keyboard_tab Data Act 2023/2854 EN
BG CS DA DE EL EN ES ET FI FR GA HR HU IT LV LT MT NL PL PT RO SK SL SV print pdf
- 1 Article 1 Subject matter and scope
- 1 Article 14 Obligation to make data available on the basis of an exceptional need
- 1 Article 16 Relationship with other obligations to make data available to public sector bodies, the Commission, the European Central Bank and Union bodies
- 1 Article 21 Sharing of data obtained in the context of an exceptional need with research organisations or statistical bodies
- 2 Article 37 Competent authorities and data coordinators
- 2 Article 49 Evaluation and review
- Article 50 Entry into force and application
CHAPTER I
GENERAL PROVISIONS
CHAPTER II
BUSINESS TO CONSUMER AND BUSINESS TO BUSINESS DATA SHARING
CHAPTER III
OBLIGATIONS FOR DATA HOLDERS OBLIGED TO MAKE DATA AVAILABLE PURSUANT TO UNION LAW
CHAPTER IV
UNFAIR CONTRACTUAL TERMS RELATED TO DATA ACCESS AND USE BETWEEN ENTERPRISES
CHAPTER V
MAKING DATA AVAILABLE TO PUBLIC SECTOR BODIES, THE COMMISSION, THE EUROPEAN CENTRAL BANK AND UNION BODIES ON THE BASIS OF AN EXCEPTIONAL NEED
CHAPTER VI
SWITCHING BETWEEN DATA PROCESSING SERVICES
CHAPTER VII
UNLAWFUL INTERNATIONAL GOVERNMENTAL ACCESS AND TRANSFER OF NON-PERSONAL DATA
CHAPTER VIII
INTEROPERABILITY
CHAPTER IX
IMPLEMENTATION AND ENFORCEMENT
CHAPTER X
SUI GENERIS RIGHT UNDER DIRECTIVE 96/9/EC
CHAPTER XI
FINAL PROVISIONS
- data
- metadata
- personal data
- non-personal data
- connected product
- related service
- processing
- data processing service
- same service type
- data intermediation service
- data subject
- user
- data holder
- data recipient
- product data
- related service data
- readily available data
- trade secret
- trade secret holder
- profiling
- making available on the market
- placing on the market
- consumer
- enterprise
- small enterprise
- microenterprise
- Union bodies
- public sector body
- public emergency
- customer
- virtual assistants
- digital assets
- on-premises ICT infrastructure
- switching
- data egress charges
- switching charges
- functional equivalence
- exportable data
- smart contract
- interoperability
- common specifications
- harmonised standard
- data 111
- regulation 60
- shall 50
- union 33
- competent 29
- authorities 27
- article 25
- commission 19
- public 19
- european 18
- available 18
- under 18
- services 18
- eu / 17
- chapter 16
- which 16
- including 15
- national 15
- authority 15
- legal 15
- application 15
- member 15
- entity 13
- sector 12
- request 11
- this 11
- states 11
- central 11
- bank 11
- bodies 11
- personal 10
- processing 10
- obligations 10
- within 10
- relevant 10
- such 10
- state 10
- providers 9
- protection 9
- scope 9
- from 9
- access 9
- paragraph 8
- information 8
- ensure 8
- sharing 8
- connected_products 8
- rights 8
- particular 8
- does 8
Article 1
Subject matter and scope
1. This Regulation lays down harmonised rules, inter alia, on:
| (a) | the making available of product data and related_service data to the user of the connected_product or related_service; |
| (b) | the making available of data by data holders to data recipients; |
| (c) | the making available of data by data holders to public sector bodies, the Commission, the European Central Bank and Union_bodies, where there is an exceptional need for those data for the performance of a specific task carried out in the public interest; |
| (d) | facilitating switching between data processing services; |
| (e) | introducing safeguards against unlawful third-party access to non-personal data; and |
| (f) | the development of interoperability standards for data to be accessed, transferred and used. |
2. This Regulation covers personal and non-personal data, including the following types of data, in the following contexts:
| (a) | Chapter II applies to data, with the exception of content, concerning the performance, use and environment of connected_products and related_services; |
| (b) | Chapter III applies to any private sector data that is subject to statutory data sharing obligations; |
| (c) | Chapter IV applies to any private sector data accessed and used on the basis of contract between enterprises; |
| (d) | Chapter V applies to any private sector data with a focus on non-personal data; |
| (e) | Chapter VI applies to any data and services processed by providers of data processing services; |
| (f) | Chapter VII applies to any non-personal data held in the Union by providers of data processing services. |
3. This Regulation applies to:
| (a) | manufacturers of connected_products placed on the market in the Union and providers of related_services, irrespective of the place of establishment of those manufacturers and providers; |
| (b) | users in the Union of connected_products or related_services as referred to in point (a); |
| (c) | data holders, irrespective of their place of establishment, that make data available to data recipients in the Union; |
| (d) | data recipients in the Union to whom data are made available; |
| (e) | public sector bodies, the Commission, the European Central Bank and Union_bodies that request data holders to make data available where there is an exceptional need for those data for the performance of a specific task carried out in the public interest and to the data holders that provide those data in response to such request; |
| (f) | providers of data processing services, irrespective of their place of establishment, providing such services to customers in the Union; |
| (g) | participants in data spaces and vendors of applications using smart_contracts and persons whose trade, business or profession involves the deployment of smart_contracts for others in the context of executing an agreement. |
4. Where this Regulation refers to connected_products or related_services, such references are also understood to include virtual_assistants insofar as they interact with a connected_product or related_service.
5. This Regulation is without prejudice to Union and national law on the protection of personal data, privacy and confidentiality of communications and integrity of terminal equipment, which shall apply to personal data processed in connection with the rights and obligations laid down herein, in particular Regulations (EU) 2016/679 and (EU) 2018/1725 and Directive 2002/58/EC, including the powers and competences of supervisory authorities and the rights of data subjects. Insofar as users are data subjects, the rights laid down in Chapter II of this Regulation shall complement the rights of access by data subjects and rights to data portability under Articles 15 and 20 of Regulation (EU) 2016/679. In the event of a conflict between this Regulation and Union law on the protection of personal data or privacy, or national legislation adopted in accordance with such Union law, the relevant Union or national law on the protection of personal data or privacy shall prevail.
6. This Regulation does not apply to or pre-empt voluntary arrangements for the exchange of data between private and public entities, in particular voluntary arrangements for data sharing.
This Regulation does not affect Union or national legal acts providing for the sharing of, access to and the use of data for the purpose of the prevention, investigation, detection or prosecution of criminal offences or for the execution of criminal penalties, or for customs and taxation purposes, in particular Regulations (EU) 2021/784, (EU) 2022/2065 and (EU) 2023/1543 and Directive (EU) 2023/1544, or international cooperation in that area. This Regulation does not apply to the collection or sharing of, access to or the use of data under Regulation (EU) 2015/847 and Directive (EU) 2015/849. This Regulation does not apply to areas that fall outside the scope of Union law and in any event does not affect the competences of the Member States concerning public security, defence or national security, regardless of the type of entity entrusted by the Member States to carry out tasks in relation to those competences, or their power to safeguard other essential State functions, including ensuring the territorial integrity of the State and the maintenance of law and order. This Regulation does not affect the competences of the Member States concerning customs and tax administration or the health and safety of citizens.
7. This Regulation complements the self-regulatory approach of Regulation (EU) 2018/1807 by adding generally applicable obligations on cloud switching.
8. This Regulation is without prejudice to Union and national legal acts providing for the protection of intellectual property rights, in particular Directives 2001/29/EC, 2004/48/EC and (EU) 2019/790.
9. This Regulation complements and is without prejudice to Union law which aims to promote the interests of consumers and ensure a high level of consumer protection, and to protect their health, safety and economic interests, in particular Directives 93/13/EEC, 2005/29/EC and 2011/83/EU.
10. This Regulation does not preclude the conclusion of voluntary lawful data sharing contracts, including contracts concluded on a reciprocal basis, which comply with the requirements laid down in this Regulation.
Article 14
Obligation to make data available on the basis of an exceptional need
Where a public_sector_body, the Commission, the European Central Bank or a Union body demonstrates an exceptional need, as set out in Article 15, to use certain data, including the relevant meta data necessary to interpret and use those data, to carry out its statutory duties in the public interest, data holders that are legal persons, other than public sectors bodies, which hold those data shall make them available upon a duly reasoned request.
Article 16
Relationship with other obligations to make data available to public sector bodies, the Commission, the European Central Bank and Union_bodies
1. This Chapter shall not affect the obligations laid down in Union or national law for the purposes of reporting, complying with requests for access to information or demonstrating or verifying compliance with legal obligations.
2. This Chapter shall not apply to public sector bodies, the Commission, the European Central Bank or Union_bodies carrying out activities for the prevention, investigation, detection or prosecution of criminal or administrative offences or the execution of criminal penalties, or to customs or taxation administration. This Chapter does not affect applicable Union and national law on the prevention, investigation, detection or prosecution of criminal or administrative offences or the execution of criminal or administrative penalties, or for customs or taxation administration.
Article 21
Sharing of data obtained in the context of an exceptional need with research organisations or statistical bodies
1. A public_sector_body, the Commission, the European Central Bank or a Union body shall be entitled to share data received under this Chapter:
| (a) | with individuals or organisations in view of carrying out scientific research or analytics compatible with the purpose for which the data was requested; or |
| (b) | with national statistical institutes and Eurostat for the production of official statistics. |
2. Individuals or organisations receiving the data pursuant to paragraph 1 shall act on a not-for-profit basis or in the context of a public-interest mission recognised in Union or national law. They shall not include organisations upon which commercial undertakings have a significant influence which is likely to result in preferential access to the results of the research.
3. Individuals or organisations receiving the data pursuant to paragraph 1 of this Article shall comply with the same obligations that are applicable to the public sector bodies, the Commission, the European Central Bank or Union_bodies pursuant to Article 17(3) and Article 19.
4. Notwithstanding Article 19(1), point (c), individuals or organisations receiving the data pursuant to paragraph 1 of this Article may keep the data received for the purpose for which the data was requested for up to six months following erasure of the data by the public sector bodies, the Commission, the European Central Bank and Union_bodies.
5. Where a public_sector_body, the Commission, the European Central Bank or a Union body intends to transmit or make data available under paragraph 1 of this Article, it shall notify without undue delay the data holder from whom the data was received, stating the identity and contact details of the organisation or the individual receiving the data, the purpose of the transmission or making available of the data, the period for which the data is to be used and the technical protection and organisational measures taken, including where personal data or trade_secrets are involved. Where the data holder disagrees with the transmission or making available of data, it may lodge a complaint with the competent authority designated pursuant to Article 37 of the Member State where the data holder is established.
Article 37
Competent authorities and data coordinators
1. Each Member State shall designate one or more competent authorities to be responsible for the application and enforcement of this Regulation (competent authorities). Member States may establish one or more new authorities or rely on existing authorities.
2. Where a Member State designates more than one competent authority, it shall designate a data coordinator from among them to facilitate cooperation between the competent authorities and to assist entities within the scope of this Regulation on all matters related to its application and enforcement. Competent authorities shall, in the exercise of the tasks and powers assigned to them under paragraph 5, cooperate with each other.
3. The supervisory authorities responsible for monitoring the application of Regulation (EU) 2016/679 shall be responsible for monitoring the application of this Regulation insofar as the protection of personal data is concerned. Chapters VI and VII of Regulation (EU) 2016/679 shall apply mutatis mutandis.
The European Data Protection Supervisor shall be responsible for monitoring the application of this Regulation insofar as it concerns the Commission, the European Central Bank or Union_bodies. Where relevant, Article 62 of Regulation (EU) 2018/1725 shall apply mutatis mutandis.
The tasks and powers of the supervisory authorities referred to in this paragraph shall be exercised with regard to the processing of personal data.
4. Without prejudice to paragraph 1 of this Article:
| (a) | for specific sectoral data access and use issues related to the application of this Regulation, the competence of sectoral authorities shall be respected; |
| (b) | the competent authority responsible for the application and enforcement of Articles 23 to 31 and Articles 34 and 35 shall have experience in the field of data and electronic communications services. |
5. Member States shall ensure that the tasks and powers of the competent authorities are clearly defined and include:
| (a) | promoting data literacy and awareness among users and entities falling within the scope of this Regulation of the rights and obligations under this Regulation; |
| (b) | handling complaints arising from alleged infringements of this Regulation, including in relation to trade_secrets, and investigating, to the extent appropriate, the subject matter of complaints and regularly informing complainants, where relevant in accordance with national law, of the progress and the outcome of the investigation within a reasonable period, in particular if further investigation or coordination with another competent authority is necessary; |
| (c) | conducting investigations into matters that concern the application of this Regulation, including on the basis of information received from another competent authority or other public authority; |
| (d) | imposing effective, proportionate and dissuasive financial penalties which may include periodic penalties and penalties with retroactive effect, or initiating legal proceedings for the imposition of fines; |
| (e) | monitoring technological and relevant commercial developments of relevance for the making available and use of data; |
| (f) | cooperating with competent authorities of other Member States and, where relevant, with the Commission or the EDIB, to ensure the consistent and efficient application of this Regulation, including the exchange of all relevant information by electronic means, without undue delay, including regarding paragraph 10 of this Article; |
| (g) | cooperating with the relevant competent authorities responsible for the implementation of other Union or national legal acts, including with authorities competent in the field of data and electronic communication services, with the supervisory authority responsible for monitoring the application of Regulation (EU) 2016/679 or with sectoral authorities to ensure that this Regulation is enforced consistently with other Union and national law; |
| (h) | cooperating with the relevant competent authorities to ensure that Articles 23 to 31 and Articles 34 and 35 are enforced consistently with other Union law and self-regulation applicable to providers of data processing services; |
| (i) | ensuring that switching charges are withdrawn in accordance with Article 29; |
| (j) | examining the requests for data made pursuant to Chapter V. |
Where designated, the data coordinator shall facilitate the cooperation referred to in points (f), (g) and (h) of the first subparagraph and shall assist the competent authorities upon their request.
6. The data coordinator, where such competent authority has been designated, shall:
| (a) | act as the single point of contact for all issues related to the application of this Regulation; |
| (b) | ensure the online public availability of requests to make data available made by public sector bodies in the case of exceptional need under Chapter V and promote voluntary data sharing agreements between public sector bodies and data holders; |
| (c) | inform the Commission, on an annual basis, of the refusals notified under Article 4(2) and (8) and Article 5(11). |
7. Member States shall notify the Commission of the names of the competent authorities and of their tasks and powers and, where applicable, the name of the data coordinator. The Commission shall maintain a public register of those authorities.
8. When carrying out their tasks and exercising their powers in accordance with this Regulation, competent authorities shall remain impartial and free from any external influence, whether direct or indirect, and shall neither seek nor take instructions for individual cases from any other public authority or any private party.
9. Member States shall ensure that the competent authorities are provided with sufficient human and technical resources and relevant expertise to effectively carry out their tasks in accordance with this Regulation.
10. Entities falling within the scope of this Regulation shall be subject to the competence of the Member State where the entity is established. Where the entity is established in more than one Member State, it shall be considered to be under the competence of the Member State in which it has its main establishment, that is, where the entity has its head office or registered office from which the principal financial functions and operational control are exercised.
11. Any entity falling within the scope of this Regulation that makes connected_products available or offers services in the Union, and which is not established in the Union, shall designate a legal representative in one of the Member States.
12. For the purpose of ensuring compliance with this Regulation, a legal representative shall be mandated by an entity falling within the scope of this Regulation that makes connected_products available or offers services in the Union to be addressed in addition to or instead of it by competent authorities with regard to all issues related to that entity. That legal representative shall cooperate with and comprehensively demonstrate to the competent authorities, upon request, the actions taken and provisions put in place by the entity falling within the scope of this Regulation that makes connected_products available or offers services in the Union to ensure compliance with this Regulation.
13. An entity falling within the scope of this Regulation that makes connected_products available or offers services in the Union, shall be considered to be under the competence of the Member State in which its legal representative is located. The designation of a legal representative by such an entity shall be without prejudice to the liability of, and any legal action that could be initiated against, such an entity. Until such time as an entity designates a legal representative in accordance with this Article, it shall be under the competence of all Member States, where applicable, for the purposes of ensuring the application and enforcement of this Regulation. Any competent authority may exercise its competence, including by imposing effective, proportionate and dissuasive penalties, provided that the entity is not subject to enforcement proceedings under this Regulation regarding the same facts by another competent authority.
14. Competent authorities shall have the power to request from users, data holders, or data recipients, or their legal representatives, falling under the competence of their Member State all information necessary to verify compliance with this Regulation. Any request for information shall be proportionate to the performance of the underlying task and shall be reasoned.
15. Where a competent authority in one Member State requests assistance or enforcement measures from a competent authority in another Member State, it shall submit a reasoned request. A competent authority shall, upon receiving such a request, provide a response, detailing the actions that have been taken or which are intended to be taken, without undue delay.
16. Competent authorities shall respect the principles of confidentiality and of professional and commercial secrecy and shall protect personal data in accordance with Union or national law. Any information exchanged in the context of a request for assistance and provided pursuant to this Article shall be used only in respect of the matter for which it was requested.
Article 49
Evaluation and review
1. By 12 September 2028, the Commission shall carry out an evaluation of this Regulation and submit a report on its main findings to the European Parliament and to the Council, and to the European Economic and Social Committee. That evaluation shall assess, in particular:
| (a) | situations to be considered to be situations of exceptional need for the purpose of Article 15 of this Regulation and the application of Chapter V of this Regulation in practice, in particular the experience in the application of Chapter V of this Regulation by public sector bodies, the Commission, the European Central Bank and Union_bodies; the number and outcome of the proceedings brought to the competent authority under Article 18(5) on the application of Chapter V of this Regulation, as reported by the competent authorities; the impact of other obligations laid down in Union or national law for the purposes of complying with requests for access to information; the impact of voluntary data-sharing mechanisms, such as those put in place by data altruism organisations recognised under Regulation (EU) 2022/868, on meeting the objectives of Chapter V of this Regulation, and the role of personal data in the context of Article 15 of this Regulation, including the evolution of privacy-enhancing technologies; |
| (b) | the impact of this Regulation on the use of data in the economy, including on data innovation, data monetisation practices and data intermediation services, as well as on data sharing within the common European data spaces; |
| (c) | the accessibility and use of different categories and types of data; |
| (d) | the exclusion of certain categories of enterprises as beneficiaries under Article 5; |
| (e) | the absence of any impact on intellectual property rights; |
| (f) | the impact on trade_secrets, including on the protection against their unlawful acquisition, use and disclosure, as well as the impact of the mechanism allowing the data holder to refuse the user’s request under Article 4(8) and Article 5(11), taking into account, to the extent possible, any revision of Directive (EU) 2016/943; |
| (g) | whether the list of unfair contractual terms referred to in Article 13 is up-to-date in light of new business practices and the rapid pace of market innovation; |
| (h) | changes in the contractual practices of providers of data processing services and whether this results in sufficient compliance with Article 25; |
| (i) | the diminution of charges imposed by providers of data processing services for the switching process, in line with the gradual withdrawal of switching charges pursuant to Article 29; |
| (j) | the interplay of this Regulation with other Union legal acts of relevance to the data economy; |
| (k) | the prevention of unlawful governmental access to non-personal data; |
| (l) | the efficacy of the enforcement regime required under Article 37; |
| (m) | the impact of this Regulation on SMEs with regard to their capacity to innovate and to the availability of data processing services for users in the Union and the burden of complying with new obligations. |
2. By 12 September 2028, the Commission shall carry out an evaluation of this Regulation and submit a report on its main findings to the European Parliament and to the Council, and to the European Economic and Social Committee. That evaluation shall assess the impact of Articles 23 to 31 and Articles 34 and 35, in particular regarding pricing and the diversity of data processing services offered within the Union, with a special focus on SME providers.
3. Member States shall provide the Commission with the information necessary for the preparation of the reports referred to in paragraphs 1 and 2.
4. On the basis of the reports referred to in paragraphs 1 and 2, the Commission may, where appropriate, submit a legislative proposal to the European Parliament and to the Council to amend this Regulation.
whereas