keyboard_tab Digital Governance Act 2022/0868 EN
BG CS DA DE EL EN ES ET FI FR GA HR HU IT LV LT MT NL PL PT RO SK SL SV print pdf
- 3 Art. 4 Prohibition of exclusive arrangements
- 1 Art. 12 Conditions for providing data intermediation services
- 1 Art. 20 Transparency requirements
- 1 Art. 34 Penalties
CHAPTER I
General provisions
CHAPTER II
Re-use of certain categories of protected data held by public sector bodies
CHAPTER III
Requirements applicable to data intermediation services
CHAPTER IV
Data altruism
CHAPTER V
Competent authorities and procedural provisions
CHAPTER VI
European Data Innovation Board
CHAPTER VII
International access and transfer
CHAPTER VIII
Delegation and committee procedure
CHAPTER IX
Final and transitional provisions
- data
- re-use
- personal data
- non-personal data
- consent
- permission
- data subject
- data holder
- data user
- data sharing
- data intermediation service
- processing
- access
- main establishment
- services of data cooperatives
- data altruism
- public sector body
- bodies governed by public law
- public undertaking
- secure processing environment
- legal representative
- data 117
- shall 37
- services 36
- intermediation 36
- provider 18
- which 12
- altruism 12
- such 11
- recognised 11
- article 10
- subjects 10
- organisation 10
- ensure 8
- legal 8
- exclusive 8
- holders 8
- processing 7
- access 6
- service 6
- right 6
- used 6
- natural 6
- tools 6
- duration 6
- including 6
- take 6
- penalties 5
- measures 5
- conditions 5
- provision 5
- pursuant 5
- referred 5
- non-personal 5
- uses 5
- applicable 5
- union 5
- holder 5
- users 5
- practices 4
- user 4
- activity 4
- process 4
- persons 4
- person 4
- re-use 4
- interest 4
- necessary 4
- relevant 4
- description 4
- from 4
Article 4
Prohibition of exclusive arrangements
1. Agreements or other practices pertaining to the re-use of data held by public sector bodies containing categories of data referred to in Article 3(1) which grant exclusive rights or which have as their objective or effect to grant such exclusive rights or to restrict the availability of data for re-use by entities other than the parties to such agreements or other practices shall be prohibited.
2. By way of derogation from paragraph 1, an exclusive right to re-use data referred to in that paragraph may be granted to the extent necessary for the provision of a service or the supply of a product in the general interest that would not otherwise be possible.
3. An exclusive right as referred to in paragraph 2 shall be granted through an administrative act or contractual arrangement in accordance with applicable Union or national law and in compliance with the principles of transparency, equal treatment and non-discrimination.
4. The duration of an exclusive right to re-use data shall not exceed 12 months. Where a contract is concluded, the duration of the contract shall be the same as the duration of the exclusive right.
5. The grant of an exclusive right pursuant to paragraphs 2, 3 and 4, including the reasons as to why it is necessary to grant such a right, shall be transparent and be made publicly available online, in a form that complies with relevant Union law on public procurement.
6. Agreements or other practices falling within the scope of the prohibition referred to in paragraph 1 which do not meet the conditions laid down in paragraphs 2 and 3 and which were concluded before 23 June 2022 shall be terminated at the end of the applicable contract and in any event by 24 December 2024.
Article 12
Conditions for providing data intermediation services
The provision of data intermediation services referred in Article 10 shall be subject to the following conditions:
| (a) | the data intermediation services provider shall not use the data for which it provides data intermediation services for purposes other than to put them at the disposal of data users and shall provide data intermediation services through a separate legal person; |
| (b) | the commercial terms, including pricing, for the provision of data intermediation services to a data holder or data user shall not be dependent upon whether the data holder or data user uses other services provided by the same data intermediation services provider or by a related entity, and if so to what degree the data holder or data user uses such other services; |
| (c) | the data collected with respect to any activity of a natural or legal person for the purpose of the provision of the data intermediation service, including the date, time and geolocation data, duration of activity and connections to other natural or legal persons established by the person who uses the data intermediation service, shall be used only for the development of that data intermediation service, which may entail the use of data for the detection of fraud or cybersecurity, and shall be made available to the data holders upon request; |
| (d) | the data intermediation services provider shall facilitate the exchange of the data in the format in which it receives it from a data subject or a data holder, shall convert the data into specific formats only to enhance interoperability within and across sectors or if requested by the data user or where mandated by Union law or to ensure harmonisation with international or European data standards and shall offer an opt-out possibility regarding those conversions to data subjects or data holders, unless the conversion is mandated by Union law; |
| (e) | data intermediation services may include offering additional specific tools and services to data holders or data subjects for the specific purpose of facilitating the exchange of data, such as temporary storage, curation, conversion, anonymisation and pseudonymisation, such tools being used only at the explicit request or approval of the data holder or data subject and third-party tools offered in that context not being used for other purposes; |
| (f) | the data intermediation services provider shall ensure that the procedure for access to its service is fair, transparent and non-discriminatory for both data subjects and data holders, as well as for data users, including with regard to prices and terms of service; |
| (g) | the data intermediation services provider shall have procedures in place to prevent fraudulent or abusive practices in relation to parties seeking access through its data intermediation services; |
| (h) | the data intermediation services provider shall, in the event of its insolvency, ensure a reasonable continuity of the provision of its data intermediation services and, where such data intermediation services ensure the storage of data, shall have mechanisms in place to allow data holders and data users to obtain access to, to transfer or to retrieve their data and, where such data intermediation services are provided between data subjects and data users, to allow data subjects to exercise their rights; |
| (i) | the data intermediation services provider shall take appropriate measures to ensure interoperability with other data intermediation services, inter alia, by means of commonly used open standards in the sector in which the data intermediation services provider operates; |
| (j) | the data intermediation services provider shall put in place adequate technical, legal and organisational measures in order to prevent the transfer of or access to non-personal data that is unlawful under Union law or the national law of the relevant Member State; |
| (k) | the data intermediation services provider shall without delay inform data holders in the event of an unauthorised transfer, access or use of the non-personal data that it has shared; |
| (l) | the data intermediation services provider shall take necessary measures to ensure an appropriate level of security for the storage, processing and transmission of non-personal data, and the data intermediation services provider shall further ensure the highest level of security for the storage and transmission of competitively sensitive information; |
| (m) | the data intermediation services provider offering services to data subjects shall act in the data subjects’ best interest where it facilitates the exercise of their rights, in particular by informing and, where appropriate, advising data subjects in a concise, transparent, intelligible and easily accessible manner about intended data uses by data users and standard terms and conditions attached to such uses before data subjects give consent; |
| (n) | where a data intermediation services provider provides tools for obtaining consent from data subjects or permissions to process data made available by data holders, it shall, where relevant, specify the third-country jurisdiction in which the data use is intended to take place and provide data subjects with tools to both give and withdraw consent and data holders with tools to both give and withdraw permissions to process data; |
| (o) | the data intermediation services provider shall maintain a log record of the data intermediation activity. |
Article 20
Transparency requirements
1. A recognised data altruism organisation shall keep full and accurate records concerning:
| (a) | all natural or legal persons that were given the possibility to process data held by that recognised data altruism organisation, and their contact details; |
| (b) | the date or duration of the processing of personal data or use of non-personal data; |
| (c) | the purpose of the processing as declared by the natural or legal person that was given the possibility of processing; |
| (d) | the fees paid by natural or legal persons processing the data, if any. |
2. A recognised data altruism organisation shall draw up and transmit to the relevant competent authority for the registration of data altruism organisations an annual activity report which shall contain at least the following:
| (a) | information on the activities of the recognised data altruism organisation; |
| (b) | a description of the way in which the objectives of general interest for which data was collected have been promoted during the given financial year; |
| (c) | a list of all natural and legal persons that were allowed to process data it holds, including a summary description of the objectives of general interest pursued by such data processing and the description of the technical means used for it, including a description of the techniques used to preserve privacy and data protection; |
| (d) | a summary of the results of the data processing allowed by the recognised data altruism organisation, where applicable; |
| (e) | information on sources of revenue of the recognised data altruism organisation, in particular all revenue from allowing access to the data, and on expenditure. |
Article 34
Penalties
1. Member States shall lay down the rules on penalties applicable to infringements of the obligations regarding transfers of non-personal data to third countries pursuant to Article 5(14) and Article 31, the notification obligation of data intermediation services providers pursuant to Article 11, the conditions for providing data intermediation services pursuant to Article 12 and the conditions for the registration as a recognised data altruism organisation pursuant to Articles 18, 20, 21 and 22, and shall take all measures necessary to ensure that they are implemented. The penalties provided for shall be effective, proportionate and dissuasive. In their rules on penalties, Member States shall take into account the recommendations of the European Data Innovation Board. Member States shall, by 24 September 2023, notify the Commission of those rules and of those measures and shall notify it, without delay, of any subsequent amendment affecting them.
2. Member States shall take into account the following non-exhaustive and indicative criteria for the imposition of penalties on data intermediation services providers and recognised data altruism organisations for infringements of this Regulation, where appropriate:
| (a) | the nature, gravity, scale and duration of the infringement; |
| (b) | any action taken by the data intermediation services provider or recognised data altruism organisation to mitigate or remedy the damage caused by the infringement; |
| (c) | any previous infringements by the data intermediation services provider or recognised data altruism organisation; |
| (d) | the financial benefits gained or losses avoided by the data intermediation services provider or recognised data altruism organisation due to the infringement, insofar as such benefits or losses can be reliably established; |
| (e) | any other aggravating or mitigating factors applicable to the circumstances of the case. |
whereas