keyboard_tab Digital Governance Act 2022/0868 EN
BG CS DA DE EL EN ES ET FI FR GA HR HU IT LV LT MT NL PL PT RO SK SL SV print pdf
- 1 Art. 3 Categories of data
- 2 Art. 11 Notification by data intermediation services providers
- 3 Art. 12 Conditions for providing data intermediation services
- 1 Art. 20 Transparency requirements
- 1 Art. 26 Requirements relating to competent authorities
- 1 Art. 31 International access and transfer
- 6 Art. 36 Amendment to Regulation (EU) 2018/1724
CHAPTER I
General provisions
CHAPTER II
Re-use of certain categories of protected data held by public sector bodies
CHAPTER III
Requirements applicable to data intermediation services
CHAPTER IV
Data altruism
CHAPTER V
Competent authorities and procedural provisions
CHAPTER VI
European Data Innovation Board
CHAPTER VII
International access and transfer
CHAPTER VIII
Delegation and committee procedure
CHAPTER IX
Final and transitional provisions
- data
- re-use
- personal data
- non-personal data
- consent
- permission
- data subject
- data holder
- data user
- data sharing
- data intermediation service
- processing
- access
- main establishment
- services of data cooperatives
- data altruism
- public sector body
- bodies governed by public law
- public undertaking
- secure processing environment
- legal representative
- data 210
- services 101
- intermediation 99
- shall 61
- provider 44
- competent 39
- altruism 25
- which 24
- union 24
- authority 23
- registration 22
- authorities 22
- such 21
- notification 19
- legal 18
- recognised 17
- activity 15
- access 14
- article 14
- public 13
- organisation 13
- the 13
- referred 13
- organisations 12
- request 12
- member state 12
- natural 12
- under 12
- paragraph 11
- national 11
- subjects 11
- ensure 11
- relevant 11
- chapter 10
- third-country 10
- person 10
- information 10
- service 9
- held 9
- including 9
- holders 9
- transfer 9
- decision 9
- business 9
- confirmation 9
- without 8
- regulation 8
- non-personal 7
- providers 7
- subject 7
Article 3
Categories of data
1. This Chapter applies to data held by public sector bodies which are protected on grounds of:
| (a) | commercial confidentiality, including business, professional and company secrets; |
| (b) | statistical confidentiality; |
| (c) | the protection of intellectual property rights of third parties; or |
| (d) | the protection of personal data, insofar as such data fall outside the scope of Directive (EU) 2019/1024. |
2. This Chapter does not apply to:
| (a) | data held by public_undertakings; |
| (b) | data held by public service broadcasters and their subsidiaries, and by other bodies or their subsidiaries for the fulfilment of a public service broadcasting remit; |
| (c) | data held by cultural establishments and educational establishments; |
| (d) | data held by public sector bodies which are protected for reasons of public security, defence or national security; or |
| (e) | data the supply of which is an activity falling outside the scope of the public task of the public sector bodies concerned as defined by law or by other binding rules in the Member State concerned, or, in the absence of such rules, as defined in accordance with common administrative practice in that Member State, provided that the scope of the public tasks is transparent and subject to review. |
3. This Chapter is without prejudice to:
| (a) | Union and national law and international agreements to which the Union or Member States are party on the protection of categories of data referred to in paragraph 1; and |
| (b) | Union and national law on access to documents. |
Article 11
Notification by data intermediation services providers
1. Any data intermediation services provider who intends to provide the data intermediation services referred to in Article 10 shall submit a notification to the competent authority for data intermediation services.
2. For the purposes of this Regulation, a data intermediation services provider with establishments in more than one Member State shall be deemed to be under the jurisdiction of the Member State in which it has its main_establishment, without prejudice to Union law regulating cross-border actions for damages and related proceedings.
3. A data intermediation services provider that is not established in the Union, but which offers the data intermediation services referred to in Article 10 within the Union, shall designate a legal_representative in one of the Member States in which those services are offered.
For the purpose of ensuring compliance with this Regulation, the legal_representative shall be mandated by the data intermediation services provider to be addressed in addition to or instead of it by competent authorities for data intermediation services or data subjects and data holders, with regard to all issues related to the data intermediation services provided. The legal_representative shall cooperate with and comprehensively demonstrate to the competent authorities for data intermediation services, upon request, the actions taken and provisions put in place by the data intermediation services provider to ensure compliance with this Regulation.
The data intermediation services provider shall be deemed to be under the jurisdiction of the Member State in which the legal_representative is located. The designation of a legal_representative by the data intermediation services provider shall be without prejudice to any legal actions which could be initiated against the data intermediation services provider.
4. After having submitted a notification in accordance with paragraph 1, the data intermediation services provider may start the activity subject to the conditions laid down in this Chapter.
5. The notification referred to in paragraph 1 shall entitle the data intermediation services provider to provide data intermediation services in all Member States.
6. The notification referred to in paragraph 1 shall include the following information:
| (a) | the name of the data intermediation services provider; |
| (b) | the data intermediation services provider’s legal status, form, ownership structure, relevant subsidiaries and, where the data intermediation services provider is registered in a trade or other similar public national register, registration number; |
| (c) | the address of the data intermediation services provider’s main_establishment in the Union, if any, and, where applicable, of any secondary branch in another Member State or that of the legal_representative; |
| (d) | a public website where complete and up-to-date information on the data intermediation services provider and the activities can be found, including as a minimum the information referred to in points (a), (b), (c) and (f); |
| (e) | the data intermediation services provider’s contact persons and contact details; |
| (f) | a description of the data intermediation service the data intermediation services provider intends to provide, and an indication of the categories listed in Article 10 under which such data intermediation service falls; |
| (g) | the estimated date for starting the activity, if different from the date of the notification. |
7. The competent authority for data intermediation services shall ensure that the notification procedure is non-discriminatory and does not distort the competition.
8. At the request of the data intermediation services provider, the competent authority for data intermediation services shall, within one week of a duly and fully completed notification, issue a standardised declaration, confirming that the data intermediation services provider has submitted the notification referred to in paragraph 1 and that the notification contains the information referred to in paragraph 6.
9. At the request of the data intermediation services provider, the competent authority for data intermediation services shall confirm that the data intermediation services provider complies with this Article and Article 12. Upon receipt of such a confirmation, that data intermediation services provider may use the label ‘ data intermediation services provider recognised in the Union’ in its written and spoken communication, as well as a common logo.
In order to ensure that data intermediation services providers recognised in the Union are easily identifiable throughout the Union, the Commission shall, by means of implementing acts, establish a design for the common logo. Data intermediation services providers recognised in the Union shall display the common logo clearly on every online and offline publication that relates to their data intermediation activities.
Those implementing acts shall be adopted in accordance with the advisory procedure referred to in Article 33(2).
10. The competent authority for data intermediation services shall notify the Commission of each new notification by electronic means without delay. The Commission shall keep and regularly update a public register of all data intermediation services providers providing their services in the Union. The information referred to in paragraph 6, points (a), (b), (c), (d), (f) and (g), shall be published in the public register.
11. The competent authority for data intermediation services may charge fees for the notification in accordance with national law. Such fees shall be proportionate and objective and be based on the administrative costs related to the monitoring of compliance and other market control activities of the competent authority for data intermediation services in relation to notifications of data intermediation services providers. In the case of SMEs and start-ups, the competent authority for data intermediation services may charge a discounted fee or waive the fee.
12. Data intermediation services providers shall notify the competent authority for data intermediation services of any changes to the information provided pursuant to paragraph 6 within 14 days of the date of the change.
13. Where a data intermediation services provider ceases its activities, it shall notify the relevant competent authority for data intermediation services determined pursuant to paragraphs 1, 2 and 3 within 15 days.
14. The competent authority for data intermediation services shall notify the Commission of each notification referred to in paragraphs 12 and 13 by electronic means without delay. The Commission shall update the public register of the data intermediation services providers in the Union accordingly.
Article 12
Conditions for providing data intermediation services
The provision of data intermediation services referred in Article 10 shall be subject to the following conditions:
| (a) | the data intermediation services provider shall not use the data for which it provides data intermediation services for purposes other than to put them at the disposal of data users and shall provide data intermediation services through a separate legal person; |
| (b) | the commercial terms, including pricing, for the provision of data intermediation services to a data holder or data user shall not be dependent upon whether the data holder or data user uses other services provided by the same data intermediation services provider or by a related entity, and if so to what degree the data holder or data user uses such other services; |
| (c) | the data collected with respect to any activity of a natural or legal person for the purpose of the provision of the data intermediation service, including the date, time and geolocation data, duration of activity and connections to other natural or legal persons established by the person who uses the data intermediation service, shall be used only for the development of that data intermediation service, which may entail the use of data for the detection of fraud or cybersecurity, and shall be made available to the data holders upon request; |
| (d) | the data intermediation services provider shall facilitate the exchange of the data in the format in which it receives it from a data subject or a data holder, shall convert the data into specific formats only to enhance interoperability within and across sectors or if requested by the data user or where mandated by Union law or to ensure harmonisation with international or European data standards and shall offer an opt-out possibility regarding those conversions to data subjects or data holders, unless the conversion is mandated by Union law; |
| (e) | data intermediation services may include offering additional specific tools and services to data holders or data subjects for the specific purpose of facilitating the exchange of data, such as temporary storage, curation, conversion, anonymisation and pseudonymisation, such tools being used only at the explicit request or approval of the data holder or data subject and third-party tools offered in that context not being used for other purposes; |
| (f) | the data intermediation services provider shall ensure that the procedure for access to its service is fair, transparent and non-discriminatory for both data subjects and data holders, as well as for data users, including with regard to prices and terms of service; |
| (g) | the data intermediation services provider shall have procedures in place to prevent fraudulent or abusive practices in relation to parties seeking access through its data intermediation services; |
| (h) | the data intermediation services provider shall, in the event of its insolvency, ensure a reasonable continuity of the provision of its data intermediation services and, where such data intermediation services ensure the storage of data, shall have mechanisms in place to allow data holders and data users to obtain access to, to transfer or to retrieve their data and, where such data intermediation services are provided between data subjects and data users, to allow data subjects to exercise their rights; |
| (i) | the data intermediation services provider shall take appropriate measures to ensure interoperability with other data intermediation services, inter alia, by means of commonly used open standards in the sector in which the data intermediation services provider operates; |
| (j) | the data intermediation services provider shall put in place adequate technical, legal and organisational measures in order to prevent the transfer of or access to non-personal data that is unlawful under Union law or the national law of the relevant Member State; |
| (k) | the data intermediation services provider shall without delay inform data holders in the event of an unauthorised transfer, access or use of the non-personal data that it has shared; |
| (l) | the data intermediation services provider shall take necessary measures to ensure an appropriate level of security for the storage, processing and transmission of non-personal data, and the data intermediation services provider shall further ensure the highest level of security for the storage and transmission of competitively sensitive information; |
| (m) | the data intermediation services provider offering services to data subjects shall act in the data subjects’ best interest where it facilitates the exercise of their rights, in particular by informing and, where appropriate, advising data subjects in a concise, transparent, intelligible and easily accessible manner about intended data uses by data users and standard terms and conditions attached to such uses before data subjects give consent; |
| (n) | where a data intermediation services provider provides tools for obtaining consent from data subjects or permissions to process data made available by data holders, it shall, where relevant, specify the third-country jurisdiction in which the data use is intended to take place and provide data subjects with tools to both give and withdraw consent and data holders with tools to both give and withdraw permissions to process data; |
| (o) | the data intermediation services provider shall maintain a log record of the data intermediation activity. |
Article 20
Transparency requirements
1. A recognised data altruism organisation shall keep full and accurate records concerning:
| (a) | all natural or legal persons that were given the possibility to process data held by that recognised data altruism organisation, and their contact details; |
| (b) | the date or duration of the processing of personal data or use of non-personal data; |
| (c) | the purpose of the processing as declared by the natural or legal person that was given the possibility of processing; |
| (d) | the fees paid by natural or legal persons processing the data, if any. |
2. A recognised data altruism organisation shall draw up and transmit to the relevant competent authority for the registration of data altruism organisations an annual activity report which shall contain at least the following:
| (a) | information on the activities of the recognised data altruism organisation; |
| (b) | a description of the way in which the objectives of general interest for which data was collected have been promoted during the given financial year; |
| (c) | a list of all natural and legal persons that were allowed to process data it holds, including a summary description of the objectives of general interest pursued by such data processing and the description of the technical means used for it, including a description of the techniques used to preserve privacy and data protection; |
| (d) | a summary of the results of the data processing allowed by the recognised data altruism organisation, where applicable; |
| (e) | information on sources of revenue of the recognised data altruism organisation, in particular all revenue from allowing access to the data, and on expenditure. |
Article 26
Requirements relating to competent authorities
1. The competent authorities for data intermediation services and the competent authorities for the registration of data altruism organisations shall be legally distinct from, and functionally independent of, any data intermediation services provider or recognised data altruism organisation. The functions of the competent authorities for data intermediation services and the competent authorities for the registration of data altruism organisations may be carried out by the same authority. Member States may either establish one or more new authorities for those purposes or rely on existing ones.
2. Competent authorities for data intermediation services and competent authorities for the registration of data altruism organisations shall exercise their tasks in an impartial, transparent, consistent, reliable and timely manner. Where they exercise their tasks, they shall safeguard fair competition and non-discrimination.
3. The top-level management and personnel responsible for carrying out the relevant tasks of the competent authorities for data intermediation services and the competent authorities for the registration of data altruism organisations shall not be the designer, manufacturer, supplier, installer, purchaser, owner, user or maintainer of the services which they evaluate, nor the authorised representative of any of those parties. This shall not preclude the use of evaluated services that are necessary for the operations of the competent authority for data intermediation services and the competent authority for the registration of data altruism organisations or the use of such services for personal purposes.
4. The top-level management and personnel of the competent authorities for data intermediation services and the competent authorities for the registration of data altruism organisations shall not engage in any activity that may conflict with their independence of judgment or integrity in relation to evaluation activities assigned to them.
5. The competent authorities for data intermediation services and the competent authorities for the registration of data altruism organisations shall have at their disposal the adequate financial and human resources to carry out the tasks assigned to them, including the necessary technical knowledge and resources.
6. The competent authorities for data intermediation services and the competent authorities for the registration of data altruism organisations of a Member State shall provide the Commission and competent authorities for data intermediation services and the competent authorities for the registration of data altruism organisations from other Member States, on reasoned request and without delay, with the information necessary to carry out their tasks under this Regulation. Where a competent authority for data intermediation services or a competent authority for the registration of data altruism organisations considers the information requested to be confidential in accordance with Union and national law on commercial and professional confidentiality, the Commission and any other competent authorities for data intermediation services or competent authorities for the registration of data altruism organisations concerned shall ensure such confidentiality.
Article 31
International access and transfer
1. The public_sector_body, the natural or legal person to which the right to re-use data was granted under Chapter II, the data intermediation services provider or the recognised data altruism organisation shall take all reasonable technical, legal and organisational measures, including contractual arrangements, in order to prevent international transfer or governmental access to non-personal data held in the Union where such transfer or access would create a conflict with Union law or the national law of the relevant Member State, without prejudice to paragraph 2 or 3.
2. Any decision or judgment of a third-country court or tribunal and any decision of a third-country administrative authority requiring a public_sector_body, a natural or legal person to which the right to re-use data was granted under Chapter II, a data intermediation services provider or recognised data altruism organisation to transfer or give access to non-personal data within the scope of this Regulation held in the Union shall be recognised or enforceable in any manner only if based on an international agreement, such as a mutual legal assistance treaty, in force between the requesting third country and the Union or any such agreement between the requesting third country and a Member State.
3. In the absence of an international agreement as referred to in paragraph 2 of this Article, where a public_sector_body, a natural or legal person to which the right to re-use data was granted under Chapter II, a data intermediation services provider or recognised data altruism organisation is the addressee of a decision or judgment of a third-country court or tribunal or a decision of a third-country administrative authority to transfer or give access to non-personal data within the scope of this Regulation held in the Union and compliance with such a decision would risk putting the addressee in conflict with Union law or with the national law of the relevant Member State, transfer to or access to such data by that third-country authority shall take place only where:
| (a) | the third-country system requires the reasons and proportionality of such a decision or judgment to be set out and requires such a decision or judgment to be specific in character, for instance by establishing a sufficient link to certain suspected persons or infringements; |
| (b) | the reasoned objection of the addressee is subject to a review by a competent third-country court or tribunal; and |
| (c) | the competent third-country court or tribunal issuing the decision or judgment or reviewing the decision of an administrative authority is empowered under the law of that third country to take duly into account the relevant legal interests of the provider of the data protected under Union law or the national law of the relevant Member State. |
4. If the conditions laid down in paragraph 2 or 3 are met, the public_sector_body, the natural or legal person to which the right to re-use data was granted under Chapter II, the data intermediation services provider or the recognised data altruism organisation shall provide the minimum amount of data permissible in response to a request, based on a reasonable interpretation of the request.
5. The public_sector_body, the natural or legal person to which the right to re-use data was granted under Chapter II, the data intermediation services provider and the recognised data altruism organisation shall inform the data holder about the existence of a request of a third-country administrative authority to access its data before complying with that request, except where the request serves law enforcement purposes and for as long as this is necessary to preserve the effectiveness of the law enforcement activity.
CHAPTER VIII
Delegation and committee procedure
Article 36
Amendment to Regulation (EU) 2018/1724
In the table in Annex II to Regulation (EU) 2018/1724, the entry ‘Starting, running and closing a business’ is replaced by the following:
| Life events | Procedures | Expected output subject to an assessment of the application by the competent authority in accordance with national law, where relevant |
| Starting, running and closing a business | Notification of business activity, permission for exercising a business activity, changes of business activity and the termination of a business activity not involving insolvency or liquidation procedures, excluding the initial registration of a business activity with the business register and excluding procedures concerning the constitution of or any subsequent filing by companies or firms within the meaning of the second paragraph of Article 54 TFEU | Confirmation of the receipt of notification or change, or of the request for permission for business activity |
|
| Registration of an employer (a natural person) with compulsory pension and insurance schemes | Confirmation of registration or social security registration number |
| Registration of employees with compulsory pension and insurance schemes | Confirmation of registration or social security registration number | |
| Submitting a corporate tax declaration | Confirmation of the receipt of the declaration | |
| Notification to the social security schemes of the end of contract with an employee, excluding procedures for the collective termination of employee contracts | Confirmation of the receipt of the notification | |
| Payment of social contributions for employees | Receipt or other form of confirmation of payment of social contributions for employees | |
| Notification of a data intermediation services provider | Confirmation of the receipt of notification | |
| Registration as a data altruism organisation recognised in the Union | Confirmation of the registration |
whereas