keyboard_tab Data Act 2023/2854 EN
BG CS DA DE EL EN ES ET FI FR GA HR HU IT LV LT MT NL PL PT RO SK SL SV print pdf
- 1 Article 2 Definitions
- 1 Article 32 International governmental access and transfer
- 4 Article 36 Essential requirements regarding smart contracts for executing data sharing agreements
- 1 Article 49 Evaluation and review
- Article 50 Entry into force and application
CHAPTER I
GENERAL PROVISIONS
CHAPTER II
BUSINESS TO CONSUMER AND BUSINESS TO BUSINESS DATA SHARING
CHAPTER III
OBLIGATIONS FOR DATA HOLDERS OBLIGED TO MAKE DATA AVAILABLE PURSUANT TO UNION LAW
CHAPTER IV
UNFAIR CONTRACTUAL TERMS RELATED TO DATA ACCESS AND USE BETWEEN ENTERPRISES
CHAPTER V
MAKING DATA AVAILABLE TO PUBLIC SECTOR BODIES, THE COMMISSION, THE EUROPEAN CENTRAL BANK AND UNION BODIES ON THE BASIS OF AN EXCEPTIONAL NEED
CHAPTER VI
SWITCHING BETWEEN DATA PROCESSING SERVICES
CHAPTER VII
UNLAWFUL INTERNATIONAL GOVERNMENTAL ACCESS AND TRANSFER OF NON-PERSONAL DATA
CHAPTER VIII
INTEROPERABILITY
CHAPTER IX
IMPLEMENTATION AND ENFORCEMENT
CHAPTER X
SUI GENERIS RIGHT UNDER DIRECTIVE 96/9/EC
CHAPTER XI
FINAL PROVISIONS
- data
- metadata
- personal data
- non-personal data
- connected product
- related service
- processing
- data processing service
- same service type
- data intermediation service
- data subject
- user
- data holder
- data recipient
- product data
- related service data
- readily available data
- trade secret
- trade secret holder
- profiling
- making available on the market
- placing on the market
- consumer
- enterprise
- small enterprise
- microenterprise
- Union bodies
- public sector body
- public emergency
- customer
- virtual assistants
- digital assets
- on-premises ICT infrastructure
- switching
- data egress charges
- switching charges
- functional equivalence
- exportable data
- smart contract
- interoperability
- common specifications
- harmonised standard
- data 103
- means 47
- processing 31
- regulation 31
- article 30
- union 27
- shall 26
- services 22
- service 18
- such 18
- access 18
- paragraph 18
- commission 17
- european 16
- provider 16
- relevant 16
- requirements 16
- including 15
- laid 14
- which 14
- down 14
- national 14
- referred 13
- essential 12
- decision 12
- request 12
- legal 11
- authority 11
- thereof 11
- business 11
- person 10
- under 10
- smart_contract 10
- customer 10
- connected_product 10
- third-country 10
- accordance 9
- transfer 9
- available 9
- agreement 9
- member 9
- impact 8
- defined 8
- eu / 8
- third 8
- data’ 8
- acts 8
- smart_contracts 8
- more 7
- from 7
Article 2
Definitions
For the purposes of this Regulation, the following definitions apply:
| (1) | ‘ data’ means any digital representation of acts, facts or information and any compilation of such acts, facts or information, including in the form of sound, visual or audio-visual recording; |
| (2) | ‘meta data’ means a structured description of the contents or the use of data facilitating the discovery or use of that data; |
| (3) | ‘personal data’ means personal data as defined in Article 4, point (1), of Regulation (EU) 2016/679; |
| (4) | ‘non-personal data’ means data other than personal data; |
| (5) | ‘ connected_product’ means an item that obtains, generates or collects data concerning its use or environment and that is able to communicate product data via an electronic communications service, physical connection or on-device access, and whose primary function is not the storing, processing or transmission of data on behalf of any party other than the user; |
| (6) | ‘ related_service’ means a digital service, other than an electronic communications service, including software, which is connected with the product at the time of the purchase, rent or lease in such a way that its absence would prevent the connected_product from performing one or more of its functions, or which is subsequently connected to the product by the manufacturer or a third party to add to, update or adapt the functions of the connected_product; |
| (7) | ‘ processing’ means any operation or set of operations which is performed on data or on sets of data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination, or other means of making them available, alignment or combination, restriction, erasure or destruction; |
| (8) | ‘ data processing service’ means a digital service that is provided to a customer and that enables ubiquitous and on-demand network access to a shared pool of configurable, scalable and elastic computing resources of a centralised, distributed or highly distributed nature that can be rapidly provisioned and released with minimal management effort or service provider interaction; |
| (9) | ‘ same_service_type’ means a set of data processing services that share the same primary objective, data processing service model and main functionalities; |
| (10) | ‘ data intermediation service’ means data intermediation service as defined in Article 2, point (11), of Regulation (EU) 2022/868; |
| (11) | ‘ data subject’ means data subject as referred to in Article 4, point (1), of Regulation (EU) 2016/679; |
| (12) | ‘ user’ means a natural or legal person that owns a connected_product or to whom temporary rights to use that connected_product have been contractually transferred, or that receives related_services; |
| (13) | ‘ data holder’ means a natural or legal person that has the right or obligation, in accordance with this Regulation, applicable Union law or national legislation adopted in accordance with Union law, to use and make available data, including, where contractually agreed, product data or related_service data which it has retrieved or generated during the provision of a related_service; |
| (14) | ‘ data recipient’ means a natural or legal person, acting for purposes which are related to that person’s trade, business, craft or profession, other than the user of a connected_product or related_service, to whom the data holder makes data available, including a third party following a request by the user to the data holder or in accordance with a legal obligation under Union law or national legislation adopted in accordance with Union law; |
| (15) | ‘product data’ means data generated by the use of a connected_product that the manufacturer designed to be retrievable, via an electronic communications service, physical connection or on-device access, by a user, data holder or a third party, including, where relevant, the manufacturer; |
| (16) | ‘ related_service data’ means data representing the digitisation of user actions or of events related to the connected_product, recorded intentionally by the user or generated as a by-product of the user’s action during the provision of a related_service by the provider; |
| (17) | ‘readily available data’ means product data and related_service data that a data holder lawfully obtains or can lawfully obtain from the connected_product or related_service, without disproportionate effort going beyond a simple operation; |
| (18) | ‘ trade_secret’ means trade_secret as defined in Article 2, point (1), of Directive (EU) 2016/943; |
| (19) | ‘ trade_secret holder’ means a trade_secret holder as defined in Article 2, point (2), of Directive (EU) 2016/943; |
| (20) | ‘ profiling’ means profiling as defined in Article 4, point (4), of Regulation (EU) 2016/679; |
| (21) | ‘ making_available_on_the_market’ means any supply of a connected_product for distribution, consumption or use on the Union market in the course of a commercial activity, whether in return for payment or free of charge; |
| (22) | ‘ placing_on_the_market’ means the first making available of a connected_product on the Union market; |
| (23) | ‘ consumer’ means any natural person who is acting for purposes which are outside that person’s trade, business, craft or profession; |
| (24) | ‘ enterprise’ means a natural or legal person that, in relation to contracts and practices covered by this Regulation, is acting for purposes which are related to that person’s trade, business, craft or profession; |
| (25) | ‘small enterprise’ means a small enterprise as defined in Article 2(2) of the Annex to Recommendation 2003/361/EC; |
| (26) | ‘micro enterprise’ means a micro enterprise as defined in Article 2(3) of the Annex to Recommendation 2003/361/EC; |
| (27) | ‘ Union_bodies’ means the Union_bodies, offices and agencies set up by or pursuant to acts adopted on the basis of the Treaty on European Union, the TFEU or the Treaty establishing the European Atomic Energy Community; |
| (28) | ‘ public_sector_body’ means national, regional or local authorities of the Member States and bodies governed by public law of the Member States, or associations formed by one or more such authorities or one or more such bodies; |
| (29) | ‘ public_emergency’ means an exceptional situation, limited in time, such as a public health emergency, an emergency resulting from natural disasters, a human-induced major disaster, including a major cybersecurity incident, negatively affecting the population of the Union or the whole or part of a Member State, with a risk of serious and lasting repercussions for living conditions or economic stability, financial stability, or the substantial and immediate degradation of economic assets in the Union or the relevant Member State and which is determined or officially declared in accordance with the relevant procedures under Union or national law; |
| (30) | ‘ customer’ means a natural or legal person that has entered into a contractual relationship with a provider of data processing services with the objective of using one or more data processing services; |
| (31) | ‘ virtual_assistants’ means software that can process demands, tasks or questions including those based on audio, written input, gestures or motions, and that, based on those demands, tasks or questions, provides access to other services or controls the functions of connected_products; |
| (32) | ‘ digital_assets’ means elements in digital form, including applications, for which the customer has the right of use, independently from the contractual relationship with the data processing service it intends to switch from; |
| (33) | ‘ on-premises_ICT_infrastructure’ means ICT infrastructure and computing resources owned, rented or leased by the customer, located in the data centre of the customer itself and operated by the customer or by a third-party; |
| (34) | ‘ switching’ means the process involving a source provider of data processing services, a customer of a data processing service and, where relevant, a destination provider of data processing services, whereby the customer of a data processing service changes from using one data processing service to using another data processing service of the same_service_type, or other service, offered by a different provider of data processing services, or to an on-premises_ICT_infrastructure, including through extracting, transforming and uploading the data; |
| (35) | ‘ data egress charges’ means data transfer fees charged to customers for extracting their data through the network from the ICT infrastructure of a provider of data processing services to the system of a different provider or to on-premises_ICT_infrastructure; |
| (36) | ‘ switching charges’ means charges, other than standard service fees or early termination penalties, imposed by a provider of data processing services on a customer for the actions mandated by this Regulation for switching to the system of a different provider or to on-premises_ICT_infrastructure, including data egress charges; |
| (37) | ‘ functional_equivalence’ means re-establishing on the basis of the customer’s exportable data and digital_assets, a minimum level of functionality in the environment of a new data processing service of the same_service_type after the switching process, where the destination data processing service delivers a materially comparable outcome in response to the same input for shared features supplied to the customer under the contract; |
| (38) | ‘exportable data’, for the purpose of Articles 23 to 31 and Article 35, means the input and output data, including meta data, directly or indirectly generated, or cogenerated, by the customer’s use of the data processing service, excluding any assets or data protected by intellectual property rights, or constituting a trade_secret, of providers of data processing services or third parties; |
| (39) | ‘ smart_contract’ means a computer program used for the automated execution of an agreement or part thereof, using a sequence of electronic data records and ensuring their integrity and the accuracy of their chronological ordering; |
| (40) | ‘ interoperability’ means the ability of two or more data spaces or communication networks, systems, connected_products, applications, data processing services or components to exchange and use data in order to perform their functions; |
| (41) | open interoperability specification’ means a technical specification in the field of information and communication technologies which is performance oriented towards achieving interoperability between data processing services; |
| (42) | ‘ common_specifications’ means a document, other than a standard, containing technical solutions providing a means to comply with certain requirements and obligations established under this Regulation; |
| (43) | ‘ harmonised_standard’ means a harmonised_standard as defined in Article 2, point (1)(c), of Regulation (EU) No 1025/2012. |
CHAPTER II
BUSINESS TO CONSUMER AND BUSINESS TO BUSINESS DATA SHARING
Article 32
International governmental access and transfer
1. Providers of data processing services shall take all adequate technical, organisational and legal measures, including contracts, in order to prevent international and third-country governmental access and transfer of non-personal data held in the Union where such transfer or access would create a conflict with Union law or with the national law of the relevant Member State, without prejudice to paragraph 2 or 3.
2. Any decision or judgment of a third-country court or tribunal and any decision of a third-country administrative authority requiring a provider of data processing services to transfer or give access to non-personal data falling within the scope of this Regulation held in the Union shall be recognised or enforceable in any manner only if based on an international agreement, such as a mutual legal assistance treaty, in force between the requesting third country and the Union, or any such agreement between the requesting third country and a Member State.
3. In the absence of an international agreement as referred to in paragraph 2, where a provider of data processing services is the addressee of a decision or judgment of a third-country court or tribunal or a decision of a third-country administrative authority to transfer or give access to non-personal data falling within the scope of this Regulation held in the Union and compliance with such a decision would risk putting the addressee in conflict with Union law or with the national law of the relevant Member State, transfer to or access to such data by that third-country authority shall take place only where:
| (a) | the third-country system requires the reasons and proportionality of such a decision or judgment to be set out and requires such a decision or judgment to be specific in character, for instance by establishing a sufficient link to certain suspected persons or infringements; |
| (b) | the reasoned objection of the addressee is subject to a review by a competent third-country court or tribunal; and |
| (c) | the competent third-country court or tribunal issuing the decision or judgment or reviewing the decision of an administrative authority is empowered under the law of that third country to take duly into account the relevant legal interests of the provider of the data protected by Union law or by the national law of the relevant Member State. |
The addressee of the decision or judgment may ask the opinion of the relevant national body or authority competent for international cooperation in legal matters, in order to determine whether the conditions laid down in the first subparagraph are met, in particular when it considers that the decision may relate to trade_secrets and other commercially sensitive data as well as to content protected by intellectual property rights or the transfer may lead to re-identification. The relevant national body or authority may consult the Commission. If the addressee considers that the decision or judgment may impinge on the national security or defence interests of the Union or its Member States, it shall ask the opinion of the relevant national body or authority in order to determine whether the data requested concerns national security or defence interests of the Union or its Member States. If the addressee has not received a reply within one month, or if the opinion of such body or authority concludes that the conditions laid down in the first subparagraph are not met, the addressee may reject the request for transfer or access, to non-personal data, on those grounds.
The EDIB referred to in Article 42 shall advise and assist the Commission in developing guidelines on the assessment of whether the conditions laid down in the first subparagraph of this paragraph are met.
4. If the conditions laid down in paragraph 2 or 3 are met, the provider of data processing services shall provide the minimum amount of data permissible in response to a request, on the basis of the reasonable interpretation of that request by the provider or relevant national body or authority referred to in paragraph 3, second subparagraph.
5. The provider of data processing services shall inform the customer about the existence of a request of a third-country authority to access its data before complying with that request, except where the request serves law enforcement purposes and for as long as this is necessary to preserve the effectiveness of the law enforcement activity.
CHAPTER VIII
INTEROPERABILITY
Article 36
Essential requirements regarding smart_contracts for executing data sharing agreements
1. The vendor of an application using smart_contracts or, in the absence thereof, the person whose trade, business or profession involves the deployment of smart_contracts for others in the context of executing an agreement or part of it, to make data available shall ensure that those smart_contracts comply with the following essential requirements of:
| (a) | robustness and access control, to ensure that the smart_contract has been designed to offer access control mechanisms and a very high degree of robustness to avoid functional errors and to withstand manipulation by third parties; |
| (b) | safe termination and interruption, to ensure that a mechanism exists to terminate the continued execution of transactions and that the smart_contract includes internal functions which can reset or instruct the contract to stop or interrupt the operation, in particular to avoid future accidental executions; |
| (c) | data archiving and continuity, to ensure, in circumstances in which a smart_contract must be terminated or deactivated, there is a possibility to archive the transactional data, smart_contract logic and code in order to keep the record of operations performed on the data in the past (auditability); |
| (d) | access control, to ensure that a smart_contract is protected through rigorous access control mechanisms at the governance and smart_contract layers; and |
| (e) | consistency, to ensure consistency with the terms of the data sharing agreement that the smart_contract executes. |
2. The vendor of a smart_contract or, in the absence thereof, the person whose trade, business or profession involves the deployment of smart_contracts for others in the context of executing an agreement or part of it, to make data available shall perform a conformity assessment with a view to fulfilling the essential requirements laid down in paragraph 1 and, on the fulfilment of those requirements, issue an EU declaration of conformity.
3. By drawing up the EU declaration of conformity, the vendor of an application using smart_contracts or, in the absence thereof, the person whose trade, business or profession involves the deployment of smart_contracts for others in the context of executing an agreement or part of it, to make data available shall be responsible for compliance with the essential requirements laid down in paragraph 1.
4. A smart_contract that meets the harmonised_standards or the relevant parts thereof, the references of which are published in the Official Journal of the European Union, shall be presumed to be in conformity with the essential requirements laid down in paragraph 1 to the extent that those requirements are covered by such harmonised_standards or parts thereof.
5. The Commission shall, pursuant to Article 10 of Regulation (EU) No 1025/2012, request one or more European standardisation organisations to draft harmonised_standards that satisfy the essential requirements laid down in paragraph 1 of this Article.
6. The Commission may, by means of implementing acts, adopt common_specifications covering any or all of the essential requirements laid down in paragraph 1 where the following conditions have been fulfilled:
| (a) | the Commission has requested, pursuant to Article 10(1) of Regulation (EU) No 1025/2012, one or more European standardisation organisations to draft a harmonised_standard that satisfies the essential requirements laid down in paragraph 1 of this Article and:
|
| (b) | no reference to harmonised_standards covering the relevant essential requirements laid down in paragraph 1 of this Article is published in the Official Journal of the European Union in accordance with Regulation (EU) No 1025/2012 and no such reference is expected to be published within a reasonable period. |
Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 46(2).
7. Before preparing a draft implementing act referred to in paragraph 6 of this Article, the Commission shall inform the committee referred to in Article 22 of Regulation (EU) No 1025/2012 that it considers that the conditions in paragraph 6 of this Article have been fulfilled.
8. When preparing the draft implementing act referred to in paragraph 6, the Commission shall take into account the advice of the EDIB and views of other relevant bodies or expert groups and shall duly consult all relevant stakeholders.
9. The vendor of a smart_contract or, in the absence thereof, the person whose trade, business or profession involves the deployment of smart_contracts for others in the context of executing an agreement or part of it, to make data available that meet the common_specifications established by implementing acts referred to in paragraph 6 or parts thereof shall be presumed to be in conformity with the essential requirements laid down in paragraph 1 to the extent that those requirements are covered by such common_specifications or parts thereof.
10. Where a harmonised_standard is adopted by a European standardisation organisation and proposed to the Commission for the purpose of publishing its reference in the Official Journal of the European Union, the Commission shall assess the harmonised_standard in accordance with Regulation (EU) No 1025/2012. Where the reference of a harmonised_standard is published in the Official Journal of the European Union, the Commission shall repeal the implementing acts referred to in paragraph 6 of this Article, or parts thereof which cover the same essential requirements as those covered by that harmonised_standard.
11. When a Member State considers that a common specification does not entirely satisfy the essential requirements laid down in paragraph 1, it shall inform the Commission thereof by submitting a detailed explanation. The Commission shall assess that detailed explanation and may, if appropriate, amend the implementing act establishing the common specification in question.
CHAPTER IX
IMPLEMENTATION AND ENFORCEMENT
Article 49
Evaluation and review
1. By 12 September 2028, the Commission shall carry out an evaluation of this Regulation and submit a report on its main findings to the European Parliament and to the Council, and to the European Economic and Social Committee. That evaluation shall assess, in particular:
| (a) | situations to be considered to be situations of exceptional need for the purpose of Article 15 of this Regulation and the application of Chapter V of this Regulation in practice, in particular the experience in the application of Chapter V of this Regulation by public sector bodies, the Commission, the European Central Bank and Union_bodies; the number and outcome of the proceedings brought to the competent authority under Article 18(5) on the application of Chapter V of this Regulation, as reported by the competent authorities; the impact of other obligations laid down in Union or national law for the purposes of complying with requests for access to information; the impact of voluntary data-sharing mechanisms, such as those put in place by data altruism organisations recognised under Regulation (EU) 2022/868, on meeting the objectives of Chapter V of this Regulation, and the role of personal data in the context of Article 15 of this Regulation, including the evolution of privacy-enhancing technologies; |
| (b) | the impact of this Regulation on the use of data in the economy, including on data innovation, data monetisation practices and data intermediation services, as well as on data sharing within the common European data spaces; |
| (c) | the accessibility and use of different categories and types of data; |
| (d) | the exclusion of certain categories of enterprises as beneficiaries under Article 5; |
| (e) | the absence of any impact on intellectual property rights; |
| (f) | the impact on trade_secrets, including on the protection against their unlawful acquisition, use and disclosure, as well as the impact of the mechanism allowing the data holder to refuse the user’s request under Article 4(8) and Article 5(11), taking into account, to the extent possible, any revision of Directive (EU) 2016/943; |
| (g) | whether the list of unfair contractual terms referred to in Article 13 is up-to-date in light of new business practices and the rapid pace of market innovation; |
| (h) | changes in the contractual practices of providers of data processing services and whether this results in sufficient compliance with Article 25; |
| (i) | the diminution of charges imposed by providers of data processing services for the switching process, in line with the gradual withdrawal of switching charges pursuant to Article 29; |
| (j) | the interplay of this Regulation with other Union legal acts of relevance to the data economy; |
| (k) | the prevention of unlawful governmental access to non-personal data; |
| (l) | the efficacy of the enforcement regime required under Article 37; |
| (m) | the impact of this Regulation on SMEs with regard to their capacity to innovate and to the availability of data processing services for users in the Union and the burden of complying with new obligations. |
2. By 12 September 2028, the Commission shall carry out an evaluation of this Regulation and submit a report on its main findings to the European Parliament and to the Council, and to the European Economic and Social Committee. That evaluation shall assess the impact of Articles 23 to 31 and Articles 34 and 35, in particular regarding pricing and the diversity of data processing services offered within the Union, with a special focus on SME providers.
3. Member States shall provide the Commission with the information necessary for the preparation of the reports referred to in paragraphs 1 and 2.
4. On the basis of the reports referred to in paragraphs 1 and 2, the Commission may, where appropriate, submit a legislative proposal to the European Parliament and to the Council to amend this Regulation.
whereas