations may also monitor and supervise the compliance of such recognised data altruism organisations, on the basis of a request by a natural or legal person.
2. The competent authorities for the registration of data altruism organisations shall have the power to request information from recognised data altruism organisations that is necessary to verify compliance with the requirements of this Chapter. Any request for information shall be proportionate to the performance of the task and shall be reasoned.
3. Where the competent authority for the registration of data altruism organisations finds that a recognised data altruism organisation does not comply with one or more of the requirements of this Chapter, it shall notify the recognised data altruism organisation of those findings and give it the opportunity to state its views within 30 days of the receipt of the notification.
4. The competent authority for the registration of data altruism organisations shall have the power to require the cessation of the infringement referred to in paragraph 3 either immediately or within a reasonable time limit and shall take appropriate and proportionate measures with the aim of ensuring compliance.
5. If a recognised data altruism organisation does not comply with one or more of the requirements of this Chapter even after having been notified in accordance with paragraph 3 by the competent authority for the registration of data altruism organisations, that recognised data altruism organisation shall:
| (a) | lose its right to use the label ‘ data altruism organisation recognised in the Union’ in any written and spoken communication; |
| (b) | be removed from the relevant public national register of recognised data altruism organisations and the public Union register of recognised data altruism organisations. |
Any decision revoking the right to use the label ‘ data altruism organisation recognised in the Union’ under the first subparagraph, point (a), shall be made public by the competent authority for the registration of data altruism organisations.
6. If a recognised data altruism organisation has its main_establishment or its legal_representative in a Member State but is active in other Member States, the competent authority for the registration of data altruism organisations of the Member State of the main_establishment or where the legal_representative is located and the competent authorities for the registration of data altruism organisations of those other Member States shall cooperate and assist each other. Such assistance and cooperation may cover information exchanges between the competent authorities for the registration of data altruism organisations concerned for the purposes of their tasks under this Regulation and reasoned requests to take the measures referred to in this Article.
Where a competent authority for the registration of data altruism organisations in one Member State requests assistance from a competent authority for the registration of data altruism organisations in another Member State, it shall submit a reasoned request. The competent authority for the registration of data altruism organisations shall, upon such a request, provide a response without delay and within a timeframe proportionate to the urgency of the request.
Any information exchanged in the context of assistance requested and provided under this paragraph shall be used only in respect of the matter for which it was requested.
Article 35
Evaluation and review
By 24 September 2025, the Commission shall carry out an evaluation of this Regulation and submit a report on its main findings to the European Parliament and to the Council as well as to the European Economic and Social Committee. The report shall be accompanied, where necessary, by legislative proposals.
The report shall assess, in particular:
| (a) | the application and functioning of the rules on penalties laid down by the Member States pursuant to Article 34; |
| (b) | the level of compliance of the legal_representatives of data intermediation services providers and recognised data altruism organisations that are not established in the Union with this Regulation and the level of enforceability of penalties imposed on those providers and organisations; |
| (c) | the type of data altruism organisations registered under Chapter IV and an overview of the objectives of general interests for which data are shared in view of establishing clear criteria in that respect. |
Member States shall provide the Commission with the information necessary for the preparation of that report.
Article 36
Amendment to Regulation (EU) 2018/1724
In the table in Annex II to Regulation (EU) 2018/1724, the entry ‘Starting, running and closing a business’ is replaced by the following:
| Life events | Procedures | Expected output subject to an assessment of the application by the competent authority in accordance with national law, where relevant |
| Starting, running and closing a business | Notification of business activity, permission for exercising a business activity, changes of business activity and the termination of a business activity not involving insolvency or liquidation procedures, excluding the initial registration of a business activity with the business register and excluding procedures concerning the constitution of or any subsequent filing by companies or firms within the meaning of the second paragraph of Article 54 TFEU | Confirmation of the receipt of notification or change, or of the request for permission for business activity |
|
| Registration of an employer (a natural person) with compulsory pension and insurance schemes | Confirmation of registration or social security registration number |
| Registration of employees with compulsory pension and insurance schemes | Confirmation of registration or social security registration number | |
| Submitting a corporate tax declaration | Confirmation of the receipt of the declaration | |
| Notification to the social security schemes of the end of contract with an employee, excluding procedures for the collective termination of employee contracts | Confirmation of the receipt of the notification | |
| Payment of social contributions for employees | Receipt or other form of confirmation of payment of social contributions for employees | |
| Notification of a data intermediation services provider | Confirmation of the receipt of notification | |
| Registration as a data altruism organisation recognised in the Union | Confirmation of the registration |
whereas