keyboard_tab Data Act 2023/2854 EN
BG CS DA DE EL EN ES ET FI FR GA HR HU IT LV LT MT NL PL PT RO SK SL SV print pdf
- 7 Article 1 Subject matter and scope
- 2 Article 7 Scope of business-to-consumer and business-to-business data sharing obligations
- 1 Article 9 Compensation for making data available
- 1 Article 10 Dispute settlement
- 1 Article 11 Technical protection measures on the unauthorised use or disclosure of data
- 1 Article 13 Unfair contractual terms unilaterally imposed on another enterprise
- 1 Article 16 Relationship with other obligations to make data available to public sector bodies, the Commission, the European Central Bank and Union bodies
- 1 Article 17 Requests for data to be made available
- 2 Article 18 Compliance with requests for data
- 1 Article 25 Contractual terms concerning switching
- 2 Article 33 Essential requirements regarding interoperability of data, of data sharing mechanisms and services, as well as of common European data spaces
- 1 Article 35 Interoperability of data processing services
- 1 Article 36 Essential requirements regarding smart contracts for executing data sharing agreements
CHAPTER I
GENERAL PROVISIONS
CHAPTER II
BUSINESS TO CONSUMER AND BUSINESS TO BUSINESS DATA SHARING
CHAPTER III
OBLIGATIONS FOR DATA HOLDERS OBLIGED TO MAKE DATA AVAILABLE PURSUANT TO UNION LAW
CHAPTER IV
UNFAIR CONTRACTUAL TERMS RELATED TO DATA ACCESS AND USE BETWEEN ENTERPRISES
CHAPTER V
MAKING DATA AVAILABLE TO PUBLIC SECTOR BODIES, THE COMMISSION, THE EUROPEAN CENTRAL BANK AND UNION BODIES ON THE BASIS OF AN EXCEPTIONAL NEED
CHAPTER VI
SWITCHING BETWEEN DATA PROCESSING SERVICES
CHAPTER VII
UNLAWFUL INTERNATIONAL GOVERNMENTAL ACCESS AND TRANSFER OF NON-PERSONAL DATA
CHAPTER VIII
INTEROPERABILITY
CHAPTER IX
IMPLEMENTATION AND ENFORCEMENT
CHAPTER X
SUI GENERIS RIGHT UNDER DIRECTIVE 96/9/EC
CHAPTER XI
FINAL PROVISIONS
- data
- metadata
- personal data
- non-personal data
- connected product
- related service
- processing
- data processing service
- same service type
- data intermediation service
- data subject
- user
- data holder
- data recipient
- product data
- related service data
- readily available data
- trade secret
- trade secret holder
- profiling
- making available on the market
- placing on the market
- consumer
- enterprise
- small enterprise
- microenterprise
- Union bodies
- public sector body
- public emergency
- customer
- virtual assistants
- digital assets
- on-premises ICT infrastructure
- switching
- data egress charges
- switching charges
- functional equivalence
- exportable data
- smart contract
- interoperability
- common specifications
- harmonised standard
- data 285
- shall 111
- article 60
- paragraph 54
- commission 51
- union 51
- available 42
- regulation 41
- holder 41
- request 40
- services 40
- european 39
- referred 38
- party 36
- such 36
- requirements 36
- article 31
- accordance 31
- body 30
- processing 30
- which 28
- down 27
- term 27
- essential 27
- laid 25
- contract 25
- dispute 24
- pursuant 23
- chapter 23
- the 23
- period 23
- access 22
- does 22
- settlement 21
- been 21
- make 20
- interoperability 20
- central 20
- imposed 19
- bank 19
- implementing 19
- contractual 19
- thereof 19
- eu / 18
- unilaterally 18
- parties 18
- point 18
- enterprise 17
- obligations 17
- acts 17
Article 1
Subject matter and scope
1. This Regulation lays down harmonised rules, inter alia, on:
| (a) | the making available of product data and related_service data to the user of the connected_product or related_service; |
| (b) | the making available of data by data holders to data recipients; |
| (c) | the making available of data by data holders to public sector bodies, the Commission, the European Central Bank and Union_bodies, where there is an exceptional need for those data for the performance of a specific task carried out in the public interest; |
| (d) | facilitating switching between data processing services; |
| (e) | introducing safeguards against unlawful third-party access to non-personal data; and |
| (f) | the development of interoperability standards for data to be accessed, transferred and used. |
2. This Regulation covers personal and non-personal data, including the following types of data, in the following contexts:
| (a) | Chapter II applies to data, with the exception of content, concerning the performance, use and environment of connected_products and related_services; |
| (b) | Chapter III applies to any private sector data that is subject to statutory data sharing obligations; |
| (c) | Chapter IV applies to any private sector data accessed and used on the basis of contract between enterprises; |
| (d) | Chapter V applies to any private sector data with a focus on non-personal data; |
| (e) | Chapter VI applies to any data and services processed by providers of data processing services; |
| (f) | Chapter VII applies to any non-personal data held in the Union by providers of data processing services. |
3. This Regulation applies to:
| (a) | manufacturers of connected_products placed on the market in the Union and providers of related_services, irrespective of the place of establishment of those manufacturers and providers; |
| (b) | users in the Union of connected_products or related_services as referred to in point (a); |
| (c) | data holders, irrespective of their place of establishment, that make data available to data recipients in the Union; |
| (d) | data recipients in the Union to whom data are made available; |
| (e) | public sector bodies, the Commission, the European Central Bank and Union_bodies that request data holders to make data available where there is an exceptional need for those data for the performance of a specific task carried out in the public interest and to the data holders that provide those data in response to such request; |
| (f) | providers of data processing services, irrespective of their place of establishment, providing such services to customers in the Union; |
| (g) | participants in data spaces and vendors of applications using smart_contracts and persons whose trade, business or profession involves the deployment of smart_contracts for others in the context of executing an agreement. |
4. Where this Regulation refers to connected_products or related_services, such references are also understood to include virtual_assistants insofar as they interact with a connected_product or related_service.
5. This Regulation is without prejudice to Union and national law on the protection of personal data, privacy and confidentiality of communications and integrity of terminal equipment, which shall apply to personal data processed in connection with the rights and obligations laid down herein, in particular Regulations (EU) 2016/679 and (EU) 2018/1725 and Directive 2002/58/EC, including the powers and competences of supervisory authorities and the rights of data subjects. Insofar as users are data subjects, the rights laid down in Chapter II of this Regulation shall complement the rights of access by data subjects and rights to data portability under Articles 15 and 20 of Regulation (EU) 2016/679. In the event of a conflict between this Regulation and Union law on the protection of personal data or privacy, or national legislation adopted in accordance with such Union law, the relevant Union or national law on the protection of personal data or privacy shall prevail.
6. This Regulation does not apply to or pre-empt voluntary arrangements for the exchange of data between private and public entities, in particular voluntary arrangements for data sharing.
This Regulation does not affect Union or national legal acts providing for the sharing of, access to and the use of data for the purpose of the prevention, investigation, detection or prosecution of criminal offences or for the execution of criminal penalties, or for customs and taxation purposes, in particular Regulations (EU) 2021/784, (EU) 2022/2065 and (EU) 2023/1543 and Directive (EU) 2023/1544, or international cooperation in that area. This Regulation does not apply to the collection or sharing of, access to or the use of data under Regulation (EU) 2015/847 and Directive (EU) 2015/849. This Regulation does not apply to areas that fall outside the scope of Union law and in any event does not affect the competences of the Member States concerning public security, defence or national security, regardless of the type of entity entrusted by the Member States to carry out tasks in relation to those competences, or their power to safeguard other essential State functions, including ensuring the territorial integrity of the State and the maintenance of law and order. This Regulation does not affect the competences of the Member States concerning customs and tax administration or the health and safety of citizens.
7. This Regulation complements the self-regulatory approach of Regulation (EU) 2018/1807 by adding generally applicable obligations on cloud switching.
8. This Regulation is without prejudice to Union and national legal acts providing for the protection of intellectual property rights, in particular Directives 2001/29/EC, 2004/48/EC and (EU) 2019/790.
9. This Regulation complements and is without prejudice to Union law which aims to promote the interests of consumers and ensure a high level of consumer protection, and to protect their health, safety and economic interests, in particular Directives 93/13/EEC, 2005/29/EC and 2011/83/EU.
10. This Regulation does not preclude the conclusion of voluntary lawful data sharing contracts, including contracts concluded on a reciprocal basis, which comply with the requirements laid down in this Regulation.
Article 7
Scope of business-to- consumer and business-to-business data sharing obligations
1. The obligations of this Chapter shall not apply to data generated through the use of connected_products manufactured or designed or related_services provided by a micro enterprise or a small enterprise, provided that that enterprise does not have a partner enterprise or a linked enterprise within the meaning of Article 3 of the Annex to Recommendation 2003/361/EC that does not qualify as a micro enterprise or a small enterprise and where the micro enterprise and small enterprise is not subcontracted to manufacture or design a connected_product or to provide a related_service.
The same shall apply to data generated through the use of connected_products manufactured by or related_services provided by an enterprise that has qualified as a medium-sized enterprise under Article 2 of the Annex to Recommendation 2003/361/EC for less than one year and to connected_products for one year after the date on which they were placed on the market by a medium-sized enterprise.
2. Any contractual term which, to the detriment of the user, excludes the application of, derogates from or varies the effect of the user’s rights under this Chapter shall not be binding on the user.
CHAPTER III
OBLIGATIONS FOR DATA HOLDERS OBLIGED TO MAKE DATA AVAILABLE PURSUANT TO UNION LAW
Article 9
Compensation for making data available
1. Any compensation agreed upon between a data holder and a data recipient for making data available in business-to-business relations shall be non- discriminatory and reasonable and may include a margin.
2. When agreeing on any compensation, the data holder and the data recipient shall take into account in particular:
| (a) | costs incurred in making the data available, including, in particular, the costs necessary for the formatting of data, dissemination via electronic means and storage; |
| (b) | investments in the collection and production of data, where applicable, taking into account whether other parties contributed to obtaining, generating or collecting the data in question. |
3. The compensation referred to in paragraph 1 may also depend on the volume, format and nature of the data.
4. Where the data recipient is an SME or a not-for-profit research organisation and where such a data recipient does not have partner enterprises or linked enterprises that do not qualify as SMEs, any compensation agreed shall not exceed the costs referred to in paragraph 2, point (a).
5. The Commission shall adopt guidelines on the calculation of reasonable compensation, taking into account the advice of the European Data Innovation Board (EDIB) referred to in Article 42.
6. This Article shall not preclude other Union law or national legislation adopted in accordance with Union law from excluding compensation for making data available or providing for lower compensation.
7. The data holder shall provide the data recipient with information setting out the basis for the calculation of the compensation in sufficient detail so that the data recipient can assess whether the requirements of paragraphs 1 to 4 are met.
Article 10
Dispute settlement
1. Users, data holders and data recipients shall have access to a dispute settlement body, certified in accordance with paragraph 5 of this Article, to settle disputes pursuant to Article 4(3) and (9) and Article 5(12) as well as disputes relating to the fair, reasonable and non-discriminatory terms and conditions for, and transparent manner of, making data available in accordance with this Chapter and Chapter IV.
2. Dispute settlement bodies shall make the fees, or the mechanisms used to determine the fees, known to the parties concerned before those parties request a decision.
3. For disputes referred to a dispute settlement body pursuant to Article 4(3) and (9) and Article 5(12), where the dispute settlement body decides a dispute in favour of the user or of the data recipient, the data holder shall bear all the fees charged by the dispute settlement body and shall reimburse that user or that data recipient for any other reasonable expenses that it has incurred in relation to the dispute settlement. If the dispute settlement body decides a dispute in favour of the data holder, the user or the data recipient shall not be required to reimburse any fees or other expenses that the data holder paid or is to pay in relation to the dispute settlement, unless the dispute settlement body finds that the user or the data recipient manifestly acted in bad faith.
4. Customers and providers of data processing services shall have access to a dispute settlement body, certified in accordance with paragraph 5 of this Article, to settle disputes relating to breaches of the rights of customers and the obligations of providers of data processing services, in accordance with Articles 23 to 31.
5. The Member State where the dispute settlement body is established shall, at the request of that body, certify that body where it has demonstrated that it meets all of the following conditions:
| (a) | it is impartial and independent, and it is to issue its decisions in accordance with clear, non-discriminatory and fair rules of procedure; |
| (b) | it has the necessary expertise, in particular in relation to fair, reasonable and non-discriminatory terms and conditions, including compensation, and on making data available in a transparent manner, allowing the body to effectively determine those terms and conditions; |
| (c) | it is easily accessible through electronic communication technology; |
| (d) | it is capable of adopting its decisions in a swift, efficient and cost-effective manner in at least one official language of the Union. |
6. Member States shall notify to the Commission the dispute settlement bodies certified in accordance with paragraph 5. The Commission shall publish a list of those bodies on a dedicated website and keep it updated.
7. A dispute settlement body shall refuse to deal with a request to resolve a dispute that has already been brought before another dispute settlement body or before a court or tribunal of a Member State.
8. A dispute settlement body shall grant parties the possibility, within a reasonable period of time, to express their points of view on the matters those parties have brought before that body. In that context, each party to a dispute shall be provided with the submissions of the other party to their dispute and any statements made by experts. The parties shall be given the possibility to comment on those submissions and statements.
9. A dispute settlement body shall adopt its decision on a matter referred to it within 90 days of receipt of a request pursuant to paragraphs 1 and 4. That decision shall be in writing or on a durable medium and shall be supported by a statement of reasons.
10. Dispute settlement bodies shall draw up and make publicly available annual activity reports. Such annual reports shall include, in particular, the following general information:
| (a) | an aggregation of the outcomes of disputes; |
| (b) | the average time taken to resolve disputes; |
| (c) | the most common reasons for disputes. |
11. In order to facilitate the exchange of information and best practices, a dispute settlement body may decide to include recommendations in the report referred to in paragraph 10 as to how problems can be avoided or resolved.
12. The decision of a dispute settlement body shall be binding on the parties only if the parties have explicitly consented to its binding nature prior to the start of the dispute settlement proceedings.
13. This Article does not affect the right of parties to seek an effective remedy before a court or tribunal of a Member State.
Article 11
Technical protection measures on the unauthorised use or disclosure of data
1. A data holder may apply appropriate technical protection measures, including smart_contracts and encryption, to prevent unauthorised access to data, including meta data, and to ensure compliance with Articles 4, 5, 6, 8 and 9, as well as with the agreed contractual terms for making data available. Such technical protection measures shall not discriminate between data recipients or hinder a user’s right to obtain a copy of, retrieve, use or access data, to provide data to third parties pursuant to Article 5 or any right of a third party under Union law or national legislation adopted in accordance with Union law. Users, third parties and data recipients shall not alter or remove such technical protection measures unless agreed by the data holder.
2. In the circumstances referred to in paragraph 3, the third party or data recipient shall comply, without undue delay, with the requests of the data holder and, where applicable and where they are not the same person, the trade_secret holder or the user:
| (a) | to erase the data made available by the data holder and any copies thereof; |
| (b) | to end the production, offering or placing_on_the_market or use of goods, derivative data or services produced on the basis of knowledge obtained through such data, or the importation, export or storage of infringing goods for those purposes, and destroy any infringing goods, where there is a serious risk that the unlawful use of those data will cause significant harm to the data holder, the trade_secret holder or the user or where such a measure would not be disproportionate in light of the interests of the data holder, the trade_secret holder or the user; |
| (c) | to inform the user of the unauthorised use or disclosure of the data and of the measures taken to put an end to the unauthorised use or disclosure of the data; |
| (d) | to compensate the party suffering from the misuse or disclosure of such unlawfully accessed or used data. |
3. Paragraph 2 shall apply where a third party or a data recipient has:
| (a) | for the purposes of obtaining data, provided false information to a data holder, deployed deceptive or coercive means or abused gaps in the technical infrastructure of the data holder designed to protect the data; |
| (b) | used the data made available for unauthorised purposes, including the development of a competing connected_product within the meaning of Article 6(2), point (e); |
| (c) | unlawfully disclosed data to another party; |
| (d) | not maintained the technical and organisational measures agreed pursuant to Article 5(9); or |
| (e) | altered or removed technical protection measures applied by the data holder pursuant to paragraph 1 of this Article without the agreement of the data holder. |
4. Paragraph 2 shall also apply where a user alters or removes technical protection measures applied by the data holder or does not maintain the technical and organisational measures taken by the user in agreement with the data holder or, where they are not the same person, the trade_secrets holder, in order to preserve trade_secrets, as well as in respect of any other party that receives the data from the user by means of an infringement of this Regulation.
5. Where the data recipient infringes Article 6(2), point (a) or (b), users shall have the same rights as data holders under paragraph 2 of this Article.
Article 13
Unfair contractual terms unilaterally imposed on another enterprise
1. A contractual term concerning access to and the use of data or liability and remedies for the breach or the termination of data related obligations, which has been unilaterally imposed by an enterprise on another enterprise, shall not be binding on the latter enterprise if it is unfair.
2. A contractual term which reflects mandatory provisions of Union law, or provisions of Union law which would apply if the contractual terms did not regulate the matter, shall not be considered to be unfair.
3. A contractual term is unfair if it is of such a nature that its use grossly deviates from good commercial practice in data access and use, contrary to good faith and fair dealing.
4. In particular, a contractual term shall be unfair for the purposes of paragraph 3, if its object or effect is to:
| (a) | exclude or limit the liability of the party that unilaterally imposed the term for intentional acts or gross negligence; |
| (b) | exclude the remedies available to the party upon whom the term has been unilaterally imposed in the case of non-performance of contractual obligations, or the liability of the party that unilaterally imposed the term in the case of a breach of those obligations; |
| (c) | give the party that unilaterally imposed the term the exclusive right to determine whether the data supplied are in conformity with the contract or to interpret any contractual term. |
5. A contractual term shall be presumed to be unfair for the purposes of paragraph 3 if its object or effect is to:
| (a) | inappropriately limit remedies in the case of non-performance of contractual obligations or liability in the case of a breach of those obligations, or extend the liability of the enterprise upon whom the term has been unilaterally imposed; |
| (b) | allow the party that unilaterally imposed the term to access and use the data of the other contracting party in a manner that is significantly detrimental to the legitimate interests of the other contracting party, in particular when such data contain commercially sensitive data or are protected by trade_secrets or by intellectual property rights; |
| (c) | prevent the party upon whom the term has been unilaterally imposed from using the data provided or generated by that party during the period of the contract, or to limit the use of such data to the extent that that party is not entitled to use, capture, access or control such data or exploit the value of such data in an adequate manner; |
| (d) | prevent the party upon whom the term has been unilaterally imposed from terminating the agreement within a reasonable period; |
| (e) | prevent the party upon whom the term has been unilaterally imposed from obtaining a copy of the data provided or generated by that party during the period of the contract or within a reasonable period after the termination thereof; |
| (f) | enable the party that unilaterally imposed the term to terminate the contract at unreasonably short notice, taking into consideration any reasonable possibility of the other contracting party to switch to an alternative and comparable service and the financial detriment caused by such termination, except where there are serious grounds for so doing; |
| (g) | enable the party that unilaterally imposed the term to substantially change the price specified in the contract or any other substantive condition related to the nature, format, quality or quantity of the data to be shared, where no valid reason and no right of the other party to terminate the contract in the case of such a change is specified in the contract. |
Point (g) of the first subparagraph shall not affect terms by which the party that unilaterally imposed the term reserves the right to unilaterally change the terms of a contract of an indeterminate duration, provided that the contract specified a valid reason for such unilateral changes, that the party that unilaterally imposed the term is required to provide the other contracting party with reasonable notice of any such intended change, and that the other contracting party is free to terminate the contract at no cost in the case of a change.
6. A contractual term shall be considered to be unilaterally imposed within the meaning of this Article if it has been supplied by one contracting party and the other contracting party has not been able to influence its content despite an attempt to negotiate it. The contracting party that supplied the contractual term bears the burden of proving that that term has not been unilaterally imposed. The contracting party that supplied the contested contractual term may not argue that the term is an unfair contractual term.
7. Where the unfair contractual term is severable from the remaining terms of the contract, those remaining terms shall be binding.
8. This Article does not apply to contractual terms defining the main subject matter of the contract or to the adequacy of the price, as against the data supplied in exchange.
9. The parties to a contract covered by paragraph 1 shall not exclude the application of this Article, derogate from it, or vary its effects.
CHAPTER V
MAKING DATA AVAILABLE TO PUBLIC SECTOR BODIES, THE COMMISSION, THE EUROPEAN CENTRAL BANK AND UNION BODIES ON THE BASIS OF AN EXCEPTIONAL NEED
Article 16
Relationship with other obligations to make data available to public sector bodies, the Commission, the European Central Bank and Union_bodies
1. This Chapter shall not affect the obligations laid down in Union or national law for the purposes of reporting, complying with requests for access to information or demonstrating or verifying compliance with legal obligations.
2. This Chapter shall not apply to public sector bodies, the Commission, the European Central Bank or Union_bodies carrying out activities for the prevention, investigation, detection or prosecution of criminal or administrative offences or the execution of criminal penalties, or to customs or taxation administration. This Chapter does not affect applicable Union and national law on the prevention, investigation, detection or prosecution of criminal or administrative offences or the execution of criminal or administrative penalties, or for customs or taxation administration.
Article 17
Requests for data to be made available
1. When requesting data pursuant to Article 14, a public_sector_body, the Commission, the European Central Bank or a Union body shall:
| (a) | specify the data required, including the relevant meta data necessary to interpret and use those data; |
| (b) | demonstrate that the conditions necessary for the existence of an exceptional need as referred to in Article 15 for the purpose of which the data are requested are met; |
| (c) | explain the purpose of the request, the intended use of the data requested, including, where applicable, by a third party in accordance with paragraph 4 of this Article, the duration of that use, and, where relevant, how the processing of personal data is to address the exceptional need; |
| (d) | specify, if possible, when the data are expected to be erased by all parties that have access to them; |
| (e) | justify the choice of data holder to which the request is addressed; |
| (f) | specify any other public sector bodies or the Commission, European Central Bank or Union_bodies and the third parties with which the data requested is expected to be shared with; |
| (g) | where personal data are requested, specify any technical and organisational measures necessary and proportionate to implement data protection principles and necessary safeguards, such as pseudonymisation, and whether anonymisation can be applied by the data holder before making the data available; |
| (h) | state the legal provision allocating to the requesting public_sector_body, the Commission, the European Central Bank or the Union body the specific task carried out in the public interest relevant for requesting the data; |
| (i) | specify the deadline by which the data are to be made available and the deadline referred to in Article 18(2) by which the data holder may decline or seek modification of the request; |
| (j) | make its best efforts to avoid compliance with the data request resulting in the data holders’ liability for infringement of Union or national law. |
2. A request for data made pursuant to paragraph 1 of this Article shall:
| (a) | be made in writing and expressed in clear, concise and plain language understandable to the data holder; |
| (b) | be specific regarding the type of data requested and correspond to data which the data holder has control over at the time of the request; |
| (c) | be proportionate to the exceptional need and duly justified, regarding the granularity and volume of the data requested and frequency of access of the data requested; |
| (d) | respect the legitimate aims of the data holder, committing to ensuring the protection of trade_secrets in accordance with Article 19(3), and the cost and effort required to make the data available; |
| (e) | concern non-personal data, and only if this is demonstrated to be insufficient to respond to the exceptional need to use data, in accordance with Article 15(1), point (a), request personal data in pseudonymised form and establish the technical and organisational measures that are to be taken to protect the data; |
| (f) | inform the data holder of the penalties that are to be imposed pursuant to Article 40 by the competent authority designated pursuant to Article 37 in the event of non-compliance with the request; |
| (g) | where the request is made by a public_sector_body, be transmitted to the data coordinator referred to in Article 37 of the Member State where the requesting public_sector_body is established, who shall make the request publicly available online without undue delay unless the data coordinator considers that such publication would create a risk for public security; |
| (h) | where the request is made by the Commission, the European Central Bank or a Union body, be made available online without undue delay; |
| (i) | where personal data are requested, be notified without undue delay to the supervisory authority responsible for monitoring the application of Regulation (EU) 2016/679 in the Member State where the public_sector_body is established. |
The European Central Bank and Union_bodies shall inform the Commission of their requests.
3. A public_sector_body, the Commission, the European Central Bank or a Union body shall not make data obtained pursuant to this Chapter available for reuse as defined in Article 2, point (2), of Regulation (EU) 2022/868 or Article 2, point (11), of Directive (EU) 2019/1024. Regulation (EU) 2022/868 and Directive (EU) 2019/1024 shall not apply to the data held by public sector bodies obtained pursuant to this Chapter.
4. Paragraph 3 of this Article does not preclude a public_sector_body, the Commission, the European Central Bank or a Union body to exchange data obtained pursuant to this Chapter with another public_sector_body or the Commission, the European Central Bank or a Union body in view of completing the tasks referred to in Article 15, as specified in the request in accordance with paragraph 1, point (f), of this Article or to make the data available to a third party where it has delegated, by means of a publicly available agreement, technical inspections or other functions to that third party. The obligations on public sector bodies pursuant to Article 19, in particular safeguards to preserve the confidentiality of trade_secrets, shall apply also to such third parties. Where a public_sector_body, the Commission, the European Central Bank or a Union body transmits or makes data available under this paragraph, it shall notify the data holder from whom the data was received without undue delay.
5. Where the data holder considers that its rights under this Chapter have been infringed by the transmission or making available of data, it may lodge a complaint with the competent authority designated pursuant to Article 37 of the Member State where the data holder is established.
6. The Commission shall develop a model template for requests pursuant to this Article.
Article 18
Compliance with requests for data
1. A data holder receiving a request to make data available under this Chapter shall make the data available to the requesting public_sector_body, the Commission, the European Central Bank or a Union body without undue delay, taking into account necessary technical, organisational and legal measures.
2. Without prejudice to specific needs regarding the availability of data defined in Union or national law, a data holder may decline or seek the modification of a request to make data available under this Chapter without undue delay and, in any event, no later than five working days after the receipt of a request for the data necessary to respond to a public_emergency and without undue delay and, in any event, no later than 30 working days after the receipt of such a request in other cases of an exceptional need, on any of the following grounds:
| (a) | the data holder does not have control over the data requested; |
| (b) | a similar request for the same purpose has been previously submitted by another public_sector_body or the Commission, the European Central Bank or a Union body and the data holder has not been notified of the erasure of the data pursuant to Article 19(1), point (c); |
| (c) | the request does not meet the conditions laid down in Article 17(1) and (2). |
3. If the data holder decides to decline the request or to seek its modification in accordance with paragraph 2, point (b), it shall indicate the identity of the public_sector_body or the Commission, the European Central Bank or the Union body that previously submitted a request for the same purpose.
4. Where the data requested includes personal data, the data holder shall properly anonymise the data, unless the compliance with the request to make data available to a public_sector_body, the Commission, the European Central Bank or a Union body requires the disclosure of personal data. In such cases, the data holder shall pseudonymise the data.
5. Where the public_sector_body, the Commission, the European Central Bank or the Union body wishes to challenge a data holder’s refusal to provide the data requested, or where the data holder wishes to challenge the request and the matter cannot be resolved by an appropriate modification of the request, the matter shall be referred to the competent authority designated pursuant to Article 37 of the Member State where the data holder is established.
Article 25
Contractual terms concerning switching
1. The rights of the customer and the obligations of the provider of data processing services in relation to switching between providers of such services or, where applicable, to an on-premises_ICT_infrastructure shall be clearly set out in a written contract. The provider of data processing services shall make that contract available to the customer prior to signing the contract in a way that allows the customer to store and reproduce the contract.
2. Without prejudice to Directive (EU) 2019/770, the contract referred to in paragraph 1 of this Article shall include at least the following:
| (a) | clauses allowing the customer, upon request, to switch to a data processing service offered by a different provider of data processing services or to port all exportable data and digital_assets to an on-premises_ICT_infrastructure, without undue delay and in any event not after the mandatory maximum transitional period of 30 calendar days, to be initiated after the maximum notice period referred to in point (d), during which the service contract remains applicable and during which the provider of data processing services shall:
|
| (b) | an obligation of the provider of data processing services to support the customer’s exit strategy relevant to the contracted services, including by providing all relevant information; |
| (c) | a clause specifying that the contract shall be considered to be terminated and the customer shall be notified of the termination, in one of the following cases:
|
| (d) | a maximum notice period for initiation of the switching process, which shall not exceed two months; |
| (e) | an exhaustive specification of all categories of data and digital_assets that can be ported during the switching process, including, at a minimum, all exportable data; |
| (f) | an exhaustive specification of categories of data specific to the internal functioning of the provider’s data processing service that are to be exempted from the exportable data under point (e) of this paragraph where a risk of breach of trade_secrets of the provider exists, provided that such exemptions do not impede or delay the switching process provided for in Article 23; |
| (g) | a minimum period for data retrieval of at least 30 calendar days, starting after the termination of the transitional period that was agreed between the customer and the provider of data processing services, in accordance with point (a) of this paragraph and paragraph 4; |
| (h) | a clause guaranteeing full erasure of all exportable data and digital_assets generated directly by the customer, or relating to the customer directly, after the expiry of the retrieval period referred to in point (g) or after the expiry of an alternative agreed period at a date later than the date of expiry of the retrieval period referred to in point (g), provided that the switching process has been completed successfully; |
| (i) | switching charges, that may be imposed by providers of data processing services in accordance with Article 29. |
3. The contract referred to in paragraph 1 shall include clauses providing that the customer may notify the provider of data processing services of its decision to perform one or more of the following actions upon termination of the maximum notice period referred to in paragraph 2, point (d):
| (a) | switch to a different provider of data processing services, in which case the customer shall provide the necessary details of that provider; |
| (b) | switch to an on-premises_ICT_infrastructure; |
| (c) | erase its exportable data and digital_assets. |
4. Where the mandatory maximum transitional period as provided for in paragraph 2, point (a) is technically unfeasible, the provider of data processing services shall notify the customer within 14 working days of the making of the switching request, and shall duly justify the technical unfeasibility and indicate an alternative transitional period, which shall not exceed seven months. In accordance with paragraph 1, service continuity shall be ensured throughout the alternative transitional period.
5. Without prejudice to paragraph 4, the contract referred to in paragraph 1 shall include clauses providing the customer with the right to extend the transitional period once for a period that the customer considers more appropriate for its own purposes.
Article 33
Essential requirements regarding interoperability of data, of data sharing mechanisms and services, as well as of common European data spaces
1. Participants in data spaces that offer data or data services to other participants shall comply with the following essential requirements to facilitate the interoperability of data, of data sharing mechanisms and services, as well as of common European data spaces which are purpose- or sector-specific or cross-sectoral interoperable frameworks for common standards and practices to share or jointly process data for, inter alia, the development of new products and services, scientific research or civil society initiatives:
| (a) | the dataset content, use restrictions, licences, data collection methodology, data quality and uncertainty shall be sufficiently described, where applicable, in a machine-readable format, to allow the recipient to find, access and use the data; |
| (b) | the data structures, data formats, vocabularies, classification schemes, taxonomies and code lists, where available, shall be described in a publicly available and consistent manner; |
| (c) | the technical means to access the data, such as application programming interfaces, and their terms of use and quality of service shall be sufficiently described to enable automatic access and transmission of data between parties, including continuously, in bulk download or in real-time in a machine-readable format where that is technically feasible and does not hamper the good functioning of the connected_product; |
| (d) | where applicable, the means to enable the interoperability of tools for automating the execution of data sharing agreements, such as smart_contracts shall be provided. |
The requirements can have a generic nature or concern specific sectors, while taking fully into account the interrelation with requirements arising from other Union or national law.
2. The Commission is empowered to adopt delegated acts, in accordance with Article 45 of this Regulation to supplement this Regulation by further specifying the essential requirements laid down in paragraph 1 of this Article, in relation to those requirements that, by their nature, cannot produce the intended effect unless they are further specified in binding Union legal acts and in order to properly reflect technological and market developments.
The Commission shall when adopting delegated acts take into account the advice of the EDIB in accordance with Article 42, point (c)(iii).
3. The participants in data spaces that offer data or data services to other participants in data spaces which meet the harmonised_standards or parts thereof, the references of which are published in the Official Journal of the European Union, shall be presumed to be in conformity with the essential requirements laid down in paragraph 1 to the extent that those requirements are covered by such harmonised_standards or parts thereof.
4. The Commission shall, pursuant to Article 10 of Regulation (EU) No 1025/2012, request one or more European standardisation organisations to draft harmonised_standards that satisfy the essential requirements laid down in paragraph 1 of this Article.
5. The Commission may, by means of implementing acts, adopt common_specifications covering any or all of the essential requirements laid down in paragraph 1 where the following conditions have been fulfilled:
| (a) | the Commission has requested, pursuant to Article 10(1) of Regulation (EU) No 1025/2012, one or more European standardisation organisations to draft a harmonised_standard that satisfies the essential requirements laid down in paragraph 1 of this Article and:
|
| (b) | no reference to harmonised_standards covering the relevant essential requirements laid down in paragraph 1 of this Article is published in the Official Journal of the European Union in accordance with Regulation (EU) No 1025/2012 and no such reference is expected to be published within a reasonable period. |
Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 46(2).
6. Before preparing a draft implementing act referred to in paragraph 5 of this Article, the Commission shall inform the committee referred to in Article 22 of Regulation (EU) No 1025/2012 that it considers that the conditions in paragraph 5 of this Article have been fulfilled.
7. When preparing the draft implementing act referred to in paragraph 5, the Commission shall take into account the advice of the EDIB and views of other relevant bodies or expert groups and shall duly consult all relevant stakeholders.
8. The participants in data spaces that offer data or data services to other participants in data spaces that meet the common_specifications established by implementing acts referred to in paragraph 5 or parts thereof shall be presumed to be in conformity with the essential requirements laid down in paragraph 1 to the extent that those requirements are covered by such common_specifications or parts thereof.
9. Where a harmonised_standard is adopted by a European standardisation organisation and proposed to the Commission for the purpose of publishing its reference in the Official Journal of the European Union, the Commission shall assess the harmonised_standard in accordance with Regulation (EU) No 1025/2012. Where the reference of a harmonised_standard is published in the Official Journal of the European Union, the Commission shall repeal the implementing acts referred to in paragraph 5 of this Article, or parts thereof which cover the same essential requirements as those covered by that harmonised_standard.
10. When a Member State considers that a common specification does not entirely satisfy the essential requirements laid down in paragraph 1, it shall inform the Commission thereof by submitting a detailed explanation. The Commission shall assess that detailed explanation and may, if appropriate, amend the implementing act establishing the common specification in question.
11. The Commission may adopt guidelines taking into account the proposal of the EDIB in accordance with Article 30, point (h), of Regulation (EU) 2022/868 laying down interoperable frameworks for common standards and practices for the functioning of common European data spaces.
Article 35
Interoperability of data processing services
1. Open interoperability specifications and harmonised_standards for the interoperability of data processing services shall:
| (a) | achieve, where technically feasible, interoperability between different data processing services that cover the same_service_type; |
| (b) | enhance portability of digital_assets between different data processing services that cover the same_service_type; |
| (c) | facilitate, where technically feasible, functional_equivalence between different data processing services referred to in Article 30(1) that cover the same_service_type; |
| (d) | not have an adverse impact on the security and integrity of data processing services and data; |
| (e) | be designed in such a way so as to allow for technical advances and the inclusion of new functions and innovation in data processing services. |
2. Open interoperability specifications and harmonised_standards for the interoperability of data processing services shall adequately address:
| (a) | the cloud interoperability aspects of transport interoperability, syntactic interoperability, semantic data interoperability, behavioural interoperability and policy interoperability; |
| (b) | the cloud data portability aspects of data syntactic portability, data semantic portability and data policy portability; |
| (c) | the cloud application aspects of application syntactic portability, application instruction portability, application meta data portability, application behaviour portability and application policy portability. |
3. Open interoperability specifications shall comply with Annex II to Regulation (EU) No 1025/2012.
4. After taking into account relevant international and European standards and self-regulatory initiatives, the Commission may, in accordance with Article 10(1) of Regulation (EU) No 1025/2012, request one or more European standardisation organisations to draft harmonised_standards that satisfy the essential requirements laid down in paragraphs 1 and 2 of this Article.
5. The Commission may, by means of implementing acts, adopt common_specifications based on open interoperability specifications covering all of the essential requirements laid down in paragraphs 1 and 2.
6. When preparing the draft implementing act referred to in paragraph 5 of this Article, the Commission shall take into account the views of the relevant competent authorities referred to in Article 37(5), point (h) and other relevant bodies or expert groups and shall duly consult all relevant stakeholders.
7. When a Member State considers that a common specification does not entirely satisfy the essential requirements laid down in paragraphs 1 and 2, it shall inform the Commission thereof by submitting a detailed explanation. The Commission shall assess that detailed explanation and may, if appropriate, amend the implementing act establishing the common specification in question.
8. For the purpose of Article 30(3), the Commission shall, by means of implementing acts, publish the references of harmonised_standards and common_specifications for the interoperability of data processing services in a central Union standards repository for the interoperability of data processing services.
9. The implementing acts referred to in this Article shall be adopted in accordance with the examination procedure referred to in Article 46(2).
Article 36
Essential requirements regarding smart_contracts for executing data sharing agreements
1. The vendor of an application using smart_contracts or, in the absence thereof, the person whose trade, business or profession involves the deployment of smart_contracts for others in the context of executing an agreement or part of it, to make data available shall ensure that those smart_contracts comply with the following essential requirements of:
| (a) | robustness and access control, to ensure that the smart_contract has been designed to offer access control mechanisms and a very high degree of robustness to avoid functional errors and to withstand manipulation by third parties; |
| (b) | safe termination and interruption, to ensure that a mechanism exists to terminate the continued execution of transactions and that the smart_contract includes internal functions which can reset or instruct the contract to stop or interrupt the operation, in particular to avoid future accidental executions; |
| (c) | data archiving and continuity, to ensure, in circumstances in which a smart_contract must be terminated or deactivated, there is a possibility to archive the transactional data, smart_contract logic and code in order to keep the record of operations performed on the data in the past (auditability); |
| (d) | access control, to ensure that a smart_contract is protected through rigorous access control mechanisms at the governance and smart_contract layers; and |
| (e) | consistency, to ensure consistency with the terms of the data sharing agreement that the smart_contract executes. |
2. The vendor of a smart_contract or, in the absence thereof, the person whose trade, business or profession involves the deployment of smart_contracts for others in the context of executing an agreement or part of it, to make data available shall perform a conformity assessment with a view to fulfilling the essential requirements laid down in paragraph 1 and, on the fulfilment of those requirements, issue an EU declaration of conformity.
3. By drawing up the EU declaration of conformity, the vendor of an application using smart_contracts or, in the absence thereof, the person whose trade, business or profession involves the deployment of smart_contracts for others in the context of executing an agreement or part of it, to make data available shall be responsible for compliance with the essential requirements laid down in paragraph 1.
4. A smart_contract that meets the harmonised_standards or the relevant parts thereof, the references of which are published in the Official Journal of the European Union, shall be presumed to be in conformity with the essential requirements laid down in paragraph 1 to the extent that those requirements are covered by such harmonised_standards or parts thereof.
5. The Commission shall, pursuant to Article 10 of Regulation (EU) No 1025/2012, request one or more European standardisation organisations to draft harmonised_standards that satisfy the essential requirements laid down in paragraph 1 of this Article.
6. The Commission may, by means of implementing acts, adopt common_specifications covering any or all of the essential requirements laid down in paragraph 1 where the following conditions have been fulfilled:
| (a) | the Commission has requested, pursuant to Article 10(1) of Regulation (EU) No 1025/2012, one or more European standardisation organisations to draft a harmonised_standard that satisfies the essential requirements laid down in paragraph 1 of this Article and:
|
| (b) | no reference to harmonised_standards covering the relevant essential requirements laid down in paragraph 1 of this Article is published in the Official Journal of the European Union in accordance with Regulation (EU) No 1025/2012 and no such reference is expected to be published within a reasonable period. |
Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 46(2).
7. Before preparing a draft implementing act referred to in paragraph 6 of this Article, the Commission shall inform the committee referred to in Article 22 of Regulation (EU) No 1025/2012 that it considers that the conditions in paragraph 6 of this Article have been fulfilled.
8. When preparing the draft implementing act referred to in paragraph 6, the Commission shall take into account the advice of the EDIB and views of other relevant bodies or expert groups and shall duly consult all relevant stakeholders.
9. The vendor of a smart_contract or, in the absence thereof, the person whose trade, business or profession involves the deployment of smart_contracts for others in the context of executing an agreement or part of it, to make data available that meet the common_specifications established by implementing acts referred to in paragraph 6 or parts thereof shall be presumed to be in conformity with the essential requirements laid down in paragraph 1 to the extent that those requirements are covered by such common_specifications or parts thereof.
10. Where a harmonised_standard is adopted by a European standardisation organisation and proposed to the Commission for the purpose of publishing its reference in the Official Journal of the European Union, the Commission shall assess the harmonised_standard in accordance with Regulation (EU) No 1025/2012. Where the reference of a harmonised_standard is published in the Official Journal of the European Union, the Commission shall repeal the implementing acts referred to in paragraph 6 of this Article, or parts thereof which cover the same essential requirements as those covered by that harmonised_standard.
11. When a Member State considers that a common specification does not entirely satisfy the essential requirements laid down in paragraph 1, it shall inform the Commission thereof by submitting a detailed explanation. The Commission shall assess that detailed explanation and may, if appropriate, amend the implementing act establishing the common specification in question.
CHAPTER IX
IMPLEMENTATION AND ENFORCEMENT
whereas