keyboard_tab Digital Governance Act 2022/0868 EN
BG CS DA DE EL EN ES ET FI FR GA HR HU IT LV LT MT NL PL PT RO SK SL SV print pdf
- 1 Art. 12 Conditions for providing data intermediation services
- 1 Art. 21 Specific requirements to safeguard rights and interests of data subjects and data holders with regard to their data
- 9 Art. 31 International access and transfer
CHAPTER I
General provisions
CHAPTER II
Re-use of certain categories of protected data held by public sector bodies
CHAPTER III
Requirements applicable to data intermediation services
CHAPTER IV
Data altruism
CHAPTER V
Competent authorities and procedural provisions
CHAPTER VI
European Data Innovation Board
CHAPTER VII
International access and transfer
CHAPTER VIII
Delegation and committee procedure
CHAPTER IX
Final and transitional provisions
- data
- re-use
- personal data
- non-personal data
- consent
- permission
- data subject
- data holder
- data user
- data sharing
- data intermediation service
- processing
- access
- main establishment
- services of data cooperatives
- data altruism
- public sector body
- bodies governed by public law
- public undertaking
- secure processing environment
- legal representative
- data 139
- intermediation 35
- services 35
- shall 34
- provider 21
- recognised 15
- altruism 15
- which 15
- such 14
- organisation 14
- subjects 14
- access 13
- holders 13
- legal 12
- third-country 11
- transfer 10
- union 10
- tools 9
- decision 9
- under 8
- non-personal 8
- processing 8
- take 8
- person 8
- ensure 8
- natural 7
- holder 7
- relevant 7
- request 7
- consent 6
- chapter 6
- the 6
- place 6
- third 5
- granted 5
- measures 5
- judgment 5
- only 5
- storage 5
- user 5
- subject 5
- international 5
- provision 5
- specific 5
- authority 5
- re-use 5
- service 5
- users 5
- public_sector_body 5
- including 5
Article 12
Conditions for providing data intermediation services
The provision of data intermediation services referred in Article 10 shall be subject to the following conditions:
| (a) | the data intermediation services provider shall not use the data for which it provides data intermediation services for purposes other than to put them at the disposal of data users and shall provide data intermediation services through a separate legal person; |
| (b) | the commercial terms, including pricing, for the provision of data intermediation services to a data holder or data user shall not be dependent upon whether the data holder or data user uses other services provided by the same data intermediation services provider or by a related entity, and if so to what degree the data holder or data user uses such other services; |
| (c) | the data collected with respect to any activity of a natural or legal person for the purpose of the provision of the data intermediation service, including the date, time and geolocation data, duration of activity and connections to other natural or legal persons established by the person who uses the data intermediation service, shall be used only for the development of that data intermediation service, which may entail the use of data for the detection of fraud or cybersecurity, and shall be made available to the data holders upon request; |
| (d) | the data intermediation services provider shall facilitate the exchange of the data in the format in which it receives it from a data subject or a data holder, shall convert the data into specific formats only to enhance interoperability within and across sectors or if requested by the data user or where mandated by Union law or to ensure harmonisation with international or European data standards and shall offer an opt-out possibility regarding those conversions to data subjects or data holders, unless the conversion is mandated by Union law; |
| (e) | data intermediation services may include offering additional specific tools and services to data holders or data subjects for the specific purpose of facilitating the exchange of data, such as temporary storage, curation, conversion, anonymisation and pseudonymisation, such tools being used only at the explicit request or approval of the data holder or data subject and third-party tools offered in that context not being used for other purposes; |
| (f) | the data intermediation services provider shall ensure that the procedure for access to its service is fair, transparent and non-discriminatory for both data subjects and data holders, as well as for data users, including with regard to prices and terms of service; |
| (g) | the data intermediation services provider shall have procedures in place to prevent fraudulent or abusive practices in relation to parties seeking access through its data intermediation services; |
| (h) | the data intermediation services provider shall, in the event of its insolvency, ensure a reasonable continuity of the provision of its data intermediation services and, where such data intermediation services ensure the storage of data, shall have mechanisms in place to allow data holders and data users to obtain access to, to transfer or to retrieve their data and, where such data intermediation services are provided between data subjects and data users, to allow data subjects to exercise their rights; |
| (i) | the data intermediation services provider shall take appropriate measures to ensure interoperability with other data intermediation services, inter alia, by means of commonly used open standards in the sector in which the data intermediation services provider operates; |
| (j) | the data intermediation services provider shall put in place adequate technical, legal and organisational measures in order to prevent the transfer of or access to non-personal data that is unlawful under Union law or the national law of the relevant Member State; |
| (k) | the data intermediation services provider shall without delay inform data holders in the event of an unauthorised transfer, access or use of the non-personal data that it has shared; |
| (l) | the data intermediation services provider shall take necessary measures to ensure an appropriate level of security for the storage, processing and transmission of non-personal data, and the data intermediation services provider shall further ensure the highest level of security for the storage and transmission of competitively sensitive information; |
| (m) | the data intermediation services provider offering services to data subjects shall act in the data subjects’ best interest where it facilitates the exercise of their rights, in particular by informing and, where appropriate, advising data subjects in a concise, transparent, intelligible and easily accessible manner about intended data uses by data users and standard terms and conditions attached to such uses before data subjects give consent; |
| (n) | where a data intermediation services provider provides tools for obtaining consent from data subjects or permissions to process data made available by data holders, it shall, where relevant, specify the third-country jurisdiction in which the data use is intended to take place and provide data subjects with tools to both give and withdraw consent and data holders with tools to both give and withdraw permissions to process data; |
| (o) | the data intermediation services provider shall maintain a log record of the data intermediation activity. |
Article 21
Specific requirements to safeguard rights and interests of data subjects and data holders with regard to their data
1. A recognised data altruism organisation shall inform data subjects or data holders prior to any processing of their data in a clear and easily comprehensible manner of:
| (a) | the objectives of general interest and, if applicable, the specified, explicit and legitimate purpose for which personal data is to be processed, and for which it permits the processing of their data by a data user; |
| (b) | the location of and the objectives of general interest for which it permits any processing carried out in a third country, where the processing is carried out by the recognised data altruism organisation. |
2. The recognised data altruism organisation shall not use the data for other objectives than those of general interest for which the data subject or data holder allows the processing. The recognised data altruism organisation shall not use misleading marketing practices to solicit the provision of data.
3. The recognised data altruism organisation shall provide tools for obtaining consent from data subjects or permissions to process data made available by data holders. The recognised data altruism organisation shall also provide tools for easy withdrawal of such consent or permission.
4. The recognised data altruism organisation shall take measures to ensure an appropriate level of security for the storage and processing of non-personal data that it has collected based on data altruism.
5. The recognised data altruism organisation shall, without delay, inform data holders in the event of any unauthorised transfer, access or use of the non-personal data that it has shared.
6. Where the recognised data altruism organisation facilitates data processing by third parties, including by providing tools for obtaining consent from data subjects or permissions to process data made available by data holders, it shall, where relevant, specify the third-country jurisdiction in which the data use is intended to take place.
Article 31
International access and transfer
1. The public_sector_body, the natural or legal person to which the right to re-use data was granted under Chapter II, the data intermediation services provider or the recognised data altruism organisation shall take all reasonable technical, legal and organisational measures, including contractual arrangements, in order to prevent international transfer or governmental access to non-personal data held in the Union where such transfer or access would create a conflict with Union law or the national law of the relevant Member State, without prejudice to paragraph 2 or 3.
2. Any decision or judgment of a third-country court or tribunal and any decision of a third-country administrative authority requiring a public_sector_body, a natural or legal person to which the right to re-use data was granted under Chapter II, a data intermediation services provider or recognised data altruism organisation to transfer or give access to non-personal data within the scope of this Regulation held in the Union shall be recognised or enforceable in any manner only if based on an international agreement, such as a mutual legal assistance treaty, in force between the requesting third country and the Union or any such agreement between the requesting third country and a Member State.
3. In the absence of an international agreement as referred to in paragraph 2 of this Article, where a public_sector_body, a natural or legal person to which the right to re-use data was granted under Chapter II, a data intermediation services provider or recognised data altruism organisation is the addressee of a decision or judgment of a third-country court or tribunal or a decision of a third-country administrative authority to transfer or give access to non-personal data within the scope of this Regulation held in the Union and compliance with such a decision would risk putting the addressee in conflict with Union law or with the national law of the relevant Member State, transfer to or access to such data by that third-country authority shall take place only where:
| (a) | the third-country system requires the reasons and proportionality of such a decision or judgment to be set out and requires such a decision or judgment to be specific in character, for instance by establishing a sufficient link to certain suspected persons or infringements; |
| (b) | the reasoned objection of the addressee is subject to a review by a competent third-country court or tribunal; and |
| (c) | the competent third-country court or tribunal issuing the decision or judgment or reviewing the decision of an administrative authority is empowered under the law of that third country to take duly into account the relevant legal interests of the provider of the data protected under Union law or the national law of the relevant Member State. |
4. If the conditions laid down in paragraph 2 or 3 are met, the public_sector_body, the natural or legal person to which the right to re-use data was granted under Chapter II, the data intermediation services provider or the recognised data altruism organisation shall provide the minimum amount of data permissible in response to a request, based on a reasonable interpretation of the request.
5. The public_sector_body, the natural or legal person to which the right to re-use data was granted under Chapter II, the data intermediation services provider and the recognised data altruism organisation shall inform the data holder about the existence of a request of a third-country administrative authority to access its data before complying with that request, except where the request serves law enforcement purposes and for as long as this is necessary to preserve the effectiveness of the law enforcement activity.
CHAPTER VIII
Delegation and committee procedure
whereas