Data Act 2023/2854 EN

(1)	‘ data’ means any digital representation of acts, facts or information and any compilation of such acts, facts or information, including in the form of sound, visual or audio-visual recording;

(2)	‘meta data’ means a structured description of the contents or the use of data facilitating the discovery or use of that data;

(3)	‘personal data’ means personal data as defined in Article 4, point (1), of Regulation (EU) 2016/679;

(4)	‘non-personal data’ means data other than personal data;

(5)

‘ connected_product’ means an item that obtains, generates or collects data concerning its use or environment and that is able to communicate product data via an electronic communications service, physical connection or on-device access, and whose primary function is not the storing, processing or transmission of data on behalf of any party other than the user;

(6)

‘ related_service’ means a digital service, other than an electronic communications service, including software, which is connected with the product at the time of the purchase, rent or lease in such a way that its absence would prevent the connected_product from performing one or more of its functions, or which is subsequently connected to the product by the manufacturer or a third party to add to, update or adapt the functions of the connected_product;

(7)

‘ processing’ means any operation or set of operations which is performed on data or on sets of data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination, or other means of making them available, alignment or combination, restriction, erasure or destruction;

(8)

‘ data processing service’ means a digital service that is provided to a customer and that enables ubiquitous and on-demand network access to a shared pool of configurable, scalable and elastic computing resources of a centralised, distributed or highly distributed nature that can be rapidly provisioned and released with minimal management effort or service provider interaction;

(9)	‘ same_service_type’ means a set of data processing services that share the same primary objective, data processing service model and main functionalities;

(10)	‘ data intermediation service’ means data intermediation service as defined in Article 2, point (11), of Regulation (EU) 2022/868;

(11)	‘ data subject’ means data subject as referred to in Article 4, point (1), of Regulation (EU) 2016/679;

(12)	‘ user’ means a natural or legal person that owns a connected_product or to whom temporary rights to use that connected_product have been contractually transferred, or that receives related_services;

(13)

‘ data holder’ means a natural or legal person that has the right or obligation, in accordance with this Regulation, applicable Union law or national legislation adopted in accordance with Union law, to use and make available data, including, where contractually agreed, product data or related_service data which it has retrieved or generated during the provision of a related_service;

(14)

‘ data recipient’ means a natural or legal person, acting for purposes which are related to that person’s trade, business, craft or profession, other than the user of a connected_product or related_service, to whom the data holder makes data available, including a third party following a request by the user to the data holder or in accordance with a legal obligation under Union law or national legislation adopted in accordance with Union law;

(15)	‘product data’ means data generated by the use of a connected_product that the manufacturer designed to be retrievable, via an electronic communications service, physical connection or on-device access, by a user, data holder or a third party, including, where relevant, the manufacturer;

(16)	‘ related_service data’ means data representing the digitisation of user actions or of events related to the connected_product, recorded intentionally by the user or generated as a by-product of the user’s action during the provision of a related_service by the provider;

(17)	‘readily available data’ means product data and related_service data that a data holder lawfully obtains or can lawfully obtain from the connected_product or related_service, without disproportionate effort going beyond a simple operation;

(18)	‘ trade_secret’ means trade_secret as defined in Article 2, point (1), of Directive (EU) 2016/943;

(19)	‘ trade_secret holder’ means a trade_secret holder as defined in Article 2, point (2), of Directive (EU) 2016/943;

(20)	‘ profiling’ means profiling as defined in Article 4, point (4), of Regulation (EU) 2016/679;

(21)	‘ making_available_on_the_market’ means any supply of a connected_product for distribution, consumption or use on the Union market in the course of a commercial activity, whether in return for payment or free of charge;

(22)	‘ placing_on_the_market’ means the first making available of a connected_product on the Union market;

(23)	‘ consumer’ means any natural person who is acting for purposes which are outside that person’s trade, business, craft or profession;

(24)	‘ enterprise’ means a natural or legal person that, in relation to contracts and practices covered by this Regulation, is acting for purposes which are related to that person’s trade, business, craft or profession;

(25)	‘small enterprise’ means a small enterprise as defined in Article 2(2) of the Annex to Recommendation 2003/361/EC;

(26)	‘micro enterprise’ means a micro enterprise as defined in Article 2(3) of the Annex to Recommendation 2003/361/EC;

(27)	‘ Union_bodies’ means the Union_bodies, offices and agencies set up by or pursuant to acts adopted on the basis of the Treaty on European Union, the TFEU or the Treaty establishing the European Atomic Energy Community;

(28)	‘ public_sector_body’ means national, regional or local authorities of the Member States and bodies governed by public law of the Member States, or associations formed by one or more such authorities or one or more such bodies;

(29)

‘ public_emergency’ means an exceptional situation, limited in time, such as a public health emergency, an emergency resulting from natural disasters, a human-induced major disaster, including a major cybersecurity incident, negatively affecting the population of the Union or the whole or part of a Member State, with a risk of serious and lasting repercussions for living conditions or economic stability, financial stability, or the substantial and immediate degradation of economic assets in the Union or the relevant Member State and which is determined or officially declared in accordance with the relevant procedures under Union or national law;

(30)	‘ customer’ means a natural or legal person that has entered into a contractual relationship with a provider of data processing services with the objective of using one or more data processing services;

(31)	‘ virtual_assistants’ means software that can process demands, tasks or questions including those based on audio, written input, gestures or motions, and that, based on those demands, tasks or questions, provides access to other services or controls the functions of connected_products;

(32)	‘ digital_assets’ means elements in digital form, including applications, for which the customer has the right of use, independently from the contractual relationship with the data processing service it intends to switch from;

(33)	‘ on-premises_ICT_infrastructure’ means ICT infrastructure and computing resources owned, rented or leased by the customer, located in the data centre of the customer itself and operated by the customer or by a third-party;

(34)

‘ switching’ means the process involving a source provider of data processing services, a customer of a data processing service and, where relevant, a destination provider of data processing services, whereby the customer of a data processing service changes from using one data processing service to using another data processing service of the same_service_type, or other service, offered by a different provider of data processing services, or to an on-premises_ICT_infrastructure, including through extracting, transforming and uploading the data;

(35)	‘ data egress charges’ means data transfer fees charged to customers for extracting their data through the network from the ICT infrastructure of a provider of data processing services to the system of a different provider or to on-premises_ICT_infrastructure;

(36)

‘ switching charges’ means charges, other than standard service fees or early termination penalties, imposed by a provider of data processing services on a customer for the actions mandated by this Regulation for switching to the system of a different provider or to on-premises_ICT_infrastructure, including data egress charges;

(37)

‘ functional_equivalence’ means re-establishing on the basis of the customer’s exportable data and digital_assets, a minimum level of functionality in the environment of a new data processing service of the same_service_type after the switching process, where the destination data processing service delivers a materially comparable outcome in response to the same input for shared features supplied to the customer under the contract;

(38)

‘exportable data’, for the purpose of Articles 23 to 31 and Article 35, means the input and output data, including meta data, directly or indirectly generated, or cogenerated, by the customer’s use of the data processing service, excluding any assets or data protected by intellectual property rights, or constituting a trade_secret, of providers of data processing services or third parties;

(39)	‘ smart_contract’ means a computer program used for the automated execution of an agreement or part thereof, using a sequence of electronic data records and ensuring their integrity and the accuracy of their chronological ordering;

(40)	‘ interoperability’ means the ability of two or more data spaces or communication networks, systems, connected_products, applications, data processing services or components to exchange and use data in order to perform their functions;

(41)	open interoperability specification’ means a technical specification in the field of information and communication technologies which is performance oriented towards achieving interoperability between data processing services;

(42)	‘ common_specifications’ means a document, other than a standard, containing technical solutions providing a means to comply with certain requirements and obligations established under this Regulation;

(43)	‘ harmonised_standard’ means a harmonised_standard as defined in Article 2, point (1)(c), of Regulation (EU) No 1025/2012.

CHAPTER II

BUSINESS TO CONSUMER AND BUSINESS TO BUSINESS DATA SHARING

Article 3

Obligation to make product data and related_service data accessible to the user

1. Connected products shall be designed and manufactured, and related_services shall be designed and provided, in such a manner that product data and related_service data, including the relevant meta data necessary to interpret and use those data, are, by default, easily, securely, free of charge, in a comprehensive, structured, commonly used and machine-readable format, and, where relevant and technically feasible, directly accessible to the user.

2. Before concluding a contract for the purchase, rent or lease of a connected_product, the seller, rentor or lessor, which may be the manufacturer, shall provide at least the following information to the user, in a clear and comprehensible manner:

(a)	the type, format and estimated volume of product data which the connected_product is capable of generating;

(b)	whether the connected_product is capable of generating data continuously and in real-time;

(c)	whether the connected_product is capable of storing data on-device or on a remote server, including, where applicable, the intended duration of retention;

(d)	how the user may access, retrieve or, where relevant, erase the data, including the technical means to do so, as well as their terms of use and quality of service.

3. Before concluding a contract for the provision of a related_service, the provider of such related_service shall provide at least the following information to the user, in a clear and comprehensible manner:

(a)

the nature, estimated volume and collection frequency of product data that the prospective data holder is expected to obtain and, where relevant, the arrangements for the user to access or retrieve such data, including the prospective data holder’s data storage arrangements and the duration of retention;

(b)	the nature and estimated volume of related_service data to be generated, as well as the arrangements for the user to access or retrieve such data, including the prospective data holder’s data storage arrangements and the duration of retention;

(c)	whether the prospective data holder expects to use readily available data itself and the purposes for which those data are to be used, and whether it intends to allow one or more third parties to use the data for purposes agreed upon with the user;

(d)	the identity of the prospective data holder, such as its trading name and the geographical address at which it is established and, where applicable, of other data processing parties;

(e)	the means of communication which make it possible to contact the prospective data holder quickly and communicate with that data holder efficiently;

(f)	how the user can request that the data are shared with a third party and, where applicable, end the data sharing;

(g)	the user’s right to lodge a complaint alleging an infringement of any of the provisions of this Chapter with the competent authority designated pursuant to Article 37;

(h)

whether a prospective data holder is the holder of trade_secrets contained in the data that is accessible from the connected_product or generated during the provision of a related_service, and, where the prospective data holder is not the trade_secret holder, the identity of the trade_secret holder;

(i)	the duration of the contract between the user and the prospective data holder, as well as the arrangements for terminating such a contract.

Article 13

Unfair contractual terms unilaterally imposed on another enterprise

1. A contractual term concerning access to and the use of data or liability and remedies for the breach or the termination of data related obligations, which has been unilaterally imposed by an enterprise on another enterprise, shall not be binding on the latter enterprise if it is unfair.

2. A contractual term which reflects mandatory provisions of Union law, or provisions of Union law which would apply if the contractual terms did not regulate the matter, shall not be considered to be unfair.

3. A contractual term is unfair if it is of such a nature that its use grossly deviates from good commercial practice in data access and use, contrary to good faith and fair dealing.

4. In particular, a contractual term shall be unfair for the purposes of paragraph 3, if its object or effect is to:

(a)	exclude or limit the liability of the party that unilaterally imposed the term for intentional acts or gross negligence;

(b)	exclude the remedies available to the party upon whom the term has been unilaterally imposed in the case of non-performance of contractual obligations, or the liability of the party that unilaterally imposed the term in the case of a breach of those obligations;

(c)	give the party that unilaterally imposed the term the exclusive right to determine whether the data supplied are in conformity with the contract or to interpret any contractual term.

5. A contractual term shall be presumed to be unfair for the purposes of paragraph 3 if its object or effect is to:

(a)	inappropriately limit remedies in the case of non-performance of contractual obligations or liability in the case of a breach of those obligations, or extend the liability of the enterprise upon whom the term has been unilaterally imposed;

(b)

allow the party that unilaterally imposed the term to access and use the data of the other contracting party in a manner that is significantly detrimental to the legitimate interests of the other contracting party, in particular when such data contain commercially sensitive data or are protected by trade_secrets or by intellectual property rights;

(c)

prevent the party upon whom the term has been unilaterally imposed from using the data provided or generated by that party during the period of the contract, or to limit the use of such data to the extent that that party is not entitled to use, capture, access or control such data or exploit the value of such data in an adequate manner;

(d)	prevent the party upon whom the term has been unilaterally imposed from terminating the agreement within a reasonable period;

(e)	prevent the party upon whom the term has been unilaterally imposed from obtaining a copy of the data provided or generated by that party during the period of the contract or within a reasonable period after the termination thereof;

(f)

enable the party that unilaterally imposed the term to terminate the contract at unreasonably short notice, taking into consideration any reasonable possibility of the other contracting party to switch to an alternative and comparable service and the financial detriment caused by such termination, except where there are serious grounds for so doing;

(g)

enable the party that unilaterally imposed the term to substantially change the price specified in the contract or any other substantive condition related to the nature, format, quality or quantity of the data to be shared, where no valid reason and no right of the other party to terminate the contract in the case of such a change is specified in the contract.

Point (g) of the first subparagraph shall not affect terms by which the party that unilaterally imposed the term reserves the right to unilaterally change the terms of a contract of an indeterminate duration, provided that the contract specified a valid reason for such unilateral changes, that the party that unilaterally imposed the term is required to provide the other contracting party with reasonable notice of any such intended change, and that the other contracting party is free to terminate the contract at no cost in the case of a change.

6. A contractual term shall be considered to be unilaterally imposed within the meaning of this Article if it has been supplied by one contracting party and the other contracting party has not been able to influence its content despite an attempt to negotiate it. The contracting party that supplied the contractual term bears the burden of proving that that term has not been unilaterally imposed. The contracting party that supplied the contested contractual term may not argue that the term is an unfair contractual term.

7. Where the unfair contractual term is severable from the remaining terms of the contract, those remaining terms shall be binding.

8. This Article does not apply to contractual terms defining the main subject matter of the contract or to the adequacy of the price, as against the data supplied in exchange.

9. The parties to a contract covered by paragraph 1 shall not exclude the application of this Article, derogate from it, or vary its effects.

CHAPTER V

MAKING DATA AVAILABLE TO PUBLIC SECTOR BODIES, THE COMMISSION, THE EUROPEAN CENTRAL BANK AND UNION BODIES ON THE BASIS OF AN EXCEPTIONAL NEED

Article 17

Requests for data to be made available

1. When requesting data pursuant to Article 14, a public_sector_body, the Commission, the European Central Bank or a Union body shall:

(a)	specify the data required, including the relevant meta data necessary to interpret and use those data;

(b)	demonstrate that the conditions necessary for the existence of an exceptional need as referred to in Article 15 for the purpose of which the data are requested are met;

(c)	explain the purpose of the request, the intended use of the data requested, including, where applicable, by a third party in accordance with paragraph 4 of this Article, the duration of that use, and, where relevant, how the processing of personal data is to address the exceptional need;

(d)	specify, if possible, when the data are expected to be erased by all parties that have access to them;

(e)	justify the choice of data holder to which the request is addressed;

(f)	specify any other public sector bodies or the Commission, European Central Bank or Union_bodies and the third parties with which the data requested is expected to be shared with;

(g)	where personal data are requested, specify any technical and organisational measures necessary and proportionate to implement data protection principles and necessary safeguards, such as pseudonymisation, and whether anonymisation can be applied by the data holder before making the data available;

(h)	state the legal provision allocating to the requesting public_sector_body, the Commission, the European Central Bank or the Union body the specific task carried out in the public interest relevant for requesting the data;

(i)	specify the deadline by which the data are to be made available and the deadline referred to in Article 18(2) by which the data holder may decline or seek modification of the request;

(j)	make its best efforts to avoid compliance with the data request resulting in the data holders’ liability for infringement of Union or national law.

2. A request for data made pursuant to paragraph 1 of this Article shall:

(a)	be made in writing and expressed in clear, concise and plain language understandable to the data holder;

(b)	be specific regarding the type of data requested and correspond to data which the data holder has control over at the time of the request;

(c)	be proportionate to the exceptional need and duly justified, regarding the granularity and volume of the data requested and frequency of access of the data requested;

(d)	respect the legitimate aims of the data holder, committing to ensuring the protection of trade_secrets in accordance with Article 19(3), and the cost and effort required to make the data available;

(e)

concern non-personal data, and only if this is demonstrated to be insufficient to respond to the exceptional need to use data, in accordance with Article 15(1), point (a), request personal data in pseudonymised form and establish the technical and organisational measures that are to be taken to protect the data;

(f)	inform the data holder of the penalties that are to be imposed pursuant to Article 40 by the competent authority designated pursuant to Article 37 in the event of non-compliance with the request;

(g)

where the request is made by a public_sector_body, be transmitted to the data coordinator referred to in Article 37 of the Member State where the requesting public_sector_body is established, who shall make the request publicly available online without undue delay unless the data coordinator considers that such publication would create a risk for public security;

(h)	where the request is made by the Commission, the European Central Bank or a Union body, be made available online without undue delay;

(i)	where personal data are requested, be notified without undue delay to the supervisory authority responsible for monitoring the application of Regulation (EU) 2016/679 in the Member State where the public_sector_body is established.

The European Central Bank and Union_bodies shall inform the Commission of their requests.

3. A public_sector_body, the Commission, the European Central Bank or a Union body shall not make data obtained pursuant to this Chapter available for reuse as defined in Article 2, point (2), of Regulation (EU) 2022/868 or Article 2, point (11), of Directive (EU) 2019/1024. Regulation (EU) 2022/868 and Directive (EU) 2019/1024 shall not apply to the data held by public sector bodies obtained pursuant to this Chapter.

4. Paragraph 3 of this Article does not preclude a public_sector_body, the Commission, the European Central Bank or a Union body to exchange data obtained pursuant to this Chapter with another public_sector_body or the Commission, the European Central Bank or a Union body in view of completing the tasks referred to in Article 15, as specified in the request in accordance with paragraph 1, point (f), of this Article or to make the data available to a third party where it has delegated, by means of a publicly available agreement, technical inspections or other functions to that third party. The obligations on public sector bodies pursuant to Article 19, in particular safeguards to preserve the confidentiality of trade_secrets, shall apply also to such third parties. Where a public_sector_body, the Commission, the European Central Bank or a Union body transmits or makes data available under this paragraph, it shall notify the data holder from whom the data was received without undue delay.

5. Where the data holder considers that its rights under this Chapter have been infringed by the transmission or making available of data, it may lodge a complaint with the competent authority designated pursuant to Article 37 of the Member State where the data holder is established.

6. The Commission shall develop a model template for requests pursuant to this Article.

Article 25

Contractual terms concerning switching

1. The rights of the customer and the obligations of the provider of data processing services in relation to switching between providers of such services or, where applicable, to an on-premises_ICT_infrastructure shall be clearly set out in a written contract. The provider of data processing services shall make that contract available to the customer prior to signing the contract in a way that allows the customer to store and reproduce the contract.

2. Without prejudice to Directive (EU) 2019/770, the contract referred to in paragraph 1 of this Article shall include at least the following:

(a)

clauses allowing the customer, upon request, to switch to a data processing service offered by a different provider of data processing services or to port all exportable data and digital_assets to an on-premises_ICT_infrastructure, without undue delay and in any event not after the mandatory maximum transitional period of 30 calendar days, to be initiated after the maximum notice period referred to in point (d), during which the service contract remains applicable and during which the provider of data processing services shall:

(i)	provide reasonable assistance to the customer and third parties authorised by the customer in the switching process;

(ii)	act with due care to maintain business continuity, and continue the provision of the functions or services under the contract;

(iii)

provide clear information concerning known risks to continuity in the provision of the functions or services on the part of the source provider of data processing services;

(iv)	ensure that a high level of security is maintained throughout the switching process, in particular the security of the data during their transfer and the continued security of the data during the retrieval period specified in point (g), in accordance with applicable Union or national law;

(b)	an obligation of the provider of data processing services to support the customer’s exit strategy relevant to the contracted services, including by providing all relevant information;

(c)

a clause specifying that the contract shall be considered to be terminated and the customer shall be notified of the termination, in one of the following cases:

(i)	where applicable, upon the successful completion of the switching process;

(ii)	at the end of the maximum notice period referred to in paragraph (d), where the customer does not wish to switch but to erase its exportable data and digital_assets upon service termination;

(d)	a maximum notice period for initiation of the switching process, which shall not exceed two months;

(e)	an exhaustive specification of all categories of data and digital_assets that can be ported during the switching process, including, at a minimum, all exportable data;

(f)

an exhaustive specification of categories of data specific to the internal functioning of the provider’s data processing service that are to be exempted from the exportable data under point (e) of this paragraph where a risk of breach of trade_secrets of the provider exists, provided that such exemptions do not impede or delay the switching process provided for in Article 23;

(g)	a minimum period for data retrieval of at least 30 calendar days, starting after the termination of the transitional period that was agreed between the customer and the provider of data processing services, in accordance with point (a) of this paragraph and paragraph 4;

(h)

a clause guaranteeing full erasure of all exportable data and digital_assets generated directly by the customer, or relating to the customer directly, after the expiry of the retrieval period referred to in point (g) or after the expiry of an alternative agreed period at a date later than the date of expiry of the retrieval period referred to in point (g), provided that the switching process has been completed successfully;

(i)	switching charges, that may be imposed by providers of data processing services in accordance with Article 29.

3. The contract referred to in paragraph 1 shall include clauses providing that the customer may notify the provider of data processing services of its decision to perform one or more of the following actions upon termination of the maximum notice period referred to in paragraph 2, point (d):

(a)	switch to a different provider of data processing services, in which case the customer shall provide the necessary details of that provider;

(b)	switch to an on-premises_ICT_infrastructure;

(c)	erase its exportable data and digital_assets.

4. Where the mandatory maximum transitional period as provided for in paragraph 2, point (a) is technically unfeasible, the provider of data processing services shall notify the customer within 14 working days of the making of the switching request, and shall duly justify the technical unfeasibility and indicate an alternative transitional period, which shall not exceed seven months. In accordance with paragraph 1, service continuity shall be ensured throughout the alternative transitional period.

5. Without prejudice to paragraph 4, the contract referred to in paragraph 1 shall include clauses providing the customer with the right to extend the transitional period once for a period that the customer considers more appropriate for its own purposes.

Article 31

Specific regime for certain data processing services

1. The obligations laid down in Article 23, point (d), Article 29 and Article 30(1) and (3) shall not apply to data processing services of which the majority of main features has been custom-built to accommodate the specific needs of an individual customer or where all components have been developed for the purposes of an individual customer, and where those data processing services are not offered at broad commercial scale via the service catalogue of the provider of data processing services.

2. The obligations laid down in this Chapter shall not apply to data processing services provided as a non-production version for testing and evaluation purposes and for a limited period of time.

3. Prior to the conclusion of a contract on the provision of the data processing services referred to in this Article, the provider of data processing services shall inform the prospective customer of the obligations of this Chapter that do not apply.

CHAPTER VII

UNLAWFUL INTERNATIONAL GOVERNMENTAL ACCESS AND TRANSFER OF NON-PERSONAL DATA

Article 37

Competent authorities and data coordinators

1. Each Member State shall designate one or more competent authorities to be responsible for the application and enforcement of this Regulation (competent authorities). Member States may establish one or more new authorities or rely on existing authorities.

2. Where a Member State designates more than one competent authority, it shall designate a data coordinator from among them to facilitate cooperation between the competent authorities and to assist entities within the scope of this Regulation on all matters related to its application and enforcement. Competent authorities shall, in the exercise of the tasks and powers assigned to them under paragraph 5, cooperate with each other.

3. The supervisory authorities responsible for monitoring the application of Regulation (EU) 2016/679 shall be responsible for monitoring the application of this Regulation insofar as the protection of personal data is concerned. Chapters VI and VII of Regulation (EU) 2016/679 shall apply mutatis mutandis.

The European Data Protection Supervisor shall be responsible for monitoring the application of this Regulation insofar as it concerns the Commission, the European Central Bank or Union_bodies. Where relevant, Article 62 of Regulation (EU) 2018/1725 shall apply mutatis mutandis.

The tasks and powers of the supervisory authorities referred to in this paragraph shall be exercised with regard to the processing of personal data.

4. Without prejudice to paragraph 1 of this Article:

(a)	for specific sectoral data access and use issues related to the application of this Regulation, the competence of sectoral authorities shall be respected;

(b)	the competent authority responsible for the application and enforcement of Articles 23 to 31 and Articles 34 and 35 shall have experience in the field of data and electronic communications services.

5. Member States shall ensure that the tasks and powers of the competent authorities are clearly defined and include:

(a)	promoting data literacy and awareness among users and entities falling within the scope of this Regulation of the rights and obligations under this Regulation;

(b)

handling complaints arising from alleged infringements of this Regulation, including in relation to trade_secrets, and investigating, to the extent appropriate, the subject matter of complaints and regularly informing complainants, where relevant in accordance with national law, of the progress and the outcome of the investigation within a reasonable period, in particular if further investigation or coordination with another competent authority is necessary;

(c)	conducting investigations into matters that concern the application of this Regulation, including on the basis of information received from another competent authority or other public authority;

(d)	imposing effective, proportionate and dissuasive financial penalties which may include periodic penalties and penalties with retroactive effect, or initiating legal proceedings for the imposition of fines;

(e)	monitoring technological and relevant commercial developments of relevance for the making available and use of data;

(f)

cooperating with competent authorities of other Member States and, where relevant, with the Commission or the EDIB, to ensure the consistent and efficient application of this Regulation, including the exchange of all relevant information by electronic means, without undue delay, including regarding paragraph 10 of this Article;

(g)

cooperating with the relevant competent authorities responsible for the implementation of other Union or national legal acts, including with authorities competent in the field of data and electronic communication services, with the supervisory authority responsible for monitoring the application of Regulation (EU) 2016/679 or with sectoral authorities to ensure that this Regulation is enforced consistently with other Union and national law;

(h)	cooperating with the relevant competent authorities to ensure that Articles 23 to 31 and Articles 34 and 35 are enforced consistently with other Union law and self-regulation applicable to providers of data processing services;

(i)	ensuring that switching charges are withdrawn in accordance with Article 29;

(j)	examining the requests for data made pursuant to Chapter V.

Where designated, the data coordinator shall facilitate the cooperation referred to in points (f), (g) and (h) of the first subparagraph and shall assist the competent authorities upon their request.

6. The data coordinator, where such competent authority has been designated, shall:

(a)	act as the single point of contact for all issues related to the application of this Regulation;

(b)	ensure the online public availability of requests to make data available made by public sector bodies in the case of exceptional need under Chapter V and promote voluntary data sharing agreements between public sector bodies and data holders;

(c)	inform the Commission, on an annual basis, of the refusals notified under Article 4(2) and (8) and Article 5(11).

7. Member States shall notify the Commission of the names of the competent authorities and of their tasks and powers and, where applicable, the name of the data coordinator. The Commission shall maintain a public register of those authorities.

8. When carrying out their tasks and exercising their powers in accordance with this Regulation, competent authorities shall remain impartial and free from any external influence, whether direct or indirect, and shall neither seek nor take instructions for individual cases from any other public authority or any private party.

9. Member States shall ensure that the competent authorities are provided with sufficient human and technical resources and relevant expertise to effectively carry out their tasks in accordance with this Regulation.

10. Entities falling within the scope of this Regulation shall be subject to the competence of the Member State where the entity is established. Where the entity is established in more than one Member State, it shall be considered to be under the competence of the Member State in which it has its main establishment, that is, where the entity has its head office or registered office from which the principal financial functions and operational control are exercised.

11. Any entity falling within the scope of this Regulation that makes connected_products available or offers services in the Union, and which is not established in the Union, shall designate a legal representative in one of the Member States.

12. For the purpose of ensuring compliance with this Regulation, a legal representative shall be mandated by an entity falling within the scope of this Regulation that makes connected_products available or offers services in the Union to be addressed in addition to or instead of it by competent authorities with regard to all issues related to that entity. That legal representative shall cooperate with and comprehensively demonstrate to the competent authorities, upon request, the actions taken and provisions put in place by the entity falling within the scope of this Regulation that makes connected_products available or offers services in the Union to ensure compliance with this Regulation.

13. An entity falling within the scope of this Regulation that makes connected_products available or offers services in the Union, shall be considered to be under the competence of the Member State in which its legal representative is located. The designation of a legal representative by such an entity shall be without prejudice to the liability of, and any legal action that could be initiated against, such an entity. Until such time as an entity designates a legal representative in accordance with this Article, it shall be under the competence of all Member States, where applicable, for the purposes of ensuring the application and enforcement of this Regulation. Any competent authority may exercise its competence, including by imposing effective, proportionate and dissuasive penalties, provided that the entity is not subject to enforcement proceedings under this Regulation regarding the same facts by another competent authority.

14. Competent authorities shall have the power to request from users, data holders, or data recipients, or their legal representatives, falling under the competence of their Member State all information necessary to verify compliance with this Regulation. Any request for information shall be proportionate to the performance of the underlying task and shall be reasoned.

15. Where a competent authority in one Member State requests assistance or enforcement measures from a competent authority in another Member State, it shall submit a reasoned request. A competent authority shall, upon receiving such a request, provide a response, detailing the actions that have been taken or which are intended to be taken, without undue delay.

16. Competent authorities shall respect the principles of confidentiality and of professional and commercial secrecy and shall protect personal data in accordance with Union or national law. Any information exchanged in the context of a request for assistance and provided pursuant to this Article shall be used only in respect of the matter for which it was requested.

Article 43

Databases containing certain data

The sui generis right provided for in Article 7 of Directive 96/9/EC shall not apply when data is obtained from or generated by a connected_product or related_service falling within the scope of this Regulation, in particular in relation to Articles 4 and 5 thereof.

CHAPTER XI

FINAL provisionS

whereas

keyboard_tab Data Act 2023/2854 EN

Data Act 2023/2854 EN