keyboard_tab Digital Governance Act 2022/0868 EN
BG CS DA DE EL EN ES ET FI FR GA HR HU IT LV LT MT NL PL PT RO SK SL SV print pdf
- 1 Art. 5 Conditions for re-use
- 1 Art. 6 Fees
- 1 Art. 25 European data altruism consent form
- 5 Art. 30 Tasks of the European Data Innovation Board
- 1 Art. 31 International access and transfer
- 2 Art. 34 Penalties
CHAPTER I
General provisions
CHAPTER II
Re-use of certain categories of protected data held by public sector bodies
CHAPTER III
Requirements applicable to data intermediation services
CHAPTER IV
Data altruism
CHAPTER V
Competent authorities and procedural provisions
CHAPTER VI
European Data Innovation Board
CHAPTER VII
International access and transfer
CHAPTER VIII
Delegation and committee procedure
CHAPTER IX
Final and transitional provisions
- data
- re-use
- personal data
- non-personal data
- consent
- permission
- data subject
- data holder
- data user
- data sharing
- data intermediation service
- processing
- access
- main establishment
- services of data cooperatives
- data altruism
- public sector body
- bodies governed by public law
- public undertaking
- secure processing environment
- legal representative
- data 137
- shall 53
- re-use 42
- article 30
- such 24
- union 22
- altruism 22
- bodies 20
- third 20
- accordance 20
- referred 19
- public_sector_body 19
- access 19
- services 19
- regard 18
- sector 18
- which 17
- transfer 17
- public 16
- non-personal 16
- intermediation 16
- commission 15
- european 15
- legal 14
- competent 14
- categories 13
- recognised 13
- rights 12
- account 11
- conditions 11
- paragraph 11
- right 10
- consent 10
- provider 10
- decision 10
- under 10
- into 10
- acts 10
- chapter 9
- national 9
- third-country 9
- countries 9
- organisation 9
- standards 9
- international 9
- re-user 9
- assist 9
- from 9
- advise 9
- person 8
Article 5
Conditions for re-use
1. Public sector bodies which are competent under national law to grant or refuse access for the re-use of one or more of the categories of data referred to in Article 3(1) shall make publicly available the conditions for allowing such re-use and the procedure to request the re-use via the single information point referred to in Article 8. Where they grant or refuse access for re-use, they may be assisted by the competent bodies referred to in Article 7(1).
Member States shall ensure that public sector bodies are equipped with the necessary resources to comply with this Article.
2. Conditions for re-use shall be non-discriminatory, transparent, proportionate and objectively justified with regard to the categories of data and the purposes of re-use and the nature of the data for which re-use is allowed. Those conditions shall not be used to restrict competition.
3. Public sector bodies shall, in accordance with Union and national law, ensure that the protected nature of data is preserved. They may provide for the following requirements:
| (a) | to grant access for the re-use of data only where the public_sector_body or the competent body, following the request for re-use, has ensured that data has been:
|
| (b) | to access and re-use the data remotely within a secure processing environment that is provided or controlled by the public_sector_body; |
| (c) | to access and re-use the data within the physical premises in which the secure processing environment is located in accordance with high security standards, provided that remote access cannot be allowed without jeopardising the rights and interests of third parties. |
4. In the case of re-use allowed in accordance with paragraph 3, points (b) and (c), the public sector bodies shall impose conditions that preserve the integrity of the functioning of the technical systems of the secure processing environment used. The public_sector_body shall reserve the right to verify the process, the means and any results of processing of data undertaken by the re-user to preserve the integrity of the protection of the data and reserve the right to prohibit the use of results that contain information jeopardising the rights and interests of third parties. The decision to prohibit the use of the results shall be comprehensible and transparent to the re-user.
5. Unless national law provides for specific safeguards on applicable confidentiality obligations relating to the re-use of data referred to in Article 3(1), the public_sector_body shall make the re-use of data provided in accordance with paragraph 3 of this Article conditional on the adherence by the re-user to a confidentiality obligation that prohibits the disclosure of any information that jeopardises the rights and interests of third parties that the re-user may have acquired despite the safeguards put in place. Re-users shall be prohibited from re-identifying any data subject to whom the data relates and shall take technical and operational measures to prevent re-identification and to notify any data breach resulting in the re-identification of the data subjects concerned to the public_sector_body. In the event of the unauthorised re-use of non-personal data, the re-user shall, without delay, where appropriate with the assistance of the public_sector_body, inform the legal persons whose rights and interests may be affected.
6. Where the re-use of data cannot be allowed in accordance with the obligations laid down in paragraphs 3 and 4 of this Article and there is no legal basis for transmitting the data under Regulation (EU) 2016/679, the public_sector_body shall make best efforts, in accordance with Union and national law, to provide assistance to potential re-users in seeking consent of the data subjects or permission from the data holders whose rights and interests may be affected by such re-use, where it is feasible without a disproportionate burden on the public_sector_body. Where it provides such assistance, the public_sector_body may be assisted by the competent bodies referred to in Article 7(1).
7. Re-use of data shall be allowed only in compliance with intellectual property rights. The right of the maker of a database as provided for in Article 7(1) of Directive 96/9/EC shall not be exercised by public sector bodies in order to prevent the re-use of data or to restrict re-use beyond the limits set by this Regulation.
8. Where data requested is considered to be confidential, in accordance with Union or national law on commercial or statistical confidentiality, the public sector bodies shall ensure that the confidential data is not disclosed as a result of allowing re-use, unless such re-use is allowed in accordance with paragraph 6.
9. Where a re-user intends to transfer non-personal data protected on the grounds set out in Article 3(1) to a third country, it shall inform the public_sector_body of its intention to transfer such data and the purpose of such transfer at the time of requesting the re-use of such data. In the case of re-use in accordance with paragraph 6 of this Article, the re-user shall, where appropriate with the assistance of the public_sector_body, inform the legal person whose rights and interests may be affected of that intention, purpose and the appropriate safeguards. The public_sector_body shall not allow the re-use unless the legal person gives permission for the transfer.
10. Public sector bodies shall transmit non-personal confidential data or data protected by intellectual property rights to a re-user which intends to transfer those data to a third country other than a country designated in accordance with paragraph 12 only if the re-user contractually commits to:
| (a) | complying with the obligations imposed in accordance with paragraphs 7 and 8 even after the data is transferred to the third country; and |
| (b) | accepting the jurisdiction of the courts or tribunals of the Member State of the transmitting public_sector_body with regard to any dispute related to compliance with paragraphs 7 and 8. |
11. Public sector bodies shall, where relevant and to the extent of their capabilities, provide guidance and assistance to re-users in complying with the obligations referred to in paragraph 10 of this Article.
In order to assist public sector bodies and re-users, the Commission may adopt implementing acts establishing model contractual clauses for complying with the obligations referred to in paragraph 10 of this Article. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 33(3).
12. Where justified because of the substantial number of requests across the Union concerning the re-use of non-personal data in specific third countries, the Commission may adopt implementing acts declaring that the legal, supervisory and enforcement arrangements of a third country:
| (a) | ensure protection of intellectual property and trade secrets in a way that is essentially equivalent to the protection ensured under Union law; |
| (b) | are being effectively applied and enforced; and |
| (c) | provide effective judicial redress. |
Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 33(3).
13. Specific Union legislative acts may deem certain non-personal data categories held by public sector bodies to be highly sensitive for the purposes of this Article where their transfer to third countries may put at risk Union public policy objectives, such as safety and public health or may lead to the risk of re-identification of non-personal, anonymised data. Where such an act is adopted, the Commission shall adopt delegated acts in accordance with Article 32 supplementing this Regulation by laying down special conditions applicable to the transfers of such data to third countries.
Those special conditions shall be based on the nature of the non-personal data categories identified in the specific Union legislative act and on the grounds for deeming those categories to be highly sensitive, taking into account the risks of re-identification of non-personal, anonymised data. They shall be non-discriminatory and limited to what is necessary to achieve the Union public policy objectives identified in that act, in accordance with the Union’s international obligations.
If required by specific Union legislative acts as referred to in the first subparagraph, such special conditions may include terms applicable for the transfer or technical arrangements in this regard, limitations with regard to the re-use of data in third countries or categories of persons entitled to transfer such data to third countries or, in exceptional cases, restrictions with regard to transfers to third countries.
14. The natural or legal person to which the right to re-use non-personal data was granted may transfer the data only to those third countries for which the requirements in paragraphs 10, 12 and 13 are met.
Article 6
Fees
1. Public sector bodies which allow re-use of the categories of data referred to in Article 3(1) may charge fees for allowing the re-use of such data.
2. Any fees charged pursuant to paragraph 1 shall be transparent, non-discriminatory, proportionate and objectively justified and shall not restrict competition.
3. Public sector bodies shall ensure that any fees can also be paid online through widely available cross-border payment services, without discrimination based on the place of establishment of the payment service provider, the place of issue of the payment instrument or the location of the payment account within the Union.
4. Where public sector bodies charge fees, they shall take measures to provide incentives for the re-use of the categories of data referred to in Article 3(1) for non-commercial purposes, such as scientific research purposes, and by SMEs and start-ups in accordance with State aid rules. In that regard, public sector bodies may also make the data available at a discounted fee or free of charge, in particular to SMEs and start-ups, civil society and educational establishments. To that end, public sector bodies may establish a list of categories of re-users to which data for re-use is made available at a discounted fee or free of charge. That list, together with the criteria used to establish it, shall be made public.
5. Any fees shall be derived from the costs related to conducting the procedure for requests for the re-use of the categories of data referred to in Article 3(1) and limited to the necessary costs in relation to:
| (a) | the reproduction, provision and dissemination of data; |
| (b) | the clearance of rights; |
| (c) | anonymisation or other forms of preparation of personal data and commercially confidential data as provided for in Article 5(3); |
| (d) | the maintenance of the secure processing environment; |
| (e) | the acquisition of the right to allow re-use in accordance with this Chapter by third parties outside the public sector; and |
| (f) | assisting re-users in seeking consent from data subjects and permission from data holders whose rights and interests may be affected by such re-use. |
6. The criteria and methodology for calculating fees shall be laid down by the Member States and published. The public_sector_body shall publish a description of the main categories of costs and the rules used for the allocation of costs.
Article 25
European data altruism consent form
1. In order to facilitate the collection of data based on data altruism, the Commission shall adopt implementing acts establishing and developing a European data altruism consent form, after consulting the European Data Protection Board, taking into account the advice of the European Data Innovation Board and duly involving relevant stakeholders. The form shall allow the collection of consent or permission across Member States in a uniform format. Those implementing acts shall be adopted in accordance with the advisory procedure referred to in Article 33(2).
2. The European data altruism consent form shall use a modular approach allowing customisation for specific sectors and for different purposes.
3. Where personal data are provided, the European data altruism consent form shall ensure that data subjects are able to give consent to and withdraw consent from a specific data processing operation in compliance with the requirements of Regulation (EU) 2016/679.
4. The form shall be available in a manner that can be printed on paper and is easily understandable as well as in an electronic, machine-readable form.
CHAPTER V
Competent authorities and procedural provisions
Article 30
Tasks of the European Data Innovation Board
The European Data Innovation Board shall have the following tasks:
| (a) | to advise and assist the Commission with regard to developing a consistent practice of public sector bodies and competent bodies referred to in Article 7(1) in handling requests for the re-use of the categories of data referred to in Article 3(1); |
| (b) | to advise and assist the Commission with regard to developing a consistent practice for data altruism across the Union; |
| (c) | to advise and assist the Commission with regard to developing a consistent practice of the competent authorities for data intermediation services and the competent authorities for the registration of data altruism organisations in the application of requirements applicable to data intermediation services providers and recognised data altruism organisations; |
| (d) | to advise and assist the Commission with regard to developing consistent guidelines on how to best protect, in the context of this Regulation, commercially sensitive non-personal data, in particular trade secrets, but also non-personal data representing content protected by intellectual property rights from unlawful access that risks intellectual property theft or industrial espionage; |
| (e) | to advise and assist the Commission with regard to developing consistent guidelines for cybersecurity requirements for the exchange and storage of data; |
| (f) | to advise the Commission, in particular taking into account the input from standardisation organisations, on the prioritisation of cross-sector standards to be used and developed for data use and cross-sector data sharing between emerging common European data spaces, cross-sectoral comparison and exchange of best practices with regard to sectoral requirements for security and access procedures, taking into account sector-specific standardisation activities, in particular clarifying and distinguishing which standards and practices are cross-sectoral and which are sectoral; |
| (g) | to assist the Commission, in particular taking into account the input from standardisation organisations, in addressing fragmentation of the internal market and the data economy in the internal market by enhancing cross-border, cross-sector interoperability of data as well as data sharing services between different sectors and domains, building on existing European, international or national standards, inter alia with the aim of encouraging the creation of common European data spaces; |
| (h) | to propose guidelines for common European data spaces, namely purpose- or sector-specific or cross-sectoral interoperable frameworks of common standards and practices to share or jointly process data for, inter alia, the development of new products and services, scientific research or civil society initiatives, such common standards and practices taking into account existing standards, complying with the competition rules and ensuring non-discriminatory access to all participants, for the purpose of facilitating data sharing in the Union and reaping the potential of existing and future data spaces, addressing, inter alia:
|
| (i) | to facilitate cooperation between Member States with regard to setting harmonised conditions allowing for the re-use of the categories of data referred to in Article 3(1) held by public sector bodies across the internal market; |
| (j) | to facilitate cooperation between competent authorities for data intermediation services and competent authorities for the registration of data altruism organisations through capacity-building and the exchange of information, in particular by establishing methods for the efficient exchange of information relating to the notification procedure for data intermediation services providers and the registration and monitoring of recognised data altruism organisations, including coordination with regard to the setting of fees or penalties, as well as facilitate cooperation between competent authorities for data intermediation services and competent authorities for the registration of data altruism organisations with regard to international access and transfer of data; |
| (k) | to advise and assist the Commission with regard to evaluating whether the implementing acts referred to in Article 5(11) and (12) are to be adopted; |
| (l) | to advise and assist the Commission with regard to developing the European data altruism consent form in accordance with Article 25(1); |
| (m) | to advise the Commission on improving the international regulatory environment for non-personal data, including standardisation. |
CHAPTER VII
International access and transfer
Article 31
International access and transfer
1. The public_sector_body, the natural or legal person to which the right to re-use data was granted under Chapter II, the data intermediation services provider or the recognised data altruism organisation shall take all reasonable technical, legal and organisational measures, including contractual arrangements, in order to prevent international transfer or governmental access to non-personal data held in the Union where such transfer or access would create a conflict with Union law or the national law of the relevant Member State, without prejudice to paragraph 2 or 3.
2. Any decision or judgment of a third-country court or tribunal and any decision of a third-country administrative authority requiring a public_sector_body, a natural or legal person to which the right to re-use data was granted under Chapter II, a data intermediation services provider or recognised data altruism organisation to transfer or give access to non-personal data within the scope of this Regulation held in the Union shall be recognised or enforceable in any manner only if based on an international agreement, such as a mutual legal assistance treaty, in force between the requesting third country and the Union or any such agreement between the requesting third country and a Member State.
3. In the absence of an international agreement as referred to in paragraph 2 of this Article, where a public_sector_body, a natural or legal person to which the right to re-use data was granted under Chapter II, a data intermediation services provider or recognised data altruism organisation is the addressee of a decision or judgment of a third-country court or tribunal or a decision of a third-country administrative authority to transfer or give access to non-personal data within the scope of this Regulation held in the Union and compliance with such a decision would risk putting the addressee in conflict with Union law or with the national law of the relevant Member State, transfer to or access to such data by that third-country authority shall take place only where:
| (a) | the third-country system requires the reasons and proportionality of such a decision or judgment to be set out and requires such a decision or judgment to be specific in character, for instance by establishing a sufficient link to certain suspected persons or infringements; |
| (b) | the reasoned objection of the addressee is subject to a review by a competent third-country court or tribunal; and |
| (c) | the competent third-country court or tribunal issuing the decision or judgment or reviewing the decision of an administrative authority is empowered under the law of that third country to take duly into account the relevant legal interests of the provider of the data protected under Union law or the national law of the relevant Member State. |
4. If the conditions laid down in paragraph 2 or 3 are met, the public_sector_body, the natural or legal person to which the right to re-use data was granted under Chapter II, the data intermediation services provider or the recognised data altruism organisation shall provide the minimum amount of data permissible in response to a request, based on a reasonable interpretation of the request.
5. The public_sector_body, the natural or legal person to which the right to re-use data was granted under Chapter II, the data intermediation services provider and the recognised data altruism organisation shall inform the data holder about the existence of a request of a third-country administrative authority to access its data before complying with that request, except where the request serves law enforcement purposes and for as long as this is necessary to preserve the effectiveness of the law enforcement activity.
CHAPTER VIII
Delegation and committee procedure
Article 34
Penalties
1. Member States shall lay down the rules on penalties applicable to infringements of the obligations regarding transfers of non-personal data to third countries pursuant to Article 5(14) and Article 31, the notification obligation of data intermediation services providers pursuant to Article 11, the conditions for providing data intermediation services pursuant to Article 12 and the conditions for the registration as a recognised data altruism organisation pursuant to Articles 18, 20, 21 and 22, and shall take all measures necessary to ensure that they are implemented. The penalties provided for shall be effective, proportionate and dissuasive. In their rules on penalties, Member States shall take into account the recommendations of the European Data Innovation Board. Member States shall, by 24 September 2023, notify the Commission of those rules and of those measures and shall notify it, without delay, of any subsequent amendment affecting them.
2. Member States shall take into account the following non-exhaustive and indicative criteria for the imposition of penalties on data intermediation services providers and recognised data altruism organisations for infringements of this Regulation, where appropriate:
| (a) | the nature, gravity, scale and duration of the infringement; |
| (b) | any action taken by the data intermediation services provider or recognised data altruism organisation to mitigate or remedy the damage caused by the infringement; |
| (c) | any previous infringements by the data intermediation services provider or recognised data altruism organisation; |
| (d) | the financial benefits gained or losses avoided by the data intermediation services provider or recognised data altruism organisation due to the infringement, insofar as such benefits or losses can be reliably established; |
| (e) | any other aggravating or mitigating factors applicable to the circumstances of the case. |
whereas