keyboard_tab Data Act 2023/2854 EN
BG CS DA DE EL EN ES ET FI FR GA HR HU IT LV LT MT NL PL PT RO SK SL SV print pdf
- 2 Article 1 Subject matter and scope
- 1 Article 2 Definitions
- 1 Article 6 Obligations of third parties receiving data at the request of the user
- 1 Article 7 Scope of business-to-consumer and business-to-business data sharing obligations
- 1 Article 44 Other Union legal acts governing rights and obligations on data access and use
CHAPTER I
GENERAL PROVISIONS
CHAPTER II
BUSINESS TO consumer AND BUSINESS TO BUSINESS DATA SHARING
CHAPTER III
OBLIGATIONS FOR DATA HOLDERS OBLIGED TO MAKE DATA AVAILABLE PURSUANT TO UNION LAW
CHAPTER IV
UNFAIR CONTRACTUAL TERMS RELATED TO DATA ACCESS AND USE BETWEEN ENTERPRISES
CHAPTER V
MAKING DATA AVAILABLE TO PUBLIC SECTOR BODIES, THE COMMISSION, THE EUROPEAN CENTRAL BANK AND UNION BODIES ON THE BASIS OF AN EXCEPTIONAL NEED
CHAPTER VI
SWITCHING BETWEEN DATA PROCESSING SERVICES
CHAPTER VII
UNLAWFUL INTERNATIONAL GOVERNMENTAL ACCESS AND TRANSFER OF NON-PERSONAL DATA
CHAPTER VIII
INTEROPERABILITY
CHAPTER IX
IMPLEMENTATION AND ENFORCEMENT
CHAPTER X
SUI GENERIS RIGHT UNDER DIRECTIVE 96/9/EC
CHAPTER XI
FINAL PROVISIONS
- data
- metadata
- personal data
- non-personal data
- connected product
- related service
- processing
- data processing service
- same service type
- data intermediation service
- data subject
- user
- data holder
- data recipient
- product data
- related service data
- readily available data
- trade secret
- trade secret holder
- profiling
- making available on the market
- placing on the market
- consumer
- enterprise
- small enterprise
- microenterprise
- Union bodies
- public sector body
- public emergency
- customer
- virtual assistants
- digital assets
- on-premises ICT infrastructure
- switching
- data egress charges
- switching charges
- functional equivalence
- exportable data
- smart contract
- interoperability
- common specifications
- harmonised standard
- data 220
- means 93
- european 59
- regulation 56
- council 51
- processing 51
- eu / 48
- union 45
- parliament 43
- service 37
- services 36
- oj l 35
- article 35
- including 30
- which 27
- user 26
- available 25
- connected_product 25
- from 21
- provider 20
- related_service 20
- legal 19
- rights 19
- customer 18
- such 18
- shall 18
- national 18
- access 17
- digital 17
- third 17
- chapter 16
- no / 16
- data’ 16
- defined 16
- enterprise 16
- natural 16
- electronic 15
- party 15
- regulation 15
- under 15
- protection 15
- point 14
- holder 14
- business 14
- personal 14
- than 13
- member 13
- public 13
- product 13
- obligations 12
Article 2
Definitions
For the purposes of this Regulation, the following definitions apply:
| (1) | ‘ data’ means any digital representation of acts, facts or information and any compilation of such acts, facts or information, including in the form of sound, visual or audio-visual recording; |
| (2) | ‘meta data’ means a structured description of the contents or the use of data facilitating the discovery or use of that data; |
| (3) | ‘personal data’ means personal data as defined in Article 4, point (1), of Regulation (EU) 2016/679; |
| (4) | ‘non-personal data’ means data other than personal data; |
| (5) | ‘ connected_product’ means an item that obtains, generates or collects data concerning its use or environment and that is able to communicate product data via an electronic communications service, physical connection or on-device access, and whose primary function is not the storing, processing or transmission of data on behalf of any party other than the user; |
| (6) | ‘ related_service’ means a digital service, other than an electronic communications service, including software, which is connected with the product at the time of the purchase, rent or lease in such a way that its absence would prevent the connected_product from performing one or more of its functions, or which is subsequently connected to the product by the manufacturer or a third party to add to, update or adapt the functions of the connected_product; |
| (7) | ‘ processing’ means any operation or set of operations which is performed on data or on sets of data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination, or other means of making them available, alignment or combination, restriction, erasure or destruction; |
| (8) | ‘ data processing service’ means a digital service that is provided to a customer and that enables ubiquitous and on-demand network access to a shared pool of configurable, scalable and elastic computing resources of a centralised, distributed or highly distributed nature that can be rapidly provisioned and released with minimal management effort or service provider interaction; |
| (9) | ‘ same_service_type’ means a set of data processing services that share the same primary objective, data processing service model and main functionalities; |
| (10) | ‘ data intermediation service’ means data intermediation service as defined in Article 2, point (11), of Regulation (EU) 2022/868; |
| (11) | ‘ data subject’ means data subject as referred to in Article 4, point (1), of Regulation (EU) 2016/679; |
| (12) | ‘ user’ means a natural or legal person that owns a connected_product or to whom temporary rights to use that connected_product have been contractually transferred, or that receives related_services; |
| (13) | ‘ data holder’ means a natural or legal person that has the right or obligation, in accordance with this Regulation, applicable Union law or national legislation adopted in accordance with Union law, to use and make available data, including, where contractually agreed, product data or related_service data which it has retrieved or generated during the provision of a related_service; |
| (14) | ‘ data recipient’ means a natural or legal person, acting for purposes which are related to that person’s trade, business, craft or profession, other than the user of a connected_product or related_service, to whom the data holder makes data available, including a third party following a request by the user to the data holder or in accordance with a legal obligation under Union law or national legislation adopted in accordance with Union law; |
| (15) | ‘product data’ means data generated by the use of a connected_product that the manufacturer designed to be retrievable, via an electronic communications service, physical connection or on-device access, by a user, data holder or a third party, including, where relevant, the manufacturer; |
| (16) | ‘ related_service data’ means data representing the digitisation of user actions or of events related to the connected_product, recorded intentionally by the user or generated as a by-product of the user’s action during the provision of a related_service by the provider; |
| (17) | ‘readily available data’ means product data and related_service data that a data holder lawfully obtains or can lawfully obtain from the connected_product or related_service, without disproportionate effort going beyond a simple operation; |
| (18) | ‘ trade_secret’ means trade_secret as defined in Article 2, point (1), of Directive (EU) 2016/943; |
| (19) | ‘ trade_secret holder’ means a trade_secret holder as defined in Article 2, point (2), of Directive (EU) 2016/943; |
| (20) | ‘ profiling’ means profiling as defined in Article 4, point (4), of Regulation (EU) 2016/679; |
| (21) | ‘ making_available_on_the_market’ means any supply of a connected_product for distribution, consumption or use on the Union market in the course of a commercial activity, whether in return for payment or free of charge; |
| (22) | ‘ placing_on_the_market’ means the first making available of a connected_product on the Union market; |
| (23) | ‘ consumer’ means any natural person who is acting for purposes which are outside that person’s trade, business, craft or profession; |
| (24) | ‘ enterprise’ means a natural or legal person that, in relation to contracts and practices covered by this Regulation, is acting for purposes which are related to that person’s trade, business, craft or profession; |
| (25) | ‘small enterprise’ means a small enterprise as defined in Article 2(2) of the Annex to Recommendation 2003/361/EC; |
| (26) | ‘micro enterprise’ means a micro enterprise as defined in Article 2(3) of the Annex to Recommendation 2003/361/EC; |
| (27) | ‘ Union_bodies’ means the Union_bodies, offices and agencies set up by or pursuant to acts adopted on the basis of the Treaty on European Union, the TFEU or the Treaty establishing the European Atomic Energy Community; |
| (28) | ‘ public_sector_body’ means national, regional or local authorities of the Member States and bodies governed by public law of the Member States, or associations formed by one or more such authorities or one or more such bodies; |
| (29) | ‘ public_emergency’ means an exceptional situation, limited in time, such as a public health emergency, an emergency resulting from natural disasters, a human-induced major disaster, including a major cybersecurity incident, negatively affecting the population of the Union or the whole or part of a Member State, with a risk of serious and lasting repercussions for living conditions or economic stability, financial stability, or the substantial and immediate degradation of economic assets in the Union or the relevant Member State and which is determined or officially declared in accordance with the relevant procedures under Union or national law; |
| (30) | ‘ customer’ means a natural or legal person that has entered into a contractual relationship with a provider of data processing services with the objective of using one or more data processing services; |
| (31) | ‘ virtual_assistants’ means software that can process demands, tasks or questions including those based on audio, written input, gestures or motions, and that, based on those demands, tasks or questions, provides access to other services or controls the functions of connected_products; |
| (32) | ‘ digital_assets’ means elements in digital form, including applications, for which the customer has the right of use, independently from the contractual relationship with the data processing service it intends to switch from; |
| (33) | ‘ on-premises_ICT_infrastructure’ means ICT infrastructure and computing resources owned, rented or leased by the customer, located in the data centre of the customer itself and operated by the customer or by a third-party; |
| (34) | ‘ switching’ means the process involving a source provider of data processing services, a customer of a data processing service and, where relevant, a destination provider of data processing services, whereby the customer of a data processing service changes from using one data processing service to using another data processing service of the same_service_type, or other service, offered by a different provider of data processing services, or to an on-premises_ICT_infrastructure, including through extracting, transforming and uploading the data; |
| (35) | ‘ data egress charges’ means data transfer fees charged to customers for extracting their data through the network from the ICT infrastructure of a provider of data processing services to the system of a different provider or to on-premises_ICT_infrastructure; |
| (36) | ‘ switching charges’ means charges, other than standard service fees or early termination penalties, imposed by a provider of data processing services on a customer for the actions mandated by this Regulation for switching to the system of a different provider or to on-premises_ICT_infrastructure, including data egress charges; |
| (37) | ‘ functional_equivalence’ means re-establishing on the basis of the customer’s exportable data and digital_assets, a minimum level of functionality in the environment of a new data processing service of the same_service_type after the switching process, where the destination data processing service delivers a materially comparable outcome in response to the same input for shared features supplied to the customer under the contract; |
| (38) | ‘exportable data’, for the purpose of Articles 23 to 31 and Article 35, means the input and output data, including meta data, directly or indirectly generated, or cogenerated, by the customer’s use of the data processing service, excluding any assets or data protected by intellectual property rights, or constituting a trade_secret, of providers of data processing services or third parties; |
| (39) | ‘ smart_contract’ means a computer program used for the automated execution of an agreement or part thereof, using a sequence of electronic data records and ensuring their integrity and the accuracy of their chronological ordering; |
| (40) | ‘ interoperability’ means the ability of two or more data spaces or communication networks, systems, connected_products, applications, data processing services or components to exchange and use data in order to perform their functions; |
| (41) | open interoperability specification’ means a technical specification in the field of information and communication technologies which is performance oriented towards achieving interoperability between data processing services; |
| (42) | ‘ common_specifications’ means a document, other than a standard, containing technical solutions providing a means to comply with certain requirements and obligations established under this Regulation; |
| (43) | ‘ harmonised_standard’ means a harmonised_standard as defined in Article 2, point (1)(c), of Regulation (EU) No 1025/2012. |
CHAPTER II
BUSINESS TO consumer AND BUSINESS TO BUSINESS DATA SHARING
Article 1
Subject matter and scope
1. This Regulation lays down harmonised rules, inter alia, on:
| (a) | the making available of product data and related_service data to the user of the connected_product or related_service; |
| (b) | the making available of data by data holders to data recipients; |
| (c) | the making available of data by data holders to public sector bodies, the Commission, the European Central Bank and Union_bodies, where there is an exceptional need for those data for the performance of a specific task carried out in the public interest; |
| (d) | facilitating switching between data processing services; |
| (e) | introducing safeguards against unlawful third-party access to non-personal data; and |
| (f) | the development of interoperability standards for data to be accessed, transferred and used. |
2. This Regulation covers personal and non-personal data, including the following types of data, in the following contexts:
| (a) | Chapter II applies to data, with the exception of content, concerning the performance, use and environment of connected_products and related_services; |
| (b) | Chapter III applies to any private sector data that is subject to statutory data sharing obligations; |
| (c) | Chapter IV applies to any private sector data accessed and used on the basis of contract between enterprises; |
| (d) | Chapter V applies to any private sector data with a focus on non-personal data; |
| (e) | Chapter VI applies to any data and services processed by providers of data processing services; |
| (f) | Chapter VII applies to any non-personal data held in the Union by providers of data processing services. |
3. This Regulation applies to:
| (a) | manufacturers of connected_products placed on the market in the Union and providers of related_services, irrespective of the place of establishment of those manufacturers and providers; |
| (b) | users in the Union of connected_products or related_services as referred to in point (a); |
| (c) | data holders, irrespective of their place of establishment, that make data available to data recipients in the Union; |
| (d) | data recipients in the Union to whom data are made available; |
| (e) | public sector bodies, the Commission, the European Central Bank and Union_bodies that request data holders to make data available where there is an exceptional need for those data for the performance of a specific task carried out in the public interest and to the data holders that provide those data in response to such request; |
| (f) | providers of data processing services, irrespective of their place of establishment, providing such services to customers in the Union; |
| (g) | participants in data spaces and vendors of applications using smart_contracts and persons whose trade, business or profession involves the deployment of smart_contracts for others in the context of executing an agreement. |
4. Where this Regulation refers to connected_products or related_services, such references are also understood to include virtual_assistants insofar as they interact with a connected_product or related_service.
5. This Regulation is without prejudice to Union and national law on the protection of personal data, privacy and confidentiality of communications and integrity of terminal equipment, which shall apply to personal data processed in connection with the rights and obligations laid down herein, in particular Regulations (EU) 2016/679 and (EU) 2018/1725 and Directive 2002/58/EC, including the powers and competences of supervisory authorities and the rights of data subjects. Insofar as users are data subjects, the rights laid down in Chapter II of this Regulation shall complement the rights of access by data subjects and rights to data portability under Articles 15 and 20 of Regulation (EU) 2016/679. In the event of a conflict between this Regulation and Union law on the protection of personal data or privacy, or national legislation adopted in accordance with such Union law, the relevant Union or national law on the protection of personal data or privacy shall prevail.
6. This Regulation does not apply to or pre-empt voluntary arrangements for the exchange of data between private and public entities, in particular voluntary arrangements for data sharing.
This Regulation does not affect Union or national legal acts providing for the sharing of, access to and the use of data for the purpose of the prevention, investigation, detection or prosecution of criminal offences or for the execution of criminal penalties, or for customs and taxation purposes, in particular Regulations (EU) 2021/784, (EU) 2022/2065 and (EU) 2023/1543 and Directive (EU) 2023/1544, or international cooperation in that area. This Regulation does not apply to the collection or sharing of, access to or the use of data under Regulation (EU) 2015/847 and Directive (EU) 2015/849. This Regulation does not apply to areas that fall outside the scope of Union law and in any event does not affect the competences of the Member States concerning public security, defence or national security, regardless of the type of entity entrusted by the Member States to carry out tasks in relation to those competences, or their power to safeguard other essential State functions, including ensuring the territorial integrity of the State and the maintenance of law and order. This Regulation does not affect the competences of the Member States concerning customs and tax administration or the health and safety of citizens.
7. This Regulation complements the self-regulatory approach of Regulation (EU) 2018/1807 by adding generally applicable obligations on cloud switching.
8. This Regulation is without prejudice to Union and national legal acts providing for the protection of intellectual property rights, in particular Directives 2001/29/EC, 2004/48/EC and (EU) 2019/790.
9. This Regulation complements and is without prejudice to Union law which aims to promote the interests of consumers and ensure a high level of consumer protection, and to protect their health, safety and economic interests, in particular Directives 93/13/EEC, 2005/29/EC and 2011/83/EU.
10. This Regulation does not preclude the conclusion of voluntary lawful data sharing contracts, including contracts concluded on a reciprocal basis, which comply with the requirements laid down in this Regulation.
Article 2
Definitions
For the purposes of this Regulation, the following definitions apply:
| (1) | ‘ data’ means any digital representation of acts, facts or information and any compilation of such acts, facts or information, including in the form of sound, visual or audio-visual recording; |
| (2) | ‘meta data’ means a structured description of the contents or the use of data facilitating the discovery or use of that data; |
| (3) | ‘personal data’ means personal data as defined in Article 4, point (1), of Regulation (EU) 2016/679; |
| (4) | ‘non-personal data’ means data other than personal data; |
| (5) | ‘ connected_product’ means an item that obtains, generates or collects data concerning its use or environment and that is able to communicate product data via an electronic communications service, physical connection or on-device access, and whose primary function is not the storing, processing or transmission of data on behalf of any party other than the user; |
| (6) | ‘ related_service’ means a digital service, other than an electronic communications service, including software, which is connected with the product at the time of the purchase, rent or lease in such a way that its absence would prevent the connected_product from performing one or more of its functions, or which is subsequently connected to the product by the manufacturer or a third party to add to, update or adapt the functions of the connected_product; |
| (7) | ‘ processing’ means any operation or set of operations which is performed on data or on sets of data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination, or other means of making them available, alignment or combination, restriction, erasure or destruction; |
| (8) | ‘ data processing service’ means a digital service that is provided to a customer and that enables ubiquitous and on-demand network access to a shared pool of configurable, scalable and elastic computing resources of a centralised, distributed or highly distributed nature that can be rapidly provisioned and released with minimal management effort or service provider interaction; |
| (9) | ‘ same_service_type’ means a set of data processing services that share the same primary objective, data processing service model and main functionalities; |
| (10) | ‘ data intermediation service’ means data intermediation service as defined in Article 2, point (11), of Regulation (EU) 2022/868; |
| (11) | ‘ data subject’ means data subject as referred to in Article 4, point (1), of Regulation (EU) 2016/679; |
| (12) | ‘ user’ means a natural or legal person that owns a connected_product or to whom temporary rights to use that connected_product have been contractually transferred, or that receives related_services; |
| (13) | ‘ data holder’ means a natural or legal person that has the right or obligation, in accordance with this Regulation, applicable Union law or national legislation adopted in accordance with Union law, to use and make available data, including, where contractually agreed, product data or related_service data which it has retrieved or generated during the provision of a related_service; |
| (14) | ‘ data recipient’ means a natural or legal person, acting for purposes which are related to that person’s trade, business, craft or profession, other than the user of a connected_product or related_service, to whom the data holder makes data available, including a third party following a request by the user to the data holder or in accordance with a legal obligation under Union law or national legislation adopted in accordance with Union law; |
| (15) | ‘product data’ means data generated by the use of a connected_product that the manufacturer designed to be retrievable, via an electronic communications service, physical connection or on-device access, by a user, data holder or a third party, including, where relevant, the manufacturer; |
| (16) | ‘ related_service data’ means data representing the digitisation of user actions or of events related to the connected_product, recorded intentionally by the user or generated as a by-product of the user’s action during the provision of a related_service by the provider; |
| (17) | ‘readily available data’ means product data and related_service data that a data holder lawfully obtains or can lawfully obtain from the connected_product or related_service, without disproportionate effort going beyond a simple operation; |
| (18) | ‘ trade_secret’ means trade_secret as defined in Article 2, point (1), of Directive (EU) 2016/943; |
| (19) | ‘ trade_secret holder’ means a trade_secret holder as defined in Article 2, point (2), of Directive (EU) 2016/943; |
| (20) | ‘ profiling’ means profiling as defined in Article 4, point (4), of Regulation (EU) 2016/679; |
| (21) | ‘ making_available_on_the_market’ means any supply of a connected_product for distribution, consumption or use on the Union market in the course of a commercial activity, whether in return for payment or free of charge; |
| (22) | ‘ placing_on_the_market’ means the first making available of a connected_product on the Union market; |
| (23) | ‘ consumer’ means any natural person who is acting for purposes which are outside that person’s trade, business, craft or profession; |
| (24) | ‘ enterprise’ means a natural or legal person that, in relation to contracts and practices covered by this Regulation, is acting for purposes which are related to that person’s trade, business, craft or profession; |
| (25) | ‘small enterprise’ means a small enterprise as defined in Article 2(2) of the Annex to Recommendation 2003/361/EC; |
| (26) | ‘micro enterprise’ means a micro enterprise as defined in Article 2(3) of the Annex to Recommendation 2003/361/EC; |
| (27) | ‘ Union_bodies’ means the Union_bodies, offices and agencies set up by or pursuant to acts adopted on the basis of the Treaty on European Union, the TFEU or the Treaty establishing the European Atomic Energy Community; |
| (28) | ‘ public_sector_body’ means national, regional or local authorities of the Member States and bodies governed by public law of the Member States, or associations formed by one or more such authorities or one or more such bodies; |
| (29) | ‘ public_emergency’ means an exceptional situation, limited in time, such as a public health emergency, an emergency resulting from natural disasters, a human-induced major disaster, including a major cybersecurity incident, negatively affecting the population of the Union or the whole or part of a Member State, with a risk of serious and lasting repercussions for living conditions or economic stability, financial stability, or the substantial and immediate degradation of economic assets in the Union or the relevant Member State and which is determined or officially declared in accordance with the relevant procedures under Union or national law; |
| (30) | ‘ customer’ means a natural or legal person that has entered into a contractual relationship with a provider of data processing services with the objective of using one or more data processing services; |
| (31) | ‘ virtual_assistants’ means software that can process demands, tasks or questions including those based on audio, written input, gestures or motions, and that, based on those demands, tasks or questions, provides access to other services or controls the functions of connected_products; |
| (32) | ‘ digital_assets’ means elements in digital form, including applications, for which the customer has the right of use, independently from the contractual relationship with the data processing service it intends to switch from; |
| (33) | ‘ on-premises_ICT_infrastructure’ means ICT infrastructure and computing resources owned, rented or leased by the customer, located in the data centre of the customer itself and operated by the customer or by a third-party; |
| (34) | ‘ switching’ means the process involving a source provider of data processing services, a customer of a data processing service and, where relevant, a destination provider of data processing services, whereby the customer of a data processing service changes from using one data processing service to using another data processing service of the same_service_type, or other service, offered by a different provider of data processing services, or to an on-premises_ICT_infrastructure, including through extracting, transforming and uploading the data; |
| (35) | ‘ data egress charges’ means data transfer fees charged to customers for extracting their data through the network from the ICT infrastructure of a provider of data processing services to the system of a different provider or to on-premises_ICT_infrastructure; |
| (36) | ‘ switching charges’ means charges, other than standard service fees or early termination penalties, imposed by a provider of data processing services on a customer for the actions mandated by this Regulation for switching to the system of a different provider or to on-premises_ICT_infrastructure, including data egress charges; |
| (37) | ‘ functional_equivalence’ means re-establishing on the basis of the customer’s exportable data and digital_assets, a minimum level of functionality in the environment of a new data processing service of the same_service_type after the switching process, where the destination data processing service delivers a materially comparable outcome in response to the same input for shared features supplied to the customer under the contract; |
| (38) | ‘exportable data’, for the purpose of Articles 23 to 31 and Article 35, means the input and output data, including meta data, directly or indirectly generated, or cogenerated, by the customer’s use of the data processing service, excluding any assets or data protected by intellectual property rights, or constituting a trade_secret, of providers of data processing services or third parties; |
| (39) | ‘ smart_contract’ means a computer program used for the automated execution of an agreement or part thereof, using a sequence of electronic data records and ensuring their integrity and the accuracy of their chronological ordering; |
| (40) | ‘ interoperability’ means the ability of two or more data spaces or communication networks, systems, connected_products, applications, data processing services or components to exchange and use data in order to perform their functions; |
| (41) | open interoperability specification’ means a technical specification in the field of information and communication technologies which is performance oriented towards achieving interoperability between data processing services; |
| (42) | ‘ common_specifications’ means a document, other than a standard, containing technical solutions providing a means to comply with certain requirements and obligations established under this Regulation; |
| (43) | ‘ harmonised_standard’ means a harmonised_standard as defined in Article 2, point (1)(c), of Regulation (EU) No 1025/2012. |
CHAPTER II
BUSINESS TO consumer AND BUSINESS TO BUSINESS DATA SHARING
Article 6
Obligations of third parties receiving data at the request of the user
1. A third party shall process the data made available to it pursuant to Article 5 only for the purposes and under the conditions agreed with the user and subject to Union and national law on the protection of personal data including the rights of the data subject insofar as personal data are concerned. The third party shall erase the data when they are no longer necessary for the agreed purpose, unless otherwise agreed with the user in relation to non-personal data.
2. The third party shall not:
| (a) | make the exercise of choices or rights under Article 5 and this Article by the user unduly difficult, including by offering choices to the user in a non-neutral manner, or by coercing, deceiving or manipulating the user, or by subverting or impairing the autonomy, decision-making or choices of the user, including by means of a user digital interface or a part thereof; |
| (b) | notwithstanding Article 22(2), points (a) and (c), of Regulation (EU) 2016/679, use the data it receives for the profiling, unless it is necessary to provide the service requested by the user; |
| (c) | make the data it receives available to another third party, unless the data is made available on the basis of a contract with the user, and provided that the other third party takes all necessary measures agreed between the data holder and the third party to preserve the confidentiality of trade_secrets; |
| (d) | make the data it receives available to an undertaking designated as a gatekeeper pursuant to Article 3 of Regulation (EU) 2022/1925; |
| (e) | use the data it receives to develop a product that competes with the connected_product from which the accessed data originate or share the data with another third party for that purpose; third parties shall also not use any non-personal product data or related_service data made available to them to derive insights about the economic situation, assets and production methods of, or use by, the data holder; |
| (f) | use the data it receives in a manner that has an adverse impact on the security of the connected_product or related_service; |
| (g) | disregard the specific measures agreed with a data holder or with the trade_secrets holder pursuant to Article 5(9) and undermine the confidentiality of trade_secrets; |
| (h) | prevent the user that is a consumer, including on the basis of a contract, from making the data it receives available to other parties. |
Article 7
Scope of business-to- consumer and business-to-business data sharing obligations
1. The obligations of this Chapter shall not apply to data generated through the use of connected_products manufactured or designed or related_services provided by a micro enterprise or a small enterprise, provided that that enterprise does not have a partner enterprise or a linked enterprise within the meaning of Article 3 of the Annex to Recommendation 2003/361/EC that does not qualify as a micro enterprise or a small enterprise and where the micro enterprise and small enterprise is not subcontracted to manufacture or design a connected_product or to provide a related_service.
The same shall apply to data generated through the use of connected_products manufactured by or related_services provided by an enterprise that has qualified as a medium-sized enterprise under Article 2 of the Annex to Recommendation 2003/361/EC for less than one year and to connected_products for one year after the date on which they were placed on the market by a medium-sized enterprise.
2. Any contractual term which, to the detriment of the user, excludes the application of, derogates from or varies the effect of the user’s rights under this Chapter shall not be binding on the user.
CHAPTER III
OBLIGATIONS FOR DATA HOLDERS OBLIGED TO MAKE DATA AVAILABLE PURSUANT TO UNION LAW
Article 44
Other Union legal acts governing rights and obligations on data access and use
1. The specific obligations for the making available of data between businesses, between businesses and consumers, and on exceptional basis between businesses and public bodies, in Union legal acts that entered into force on or before 11 January 2024, and delegated or implementing acts pursuant thereto, shall remain unaffected.
2. This Regulation is without prejudice to Union law specifying, in light of the needs of a sector, a common European data space, or an area of public interest, further requirements, in particular in relation to:
| (a) | technical aspects of data access; |
| (b) | limits on the rights of data holders to access or use certain data provided by users; |
| (c) | aspects going beyond data access and use. |
3. This Regulation, with the exception of Chapter V, is without prejudice to Union and national law providing for access to and authorising the use of data for scientific research purposes.
Article 50
Entry into force and application
This Regulation shall enter into force on the twentieth day following that of its publication in the Official Journal of the European Union.
It shall apply from 12 September 2025.
The obligation resulting from Article 3(1) shall apply to connected_products and the services related to them placed on the market after 12 September 2026.
Chapter III shall apply in relation to obligations to make data available under Union law or national legislation adopted in accordance with Union law, which enters into force after 12 September 2025.
Chapter IV shall apply to contracts concluded after 12 September 2025.
Chapter IV shall apply from 12 September 2027 to contracts concluded on or before 12 September 2025 provided that they are:
| (a) | of indefinite duration; or |
| (b) | due to expire at least 10 years from 11 January 2024. |
This Regulation shall be binding in its entirety and directly applicable in all Member States.
Done at Strasbourg, 13 December 2023.
For the European Parliament
The President
R. METSOLA
For the Council
The President
P. NAVARRO RÍOS
(1) OJ C 402, 19.10.2022, p. 5.
(2) OJ C 365, 23.9.2022, p. 18.
(3) OJ C 375, 30.9.2022, p. 112.
(4) Position of the European Parliament of 9 November 2023 (not yet published in the Official Journal) and decision of the Council of 27 November 2023.
(5) Commission Recommendation 2003/361/EC of 6 May 2003 concerning the definition of micro, small and medium-sized enterprises (OJ L 124, 20.5.2003, p. 36).
(6) Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (OJ L 119, 4.5.2016, p. 1).
(7) Regulation (EU) 2018/1725 of the European Parliament and of the Council of 23 October 2018 on the protection of natural persons with regard to the processing of personal data by the Union institutions, bodies, offices and agencies and on the free movement of such data, and repealing Regulation (EC) No 45/2001 and Decision No 1247/2002/EC (OJ L 295, 21.11.2018, p. 39).
(8) Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector (Directive on privacy and electronic communications) (OJ L 201, 31.7.2002, p. 37).
(9) Council Directive 93/13/EEC of 5 April 1993 on unfair terms in consumer contracts (OJ L 95, 21.4.1993, p. 29).
(10) Directive 2005/29/EC of the European Parliament and of the Council of 11 May 2005 concerning unfair business-to- consumer commercial practices in the internal market and amending Council Directive 84/450/EEC, Directives 97/7/EC, 98/27/EC and 2002/65/EC of the European Parliament and of the Council and Regulation (EC) No 2006/2004 of the European Parliament and of the Council (‘Unfair Commercial Practices Directive’) (OJ L 149, 11.6.2005, p. 22).
(11) Directive 2011/83/EU of the European Parliament and of the Council of 25 October 2011 on consumer rights, amending Council Directive 93/13/EEC and Directive 1999/44/EC of the European Parliament and of the Council and repealing Council Directive 85/577/EEC and Directive 97/7/EC of the European Parliament and of the Council (OJ L 304, 22.11.2011, p. 64).
(12) Regulation (EU) 2021/784 of the European Parliament and of the Council of 29 April 2021 on addressing the dissemination of terrorist content online (OJ L 172, 17.5.2021, p. 79).
(13) Regulation (EU) 2022/2065 of the European Parliament and of the Council of 19 October 2022 on a Single Market For Digital Services and amending Directive 2000/31/EC (Digital Services Act) (OJ L 277, 27.10.2022, p. 1).
(14) Regulation (EU) 2023/1543 of the European Parliament and of the Council of 12 July 2023 on European Production Orders and European Preservation Orders for electronic evidence in criminal proceedings and for the execution of custodial sentences following criminal proceedings (OJ L 191, 28.7.2023, p. 118).
(15) Directive (EU) 2023/1544 of the European Parliament and of the Council of 12 July 2023 laying down harmonised rules on the designation of designated establishments and the appointment of legal representatives for the purpose of gathering electronic evidence in criminal proceedings (OJ L 191, 28.7.2023, p. 181).
(16) Regulation (EU) 2015/847 of the European Parliament and of the Council of 20 May 2015 on information accompanying transfers of funds and repealing Regulation (EC) No 1781/2006 (OJ L 141, 5.6.2015, p. 1).
(17) Directive (EU) 2015/849 of the European Parliament and of the Council of 20 May 2015 on the prevention of the use of the financial system for the purposes of money laundering or terrorist financing, amending Regulation (EU) No 648/2012 of the European Parliament and of the Council, and repealing Directive 2005/60/EC of the European Parliament and of the Council and Commission Directive 2006/70/EC (OJ L 141, 5.6.2015, p. 73).
(18) Directive (EU) 2019/882 of the European Parliament and of the Council of 17 April 2019 on the accessibility requirements for products and services (OJ L 151, 7.6.2019, p. 70).
(19) Directive 2001/29/EC of the European Parliament and of the Council of 22 May 2001 on the harmonisation of certain aspects of copyright and related rights in the information society (OJ L 167, 22.6.2001, p. 10).
(20) Directive 2004/48/EC of the European Parliament and of the Council of 29 April 2004 on the enforcement of intellectual property rights (OJ L 157, 30.4.2004, p. 45).
(21) Directive (EU) 2019/790 of the European Parliament and of the Council of 17 April 2019 on copyright and related rights in the Digital Single Market and amending Directives 96/9/EC and 2001/29/EC (OJ L 130, 17.5.2019, p. 92).
(22) Regulation (EU) 2022/868 of the European Parliament and of the Council of 30 May 2022 on European data governance and amending Regulation (EU) 2018/1724 (Data Governance Act) (OJ L 152, 3.6.2022, p. 1).
(23) Directive (EU) 2016/943 of the European Parliament and of the Council of 8 June 2016 on the protection of undisclosed know-how and business information ( trade_secrets) against their unlawful acquisition, use and disclosure (OJ L 157, 15.6.2016, p. 1).
(24) Directive 98/6/EC of the European Parliament and of the Council of 16 February 1998 on consumer protection in the indication of the prices of products offered to consumers (OJ L 80, 18.3.1998, p. 27).
(25) Directive 2000/31/EC of the European Parliament and of the Council of 8 June 2000 on certain legal aspects of information society services, in particular electronic commerce, in the Internal Market (‘Directive on electronic commerce’) (OJ L 178, 17.7.2000, p. 1).
(26) Regulation (EU) 2022/1925 of the European Parliament and of the Council of 14 September 2022 on contestable and fair markets in the digital sector and amending Directives (EU) 2019/1937 and (EU) 2020/1828 (Digital Markets Act) (OJ L 265, 12.10.2022, p. 1).
(27) Regulation (EC) No 223/2009 of the European Parliament and of the Council of 11 March 2009 on European statistics and repealing Regulation (EC, Euratom) No 1101/2008 of the European Parliament and of the Council on the transmission of data subject to statistical confidentiality to the Statistical Office of the European Communities, Council Regulation (EC) No 322/97 on Community Statistics, and Council Decision 89/382/EEC, Euratom establishing a Committee on the Statistical Programmes of the European Communities (OJ L 87, 31.3.2009, p. 164).
(28) Directive (EU) 2019/1024 of the European Parliament and of the Council of 20 June 2019 on open data and the re-use of public sector information (OJ L 172, 26.6.2019, p. 56).
(29) Directive 96/9/EC of the European Parliament and of the Council of 11 March 1996 on the legal protection of databases (OJ L 77, 27.3.1996, p. 20).
(30) Regulation (EU) 2018/1807 of the European Parliament and of the Council of 14 November 2018 on a framework for the free flow of non-personal data in the European Union (OJ L 303, 28.11.2018, p. 59).
(31) Directive (EU) 2019/770 of the European Parliament and of the Council of 20 May 2019 on certain aspects concerning contracts for the supply of digital content and digital services (OJ L 136, 22.5.2019, p. 1).
(32) Regulation (EU) 2022/2554 of the European Parliament and of the Council of 14 December 2022 on digital operational resilience for the financial sector and amending Regulations (EC) No 1060/2009, (EU) No 648/2012, (EU) No 600/2014, (EU) No 909/2014 and (EU) 2016/1011 (OJ L 333, 27.12.2022, p. 1).
(33) Regulation (EU) No 1025/2012 of the European Parliament and of the Council of 25 October 2012 on European standardisation, amending Council Directives 89/686/EEC and 93/15/EEC and Directives 94/9/EC, 94/25/EC, 95/16/EC, 97/23/EC, 98/34/EC, 2004/22/EC, 2007/23/EC, 2009/23/EC and 2009/105/EC of the European Parliament and of the Council and repealing Council Decision 87/95/EEC and Decision No 1673/2006/EC of the European Parliament and of the Council (OJ L 316, 14.11.2012, p. 12).
(34) Regulation (EC) No 765/2008 of the European Parliament and of the Council of 9 July 2008 setting out the requirements for accreditation and repealing Regulation (EEC) No 339/93 (OJ L 218, 13.8.2008, p. 30).
(35) Decision No 768/2008/EC of the European Parliament and of the Council of 9 July 2008 on a common framework for the marketing of products, and repealing Council Decision 93/465/EEC (OJ L 218, 13.8.2008, p. 82).
(36) Regulation (EU) 2017/2394 of the European Parliament and of the Council of 12 December 2017 on cooperation between national authorities responsible for the enforcement of consumer protection laws and repealing Regulation (EC) No 2006/2004 (OJ L 345, 27.12.2017, p. 1).
(37) Directive (EU) 2020/1828 of the European Parliament and of the Council of 25 November 2020 on representative actions for the protection of the collective interests of consumers and repealing Directive 2009/22/EC (OJ L 409, 4.12.2020, p. 1).
(38) OJ L 123, 12.5.2016, p. 1.
(39) Regulation (EU) No 182/2011 of the European Parliament and of the Council of 16 February 2011 laying down the rules and general principles concerning mechanisms for control by the Member States of the Commission’s exercise of implementing powers (OJ L 55, 28.2.2011, p. 13).
ELI: http:// data.europa.eu/eli/reg/2023/2854/oj
ISSN 1977-0677 (electronic edition)