Digital Governance Act 2022/0868 EN

(1)	‘ data’ means any digital representation of acts, facts or information and any compilation of such acts, facts or information, including in the form of sound, visual or audiovisual recording;

(2)

‘ re-use’ means the use by natural or legal persons of data held by public sector bodies, for commercial or non-commercial purposes other than the initial purpose within the public task for which the data were produced, except for the exchange of data between public sector bodies purely in pursuit of their public tasks;

(3)	‘personal data’ means personal data as defined in Article 4, point (1), of Regulation (EU) 2016/679;

(4)	‘non-personal data’ means data other than personal data;

(5)	‘ consent’ means consent as defined in Article 4, point (11), of Regulation (EU) 2016/679;

(6)	‘ permission’ means giving data users the right to the processing of non-personal data;

(7)	‘ data subject’ means data subject as referred to in Article 4, point (1), of Regulation (EU) 2016/679;

(8)

‘ data holder’ means a legal person, including public sector bodies and international organisations, or a natural person who is not a data subject with respect to the specific data in question, which, in accordance with applicable Union or national law, has the right to grant access to or to share certain personal data or non-personal data;

(9)	‘ data user’ means a natural or legal person who has lawful access to certain personal or non-personal data and has the right, including under Regulation (EU) 2016/679 in the case of personal data, to use that data for commercial or non-commercial purposes;

(10)

‘ data sharing’ means the provision of data by a data subject or a data holder to a data user for the purpose of the joint or individual use of such data, based on voluntary agreements or Union or national law, directly or through an intermediary, for example under open or commercial licences subject to a fee or free of charge;

(11)

‘ data intermediation service’ means a service which aims to establish commercial relationships for the purposes of data sharing between an undetermined number of data subjects and data holders on the one hand and data users on the other, through technical, legal or other means, including for the purpose of exercising the rights of data subjects in relation to personal data, excluding at least the following:

(a)	services that obtain data from data holders and aggregate, enrich or transform the data for the purpose of adding substantial value to it and license the use of the resulting data to data users, without establishing a commercial relationship between data holders and data users;

(b)	services that focus on the intermediation of copyright-protected content;

(c)

services that are exclusively used by one data holder in order to enable the use of the data held by that data holder, or that are used by multiple legal persons in a closed group, including supplier or customer relationships or collaborations established by contract, in particular those that have as a main objective to ensure the functionalities of objects and devices connected to the Internet of Things;

(d)	data sharing services offered by public sector bodies that do not aim to establish commercial relationships;

(12)	‘ processing’ means processing as defined in Article 4, point (2), of Regulation (EU) 2016/679 with regard to personal data or Article 3, point (2), of Regulation (EU) 2018/1807 with regard to non-personal data;

(13)	‘ access’ means data use, in accordance with specific technical, legal or organisational requirements, without necessarily implying the transmission or downloading of data;

(14)	‘ main_establishment’ of a legal person means the place of its central administration in the Union;

(15)

‘services of data cooperatives’ means data intermediation services offered by an organisational structure constituted by data subjects, one-person undertakings or SMEs who are members of that structure, having as its main objectives to support its members in the exercise of their rights with respect to certain data, including with regard to making informed choices before they consent to data processing, to exchange views on data processing purposes and conditions that would best represent the interests of its members in relation to their data, and to negotiate terms and conditions for data processing on behalf of its members before giving permission to the processing of non-personal data or before they consent to the processing of personal data;

(16)

‘ data altruism’ means the voluntary sharing of data on the basis of the consent of data subjects to process personal data pertaining to them, or permissions of data holders to allow the use of their non-personal data without seeking or receiving a reward that goes beyond compensation related to the costs that they incur where they make their data available for objectives of general interest as provided for in national law, where applicable, such as healthcare, combating climate change, improving mobility, facilitating the development, production and dissemination of official statistics, improving the provision of public services, public policy making or scientific research purposes in the general interest;

(17)	‘ public_sector_body’ means the State, regional or local authorities, bodies_governed_by_public_law or associations formed by one or more such authorities, or one or more such bodies_governed_by_public_law;

(18)

‘ bodies_governed_by_public_law’ means bodies that have the following characteristics:

(a)	they are established for the specific purpose of meeting needs in the general interest, and do not have an industrial or commercial character;

(b)	they have legal personality;

(c)

they are financed, for the most part, by the State, regional or local authorities, or other bodies_governed_by_public_law, are subject to management supervision by those authorities or bodies, or have an administrative, managerial or supervisory board, more than half of whose members are appointed by the State, regional or local authorities, or by other bodies_governed_by_public_law;

(19)

‘ public_undertaking’ means any undertaking over which the public sector bodies may exercise directly or indirectly a dominant influence by virtue of their ownership of it, their financial participation therein, or the rules which govern it; for the purposes of this definition, a dominant influence on the part of the public sector bodies shall be presumed in any of the following cases in which those bodies, directly or indirectly:

(a)	hold the majority of the undertaking’s subscribed capital;

(b)	control the majority of the votes attaching to shares issued by the undertaking;

(c)	can appoint more than half of the undertaking’s administrative, management or supervisory body;

(20)

‘secure processing environment’ means the physical or virtual environment and organisational means to ensure compliance with Union law, such as Regulation (EU) 2016/679, in particular with regard to data subjects’ rights, intellectual property rights, and commercial and statistical confidentiality, integrity and accessibility, as well as with applicable national law, and to allow the entity providing the secure processing environment to determine and supervise all data processing actions, including the display, storage, download and export of data and the calculation of derivative data through computational algorithms;

(21)

‘ legal_representative’ means a natural or legal person established in the Union explicitly designated to act on behalf of a data intermediation services provider or an entity that collects data for objectives of general interest made available by natural or legal persons on the basis of data altruism not established in the Union, which may be addressed by the competent authorities for data intermediation services and the competent authorities for the registration of data altruism organisations in addition to or instead of the data intermediation services provider or entity with regard to the obligations under this Regulation, including with regard to initiating enforcement proceedings against a non-compliant data intermediation services provider or entity not established in the Union.

CHAPTER II

Re-use of certain categories of protected data held by public sector bodies

Article 6

Fees

1. Public sector bodies which allow re-use of the categories of data referred to in Article 3(1) may charge fees for allowing the re-use of such data.

2. Any fees charged pursuant to paragraph 1 shall be transparent, non-discriminatory, proportionate and objectively justified and shall not restrict competition.

3. Public sector bodies shall ensure that any fees can also be paid online through widely available cross-border payment services, without discrimination based on the place of establishment of the payment service provider, the place of issue of the payment instrument or the location of the payment account within the Union.

4. Where public sector bodies charge fees, they shall take measures to provide incentives for the re-use of the categories of data referred to in Article 3(1) for non-commercial purposes, such as scientific research purposes, and by SMEs and start-ups in accordance with State aid rules. In that regard, public sector bodies may also make the data available at a discounted fee or free of charge, in particular to SMEs and start-ups, civil society and educational establishments. To that end, public sector bodies may establish a list of categories of re-users to which data for re-use is made available at a discounted fee or free of charge. That list, together with the criteria used to establish it, shall be made public.

5. Any fees shall be derived from the costs related to conducting the procedure for requests for the re-use of the categories of data referred to in Article 3(1) and limited to the necessary costs in relation to:

(a)	the reproduction, provision and dissemination of data;

(b)	the clearance of rights;

(c)	anonymisation or other forms of preparation of personal data and commercially confidential data as provided for in Article 5(3);

(d)	the maintenance of the secure processing environment;

(e)	the acquisition of the right to allow re-use in accordance with this Chapter by third parties outside the public sector; and

(f)	assisting re-users in seeking consent from data subjects and permission from data holders whose rights and interests may be affected by such re-use.

6. The criteria and methodology for calculating fees shall be laid down by the Member States and published. The public_sector_body shall publish a description of the main categories of costs and the rules used for the allocation of costs.

Article 11

Notification by data intermediation services providers

1. Any data intermediation services provider who intends to provide the data intermediation services referred to in Article 10 shall submit a notification to the competent authority for data intermediation services.

2. For the purposes of this Regulation, a data intermediation services provider with establishments in more than one Member State shall be deemed to be under the jurisdiction of the Member State in which it has its main_establishment, without prejudice to Union law regulating cross-border actions for damages and related proceedings.

3. A data intermediation services provider that is not established in the Union, but which offers the data intermediation services referred to in Article 10 within the Union, shall designate a legal_representative in one of the Member States in which those services are offered.

For the purpose of ensuring compliance with this Regulation, the legal_representative shall be mandated by the data intermediation services provider to be addressed in addition to or instead of it by competent authorities for data intermediation services or data subjects and data holders, with regard to all issues related to the data intermediation services provided. The legal_representative shall cooperate with and comprehensively demonstrate to the competent authorities for data intermediation services, upon request, the actions taken and provisions put in place by the data intermediation services provider to ensure compliance with this Regulation.

The data intermediation services provider shall be deemed to be under the jurisdiction of the Member State in which the legal_representative is located. The designation of a legal_representative by the data intermediation services provider shall be without prejudice to any legal actions which could be initiated against the data intermediation services provider.

4. After having submitted a notification in accordance with paragraph 1, the data intermediation services provider may start the activity subject to the conditions laid down in this Chapter.

5. The notification referred to in paragraph 1 shall entitle the data intermediation services provider to provide data intermediation services in all Member States.

6. The notification referred to in paragraph 1 shall include the following information:

(a)	the name of the data intermediation services provider;

(b)	the data intermediation services provider’s legal status, form, ownership structure, relevant subsidiaries and, where the data intermediation services provider is registered in a trade or other similar public national register, registration number;

(c)	the address of the data intermediation services provider’s main_establishment in the Union, if any, and, where applicable, of any secondary branch in another Member State or that of the legal_representative;

(d)	a public website where complete and up-to-date information on the data intermediation services provider and the activities can be found, including as a minimum the information referred to in points (a), (b), (c) and (f);

(e)	the data intermediation services provider’s contact persons and contact details;

(f)	a description of the data intermediation service the data intermediation services provider intends to provide, and an indication of the categories listed in Article 10 under which such data intermediation service falls;

(g)	the estimated date for starting the activity, if different from the date of the notification.

7. The competent authority for data intermediation services shall ensure that the notification procedure is non-discriminatory and does not distort the competition.

8. At the request of the data intermediation services provider, the competent authority for data intermediation services shall, within one week of a duly and fully completed notification, issue a standardised declaration, confirming that the data intermediation services provider has submitted the notification referred to in paragraph 1 and that the notification contains the information referred to in paragraph 6.

9. At the request of the data intermediation services provider, the competent authority for data intermediation services shall confirm that the data intermediation services provider complies with this Article and Article 12. Upon receipt of such a confirmation, that data intermediation services provider may use the label ‘ data intermediation services provider recognised in the Union’ in its written and spoken communication, as well as a common logo.

In order to ensure that data intermediation services providers recognised in the Union are easily identifiable throughout the Union, the Commission shall, by means of implementing acts, establish a design for the common logo. Data intermediation services providers recognised in the Union shall display the common logo clearly on every online and offline publication that relates to their data intermediation activities.

Those implementing acts shall be adopted in accordance with the advisory procedure referred to in Article 33(2).

10. The competent authority for data intermediation services shall notify the Commission of each new notification by electronic means without delay. The Commission shall keep and regularly update a public register of all data intermediation services providers providing their services in the Union. The information referred to in paragraph 6, points (a), (b), (c), (d), (f) and (g), shall be published in the public register.

11. The competent authority for data intermediation services may charge fees for the notification in accordance with national law. Such fees shall be proportionate and objective and be based on the administrative costs related to the monitoring of compliance and other market control activities of the competent authority for data intermediation services in relation to notifications of data intermediation services providers. In the case of SMEs and start-ups, the competent authority for data intermediation services may charge a discounted fee or waive the fee.

12. Data intermediation services providers shall notify the competent authority for data intermediation services of any changes to the information provided pursuant to paragraph 6 within 14 days of the date of the change.

13. Where a data intermediation services provider ceases its activities, it shall notify the relevant competent authority for data intermediation services determined pursuant to paragraphs 1, 2 and 3 within 15 days.

14. The competent authority for data intermediation services shall notify the Commission of each notification referred to in paragraphs 12 and 13 by electronic means without delay. The Commission shall update the public register of the data intermediation services providers in the Union accordingly.

Article 12

Conditions for providing data intermediation services

The provision of data intermediation services referred in Article 10 shall be subject to the following conditions:

(a)	the data intermediation services provider shall not use the data for which it provides data intermediation services for purposes other than to put them at the disposal of data users and shall provide data intermediation services through a separate legal person;

(b)

the commercial terms, including pricing, for the provision of data intermediation services to a data holder or data user shall not be dependent upon whether the data holder or data user uses other services provided by the same data intermediation services provider or by a related entity, and if so to what degree the data holder or data user uses such other services;

(c)

the data collected with respect to any activity of a natural or legal person for the purpose of the provision of the data intermediation service, including the date, time and geolocation data, duration of activity and connections to other natural or legal persons established by the person who uses the data intermediation service, shall be used only for the development of that data intermediation service, which may entail the use of data for the detection of fraud or cybersecurity, and shall be made available to the data holders upon request;

(d)

the data intermediation services provider shall facilitate the exchange of the data in the format in which it receives it from a data subject or a data holder, shall convert the data into specific formats only to enhance interoperability within and across sectors or if requested by the data user or where mandated by Union law or to ensure harmonisation with international or European data standards and shall offer an opt-out possibility regarding those conversions to data subjects or data holders, unless the conversion is mandated by Union law;

(e)

data intermediation services may include offering additional specific tools and services to data holders or data subjects for the specific purpose of facilitating the exchange of data, such as temporary storage, curation, conversion, anonymisation and pseudonymisation, such tools being used only at the explicit request or approval of the data holder or data subject and third-party tools offered in that context not being used for other purposes;

(f)	the data intermediation services provider shall ensure that the procedure for access to its service is fair, transparent and non-discriminatory for both data subjects and data holders, as well as for data users, including with regard to prices and terms of service;

(g)	the data intermediation services provider shall have procedures in place to prevent fraudulent or abusive practices in relation to parties seeking access through its data intermediation services;

(h)

the data intermediation services provider shall, in the event of its insolvency, ensure a reasonable continuity of the provision of its data intermediation services and, where such data intermediation services ensure the storage of data, shall have mechanisms in place to allow data holders and data users to obtain access to, to transfer or to retrieve their data and, where such data intermediation services are provided between data subjects and data users, to allow data subjects to exercise their rights;

(i)	the data intermediation services provider shall take appropriate measures to ensure interoperability with other data intermediation services, inter alia, by means of commonly used open standards in the sector in which the data intermediation services provider operates;

(j)	the data intermediation services provider shall put in place adequate technical, legal and organisational measures in order to prevent the transfer of or access to non-personal data that is unlawful under Union law or the national law of the relevant Member State;

(k)	the data intermediation services provider shall without delay inform data holders in the event of an unauthorised transfer, access or use of the non-personal data that it has shared;

(l)

the data intermediation services provider shall take necessary measures to ensure an appropriate level of security for the storage, processing and transmission of non-personal data, and the data intermediation services provider shall further ensure the highest level of security for the storage and transmission of competitively sensitive information;

(m)

the data intermediation services provider offering services to data subjects shall act in the data subjects’ best interest where it facilitates the exercise of their rights, in particular by informing and, where appropriate, advising data subjects in a concise, transparent, intelligible and easily accessible manner about intended data uses by data users and standard terms and conditions attached to such uses before data subjects give consent;

(n)

where a data intermediation services provider provides tools for obtaining consent from data subjects or permissions to process data made available by data holders, it shall, where relevant, specify the third-country jurisdiction in which the data use is intended to take place and provide data subjects with tools to both give and withdraw consent and data holders with tools to both give and withdraw permissions to process data;

(o)	the data intermediation services provider shall maintain a log record of the data intermediation activity.

Article 13

Competent authorities for data intermediation services

1. Each Member State shall designate one or more competent authorities to carry out the tasks related to the notification procedure for data intermediation services and shall notify the Commission of the identity of those competent authorities by 24 September 2023. Each Member State shall also notify the Commission of any subsequent change to the identity of those competent authorities.

2. The competent authorities for data intermediation services shall comply with the requirements set out in Article 26.

3. The powers of the competent authorities for data intermediation services are without prejudice to the powers of the data protection authorities, national competition authorities, authorities in charge of cybersecurity and other relevant sectoral authorities. In accordance with their respective competences under Union and national law, those authorities shall establish strong cooperation and exchange information as is necessary for the exercise of their tasks in relation to data intermediation services providers, and shall aim to achieve consistency in the decisions taken in applying this Regulation.

Article 15

Exceptions

This Chapter shall not apply to recognised data altruism organisations or other not-for-profit entities insofar as their activities consist of seeking to collect data for objectives of general interest, made available by natural or legal persons on the basis of data altruism, unless those organisations and entities aim to establish commercial relationships between an undetermined number of data subjects and data holders on the one hand and data users on the other.

CHAPTER IV

Data altruism

Article 26

Requirements relating to competent authorities

1. The competent authorities for data intermediation services and the competent authorities for the registration of data altruism organisations shall be legally distinct from, and functionally independent of, any data intermediation services provider or recognised data altruism organisation. The functions of the competent authorities for data intermediation services and the competent authorities for the registration of data altruism organisations may be carried out by the same authority. Member States may either establish one or more new authorities for those purposes or rely on existing ones.

2. Competent authorities for data intermediation services and competent authorities for the registration of data altruism organisations shall exercise their tasks in an impartial, transparent, consistent, reliable and timely manner. Where they exercise their tasks, they shall safeguard fair competition and non-discrimination.

3. The top-level management and personnel responsible for carrying out the relevant tasks of the competent authorities for data intermediation services and the competent authorities for the registration of data altruism organisations shall not be the designer, manufacturer, supplier, installer, purchaser, owner, user or maintainer of the services which they evaluate, nor the authorised representative of any of those parties. This shall not preclude the use of evaluated services that are necessary for the operations of the competent authority for data intermediation services and the competent authority for the registration of data altruism organisations or the use of such services for personal purposes.

4. The top-level management and personnel of the competent authorities for data intermediation services and the competent authorities for the registration of data altruism organisations shall not engage in any activity that may conflict with their independence of judgment or integrity in relation to evaluation activities assigned to them.

5. The competent authorities for data intermediation services and the competent authorities for the registration of data altruism organisations shall have at their disposal the adequate financial and human resources to carry out the tasks assigned to them, including the necessary technical knowledge and resources.

6. The competent authorities for data intermediation services and the competent authorities for the registration of data altruism organisations of a Member State shall provide the Commission and competent authorities for data intermediation services and the competent authorities for the registration of data altruism organisations from other Member States, on reasoned request and without delay, with the information necessary to carry out their tasks under this Regulation. Where a competent authority for data intermediation services or a competent authority for the registration of data altruism organisations considers the information requested to be confidential in accordance with Union and national law on commercial and professional confidentiality, the Commission and any other competent authorities for data intermediation services or competent authorities for the registration of data altruism organisations concerned shall ensure such confidentiality.

Article 27

Right to lodge a complaint

1. Natural and legal persons shall have the right to lodge a complaint in relation to any matter falling within the scope of this Regulation, individually or, where relevant, collectively, with the relevant competent authority for data intermediation services against a data intermediation services provider or with the relevant competent authority for the registration of data altruism organisations against a recognised data altruism organisation.

2. The competent authority for data intermediation services or the competent authority for the registration of data altruism organisations with which the complaint has been lodged shall inform the complainant of:

(a)	the progress of the proceedings and of the decision taken; and

(b)	the judicial remedies provided for in Article 28.

whereas

keyboard_tab Digital Governance Act 2022/0868 EN

Digital Governance Act 2022/0868 EN