search

keyboard_tab Digital Governance Act 2022/0868 EN

 BG CS DA DE EL EN ES ET FI FR GA HR HU IT LV LT MT NL PL PT RO SK SL SV print pdf

2022/0868 EN Art. 2 cercato: 'secure processing environment' . Output generated live by software developed by IusOnDemand srl


expand index secure processing environment:

    CHAPTER I
    General provisions

    CHAPTER II
    Re-use of certain categories of protected data held by public sector bodies
  • 2 Art. 2 Definitions
    •
  • 3 Art. 5 Conditions for re-use
    •
  • 1 Art. 6 Fees
    •
  • 1 Art. 7 Competent bodies

    • CHAPTER III
    Requirements applicable to data intermediation services

    CHAPTER IV
    Data altruism

    CHAPTER V
    Competent authorities and procedural provisions

    CHAPTER VI
    European Data Innovation Board

    CHAPTER VII
    International access and transfer

    CHAPTER VIII
    Delegation and committee procedure

    CHAPTER IX
    Final and transitional provisions


whereas secure processing environment:


definitions:


cloud tag: and the number of total unique words without stopwords is: 645

 

Article 2

Definitions

For the purposes of this Regulation, the following definitions apply:

(1)

datameans any digital representation of acts, facts or information and any compilation of such acts, facts or information, including in the form of sound, visual or audiovisual recording;

(2)

re-usemeans the use by natural or legal persons of data held by public sector bodies, for commercial or non-commercial purposes other than the initial purpose within the public task for which the data were produced, except for the exchange of data between public sector bodies purely in pursuit of their public tasks;

(3)

‘personal datameans personal data as defined in Article 4, point (1), of Regulation (EU) 2016/679;

(4)

‘non-personal datameans data other than personal data;

(5)

consentmeans consent as defined in Article 4, point (11), of Regulation (EU) 2016/679;

(6)

permissionmeans giving data users the right to the processing of non-personal data;

(7)

data subjectmeans data subject as referred to in Article 4, point (1), of Regulation (EU) 2016/679;

(8)

data holder’ means a legal person, including public sector bodies and international organisations, or a natural person who is not a data subject with respect to the specific data in question, which, in accordance with applicable Union or national law, has the right to grant access to or to share certain personal data or non-personal data;

(9)

data user’ means a natural or legal person who has lawful access to certain personal or non-personal data and has the right, including under Regulation (EU) 2016/679 in the case of personal data, to use that data for commercial or non-commercial purposes;

(10)

data sharing’ means the provision of data by a data subject or a data holder to a data user for the purpose of the joint or individual use of such data, based on voluntary agreements or Union or national law, directly or through an intermediary, for example under open or commercial licences subject to a fee or free of charge;

(11)

data intermediation service’ means a service which aims to establish commercial relationships for the purposes of data sharing between an undetermined number of data subjects and data holders on the one hand and data users on the other, through technical, legal or other means, including for the purpose of exercising the rights of data subjects in relation to personal data, excluding at least the following:

(a)

services that obtain data from data holders and aggregate, enrich or transform the data for the purpose of adding substantial value to it and license the use of the resulting data to data users, without establishing a commercial relationship between data holders and data users;

(b)

services that focus on the intermediation of copyright-protected content;

(c)

services that are exclusively used by one data holder in order to enable the use of the data held by that data holder, or that are used by multiple legal persons in a closed group, including supplier or customer relationships or collaborations established by contract, in particular those that have as a main objective to ensure the functionalities of objects and devices connected to the Internet of Things;

(d)

data sharing services offered by public sector bodies that do not aim to establish commercial relationships;

(12)

processingmeans processing as defined in Article 4, point (2), of Regulation (EU) 2016/679 with regard to personal data or Article 3, point (2), of Regulation (EU) 2018/1807 with regard to non-personal data;

(13)

accessmeans data use, in accordance with specific technical, legal or organisational requirements, without necessarily implying the transmission or downloading of data;

(14)

main_establishment’ of a legal person means the place of its central administration in the Union;

(15)

‘services of data cooperatives’ means data intermediation services offered by an organisational structure constituted by data subjects, one-person undertakings or SMEs who are members of that structure, having as its main objectives to support its members in the exercise of their rights with respect to certain data, including with regard to making informed choices before they consent to data processing, to exchange views on data processing purposes and conditions that would best represent the interests of its members in relation to their data, and to negotiate terms and conditions for data processing on behalf of its members before giving permission to the processing of non-personal data or before they consent to the processing of personal data;

(16)

data altruism’ means the voluntary sharing of data on the basis of the consent of data subjects to process personal data pertaining to them, or permissions of data holders to allow the use of their non-personal data without seeking or receiving a reward that goes beyond compensation related to the costs that they incur where they make their data available for objectives of general interest as provided for in national law, where applicable, such as healthcare, combating climate change, improving mobility, facilitating the development, production and dissemination of official statistics, improving the provision of public services, public policy making or scientific research purposes in the general interest;

(17)

public_sector_bodymeans the State, regional or local authorities, bodies_governed_by_public_law or associations formed by one or more such authorities, or one or more such bodies_governed_by_public_law;

(18)

bodies_governed_by_public_lawmeans bodies that have the following characteristics:

(a)

they are established for the specific purpose of meeting needs in the general interest, and do not have an industrial or commercial character;

(b)

they have legal personality;

(c)

they are financed, for the most part, by the State, regional or local authorities, or other bodies_governed_by_public_law, are subject to management supervision by those authorities or bodies, or have an administrative, managerial or supervisory board, more than half of whose members are appointed by the State, regional or local authorities, or by other bodies_governed_by_public_law;

(19)

public_undertakingmeans any undertaking over which the public sector bodies may exercise directly or indirectly a dominant influence by virtue of their ownership of it, their financial participation therein, or the rules which govern it; for the purposes of this definition, a dominant influence on the part of the public sector bodies shall be presumed in any of the following cases in which those bodies, directly or indirectly:

(a)

hold the majority of the undertaking’s subscribed capital;

(b)

control the majority of the votes attaching to shares issued by the undertaking;

(c)

can appoint more than half of the undertaking’s administrative, management or supervisory body;

(20)

‘secure processing environment’ means the physical or virtual environment and organisational means to ensure compliance with Union law, such as Regulation (EU) 2016/679, in particular with regard to data subjectsrights, intellectual property rights, and commercial and statistical confidentiality, integrity and accessibility, as well as with applicable national law, and to allow the entity providing the secure processing environment to determine and supervise all data processing actions, including the display, storage, download and export of data and the calculation of derivative data through computational algorithms;

(21)

legal_representativemeans a natural or legal person established in the Union explicitly designated to act on behalf of a data intermediation services provider or an entity that collects data for objectives of general interest made available by natural or legal persons on the basis of data altruism not established in the Union, which may be addressed by the competent authorities for data intermediation services and the competent authorities for the registration of data altruism organisations in addition to or instead of the data intermediation services provider or entity with regard to the obligations under this Regulation, including with regard to initiating enforcement proceedings against a non-compliant data intermediation services provider or entity not established in the Union.

CHAPTER II

Re-use of certain categories of protected data held by public sector bodies

Article 2

Definitions

For the purposes of this Regulation, the following definitions apply:

(1)

data’ means any digital representation of acts, facts or information and any compilation of such acts, facts or information, including in the form of sound, visual or audiovisual recording;

(2)

re-use’ means the use by natural or legal persons of data held by public sector bodies, for commercial or non-commercial purposes other than the initial purpose within the public task for which the data were produced, except for the exchange of data between public sector bodies purely in pursuit of their public tasks;

(3)

‘personal data’ means personal data as defined in Article 4, point (1), of Regulation (EU) 2016/679;

(4)

‘non-personal data’ means data other than personal data;

(5)

consent’ means consent as defined in Article 4, point (11), of Regulation (EU) 2016/679;

(6)

permission’ means giving data users the right to the processing of non-personal data;

(7)

data subject’ means data subject as referred to in Article 4, point (1), of Regulation (EU) 2016/679;

(8)

data holder’ means a legal person, including public sector bodies and international organisations, or a natural person who is not a data subject with respect to the specific data in question, which, in accordance with applicable Union or national law, has the right to grant access to or to share certain personal data or non-personal data;

(9)

data user’ means a natural or legal person who has lawful access to certain personal or non-personal data and has the right, including under Regulation (EU) 2016/679 in the case of personal data, to use that data for commercial or non-commercial purposes;

(10)

data sharing’ means the provision of data by a data subject or a data holder to a data user for the purpose of the joint or individual use of such data, based on voluntary agreements or Union or national law, directly or through an intermediary, for example under open or commercial licences subject to a fee or free of charge;

(11)

data intermediation service’ means a service which aims to establish commercial relationships for the purposes of data sharing between an undetermined number of data subjects and data holders on the one hand and data users on the other, through technical, legal or other means, including for the purpose of exercising the rights of data subjects in relation to personal data, excluding at least the following:

(a)

services that obtain data from data holders and aggregate, enrich or transform the data for the purpose of adding substantial value to it and license the use of the resulting data to data users, without establishing a commercial relationship between data holders and data users;

(b)

services that focus on the intermediation of copyright-protected content;

(c)

services that are exclusively used by one data holder in order to enable the use of the data held by that data holder, or that are used by multiple legal persons in a closed group, including supplier or customer relationships or collaborations established by contract, in particular those that have as a main objective to ensure the functionalities of objects and devices connected to the Internet of Things;

(d)

data sharing services offered by public sector bodies that do not aim to establish commercial relationships;

(12)

processing’ means processing as defined in Article 4, point (2), of Regulation (EU) 2016/679 with regard to personal data or Article 3, point (2), of Regulation (EU) 2018/1807 with regard to non-personal data;

(13)

access’ means data use, in accordance with specific technical, legal or organisational requirements, without necessarily implying the transmission or downloading of data;

(14)

main_establishment’ of a legal person means the place of its central administration in the Union;

(15)

‘services of data cooperatives’ means data intermediation services offered by an organisational structure constituted by data subjects, one-person undertakings or SMEs who are members of that structure, having as its main objectives to support its members in the exercise of their rights with respect to certain data, including with regard to making informed choices before they consent to data processing, to exchange views on data processing purposes and conditions that would best represent the interests of its members in relation to their data, and to negotiate terms and conditions for data processing on behalf of its members before giving permission to the processing of non-personal data or before they consent to the processing of personal data;

(16)

data altruism’ means the voluntary sharing of data on the basis of the consent of data subjects to process personal data pertaining to them, or permissions of data holders to allow the use of their non-personal data without seeking or receiving a reward that goes beyond compensation related to the costs that they incur where they make their data available for objectives of general interest as provided for in national law, where applicable, such as healthcare, combating climate change, improving mobility, facilitating the development, production and dissemination of official statistics, improving the provision of public services, public policy making or scientific research purposes in the general interest;

(17)

public_sector_body’ means the State, regional or local authorities, bodies_governed_by_public_law or associations formed by one or more such authorities, or one or more such bodies_governed_by_public_law;

(18)

bodies_governed_by_public_law’ means bodies that have the following characteristics:

(a)

they are established for the specific purpose of meeting needs in the general interest, and do not have an industrial or commercial character;

(b)

they have legal personality;

(c)

they are financed, for the most part, by the State, regional or local authorities, or other bodies_governed_by_public_law, are subject to management supervision by those authorities or bodies, or have an administrative, managerial or supervisory board, more than half of whose members are appointed by the State, regional or local authorities, or by other bodies_governed_by_public_law;

(19)

public_undertaking’ means any undertaking over which the public sector bodies may exercise directly or indirectly a dominant influence by virtue of their ownership of it, their financial participation therein, or the rules which govern it; for the purposes of this definition, a dominant influence on the part of the public sector bodies shall be presumed in any of the following cases in which those bodies, directly or indirectly:

(a)

hold the majority of the undertaking’s subscribed capital;

(b)

control the majority of the votes attaching to shares issued by the undertaking;

(c)

can appoint more than half of the undertaking’s administrative, management or supervisory body;

(20)

‘secure processing environment’ means the physical or virtual environment and organisational means to ensure compliance with Union law, such as Regulation (EU) 2016/679, in particular with regard to data subjects’ rights, intellectual property rights, and commercial and statistical confidentiality, integrity and accessibility, as well as with applicable national law, and to allow the entity providing the secure processing environment to determine and supervise all data processing actions, including the display, storage, download and export of data and the calculation of derivative data through computational algorithms;

(21)

legal_representative’ means a natural or legal person established in the Union explicitly designated to act on behalf of a data intermediation services provider or an entity that collects data for objectives of general interest made available by natural or legal persons on the basis of data altruism not established in the Union, which may be addressed by the competent authorities for data intermediation services and the competent authorities for the registration of data altruism organisations in addition to or instead of the data intermediation services provider or entity with regard to the obligations under this Regulation, including with regard to initiating enforcement proceedings against a non-compliant data intermediation services provider or entity not established in the Union.

CHAPTER II

Re-use of certain categories of protected data held by public sector bodies

Article 5

Conditions for re-use

1.   Public sector bodies which are competent under national law to grant or refuse access for the re-use of one or more of the categories of data referred to in Article 3(1) shall make publicly available the conditions for allowing such re-use and the procedure to request the re-use via the single information point referred to in Article 8. Where they grant or refuse access for re-use, they may be assisted by the competent bodies referred to in Article 7(1).

Member States shall ensure that public sector bodies are equipped with the necessary resources to comply with this Article.

2.   Conditions for re-use shall be non-discriminatory, transparent, proportionate and objectively justified with regard to the categories of data and the purposes of re-use and the nature of the data for which re-use is allowed. Those conditions shall not be used to restrict competition.

3.   Public sector bodies shall, in accordance with Union and national law, ensure that the protected nature of data is preserved. They may provide for the following requirements:

(a)

to grant access for the re-use of data only where the public_sector_body or the competent body, following the request for re-use, has ensured that data has been:

(i)

anonymised, in the case of personal data; and

(ii)

modified, aggregated or treated by any other method of disclosure control, in the case of commercially confidential information, including trade secrets or content protected by intellectual property rights;

(b)

to access and re-use the data remotely within a secure processing environment that is provided or controlled by the public_sector_body;

(c)

to access and re-use the data within the physical premises in which the secure processing environment is located in accordance with high security standards, provided that remote access cannot be allowed without jeopardising the rights and interests of third parties.

4.   In the case of re-use allowed in accordance with paragraph 3, points (b) and (c), the public sector bodies shall impose conditions that preserve the integrity of the functioning of the technical systems of the secure processing environment used. The public_sector_body shall reserve the right to verify the process, the means and any results of processing of data undertaken by the re-user to preserve the integrity of the protection of the data and reserve the right to prohibit the use of results that contain information jeopardising the rights and interests of third parties. The decision to prohibit the use of the results shall be comprehensible and transparent to the re-user.

5.   Unless national law provides for specific safeguards on applicable confidentiality obligations relating to the re-use of data referred to in Article 3(1), the public_sector_body shall make the re-use of data provided in accordance with paragraph 3 of this Article conditional on the adherence by the re-user to a confidentiality obligation that prohibits the disclosure of any information that jeopardises the rights and interests of third parties that the re-user may have acquired despite the safeguards put in place. Re-users shall be prohibited from re-identifying any data subject to whom the data relates and shall take technical and operational measures to prevent re-identification and to notify any data breach resulting in the re-identification of the data subjects concerned to the public_sector_body. In the event of the unauthorised re-use of non-personal data, the re-user shall, without delay, where appropriate with the assistance of the public_sector_body, inform the legal persons whose rights and interests may be affected.

6.   Where the re-use of data cannot be allowed in accordance with the obligations laid down in paragraphs 3 and 4 of this Article and there is no legal basis for transmitting the data under Regulation (EU) 2016/679, the public_sector_body shall make best efforts, in accordance with Union and national law, to provide assistance to potential re-users in seeking consent of the data subjects or permission from the data holders whose rights and interests may be affected by such re-use, where it is feasible without a disproportionate burden on the public_sector_body. Where it provides such assistance, the public_sector_body may be assisted by the competent bodies referred to in Article 7(1).

7.   Re-use of data shall be allowed only in compliance with intellectual property rights. The right of the maker of a database as provided for in Article 7(1) of Directive 96/9/EC shall not be exercised by public sector bodies in order to prevent the re-use of data or to restrict re-use beyond the limits set by this Regulation.

8.   Where data requested is considered to be confidential, in accordance with Union or national law on commercial or statistical confidentiality, the public sector bodies shall ensure that the confidential data is not disclosed as a result of allowing re-use, unless such re-use is allowed in accordance with paragraph 6.

9.   Where a re-user intends to transfer non-personal data protected on the grounds set out in Article 3(1) to a third country, it shall inform the public_sector_body of its intention to transfer such data and the purpose of such transfer at the time of requesting the re-use of such data. In the case of re-use in accordance with paragraph 6 of this Article, the re-user shall, where appropriate with the assistance of the public_sector_body, inform the legal person whose rights and interests may be affected of that intention, purpose and the appropriate safeguards. The public_sector_body shall not allow the re-use unless the legal person gives permission for the transfer.

10.   Public sector bodies shall transmit non-personal confidential data or data protected by intellectual property rights to a re-user which intends to transfer those data to a third country other than a country designated in accordance with paragraph 12 only if the re-user contractually commits to:

(a)

complying with the obligations imposed in accordance with paragraphs 7 and 8 even after the data is transferred to the third country; and

(b)

accepting the jurisdiction of the courts or tribunals of the Member State of the transmitting public_sector_body with regard to any dispute related to compliance with paragraphs 7 and 8.

11.   Public sector bodies shall, where relevant and to the extent of their capabilities, provide guidance and assistance to re-users in complying with the obligations referred to in paragraph 10 of this Article.

In order to assist public sector bodies and re-users, the Commission may adopt implementing acts establishing model contractual clauses for complying with the obligations referred to in paragraph 10 of this Article. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 33(3).

12.   Where justified because of the substantial number of requests across the Union concerning the re-use of non-personal data in specific third countries, the Commission may adopt implementing acts declaring that the legal, supervisory and enforcement arrangements of a third country:

(a)

ensure protection of intellectual property and trade secrets in a way that is essentially equivalent to the protection ensured under Union law;

(b)

are being effectively applied and enforced; and

(c)

provide effective judicial redress.

Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 33(3).

13.   Specific Union legislative acts may deem certain non-personal data categories held by public sector bodies to be highly sensitive for the purposes of this Article where their transfer to third countries may put at risk Union public policy objectives, such as safety and public health or may lead to the risk of re-identification of non-personal, anonymised data. Where such an act is adopted, the Commission shall adopt delegated acts in accordance with Article 32 supplementing this Regulation by laying down special conditions applicable to the transfers of such data to third countries.

Those special conditions shall be based on the nature of the non-personal data categories identified in the specific Union legislative act and on the grounds for deeming those categories to be highly sensitive, taking into account the risks of re-identification of non-personal, anonymised data. They shall be non-discriminatory and limited to what is necessary to achieve the Union public policy objectives identified in that act, in accordance with the Union’s international obligations.

If required by specific Union legislative acts as referred to in the first subparagraph, such special conditions may include terms applicable for the transfer or technical arrangements in this regard, limitations with regard to the re-use of data in third countries or categories of persons entitled to transfer such data to third countries or, in exceptional cases, restrictions with regard to transfers to third countries.

14.   The natural or legal person to which the right to re-use non-personal data was granted may transfer the data only to those third countries for which the requirements in paragraphs 10, 12 and 13 are met.

Article 6

Fees

1.   Public sector bodies which allow re-use of the categories of data referred to in Article 3(1) may charge fees for allowing the re-use of such data.

2.   Any fees charged pursuant to paragraph 1 shall be transparent, non-discriminatory, proportionate and objectively justified and shall not restrict competition.

3.   Public sector bodies shall ensure that any fees can also be paid online through widely available cross-border payment services, without discrimination based on the place of establishment of the payment service provider, the place of issue of the payment instrument or the location of the payment account within the Union.

4.   Where public sector bodies charge fees, they shall take measures to provide incentives for the re-use of the categories of data referred to in Article 3(1) for non-commercial purposes, such as scientific research purposes, and by SMEs and start-ups in accordance with State aid rules. In that regard, public sector bodies may also make the data available at a discounted fee or free of charge, in particular to SMEs and start-ups, civil society and educational establishments. To that end, public sector bodies may establish a list of categories of re-users to which data for re-use is made available at a discounted fee or free of charge. That list, together with the criteria used to establish it, shall be made public.

5.   Any fees shall be derived from the costs related to conducting the procedure for requests for the re-use of the categories of data referred to in Article 3(1) and limited to the necessary costs in relation to:

(a)

the reproduction, provision and dissemination of data;

(b)

the clearance of rights;

(c)

anonymisation or other forms of preparation of personal data and commercially confidential data as provided for in Article 5(3);

(d)

the maintenance of the secure processing environment;

(e)

the acquisition of the right to allow re-use in accordance with this Chapter by third parties outside the public sector; and

(f)

assisting re-users in seeking consent from data subjects and permission from data holders whose rights and interests may be affected by such re-use.

6.   The criteria and methodology for calculating fees shall be laid down by the Member States and published. The public_sector_body shall publish a description of the main categories of costs and the rules used for the allocation of costs.

Article 7

Competent bodies

1.   For the purpose of carrying out the tasks referred to in this Article, each Member State shall designate one or more competent bodies, which may be competent for particular sectors, to assist the public sector bodies which grant or refuse access for the re-use of the categories of data referred to in Article 3(1). Member States may either establish one or more new competent bodies or rely on existing public sector bodies or on internal services of public sector bodies that fulfil the conditions laid down in this Regulation.

2.   The competent bodies may be empowered to grant access for the re-use of the categories of data referred to in Article 3(1) pursuant to Union or national law which provides for such access to be granted. Where they grant or refuse access for the re-use, Articles 4, 5, 6 and 9 shall apply to those competent bodies.

3.   The competent bodies shall have adequate legal, financial, technical and human resources to carry out the tasks assigned to them, including the necessary technical knowledge to be able to comply with relevant Union or national law concerning the access regimes for the categories of data referred to in Article 3(1).

4.   The assistance provided for in paragraph 1 shall include, where necessary:

(a)

providing technical support by making available a secure processing environment for providing access for the re-use of data;

(b)

providing guidance and technical support on how to best structure and store data to make that data easily accessible;

(c)

providing technical support for pseudonymisation and ensuring data processing in a manner that effectively preserves the privacy, confidentiality, integrity and accessibility of the information contained in the data for which re-use is allowed, including techniques for the anonymisation, generalisation, suppression and randomisation of personal data or other state-of-the-art privacy-preserving methods, and the deletion of commercially confidential information, including trade secrets or content protected by intellectual property rights;

(d)

assisting the public sector bodies, where relevant, to provide support to re-users in requesting consent for re-use from data subjects or permission from data holders in line with their specific decisions, including on the jurisdiction in which the data processing is intended to take place and assisting the public sector bodies in establishing technical mechanisms that allow the transmission of requests for consent or permission from re-users, where practically feasible;

(e)

providing public sector bodies with assistance in assessing the adequacy of contractual commitments made by a re-user pursuant to Article 5(10).

5.   Each Member State shall notify the Commission of the identity of the competent bodies designated pursuant to paragraph 1 by 24 September 2023. Each Member State shall also notify the Commission of any subsequent change to the identity of those competent bodies.


whereas
keyboard_arrow_down