keyboard_tab Data Act 2023/2854 EN
BG CS DA DE EL EN ES ET FI FR GA HR HU IT LV LT MT NL PL PT RO SK SL SV print pdf
- 1 Article 6 Obligations of third parties receiving data at the request of the user
- 1 Article 10 Dispute settlement
- 1 Article 15 Exceptional need to use data
- 1 Article 29 Gradual withdrawal of switching charges
- 2 Article 30 Technical aspects of switching
- 1 Article 37 Competent authorities and data coordinators
CHAPTER I
GENERAL PROVISIONS
CHAPTER II
BUSINESS TO CONSUMER AND BUSINESS TO BUSINESS DATA SHARING
CHAPTER III
OBLIGATIONS FOR DATA HOLDERS OBLIGED TO MAKE DATA AVAILABLE PURSUANT TO UNION LAW
CHAPTER IV
UNFAIR CONTRACTUAL TERMS RELATED TO DATA ACCESS AND USE BETWEEN ENTERPRISES
CHAPTER V
MAKING DATA AVAILABLE TO PUBLIC SECTOR BODIES, THE COMMISSION, THE EUROPEAN CENTRAL BANK AND UNION BODIES ON THE BASIS OF AN EXCEPTIONAL NEED
CHAPTER VI
SWITCHING BETWEEN DATA PROCESSING SERVICES
CHAPTER VII
UNLAWFUL INTERNATIONAL GOVERNMENTAL ACCESS AND TRANSFER OF NON-PERSONAL DATA
CHAPTER VIII
INTEROPERABILITY
CHAPTER IX
IMPLEMENTATION AND ENFORCEMENT
CHAPTER X
SUI GENERIS RIGHT UNDER DIRECTIVE 96/9/EC
CHAPTER XI
FINAL PROVISIONS
- data
- metadata
- personal data
- non-personal data
- connected product
- related service
- processing
- data processing service
- same service type
- data intermediation service
- data subject
- user
- data holder
- data recipient
- product data
- related service data
- readily available data
- trade secret
- trade secret holder
- profiling
- making available on the market
- placing on the market
- consumer
- enterprise
- small enterprise
- microenterprise
- Union bodies
- public sector body
- public emergency
- customer
- virtual assistants
- digital assets
- on-premises ICT infrastructure
- switching
- data egress charges
- switching charges
- functional equivalence
- exportable data
- smart contract
- interoperability
- common specifications
- harmonised standard
- data 92
- shall 74
- services 34
- regulation 30
- processing 26
- competent 26
- authorities 25
- dispute 24
- article 24
- body 21
- settlement 21
- union 18
- accordance 18
- available 18
- switching 17
- user 15
- paragraph 15
- member 14
- under 13
- request 13
- referred 13
- authority 13
- which 12
- article 12
- application 12
- entity 12
- commission 12
- from 12
- including 12
- such 11
- providers 11
- information 11
- parties 11
- within 11
- party 10
- state 10
- legal 10
- necessary 9
- relevant 9
- make 9
- ensure 9
- third 9
- pursuant 9
- have 8
- and 8
- customer 8
- charges 8
- scope 8
- public 8
- the 8
Article 6
Obligations of third parties receiving data at the request of the user
1. A third party shall process the data made available to it pursuant to Article 5 only for the purposes and under the conditions agreed with the user and subject to Union and national law on the protection of personal data including the rights of the data subject insofar as personal data are concerned. The third party shall erase the data when they are no longer necessary for the agreed purpose, unless otherwise agreed with the user in relation to non-personal data.
2. The third party shall not:
| (a) | make the exercise of choices or rights under Article 5 and this Article by the user unduly difficult, including by offering choices to the user in a non-neutral manner, or by coercing, deceiving or manipulating the user, or by subverting or impairing the autonomy, decision-making or choices of the user, including by means of a user digital interface or a part thereof; |
| (b) | notwithstanding Article 22(2), points (a) and (c), of Regulation (EU) 2016/679, use the data it receives for the profiling, unless it is necessary to provide the service requested by the user; |
| (c) | make the data it receives available to another third party, unless the data is made available on the basis of a contract with the user, and provided that the other third party takes all necessary measures agreed between the data holder and the third party to preserve the confidentiality of trade_secrets; |
| (d) | make the data it receives available to an undertaking designated as a gatekeeper pursuant to Article 3 of Regulation (EU) 2022/1925; |
| (e) | use the data it receives to develop a product that competes with the connected_product from which the accessed data originate or share the data with another third party for that purpose; third parties shall also not use any non-personal product data or related_service data made available to them to derive insights about the economic situation, assets and production methods of, or use by, the data holder; |
| (f) | use the data it receives in a manner that has an adverse impact on the security of the connected_product or related_service; |
| (g) | disregard the specific measures agreed with a data holder or with the trade_secrets holder pursuant to Article 5(9) and undermine the confidentiality of trade_secrets; |
| (h) | prevent the user that is a consumer, including on the basis of a contract, from making the data it receives available to other parties. |
Article 10
Dispute settlement
1. Users, data holders and data recipients shall have access to a dispute settlement body, certified in accordance with paragraph 5 of this Article, to settle disputes pursuant to Article 4(3) and (9) and Article 5(12) as well as disputes relating to the fair, reasonable and non-discriminatory terms and conditions for, and transparent manner of, making data available in accordance with this Chapter and Chapter IV.
2. Dispute settlement bodies shall make the fees, or the mechanisms used to determine the fees, known to the parties concerned before those parties request a decision.
3. For disputes referred to a dispute settlement body pursuant to Article 4(3) and (9) and Article 5(12), where the dispute settlement body decides a dispute in favour of the user or of the data recipient, the data holder shall bear all the fees charged by the dispute settlement body and shall reimburse that user or that data recipient for any other reasonable expenses that it has incurred in relation to the dispute settlement. If the dispute settlement body decides a dispute in favour of the data holder, the user or the data recipient shall not be required to reimburse any fees or other expenses that the data holder paid or is to pay in relation to the dispute settlement, unless the dispute settlement body finds that the user or the data recipient manifestly acted in bad faith.
4. Customers and providers of data processing services shall have access to a dispute settlement body, certified in accordance with paragraph 5 of this Article, to settle disputes relating to breaches of the rights of customers and the obligations of providers of data processing services, in accordance with Articles 23 to 31.
5. The Member State where the dispute settlement body is established shall, at the request of that body, certify that body where it has demonstrated that it meets all of the following conditions:
| (a) | it is impartial and independent, and it is to issue its decisions in accordance with clear, non-discriminatory and fair rules of procedure; |
| (b) | it has the necessary expertise, in particular in relation to fair, reasonable and non-discriminatory terms and conditions, including compensation, and on making data available in a transparent manner, allowing the body to effectively determine those terms and conditions; |
| (c) | it is easily accessible through electronic communication technology; |
| (d) | it is capable of adopting its decisions in a swift, efficient and cost-effective manner in at least one official language of the Union. |
6. Member States shall notify to the Commission the dispute settlement bodies certified in accordance with paragraph 5. The Commission shall publish a list of those bodies on a dedicated website and keep it updated.
7. A dispute settlement body shall refuse to deal with a request to resolve a dispute that has already been brought before another dispute settlement body or before a court or tribunal of a Member State.
8. A dispute settlement body shall grant parties the possibility, within a reasonable period of time, to express their points of view on the matters those parties have brought before that body. In that context, each party to a dispute shall be provided with the submissions of the other party to their dispute and any statements made by experts. The parties shall be given the possibility to comment on those submissions and statements.
9. A dispute settlement body shall adopt its decision on a matter referred to it within 90 days of receipt of a request pursuant to paragraphs 1 and 4. That decision shall be in writing or on a durable medium and shall be supported by a statement of reasons.
10. Dispute settlement bodies shall draw up and make publicly available annual activity reports. Such annual reports shall include, in particular, the following general information:
| (a) | an aggregation of the outcomes of disputes; |
| (b) | the average time taken to resolve disputes; |
| (c) | the most common reasons for disputes. |
11. In order to facilitate the exchange of information and best practices, a dispute settlement body may decide to include recommendations in the report referred to in paragraph 10 as to how problems can be avoided or resolved.
12. The decision of a dispute settlement body shall be binding on the parties only if the parties have explicitly consented to its binding nature prior to the start of the dispute settlement proceedings.
13. This Article does not affect the right of parties to seek an effective remedy before a court or tribunal of a Member State.
Article 15
Exceptional need to use data
1. An exceptional need to use certain data within the meaning of this Chapter shall be limited in time and scope and shall be considered to exist only in any of the following circumstances:
| (a) | where the data requested is necessary to respond to a public_emergency and the public_sector_body, the Commission, the European Central Bank or the Union body is unable to obtain such data by alternative means in a timely and effective manner under equivalent conditions; |
| (b) | in circumstances not covered by point (a) and only insofar as non-personal data is concerned, where:
|
2. Paragraph 1, point (b), shall not apply to micro enterprises and small enterprises.
3. The obligation to demonstrate that the public_sector_body was unable to obtain non-personal data by purchasing them on the market shall not apply where the specific task carried out in the public interest is the production of official statistics and where the purchase of such data is not allowed by national law.
Article 29
Gradual withdrawal of switching charges
1. From 12 January 2027, providers of data processing services shall not impose any switching charges on the customer for the switching process.
2. From 11 January 2024 to 12 January 2027, providers of data processing services may impose reduced switching charges on the customer for the switching process.
3. The reduced switching charges referred to in paragraph 2 shall not exceed the costs incurred by the provider of data processing services that are directly linked to the switching process concerned.
4. Before entering into a contract with a customer, providers of data processing services shall provide the prospective customer with clear information on the standard service fees and early termination penalties that might be imposed, as well as on the reduced switching charges that might be imposed during the timeframe referred to in paragraph 2.
5. Where relevant, providers of data processing services shall provide information to a customer on data processing services that involve highly complex or costly switching or for which it is impossible to switch without significant interference in the data, digital_assets or service architecture.
6. Where applicable, providers of data processing services shall make the information referred to in paragraphs 4 and 5 publicly available to customers via a dedicated section of their website or in any other easily accessible way.
7. The Commission is empowered to adopt delegated acts in accordance with Article 45 to supplement this Regulation by establishing a monitoring mechanism for the Commission to monitor switching charges, imposed by providers of data processing services on the market to ensure that the withdrawal and reduction of switching charges, pursuant to paragraphs 1 and 2 of this Article are to be attained in accordance with the deadlines laid down in those paragraphs.
Article 30
Technical aspects of switching
1. Providers of data processing services that concern scalable and elastic computing resources limited to infrastructural elements such as servers, networks and the virtual resources necessary for operating the infrastructure, but that do not provide access to the operating services, software and applications that are stored, otherwise processed, or deployed on those infrastructural elements, shall, in accordance with Article 27, take all reasonable measures in their power to facilitate that the customer, after switching to a service covering the same_service_type, achieves functional_equivalence in the use of the destination data processing service. The source provider of data processing services shall facilitate the switching process by providing capabilities, adequate information, documentation, technical support and, where appropriate, the necessary tools.
2. Providers of data processing services, other than those referred to in paragraph 1, shall make open interfaces available to an equal extent to all their customers and the concerned destination providers of data processing services free of charge to facilitate the switching process. Those interfaces shall include sufficient information on the service concerned to enable the development of software to communicate with the services, for the purposes of data portability and interoperability.
3. For data processing services other than those referred to in paragraph 1 of this Article, providers of data processing services shall ensure compatibility with common_specifications based on open interoperability specifications or harmonised_standards for interoperability at least 12 months after the references to those common_specifications or harmonised_standards for interoperability of data processing services were published in the central Union standards repository for the interoperability of data processing services following the publication of the underlying implementing acts in the Official Journal of the European Union in accordance with Article 35(8).
4. Providers of data processing services other than those referred to in paragraph 1 of this Article shall update the online register referred to in Article 26, point (b) in accordance with their obligations under paragraph 3 of this Article.
5. In the case of switching between services of the same_service_type, for which common_specifications or the harmonised_standards for interoperability referred to in paragraph 3 of this Article have not been published in the central Union standards repository for the interoperability of data processing services in accordance with Article 35(8), the provider of data processing services shall, at the request of the customer, export all exportable data in a structured, commonly used and machine-readable format.
6. Providers of data processing services shall not be required to develop new technologies or services, or disclose or transfer digital_assets that are protected by intellectual property rights or that constitute a trade_secret, to a customer or to a different provider of data processing services or compromise the customer’s or provider’s security and integrity of service.
Article 37
Competent authorities and data coordinators
1. Each Member State shall designate one or more competent authorities to be responsible for the application and enforcement of this Regulation (competent authorities). Member States may establish one or more new authorities or rely on existing authorities.
2. Where a Member State designates more than one competent authority, it shall designate a data coordinator from among them to facilitate cooperation between the competent authorities and to assist entities within the scope of this Regulation on all matters related to its application and enforcement. Competent authorities shall, in the exercise of the tasks and powers assigned to them under paragraph 5, cooperate with each other.
3. The supervisory authorities responsible for monitoring the application of Regulation (EU) 2016/679 shall be responsible for monitoring the application of this Regulation insofar as the protection of personal data is concerned. Chapters VI and VII of Regulation (EU) 2016/679 shall apply mutatis mutandis.
The European Data Protection Supervisor shall be responsible for monitoring the application of this Regulation insofar as it concerns the Commission, the European Central Bank or Union_bodies. Where relevant, Article 62 of Regulation (EU) 2018/1725 shall apply mutatis mutandis.
The tasks and powers of the supervisory authorities referred to in this paragraph shall be exercised with regard to the processing of personal data.
4. Without prejudice to paragraph 1 of this Article:
| (a) | for specific sectoral data access and use issues related to the application of this Regulation, the competence of sectoral authorities shall be respected; |
| (b) | the competent authority responsible for the application and enforcement of Articles 23 to 31 and Articles 34 and 35 shall have experience in the field of data and electronic communications services. |
5. Member States shall ensure that the tasks and powers of the competent authorities are clearly defined and include:
| (a) | promoting data literacy and awareness among users and entities falling within the scope of this Regulation of the rights and obligations under this Regulation; |
| (b) | handling complaints arising from alleged infringements of this Regulation, including in relation to trade_secrets, and investigating, to the extent appropriate, the subject matter of complaints and regularly informing complainants, where relevant in accordance with national law, of the progress and the outcome of the investigation within a reasonable period, in particular if further investigation or coordination with another competent authority is necessary; |
| (c) | conducting investigations into matters that concern the application of this Regulation, including on the basis of information received from another competent authority or other public authority; |
| (d) | imposing effective, proportionate and dissuasive financial penalties which may include periodic penalties and penalties with retroactive effect, or initiating legal proceedings for the imposition of fines; |
| (e) | monitoring technological and relevant commercial developments of relevance for the making available and use of data; |
| (f) | cooperating with competent authorities of other Member States and, where relevant, with the Commission or the EDIB, to ensure the consistent and efficient application of this Regulation, including the exchange of all relevant information by electronic means, without undue delay, including regarding paragraph 10 of this Article; |
| (g) | cooperating with the relevant competent authorities responsible for the implementation of other Union or national legal acts, including with authorities competent in the field of data and electronic communication services, with the supervisory authority responsible for monitoring the application of Regulation (EU) 2016/679 or with sectoral authorities to ensure that this Regulation is enforced consistently with other Union and national law; |
| (h) | cooperating with the relevant competent authorities to ensure that Articles 23 to 31 and Articles 34 and 35 are enforced consistently with other Union law and self-regulation applicable to providers of data processing services; |
| (i) | ensuring that switching charges are withdrawn in accordance with Article 29; |
| (j) | examining the requests for data made pursuant to Chapter V. |
Where designated, the data coordinator shall facilitate the cooperation referred to in points (f), (g) and (h) of the first subparagraph and shall assist the competent authorities upon their request.
6. The data coordinator, where such competent authority has been designated, shall:
| (a) | act as the single point of contact for all issues related to the application of this Regulation; |
| (b) | ensure the online public availability of requests to make data available made by public sector bodies in the case of exceptional need under Chapter V and promote voluntary data sharing agreements between public sector bodies and data holders; |
| (c) | inform the Commission, on an annual basis, of the refusals notified under Article 4(2) and (8) and Article 5(11). |
7. Member States shall notify the Commission of the names of the competent authorities and of their tasks and powers and, where applicable, the name of the data coordinator. The Commission shall maintain a public register of those authorities.
8. When carrying out their tasks and exercising their powers in accordance with this Regulation, competent authorities shall remain impartial and free from any external influence, whether direct or indirect, and shall neither seek nor take instructions for individual cases from any other public authority or any private party.
9. Member States shall ensure that the competent authorities are provided with sufficient human and technical resources and relevant expertise to effectively carry out their tasks in accordance with this Regulation.
10. Entities falling within the scope of this Regulation shall be subject to the competence of the Member State where the entity is established. Where the entity is established in more than one Member State, it shall be considered to be under the competence of the Member State in which it has its main establishment, that is, where the entity has its head office or registered office from which the principal financial functions and operational control are exercised.
11. Any entity falling within the scope of this Regulation that makes connected_products available or offers services in the Union, and which is not established in the Union, shall designate a legal representative in one of the Member States.
12. For the purpose of ensuring compliance with this Regulation, a legal representative shall be mandated by an entity falling within the scope of this Regulation that makes connected_products available or offers services in the Union to be addressed in addition to or instead of it by competent authorities with regard to all issues related to that entity. That legal representative shall cooperate with and comprehensively demonstrate to the competent authorities, upon request, the actions taken and provisions put in place by the entity falling within the scope of this Regulation that makes connected_products available or offers services in the Union to ensure compliance with this Regulation.
13. An entity falling within the scope of this Regulation that makes connected_products available or offers services in the Union, shall be considered to be under the competence of the Member State in which its legal representative is located. The designation of a legal representative by such an entity shall be without prejudice to the liability of, and any legal action that could be initiated against, such an entity. Until such time as an entity designates a legal representative in accordance with this Article, it shall be under the competence of all Member States, where applicable, for the purposes of ensuring the application and enforcement of this Regulation. Any competent authority may exercise its competence, including by imposing effective, proportionate and dissuasive penalties, provided that the entity is not subject to enforcement proceedings under this Regulation regarding the same facts by another competent authority.
14. Competent authorities shall have the power to request from users, data holders, or data recipients, or their legal representatives, falling under the competence of their Member State all information necessary to verify compliance with this Regulation. Any request for information shall be proportionate to the performance of the underlying task and shall be reasoned.
15. Where a competent authority in one Member State requests assistance or enforcement measures from a competent authority in another Member State, it shall submit a reasoned request. A competent authority shall, upon receiving such a request, provide a response, detailing the actions that have been taken or which are intended to be taken, without undue delay.
16. Competent authorities shall respect the principles of confidentiality and of professional and commercial secrecy and shall protect personal data in accordance with Union or national law. Any information exchanged in the context of a request for assistance and provided pursuant to this Article shall be used only in respect of the matter for which it was requested.
whereas