Chapter I – General provisions (Art. 1-2)
Art. 1 DGA - Subject matter and scope arrow_right_alt
- This Regulation lays down:
- conditions for the re-use, within the Union, of certain categories of data held by public sector bodies;
- a notification and supervisory framework for the provision of data intermediation services;
- a framework for voluntary registration of entities which collect and process data made available for altruistic purposes; and
- a framework for the establishment of a European Data Innovation Board.
- This Regulation does not create any obligation on public sector bodies to allow the re-use of data, nor does it release public sector bodies from their confidentiality obligations under Union or national law.
This Regulation is without prejudice to:
-
- specific provisions in Union or national law regarding the access to or re-use of certain categories of data, in particular with regard to the granting of access to and disclosure of official documents; and
- the obligations of public sector bodies under Union or national law to allow the re-use of data or to requirements related to processing of non-personal data.
Where sector-specific Union or national law requires public sector bodies, data intermediation services providers or recognised data altruism organisations to comply with specific additional technical, administrative or organisational requirements, including through an authorisation or certification regime, those provisions of that sector-specific Union or national law shall also apply. Any such specific additional requirements shall be non-discriminatory, proportionate and objectively justified.
- Union and national law on the protection of personal data shall apply to any personal data processed in connection with this Regulation. In particular, this Regulation is without prejudice to Regulations (EU) 2016/679 and (EU) 2018/1725 and Directives 2002/58/EC and (EU) 2016/680, including with regard to the powers and competences of supervisory authorities. In the event of a conflict between this Regulation and Union law on the protection of personal data or national law adopted in accordance with such Union law, the relevant Union or national law on the protection of personal data shall prevail. This Regulation does not create a legal basis for the processing of personal data, nor does it affect any of the rights and obligations set out in Regulations (EU) 2016/679 or (EU) 2018/1725 or Directives 2002/58/EC or (EU) 2016/680.
- This Regulation is without prejudice to the application of competition law.
- This Regulation is without prejudice to the competences of the Member States with regard to their activities concerning public security, defence and national security.
- 1
- 2
- 3
- 4
- 5
- 6
- 7
- 8
- 9
- 10
- 11
- 12
- 13
- 14
Recital 1
The Treaty on the Functioning of the European Union (TFEU) provides for the establishment of an internal market and the institution of a system ensuring that competition in the internal market is not distorted. The establishment of common rules and practices in the Member States relating to the development of a framework for data governance should contribute to the achievement of those objectives, while fully respecting fundamental rights. It should also guarantee the strengthening of the open strategic autonomy of the Union while fostering international free flow of data.
Recital 2
Over the last decade, digital technologies have transformed the economy and society, affecting all sectors of activity and daily life. Data is at the centre of that transformation: data-driven innovation will bring enormous benefits to both Union citizens and the economy, for example by improving and personalising medicine, providing new mobility, and contributing to the communication of the Commission of 11 December 2019 on the European Green Deal. In order to make the data-driven economy inclusive for all Union citizens, particular attention must be paid to reducing the digital divide, boosting the participation of women in the data economy and fostering cutting-edge European expertise in the technology sector. The data economy has to be built in a way that enables undertakings, in particular micro, small and medium-sized enterprises (SMEs), as defined in the Annex to Commission Recommendation 2003/361/EC (1), and start-ups to thrive, ensuring data access neutrality and data portability and interoperability, and avoiding lock-in effects. In its communication of 19 February 2020 on a European strategy for data (the ‘European strategy for data’), the Commission described the vision of a common European data space, meaning an internal market for data in which data could be used irrespective of its physical storage location in the Union in compliance with applicable law, which, inter alia, could be pivotal for the rapid development of artificial intelligence technologies.
The Commission also called for the free and safe flow of data with third countries, subject to exceptions and restrictions for public security, public order and other legitimate public policy objectives of the Union, in line with international obligations, including on fundamental rights. In order to turn that vision into reality, the Commission proposed establishing domain-specific common European data spaces for data sharing and data pooling. As proposed in the European strategy for data, such common European data spaces could cover areas such as health, mobility, manufacturing, financial services, energy or agriculture, or a combination of such areas, for example energy and climate, as well as thematic areas such as the European Green Deal or European data spaces for public administration or skills. Common European data spaces should make data findable, accessible, interoperable and re-usable (the ‘FAIR data principles’), while ensuring a high level of cybersecurity. Where there is a level playing field in the data economy, undertakings compete on quality of services, and not on the amount of data they control. For the purposes of the design, creation and maintenance of the level playing field in the data economy, sound governance is needed in which relevant stakeholders of a common European data space need to participate and be represented.
(1) Commission Recommendation 2003/361/EC of 6 May 2003 concerning the definition of micro, small and medium-sized enterprises (OJ L 124, 20.5.2003, p. 36).
Recital 3
It is necessary to improve the conditions for data sharing in the internal market, by creating a harmonised framework for data exchanges and laying down certain basic requirements for data governance, paying specific attention to facilitating cooperation between Member States. This Regulation should aim to develop further the borderless digital internal market and a human-centric, trustworthy and secure data society and economy. Sector-specific Union law can develop, adapt and propose new and complementary elements, depending on the specificities of the sector, such as the Union law envisaged on the European health data space and on access to vehicle data. Moreover, certain sectors of the economy are already regulated by sector-specific Union law, which includes rules relating to the sharing of or access to data across borders or across the Union, for example Directive 2011/24/EU of the European Parliament and of the Council (1) in the context of the European health data space, and relevant legislative acts in the field of transport, such as Regulations (EU) 2019/1239 (2) and (EU) 2020/1056 (3) and Directive 2010/40/EU (4) of the European Parliament and of the Council in the context of the European mobility data space.
This Regulation should therefore be without prejudice to Regulations (EC) No 223/2009 (5), (EU) 2018/858 (6) and (EU) 2018/1807 (7) as well as Directives 2000/31/EC (8), 2001/29/EC (9), 2004/48/EC (10), 2007/2/EC (11), 2010/40/EU, (EU) 2015/849 (12), (EU) 2016/943 (13), (EU) 2017/1132 (14), (EU) 2019/790 (15) and (EU) 2019/1024 (16) of the European Parliament and of the Council and any other sector-specific Union law that regulates access to and re-use of data. This Regulation should be without prejudice to Union and national law on the access to and use of data for the purpose of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, as well as international cooperation in that context.
This Regulation should be without prejudice to the competences of the Member States with regard to their activities concerning public security, defence and national security. The re-use of data protected for such reasons and held by public sector bodies, including data from procurement procedures falling within the scope of Directive 2009/81/EC of the European Parliament and of the Council (17), should not be covered by this Regulation. A horizontal regime for the re-use of certain categories of protected data held by public sector bodies, the provision of data intermediation services and of services based on data altruism in the Union should be established. Specific characteristics of different sectors may require the design of sectoral data-based systems, while building on the requirements of this Regulation. Data intermediation services providers that meet the requirements laid down in this Regulation should be able to use the label ‘data intermediation services provider recognised in the Union’. Legal persons that seek to support objectives of general interest by making available relevant data based on data altruism at scale and that meet the requirements laid down in this Regulation should be able to register as and use the label ‘data altruism organisation recognised in the Union’. Where sector-specific Union or national law requires public sector bodies, such data intermediation services providers or such legal persons (recognised data altruism organisations) to comply with specific additional technical, administrative or organisational requirements, including through an authorisation or certification regime, those provisions of that sector-specific Union or national law should also apply.
(1) Directive 2011/24/EU of the European Parliament and of the Council of 9 March 2011 on the application of patients’ rights in cross-border healthcare (OJ L 88, 4.4.2011, p. 45).
(2) Regulation (EU) 2019/1239 of the European Parliament and of the Council of 20 June 2019 establishing a European Maritime Single Window environment and repealing Directive 2010/65/EU (OJ L 198, 25.7.2019, p. 64).
(3) Regulation (EU) 2020/1056 of the European Parliament and of the Council of 15 July 2020 on electronic freight transport information (OJ L 249, 31.7.2020, p. 33).
(4) Directive 2010/40/EU of the European Parliament and of the Council of 7 July 2010 on the framework for the deployment of Intelligent Transport Systems in the field of road transport and for interfaces with other modes of transport (OJ L 207, 6.8.2010, p. 1).
(5) Regulation (EC) No 223/2009 of the European Parliament and of the Council of 11 March 2009 on European statistics and repealing Regulation (EC, Euratom) No 1101/2008 of the European Parliament and of the Council on the transmission of data subject to statistical confidentiality to the Statistical Office of the European Communities, Council Regulation (EC) No 322/97 on Community Statistics, and Council Decision 89/382/EEC, Euratom establishing a Committee on the Statistical Programmes of the European Communities (OJ L 87, 31.3.2009, p. 164).
(6) Regulation (EU) 2018/858 of the European Parliament and of the Council of 30 May 2018 on the approval and market surveillance of motor vehicles and their trailers, and of systems, components and separate technical units intended for such vehicles, amending Regulations (EC) No 715/2007 and (EC) No 595/2009 and repealing Directive 2007/46/EC (OJ L 151, 14.6.2018, p. 1).
(7) Regulation (EU) 2018/1807 of the European Parliament and of the Council of 14 November 2018 on a framework for the free flow of non-personal data in the European Union (OJ L 303, 28.11.2018, p. 59).
(8) Directive 2000/31/EC of the European Parliament and of the Council of 8 June 2000 on certain legal aspects of information society services, in particular electronic commerce, in the Internal Market (‘Directive on electronic commerce’) (OJ L 178, 17.7.2000, p. 1).
(9) Directive 2001/29/EC of the European Parliament and of the Council of 22 May 2001 on the harmonisation of certain aspects of copyright and related rights in the information society (OJ L 167, 22.6.2001, p. 10).
(10) Directive 2004/48/EC of the European Parliament and of the Council of 29 April 2004 on the enforcement of intellectual property rights (OJ L 157, 30.4.2004, p. 45).
(11) Directive 2007/2/EC of the European Parliament and of the Council of 14 March 2007 establishing an Infrastructure for Spatial Information in the European Community (INSPIRE) (OJ L 108, 25.4.2007, p. 1).
(12) Directive (EU) 2015/849 of the European Parliament and of the Council of 20 May 2015 on the prevention of the use of the financial system for the purposes of money laundering or terrorist financing, amending Regulation (EU) No 648/2012 of the European Parliament and of the Council, and repealing Directive 2005/60/EC of the European Parliament and of the Council and Commission Directive 2006/70/EC (OJ L 141, 5.6.2015, p. 73).
(13) Directive (EU) 2016/943 of the European Parliament and of the Council of 8 June 2016 on the protection of undisclosed know-how and business information (trade secrets) against their unlawful acquisition, use and disclosure (OJ L 157, 15.6.2016, p. 1).
(14) Directive (EU) 2017/1132 of the European Parliament and of the Council of 14 June 2017 relating to certain aspects of company law (OJ L 169, 30.6.2017, p. 46).
(15) Directive (EU) 2019/790 of the European Parliament and of the Council of 17 April 2019 on copyright and related rights in the Digital Single Market and amending Directives 96/9/EC and 2001/29/EC (OJ L 130, 17.5.2019, p. 92).
(16) Directive (EU) 2019/1024 of the European Parliament and of the Council of 20 June 2019 on open data and the re-use of public sector information (OJ L 172, 26.6.2019, p. 56).
(17) Directive 2009/81/EC of the European Parliament and of the Council of 13 July 2009 on the coordination of procedures for the award of certain works contracts, supply contracts and service contracts by contracting authorities or entities in the fields of defence and security, and amending Directives 2004/17/EC and 2004/18/EC (OJ L 216, 20.8.2009, p. 76).
Recital 4
This Regulation should be without prejudice to Regulations (EU) 2016/679 (1) and (EU) 2018/1725 (2) of the European Parliament and of the Council and to Directives 2002/58/EC (3) and (EU) 2016/680 (4) of the European Parliament and of the Council and the corresponding provisions of national law, including where personal and non-personal data in a data set are inextricably linked. In particular, this Regulation should not be read as creating a new legal basis for the processing of personal data for any of the regulated activities, or as amending the information requirements laid down in Regulation (EU) 2016/679. The implementation of this Regulation should not prevent cross-border transfers of data in accordance with Chapter V of Regulation (EU) 2016/679. In the event of a conflict between this Regulation and Union law on the protection of personal data or national law adopted in accordance with such Union law, the relevant Union or national law on the protection of personal data should prevail. It should be possible to consider data protection authorities to be competent authorities under this Regulation. Where other authorities function as competent authorities under this Regulation, they should do so without prejudice to the supervisory powers and competences of data protection authorities under Regulation (EU) 2016/679.
(1) Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (OJ L 119, 4.5.2016, p. 1).
(2) Regulation (EU) 2018/1725 of the European Parliament and of the Council of 23 October 2018 on the protection of natural persons with regard to the processing of personal data by the Union institutions, bodies, offices and agencies and on the free movement of such data, and repealing Regulation (EC) No 45/2001 and Decision No 1247/2002/EC (OJ L 295, 21.11.2018, p. 39).
(3) Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector (Directive on privacy and electronic communications) (OJ L 201, 31.7.2002, p. 37).
(4) Directive (EU) 2016/680 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, and on the free movement of such data, and repealing Council Framework Decision 2008/977/JHA (OJ L 119, 4.5.2016, p. 89).
Recital 5
Action at Union level is necessary to increase trust in data sharing by establishing appropriate mechanisms for control by data subjects and data holders over data that relates to them, and in order to address other barriers to a well-functioning and competitive data-driven economy. That action should be without prejudice to obligations and commitments in the international trade agreements concluded by the Union. A Union-wide governance framework should have the objective of building trust among individuals and undertakings in relation to data access, control, sharing, use and re-use, in particular by establishing appropriate mechanisms for data subjects to know and meaningfully exercise their rights, as well as with regard to the re-use of certain types of data held by the public sector bodies, the provision of services by data intermediation services providers to data subjects, data holders and data users, as well as the collection and processing of data made available for altruistic purposes by natural and legal persons. In particular, more transparency regarding the purpose of data use and conditions under which data is stored by undertakings can help increase trust.
Recital 6
The idea that data that has been generated or collected by public sector bodies or other entities at the expense of public budgets should benefit society has been part of Union policy for a long time. Directive (EU) 2019/1024 and sector-specific Union law ensure that the public sector bodies make more of the data they produce easily available for use and re-use. However, certain categories of data, such as commercially confidential data, data that are subject to statistical confidentiality and data protected by intellectual property rights of third parties, including trade secrets and personal data, in public databases are often not made available, not even for research or innovative activities in the public interest, despite such availability being possible in accordance with the applicable Union law, in particular Regulation (EU) 2016/679 and Directives 2002/58/EC and (EU) 2016/680. Due to the sensitivity of such data, certain technical and legal procedural requirements must be met before they are made available, not least in order to ensure the respect of rights others have over such data or to limit the negative impact on fundamental rights, the principle of non-discrimination and data protection. The fulfilment of such requirements is usually time- and knowledge-intensive. This has led to the insufficient use of such data. While some Member States are establishing structures, processes or legislation to facilitate that type of re-use, this is not the case across the Union. In order to facilitate the use of data for European research and innovation by private and public entities, clear conditions for access to and use of such data are needed across the Union.
Recital 7
There are techniques enabling analyses on databases that contain personal data, such as anonymisation, differential privacy, generalisation, suppression and randomisation, the use of synthetic data or similar methods and other state-of-the-art privacy-preserving methods that could contribute to a more privacy-friendly processing of data. Member States should provide support to public sector bodies to make optimal use of such techniques, thus making as much data as possible available for sharing. The application of such techniques, together with comprehensive data protection impact assessments and other safeguards, can contribute to more safety in the use and re-use of personal data and should ensure the safe re-use of commercially confidential business data for research, innovation and statistical purposes. In many cases the application of such techniques, impact assessments and other safeguards implies that data can be used and re-used only in a secure processing environment that is provided or controlled by the public sector body. There is experience at Union level with such secure processing environments that are used for research on statistical microdata on the basis of Commission Regulation (EU) No 557/2013 (1). In general, insofar as personal data are concerned, the processing of personal data should be based upon one or more of the legal bases for processing provided in Articles 6 and 9 of Regulation (EU) 2016/679.
(1) Commission Regulation (EU) No 557/2013 of 17 June 2013 implementing Regulation (EC) No 223/2009 of the European Parliament and of the Council on European Statistics as regards access to confidential data for scientific purposes and repealing Commission Regulation (EC) No 831/2002 (OJ L 164, 18.6.2013, p. 16).
Recital 8
In accordance with Regulation (EU) 2016/679, the principles of data protection should not apply to anonymous information, namely information which does not relate to an identified or identifiable natural person, or to personal data rendered anonymous in such a manner that the data subject is not or no longer identifiable. Re-identification of data subjects from anonymised datasets should be prohibited. This should not prejudice the possibility to conduct research into anonymisation techniques, in particular for the purpose of ensuring information security, improving existing anonymisation techniques and contributing to the overall robustness of anonymisation, undertaken in accordance with Regulation (EU) 2016/679.
Recital 9
In order to facilitate the protection of personal data and confidential data and to speed up the process of making such data available for re-use under this Regulation, Member States should encourage public sector bodies to create and make available data in accordance with the principle of ‘open by design and by default’ referred to in Article 5(2) of Directive (EU) 2019/1024 and to promote the creation and the procurement of data in formats and structures that facilitate anonymisation in that regard.
Recital 10
The categories of data held by public sector bodies which should be subject to re-use under this Regulation fall outside the scope of Directive (EU) 2019/1024 that excludes data which is not accessible due to commercial and statistical confidentiality and data that is included in works or other subject matter over which third parties have intellectual property rights. Commercially confidential data includes data protected by trade secrets, protected know-how and any other information the undue disclosure of which would have an impact on the market position or financial health of the undertaking. This Regulation should apply to personal data that fall outside the scope of Directive (EU) 2019/1024 insofar as the access regime excludes or restricts access to such data for reasons of data protection, privacy and the integrity of the individual, in particular in accordance with data protection rules. The re-use of data, which may contain trade secrets, should take place without prejudice to Directive (EU) 2016/943, which sets out the framework for the lawful acquisition, use or disclosure of trade secrets.
Recital 11
This Regulation should not create an obligation to allow the re-use of data held by public sector bodies. In particular, each Member State should therefore be able to decide whether data is made accessible for re-use, also in terms of the purposes and scope of such access. This Regulation should complement and be without prejudice to more specific obligations on public sector bodies to allow re-use of data laid down in sector-specific Union or national law. Public access to official documents may be considered to be in the public interest. Taking into account the role of public access to official documents and transparency in a democratic society, this Regulation should also be without prejudice to Union or national law on granting access to and disclosing official documents. Access to official documents may in particular be granted in accordance with national law without imposing specific conditions or by imposing specific conditions that are not provided by this Regulation.
Recital 12
The re-use regime provided for in this Regulation should apply to data the supply of which forms part of the public tasks of the public sector bodies concerned under law or other binding rules in the Member States. In the absence of such rules, the public tasks should be defined in accordance with common administrative practice in the Member States, provided that the scope of the public tasks is transparent and subject to review. The public tasks could be defined generally or on a case-by-case basis for individual public sector bodies. As public undertakings are not covered by the definition of public sector body, the data held by public undertakings should not be covered by this Regulation. Data held by cultural establishments, such as libraries, archives and museums as well as orchestras, operas, ballets and theatres, and by educational establishments should not be covered by this Regulation since the works and other documents they hold are predominantly covered by third party intellectual property rights. Research-performing organisations and research-funding organisations could also be organised as public sector bodies or bodies governed by public law.
This Regulation should apply to such hybrid organisations only in their capacity as research-performing organisations. If a research-performing organisation holds data as a part of a specific public-private association with private sector organisations or other public sector bodies, bodies governed by public law or hybrid research-performing organisations, i.e. organised as either public sector bodies or public undertakings, with the main purpose of pursuing research, those data should also not be covered by this Regulation. Where relevant, Member States should be able to apply this Regulation to public undertakings or private undertakings that exercise public sector duties or provide services of general interest. The exchange of data, purely in pursuit of their public tasks, among public sector bodies in the Union or between public sector bodies in the Union and public sector bodies in third countries or international organisations, as well as the exchange of data between researchers for non-commercial scientific research purposes, should not be subject to the provisions of this Regulation concerning the re-use of certain categories of protected data held by public sector bodies.
Recital 13
Public sector bodies should comply with competition law when establishing the principles for re-use of data they hold, avoiding the conclusion of agreements which might have as their objective or effect the creation of exclusive rights for the re-use of certain data. Such agreements should be possible only where justified and necessary for the provision of a service or the supply of a product in the general interest. This may be the case where the exclusive use of the data is the only way to maximise the societal benefits of the data in question, for example where there is only one entity (which has specialised in the processing of a specific dataset) capable of providing the service or supplying the product which allows the public sector body to provide a service or supply a product in the general interest. Such arrangements should, however, be concluded in accordance with applicable Union or national law and be subject to regular review based on a market analysis in order to ascertain whether such exclusivity continues to be necessary. In addition, such arrangements should comply with the relevant State aid rules, as appropriate, and should be concluded for a limited duration which should not exceed 12 months. In order to ensure transparency, such exclusive agreements should be published online, in a form that complies with relevant Union law on public procurement. Where an exclusive right to re-use data does not comply with this Regulation, that exclusive right should be invalid.
Recital 14
Prohibited exclusive agreements and other practices or arrangements pertaining to the re-use of data held by public sector bodies which do not expressly grant exclusive rights but which can reasonably be expected to restrict the availability of data for re-use that have been concluded or were already in place before the date of entry into force of this Regulation should not be renewed after the expiry of their term. In the case of indefinite or longer-term agreements, they should be terminated within 30 months of the date of entry into force of this Regulation.
Art. 2 DGA - Definitions arrow_right_alt
For the purposes of this Regulation, the following definitions apply:
- ‘data’ means any digital representation of acts, facts or information and any compilation of such acts, facts or information, including in the form of sound, visual or audiovisual recording;
- ‘re-use’ means the use by natural or legal persons of data held by public sector bodies, for commercial or non-commercial purposes other than the initial purpose within the public task for which the data were produced, except for the exchange of data between public sector bodies purely in pursuit of their public tasks;
- ‘personal data’ means personal data as defined in Article 4, point (1), of Regulation (EU) 2016/679;
- ‘non-personal data’ means data other than personal data;
- ‘consent’ means consent as defined in Article 4, point (11), of Regulation (EU) 2016/679;
- ‘permission’ means giving data users the right to the processing of non-personal data;
- ‘data subject’ means data subject as referred to in Article 4, point (1), of Regulation (EU) 2016/679;
- ‘data holder’ means a legal person, including public sector bodies and international organisations, or a natural person who is not a data subject with respect to the specific data in question, which, in accordance with applicable Union or national law, has the right to grant access to or to share certain personal data or non-personal data;
- ‘data user’ means a natural or legal person who has lawful access to certain personal or non-personal data and has the right, including under Regulation (EU) 2016/679 in the case of personal data, to use that data for commercial or non-commercial purposes;
- ‘data sharing’ means the provision of data by a data subject or a data holder to a data user for the purpose of the joint or individual use of such data, based on voluntary agreements or Union or national law, directly or through an intermediary, for example under open or commercial licences subject to a fee or free of charge;
- ‘data intermediation service’ means a service which aims to establish commercial relationships for the purposes of data sharing between an undetermined number of data subjects and data holders on the one hand and data users on the other, through technical, legal or other means, including for the purpose of exercising the rights of data subjects in relation to personal data, excluding at least the following:
- services that obtain data from data holders and aggregate, enrich or transform the data for the purpose of adding substantial value to it and license the use of the resulting data to data users, without establishing a commercial relationship between data holders and data users;
- services that focus on the intermediation of copyright-protected content;
- services that are exclusively used by one data holder in order to enable the use of the data held by that data holder, or that are used by multiple legal persons in a closed group, including supplier or customer relationships or collaborations established by contract, in particular those that have as a main objective to ensure the functionalities of objects and devices connected to the Internet of Things;
- data sharing services offered by public sector bodies that do not aim to establish commercial relationships;
- ‘processing’ means processing as defined in Article 4, point (2), of Regulation (EU) 2016/679 with regard to personal data or Article 3, point (2), of Regulation (EU) 2018/1807 with regard to non-personal data;
- ‘access’ means data use, in accordance with specific technical, legal or organisational requirements, without necessarily implying the transmission or downloading of data;
- ‘main establishment’ of a legal person means the place of its central administration in the Union;
- ‘services of data cooperatives’ means data intermediation services offered by an organisational structure constituted by data subjects, one-person undertakings or SMEs who are members of that structure, having as its main objectives to support its members in the exercise of their rights with respect to certain data, including with regard to making informed choices before they consent to data processing, to exchange views on data processing purposes and conditions that would best represent the interests of its members in relation to their data, and to negotiate terms and conditions for data processing on behalf of its members before giving permission to the processing of non-personal data or before they consent to the processing of personal data;
- ‘data altruism’ means the voluntary sharing of data on the basis of the consent of data subjects to process personal data pertaining to them, or permissions of data holders to allow the use of their non-personal data without seeking or receiving a reward that goes beyond compensation related to the costs that they incur where they make their data available for objectives of general interest as provided for in national law, where applicable, such as healthcare, combating climate change, improving mobility, facilitating the development, production and dissemination of official statistics, improving the provision of public services, public policy making or scientific research purposes in the general interest;
- ‘public sector body’ means the State, regional or local authorities, bodies governed by public law or associations formed by one or more such authorities, or one or more such bodies governed by public law;
- ‘bodies governed by public law’ means bodies that have the following characteristics:
- they are established for the specific purpose of meeting needs in the general interest, and do not have an industrial or commercial character;
- they have legal personality;
- they are financed, for the most part, by the State, regional or local authorities, or other bodies governed by public law, are subject to management supervision by those authorities or bodies, or have an administrative, managerial or supervisory board, more than half of whose members are appointed by the State, regional or local authorities, or by other bodies governed by public law;
- ‘public undertaking’ means any undertaking over which the public sector bodies may exercise directly or indirectly a dominant influence by virtue of their ownership of it, their financial participation therein, or the rules which govern it; for the purposes of this definition, a dominant influence on the part of the public sector bodies shall be presumed in any of the following cases in which those bodies, directly or indirectly:
- hold the majority of the undertaking’s subscribed capital;
- control the majority of the votes attaching to shares issued by the undertaking;
- can appoint more than half of the undertaking’s administrative, management or supervisory body;
- ‘secure processing environment’ means the physical or virtual environment and organisational means to ensure compliance with Union law, such as Regulation (EU) 2016/679, in particular with regard to data subjects’ rights, intellectual property rights, and commercial and statistical confidentiality, integrity and accessibility, as well as with applicable national law, and to allow the entity providing the secure processing environment to determine and supervise all data processing actions, including the display, storage, download and export of data and the calculation of derivative data through computational algorithms;
- ‘legal representative’ means a natural or legal person established in the Union explicitly designated to act on behalf of a data intermediation services provider or an entity that collects data for objectives of general interest made available by natural or legal persons on the basis of data altruism not established in the Union, which may be addressed by the competent authorities for data intermediation services and the competent authorities for the registration of data altruism organisations in addition to or instead of the data intermediation services provider or entity with regard to the obligations under this Regulation, including with regard to initiating enforcement proceedings against a non-compliant data intermediation services provider or entity not established in the Union.
- 28
- 29
- 30
- 41
Recital 28
This Regulation should cover services which aim to establish commercial relationships for the purposes of data sharing between an undetermined number of data subjects and data holders on the one hand and data users on the other, through technical, legal or other means, including for the purpose of exercising the rights of data subjects in relation to personal data. Where undertakings or other entities offer multiple data-related services, only the activities which directly concern the provision of data intermediation services should be covered by this Regulation. The provision of cloud storage, analytics, data sharing software, web browsers, browser plug-ins or email services should not be considered to be data intermediation services within the meaning of this Regulation, provided that such services only provide technical tools for data subjects or data holders to share data with others, but the provision of such tools neither aims to establish a commercial relationship between data holders and data users nor allows the data intermediation services provider to acquire information on the establishment of commercial relationships for the purposes of data sharing. Examples of data intermediation services include data marketplaces on which undertakings could make data available to others, orchestrators of data sharing ecosystems that are open to all interested parties, for instance in the context of common European data spaces, as well as data pools established jointly by several legal or natural persons with the intention to license the use of such data pools to all interested parties in a manner that all participants that contribute to the data pools would receive a reward for their contribution.
This would exclude services that obtain data from data holders and aggregate, enrich or transform the data for the purpose of adding substantial value to it and license the use of the resulting data to data users, without establishing a commercial relationship between data holders and data users. This would also exclude services that are exclusively used by one data holder in order to enable the use of the data held by that data holder, or that are used by multiple legal persons in a closed group, including supplier or customer relationships or collaborations established by contract, in particular those that have as a main objective to ensure the functionalities of objects and devices connected to the Internet of Things.
Recital 29
Services that focus on the intermediation of copyright-protected content, such as online content-sharing service providers as defined in Article 2, point (6), of Directive (EU) 2019/790, should not be covered by this Regulation. Consolidated tape providers as defined in Article 2(1), point (35), of Regulation (EU) No 600/2014 of the European Parliament and of the Council (1) and account information service providers as defined in Article 4, point (19), of Directive (EU) 2015/2366 of the European Parliament and of the Council (2) should not be considered to be data intermediation services providers for the purposes of this Regulation. This Regulation should not apply to services offered by public sector bodies in order to facilitate either the re-use of protected data held by public sector bodies in accordance with this Regulation or the use of any other data, insofar as those services do not aim to establish commercial relationships. Data altruism organisations regulated by this Regulation should not be considered to be offering data intermediation services provided that those services do not establish a commercial relationship between potential data users, on the one hand, and data subjects and data holders who make data available for altruistic purposes, on the other. Other services that do not aim to establish commercial relationships, such as repositories that aim to enable the re-use of scientific research data in accordance with open access principles should not be considered to be data intermediation services within the meaning of this Regulation.
(1) Regulation (EU) No 600/2014 of the European Parliament and of the Council of 15 May 2014 on markets in financial instruments and amending Regulation (EU) No 648/2012 (OJ L 173, 12.6.2014, p. 84).
(2) Directive (EU) 2015/2366 of the European Parliament and of the Council of 25 November 2015 on payment services in the internal market, amending Directives 2002/65/EC, 2009/110/EC and 2013/36/EU and Regulation (EU) No 1093/2010, and repealing Directive 2007/64/EC (OJ L 337, 23.12.2015, p. 35).
Recital 30
A specific category of data intermediation services includes providers of services that offer their services to data subjects. Such data intermediation services providers seek to enhance the agency of data subjects, and in particular individuals’ control over data relating to them. Such providers would assist individuals in exercising their rights under Regulation (EU) 2016/679, in particular giving and withdrawing their consent to data processing, the right of access to their own data, the right to the rectification of inaccurate personal data, the right of erasure or right ‘to be forgotten’, the right to restrict processing and the right to data portability, which allows data subjects to move their personal data from one data controller to the other. In that context, it is important that the business model of such providers ensures that there are no misaligned incentives that encourage individuals to use such services to make more data relating to them available for processing than would be in their interest. This could include advising individuals on the possible uses of their data and making due diligence checks on data users before allowing them to contact data subjects, in order to avoid fraudulent practices. In certain situations, it could be desirable to collate actual data within a personal data space so that processing can happen within that space without personal data being transmitted to third parties in order to maximise the protection of personal data and privacy. Such personal data spaces could contain static personal data such as name, address or date of birth as well as dynamic data that an individual generates through, for example, the use of an online service or an object connected to the Internet of Things. They could also be used to store verified identity information such as passport numbers or social security information, as well as credentials such as driving licences, diplomas or bank account information.
Recital 41
The main establishment of a data intermediation services provider in the Union should be the place of its central administration in the Union. The main establishment of a data intermediation services provider in the Union should be determined in accordance with objective criteria and should imply the effective and real exercise of management activities. Activities of a data intermediation services provider should comply with the national law of the Member State in which it has its main establishment.