Data Act 2023/2854 EN


2023/2854 EN, searched: 'lodge'. Output generated live by software developed by IusOnDemand srl



Article 3

Obligation to make product data and related service data accessible to the user

1.   Connected products shall be designed and manufactured, and related services shall be designed and provided, in such a manner that product data and related service data, including the relevant meta data necessary to interpret and use those data, are, by default, easily, securely, free of charge, in a comprehensive, structured, commonly used and machine-readable format, and, where relevant and technically feasible, directly accessible to the user.

2.   Before concluding a contract for the purchase, rent or lease of a connected product, the seller, rentor or lessor, which may be the manufacturer, shall provide at least the following information to the user, in a clear and comprehensible manner:

(a)

the type, format and estimated volume of product data which the connected product is capable of generating;

(b)

whether the connected product is capable of generating data continuously and in real-time;

(c)

whether the connected product is capable of storing data on-device or on a remote server, including, where applicable, the intended duration of retention;

(d)

how the user may access, retrieve or, where relevant, erase the data, including the technical means to do so, as well as their terms of use and quality of service.

3.   Before concluding a contract for the provision of a related service, the provider of such related service shall provide at least the following information to the user, in a clear and comprehensible manner:

(a)

the nature, estimated volume and collection frequency of product data that the prospective data holder is expected to obtain and, where relevant, the arrangements for the user to access or retrieve such data, including the prospective data holder’s data storage arrangements and the duration of retention;

(b)

the nature and estimated volume of related service data to be generated, as well as the arrangements for the user to access or retrieve such data, including the prospective data holder’s data storage arrangements and the duration of retention;

(c)

whether the prospective data holder expects to use readily available data itself and the purposes for which those data are to be used, and whether it intends to allow one or more third parties to use the data for purposes agreed upon with the user;

(d)

the identity of the prospective data holder, such as its trading name and the geographical address at which it is established and, where applicable, of other data processing parties;

(e)

the means of communication which make it possible to contact the prospective data holder quickly and communicate with that data holder efficiently;

(f)

how the user can request that the data are shared with a third party and, where applicable, end the data sharing;

(g)

the user’s right to lodge a complaint alleging an infringement of any of the provisions of this Chapter with the competent authority designated pursuant to Article 37;

(h)

whether a prospective data holder is the holder of trade secrets contained in the data that is accessible from the connected product or generated during the provision of a related service, and, where the prospective data holder is not the trade secret holder, the identity of the trade secret holder;

(i)

the duration of the contract between the user and the prospective data holder, as well as the arrangements for terminating such a contract.

Article 4

The rights and obligations of users and data holders with regard to access, use and making available product data and related service data

1.   Where data cannot be directly accessed by the user from the connected product or related service, data holders shall make readily available data, as well as the relevant meta data necessary to interpret and use those data, accessible to the user without undue delay, of the same quality as is available to the data holder, easily, securely, free of charge, in a comprehensive, structured, commonly used and machine-readable format and, where relevant and technically feasible, continuously and in real-time. This shall be done on the basis of a simple request through electronic means where technically feasible.

2.   Users and data holders may contractually restrict or prohibit accessing, using or further sharing data, if such processing could undermine security requirements of the connected product, as laid down by Union or national law, resulting in a serious adverse effect on the health, safety or security of natural persons. Sectoral authorities may provide users and data holders with technical expertise in that context. Where the data holder refuses to share data pursuant to this Article, it shall notify the competent authority designated pursuant to Article 37.

3.   Without prejudice to the user’s right to seek redress at any stage before a court or tribunal of a Member State, the user may, in relation to any dispute with the data holder concerning the contractual restrictions or prohibitions referred to in paragraph 2:

(a)

lodge, in accordance with Article 37(5), point (b), a complaint with the competent authority; or

(b)

agree with the data holder to refer the matter to a dispute settlement body in accordance with Article 10(1).

4.   Data holders shall not make the exercise of choices or rights under this Article by the user unduly difficult, including by offering choices to the user in a non-neutral manner or by subverting or impairing the autonomy, decision-making or choices of the user via the structure, design, function or manner of operation of a user digital interface or a part thereof.

5.   For the purpose of verifying whether a natural or legal person qualifies as a user for the purposes of paragraph 1, a data holder shall not require that person to provide any information beyond what is necessary. Data holders shall not keep any information, in particular log data, on the user’s access to the data requested beyond what is necessary for the sound execution of the user’s access request and for the security and maintenance of the data infrastructure.

6.   Trade secrets shall be preserved and shall be disclosed only where the data holder and the user take all necessary measures prior to the disclosure to preserve their confidentiality in particular regarding third parties. The data holder or, where they are not the same person, the trade secret holder shall identify the data which are protected as trade secrets, including in the relevant meta data, and shall agree with the user proportionate technical and organisational measures necessary to preserve the confidentiality of the shared data, in particular in relation to third parties, such as model contractual terms, confidentiality agreements, strict access protocols, technical standards and the application of codes of conduct.

7.   Where there is no agreement on the necessary measures referred to in paragraph 6, or if the user fails to implement the measures agreed pursuant to paragraph 6 or undermines the confidentiality of the trade secrets, the data holder may withhold or, as the case may be, suspend the sharing of data identified as trade secrets. The decision of the data holder shall be duly substantiated and provided in writing to the user without undue delay. In such cases, the data holder shall notify the competent authority designated pursuant to Article 37 that it has withheld or suspended data sharing and identify which measures have not been agreed or implemented and, where relevant, which trade secrets have had their confidentiality undermined.

8.   In exceptional circumstances, where the data holder who is a trade secret holder is able to demonstrate that it is highly likely to suffer serious economic damage from the disclosure of trade secrets, despite the technical and organisational measures taken by the user pursuant to paragraph 6 of this Article, that data holder may refuse on a case-by-case basis a request for access to the specific data in question. That demonstration shall be duly substantiated on the basis of objective elements, in particular the enforceability of trade secrets protection in third countries, the nature and level of confidentiality of the data requested, and the uniqueness and novelty of the connected product, and shall be provided in writing to the user without undue delay. Where the data holder refuses to share data pursuant to this paragraph, it shall notify the competent authority designated pursuant to Article 37.

9.   Without prejudice to a user’s right to seek redress at any stage before a court or tribunal of a Member State, a user wishing to challenge a data holder’s decision to refuse or to withhold or suspend data sharing pursuant to paragraphs 7 and 8 may:

(a)

lodge, in accordance with Article 37(5), point (b), a complaint with the competent authority, which shall, without undue delay, decide whether and under which conditions data sharing is to start or resume; or

(b)

agree with the data holder to refer the matter to a dispute settlement body in accordance with Article 10(1).

10.   The user shall not use the data obtained pursuant to a request referred to in paragraph 1 to develop a connected product that competes with the connected product from which the data originate, nor share the data with a third party with that intent and shall not use such data to derive insights about the economic situation, assets and production methods of the manufacturer or, where applicable the data holder.

11.   The user shall not use coercive means or abuse gaps in the technical infrastructure of a data holder which is designed to protect the data in order to obtain access to data.

12.   Where the user is not the data subject whose personal data is requested, any personal data generated by the use of a connected product or related service shall be made available by the data holder to the user only where there is a valid legal basis for processing under Article 6 of Regulation (EU) 2016/679 and, where relevant, the conditions of Article 9 of that Regulation and of Article 5(3) of Directive 2002/58/EC are fulfilled.

13.   A data holder shall only use any readily available data that is non-personal data on the basis of a contract with the user. A data holder shall not use such data to derive insights about the economic situation, assets and production methods of, or the use by, the user in any other manner that could undermine the commercial position of that user on the markets in which the user is active.

14.   Data holders shall not make available non-personal product data to third parties for commercial or non-commercial purposes other than the fulfilment of their contract with the user. Where relevant, data holders shall contractually bind third parties not to further share data received from them.

Article 5

Right of the user to share data with third parties

1.   Upon request by a user, or by a party acting on behalf of a user, the data holder shall make available readily available data, as well as the relevant meta data necessary to interpret and use those data, to a third party without undue delay, of the same quality as is available to the data holder, easily, securely, free of charge to the user, in a comprehensive, structured, commonly used and machine-readable format and, where relevant and technically feasible, continuously and in real-time. The data shall be made available by the data holder to the third party in accordance with Articles 8 and 9.

2.   Paragraph 1 shall not apply to readily available data in the context of the testing of new connected products, substances or processes that are not yet placed on the market unless their use by a third party is contractually permitted.

3.   Any undertaking designated as a gatekeeper, pursuant to Article 3 of Regulation (EU) 2022/1925, shall not be an eligible third party under this Article and therefore shall not:

(a)

solicit or commercially incentivise a user in any manner, including by providing monetary or any other compensation, to make data available to one of its services that the user has obtained pursuant to a request under Article 4(1);

(b)

solicit or commercially incentivise a user to request the data holder to make data available to one of its services pursuant to paragraph 1 of this Article;

(c)

receive data from a user that the user has obtained pursuant to a request under Article 4(1).

4.   For the purpose of verifying whether a natural or legal person qualifies as a user or as a third party for the purposes of paragraph 1, the user or the third party shall not be required to provide any information beyond what is necessary. Data holders shall not keep any information on the third party’s access to the data requested beyond what is necessary for the sound execution of the third party’s access request and for the security and maintenance of the data infrastructure.

5.   The third party shall not use coercive means or abuse gaps in the technical infrastructure of a data holder which is designed to protect the data in order to obtain access to data.

6.   A data holder shall not use any readily available data to derive insights about the economic situation, assets and production methods of, or the use by, the third party in any other manner that could undermine the commercial position of the third party on the markets in which the third party is active, unless the third party has given permission to such use and has the technical possibility to easily withdraw that permission at any time.

7.   Where the user is not the data subject whose personal data is requested, any personal data generated by the use of a connected product or related service shall be made available by the data holder to the third party only where there is a valid legal basis for processing under Article 6 of Regulation (EU) 2016/679 and, where relevant, the conditions of Article 9 of that Regulation and of Article 5(3) of Directive 2002/58/EC are fulfilled.

8.   Any failure on the part of the data holder and the third party to agree on arrangements for transmitting the data shall not hinder, prevent or interfere with the exercise of the rights of the data subject under Regulation (EU) 2016/679 and, in particular, with the right to data portability under Article 20 of that Regulation.

9.   Trade secrets shall be preserved and shall be disclosed to third parties only to the extent that such disclosure is strictly necessary to fulfil the purpose agreed between the user and the third party. The data holder or, where they are not the same person, the trade secret holder shall identify the data which are protected as trade secrets, including in the relevant meta data, and shall agree with the third party all proportionate technical and organisational measures necessary to preserve the confidentiality of the shared data, such as model contractual terms, confidentiality agreements, strict access protocols, technical standards and the application of codes of conduct.

10.   Where there is no agreement on the necessary measures referred to in paragraph 9 of this Article or if the third party fails to implement the measures agreed pursuant to paragraph 9 of this Article or undermines the confidentiality of the trade secrets, the data holder may withhold or, as the case may be, suspend the sharing of data identified as trade secrets. The decision of the data holder shall be duly substantiated and provided in writing to the third party without undue delay. In such cases, the data holder shall notify the competent authority designated pursuant to Article 37 that it has withheld or suspended data sharing and identify which measures have not been agreed or implemented and, where relevant, which trade secrets have had their confidentiality undermined.

11.   In exceptional circumstances, where the data holder who is a trade secret holder is able to demonstrate that it is highly likely to suffer serious economic damage from the disclosure of trade secrets, despite the technical and organisational measures taken by the third party pursuant to paragraph 9 of this Article, that data holder may refuse on a case-by-case basis a request for access to the specific data in question. That demonstration shall be duly substantiated on the basis of objective elements, in particular the enforceability of trade secrets protection in third countries, the nature and level of confidentiality of the data requested, and the uniqueness and novelty of the connected product, and shall be provided in writing to the third party without undue delay. Where the data holder refuses to share data pursuant to this paragraph, it shall notify the competent authority designated pursuant to Article 37.

12.   Without prejudice to the third party’s right to seek redress at any stage before a court or tribunal of a Member State, a third party wishing to challenge a data holder’s decision to refuse or to withhold or suspend data sharing pursuant to paragraphs 10 and 11 may:

(a)

lodge, in accordance with Article 37(5), point (b), a complaint with the competent authority, which shall, without undue delay, decide whether and under which conditions the data sharing is to start or resume; or

(b)

agree with the data holder to refer the matter to a dispute settlement body in accordance with Article 10(1).

13.   The right referred to in paragraph 1 shall not adversely affect the rights of data subjects pursuant to the applicable Union and national law on the protection of personal data.

Article 17

Requests for data to be made available

1.   When requesting data pursuant to Article 14, a public sector body, the Commission, the European Central Bank or a Union body shall:

(a)

specify the data required, including the relevant meta data necessary to interpret and use those data;

(b)

demonstrate that the conditions necessary for the existence of an exceptional need as referred to in Article 15 for the purpose of which the data are requested are met;

(c)

explain the purpose of the request, the intended use of the data requested, including, where applicable, by a third party in accordance with paragraph 4 of this Article, the duration of that use, and, where relevant, how the processing of personal data is to address the exceptional need;

(d)

specify, if possible, when the data are expected to be erased by all parties that have access to them;

(e)

justify the choice of data holder to which the request is addressed;

(f)

specify any other public sector bodies or the Commission, European Central Bank or Union bodies and the third parties with which the data requested is expected to be shared with;

(g)

where personal data are requested, specify any technical and organisational measures necessary and proportionate to implement data protection principles and necessary safeguards, such as pseudonymisation, and whether anonymisation can be applied by the data holder before making the data available;

(h)

state the legal provision allocating to the requesting public sector body, the Commission, the European Central Bank or the Union body the specific task carried out in the public interest relevant for requesting the data;

(i)

specify the deadline by which the data are to be made available and the deadline referred to in Article 18(2) by which the data holder may decline or seek modification of the request;

(j)

make its best efforts to avoid compliance with the data request resulting in the data holders’ liability for infringement of Union or national law.

2.   A request for data made pursuant to paragraph 1 of this Article shall:

(a)

be made in writing and expressed in clear, concise and plain language understandable to the data holder;

(b)

be specific regarding the type of data requested and correspond to data which the data holder has control over at the time of the request;

(c)

be proportionate to the exceptional need and duly justified, regarding the granularity and volume of the data requested and frequency of access of the data requested;

(d)

respect the legitimate aims of the data holder, committing to ensuring the protection of trade secrets in accordance with Article 19(3), and the cost and effort required to make the data available;

(e)

concern non-personal data, and only if this is demonstrated to be insufficient to respond to the exceptional need to use data, in accordance with Article 15(1), point (a), request personal data in pseudonymised form and establish the technical and organisational measures that are to be taken to protect the data;

(f)

inform the data holder of the penalties that are to be imposed pursuant to Article 40 by the competent authority designated pursuant to Article 37 in the event of non-compliance with the request;

(g)

where the request is made by a public sector body, be transmitted to the data coordinator referred to in Article 37 of the Member State where the requesting public sector body is established, who shall make the request publicly available online without undue delay unless the data coordinator considers that such publication would create a risk for public security;

(h)

where the request is made by the Commission, the European Central Bank or a Union body, be made available online without undue delay;

(i)

where personal data are requested, be notified without undue delay to the supervisory authority responsible for monitoring the application of Regulation (EU) 2016/679 in the Member State where the public sector body is established.

The European Central Bank and Union bodies shall inform the Commission of their requests.

3.   A public sector body, the Commission, the European Central Bank or a Union body shall not make data obtained pursuant to this Chapter available for reuse as defined in Article 2, point (2), of Regulation (EU) 2022/868 or Article 2, point (11), of Directive (EU) 2019/1024. Regulation (EU) 2022/868 and Directive (EU) 2019/1024 shall not apply to the data held by public sector bodies obtained pursuant to this Chapter.

4.   Paragraph 3 of this Article does not preclude a public sector body, the Commission, the European Central Bank or a Union body to exchange data obtained pursuant to this Chapter with another public sector body or the Commission, the European Central Bank or a Union body in view of completing the tasks referred to in Article 15, as specified in the request in accordance with paragraph 1, point (f), of this Article or to make the data available to a third party where it has delegated, by means of a publicly available agreement, technical inspections or other functions to that third party. The obligations on public sector bodies pursuant to Article 19, in particular safeguards to preserve the confidentiality of trade secrets, shall apply also to such third parties. Where a public sector body, the Commission, the European Central Bank or a Union body transmits or makes data available under this paragraph, it shall notify the data holder from whom the data was received without undue delay.

5.   Where the data holder considers that its rights under this Chapter have been infringed by the transmission or making available of data, it may lodge a complaint with the competent authority designated pursuant to Article 37 of the Member State where the data holder is established.

6.   The Commission shall develop a model template for requests pursuant to this Article.

Article 20

Compensation in cases of an exceptional need

1.   Data holders other than micro enterprises and small enterprises shall make available data necessary to respond to a public emergency pursuant to Article 15(1), point (a), free of charge. The public sector body, the Commission, the European Central Bank or the Union body that has received data shall provide public acknowledgement to the data holder if requested by the data holder.

2.   The data holder shall be entitled to fair compensation for making data available in compliance with a request made pursuant to Article 15(1), point (b). Such compensation shall cover the technical and organisational costs incurred to comply with the request including, where applicable, the costs of anonymisation, pseudonymisation, aggregation and of technical adaptation, and a reasonable margin. Upon request of the public sector body, the Commission, the European Central Bank or the Union body, the data holder shall provide information on the basis for the calculation of the costs and the reasonable margin.

3.   Paragraph 2 shall also apply where a micro enterprise and small enterprise claims compensation for making data available.

4.   Data holders shall not be entitled to compensation for making data available in compliance with a request made pursuant to Article 15(1), point (b), where the specific task carried out in the public interest is the production of official statistics and where the purchase of data is not allowed by national law. Member States shall notify the Commission where the purchase of data for the production of official statistics is not allowed by national law.

5.   Where the public sector body, the Commission, the European Central Bank or the Union body disagrees with the level of compensation requested by the data holder, they may lodge a complaint with the competent authority designated pursuant to Article 37 of the Member State where the data holder is established.

Article 21

Sharing of data obtained in the context of an exceptional need with research organisations or statistical bodies

1.   A public sector body, the Commission, the European Central Bank or a Union body shall be entitled to share data received under this Chapter:

(a)

with individuals or organisations in view of carrying out scientific research or analytics compatible with the purpose for which the data was requested; or

(b)

with national statistical institutes and Eurostat for the production of official statistics.

2.   Individuals or organisations receiving the data pursuant to paragraph 1 shall act on a not-for-profit basis or in the context of a public-interest mission recognised in Union or national law. They shall not include organisations upon which commercial undertakings have a significant influence which is likely to result in preferential access to the results of the research.

3.   Individuals or organisations receiving the data pursuant to paragraph 1 of this Article shall comply with the same obligations that are applicable to the public sector bodies, the Commission, the European Central Bank or Union bodies pursuant to Article 17(3) and Article 19.

4.   Notwithstanding Article 19(1), point (c), individuals or organisations receiving the data pursuant to paragraph 1 of this Article may keep the data received for the purpose for which the data was requested for up to six months following erasure of the data by the public sector bodies, the Commission, the European Central Bank and Union bodies.

5.   Where a public sector body, the Commission, the European Central Bank or a Union body intends to transmit or make data available under paragraph 1 of this Article, it shall notify without undue delay the data holder from whom the data was received, stating the identity and contact details of the organisation or the individual receiving the data, the purpose of the transmission or making available of the data, the period for which the data is to be used and the technical protection and organisational measures taken, including where personal data or trade secrets are involved. Where the data holder disagrees with the transmission or making available of data, it may lodge a complaint with the competent authority designated pursuant to Article 37 of the Member State where the data holder is established.

Article 38

Right to lodge a complaint

1.   Without prejudice to any other administrative or judicial remedy, natural and legal persons shall have the right to lodge a complaint, individually or, where relevant, collectively, with the relevant competent authority in the Member State of their habitual residence, place of work or establishment if they consider that their rights under this Regulation have been infringed. The data coordinator shall, upon request, provide all the necessary information to natural and legal persons for the lodging of their complaints with the appropriate competent authority.

2.   The competent authority with which the complaint has been lodged shall inform the complainant, in accordance with national law, of the progress of the proceedings and of the decision taken.

3.   Competent authorities shall cooperate to handle and resolve complaints effectively and in a timely manner, including by exchanging all relevant information by electronic means, without undue delay. This cooperation shall not affect the cooperation mechanisms provided for by Chapters VI and VII of Regulation (EU) 2016/679 and by Regulation (EU) 2017/2394.

