keyboard_tab Data Act 2023/2854 EN
BG CS DA DE EL EN ES ET FI FR GA HR HU IT LV LT MT NL PL PT RO SK SL SV print pdf
- 4 Article 4 The rights and obligations of users and data holders with regard to access, use and making available product data and related service data
- 4 Article 5 Right of the user to share data with third parties
- 1 Article 8 Conditions under which data holders make data available to data recipients
- 1 Article 11 Technical protection measures on the unauthorised use or disclosure of data
- 4 Article 17 Requests for data to be made available
- 3 Article 18 Compliance with requests for data
- 1 Article 19 Obligations of public sector bodies, the Commission, the European Central Bank and Union bodies
- 1 Article 21 Sharing of data obtained in the context of an exceptional need with research organisations or statistical bodies
- 1 Article 22 Mutual assistance and cross-border cooperation
- 1 Article 25 Contractual terms concerning switching
- 2 Article 37 Competent authorities and data coordinators
- 1 Article 38 Right to lodge a complaint
CHAPTER I
GENERAL PROVISIONS
CHAPTER II
BUSINESS TO CONSUMER AND BUSINESS TO BUSINESS DATA SHARING
CHAPTER III
OBLIGATIONS FOR DATA HOLDERS OBLIGED TO MAKE DATA AVAILABLE PURSUANT TO UNION LAW
CHAPTER IV
UNFAIR CONTRACTUAL TERMS RELATED TO DATA ACCESS AND USE BETWEEN ENTERPRISES
CHAPTER V
MAKING DATA AVAILABLE TO PUBLIC SECTOR BODIES, THE COMMISSION, THE EUROPEAN CENTRAL BANK AND UNION BODIES ON THE BASIS OF AN EXCEPTIONAL NEED
CHAPTER VI
SWITCHING BETWEEN DATA PROCESSING SERVICES
CHAPTER VII
UNLAWFUL INTERNATIONAL GOVERNMENTAL ACCESS AND TRANSFER OF NON-PERSONAL DATA
CHAPTER VIII
INTEROPERABILITY
CHAPTER IX
IMPLEMENTATION AND ENFORCEMENT
CHAPTER X
SUI GENERIS RIGHT UNDER DIRECTIVE 96/9/EC
CHAPTER XI
FINAL PROVISIONS
- data
- metadata
- personal data
- non-personal data
- connected product
- related service
- processing
- data processing service
- same service type
- data intermediation service
- data subject
- user
- data holder
- data recipient
- product data
- related service data
- readily available data
- trade secret
- trade secret holder
- profiling
- making available on the market
- placing on the market
- consumer
- enterprise
- small enterprise
- microenterprise
- Union bodies
- public sector body
- public emergency
- customer
- virtual assistants
- digital assets
- on-premises ICT infrastructure
- switching
- data egress charges
- switching charges
- functional equivalence
- exportable data
- smart contract
- interoperability
- common specifications
- harmonised standard
- data 337
- shall 140
- holder 92
- article 72
- request 53
- available 52
- pursuant 47
- user 45
- competent 45
- union 45
- which 45
- third 45
- regulation 43
- paragraph 42
- under 41
- commission 34
- party 34
- authority 33
- relevant 30
- accordance 30
- european 30
- bank 29
- central 29
- technical 29
- such 28
- measures 27
- authorities 27
- necessary 26
- without 26
- services 26
- requested 25
- delay 25
- including 24
- undue 24
- body 24
- member 24
- trade_secrets 24
- public_sector_body 24
- article 22
- make 22
- referred 22
- from 21
- state 21
- processing 20
- point 19
- access 19
- legal 18
- period 18
- national 17
- application 17
Article 4
The rights and obligations of users and data holders with regard to access, use and making available product data and related_service data
1. Where data cannot be directly accessed by the user from the connected_product or related_service, data holders shall make readily available data, as well as the relevant meta data necessary to interpret and use those data, accessible to the user without undue delay, of the same quality as is available to the data holder, easily, securely, free of charge, in a comprehensive, structured, commonly used and machine-readable format and, where relevant and technically feasible, continuously and in real-time. This shall be done on the basis of a simple request through electronic means where technically feasible.
2. Users and data holders may contractually restrict or prohibit accessing, using or further sharing data, if such processing could undermine security requirements of the connected_product, as laid down by Union or national law, resulting in a serious adverse effect on the health, safety or security of natural persons. Sectoral authorities may provide users and data holders with technical expertise in that context. Where the data holder refuses to share data pursuant to this Article, it shall notify the competent authority designated pursuant to Article 37.
3. Without prejudice to the user’s right to seek redress at any stage before a court or tribunal of a Member State, the user may, in relation to any dispute with the data holder concerning the contractual restrictions or prohibitions referred to in paragraph 2:
| (a) | lodge, in accordance with Article 37(5), point (b), a complaint with the competent authority; or |
| (b) | agree with the data holder to refer the matter to a dispute settlement body in accordance with Article 10(1). |
4. Data holders shall not make the exercise of choices or rights under this Article by the user unduly difficult, including by offering choices to the user in a non-neutral manner or by subverting or impairing the autonomy, decision-making or choices of the user via the structure, design, function or manner of operation of a user digital interface or a part thereof.
5. For the purpose of verifying whether a natural or legal person qualifies as a user for the purposes of paragraph 1, a data holder shall not require that person to provide any information beyond what is necessary. Data holders shall not keep any information, in particular log data, on the user’s access to the data requested beyond what is necessary for the sound execution of the user’s access request and for the security and maintenance of the data infrastructure.
6. Trade secrets shall be preserved and shall be disclosed only where the data holder and the user take all necessary measures prior to the disclosure to preserve their confidentiality in particular regarding third parties. The data holder or, where they are not the same person, the trade_secret holder shall identify the data which are protected as trade_secrets, including in the relevant meta data, and shall agree with the user proportionate technical and organisational measures necessary to preserve the confidentiality of the shared data, in particular in relation to third parties, such as model contractual terms, confidentiality agreements, strict access protocols, technical standards and the application of codes of conduct.
7. Where there is no agreement on the necessary measures referred to in paragraph 6, or if the user fails to implement the measures agreed pursuant to paragraph 6 or undermines the confidentiality of the trade_secrets, the data holder may withhold or, as the case may be, suspend the sharing of data identified as trade_secrets. The decision of the data holder shall be duly substantiated and provided in writing to the user without undue delay. In such cases, the data holder shall notify the competent authority designated pursuant to Article 37 that it has withheld or suspended data sharing and identify which measures have not been agreed or implemented and, where relevant, which trade_secrets have had their confidentiality undermined.
8. In exceptional circumstances, where the data holder who is a trade_secret holder is able to demonstrate that it is highly likely to suffer serious economic damage from the disclosure of trade_secrets, despite the technical and organisational measures taken by the user pursuant to paragraph 6 of this Article, that data holder may refuse on a case-by-case basis a request for access to the specific data in question. That demonstration shall be duly substantiated on the basis of objective elements, in particular the enforceability of trade_secrets protection in third countries, the nature and level of confidentiality of the data requested, and the uniqueness and novelty of the connected_product, and shall be provided in writing to the user without undue delay. Where the data holder refuses to share data pursuant to this paragraph, it shall notify the competent authority designated pursuant to Article 37.
9. Without prejudice to a user’s right to seek redress at any stage before a court or tribunal of a Member State, a user wishing to challenge a data holder’s decision to refuse or to withhold or suspend data sharing pursuant to paragraphs 7 and 8 may:
| (a) | lodge, in accordance with Article 37(5), point (b), a complaint with the competent authority, which shall, without undue delay, decide whether and under which conditions data sharing is to start or resume; or |
| (b) | agree with the data holder to refer the matter to a dispute settlement body in accordance with Article 10(1). |
10. The user shall not use the data obtained pursuant to a request referred to in paragraph 1 to develop a connected_product that competes with the connected_product from which the data originate, nor share the data with a third party with that intent and shall not use such data to derive insights about the economic situation, assets and production methods of the manufacturer or, where applicable the data holder.
11. The user shall not use coercive means or abuse gaps in the technical infrastructure of a data holder which is designed to protect the data in order to obtain access to data.
12. Where the user is not the data subject whose personal data is requested, any personal data generated by the use of a connected_product or related_service shall be made available by the data holder to the user only where there is a valid legal basis for processing under Article 6 of Regulation (EU) 2016/679 and, where relevant, the conditions of Article 9 of that Regulation and of Article 5(3) of Directive 2002/58/EC are fulfilled.
13. A data holder shall only use any readily available data that is non-personal data on the basis of a contract with the user. A data holder shall not use such data to derive insights about the economic situation, assets and production methods of, or the use by, the user in any other manner that could undermine the commercial position of that user on the markets in which the user is active.
14. Data holders shall not make available non-personal product data to third parties for commercial or non-commercial purposes other than the fulfilment of their contract with the user. Where relevant, data holders shall contractually bind third parties not to further share data received from them.
Article 5
Right of the user to share data with third parties
1. Upon request by a user, or by a party acting on behalf of a user, the data holder shall make available readily available data, as well as the relevant meta data necessary to interpret and use those data, to a third party without undue delay, of the same quality as is available to the data holder, easily, securely, free of charge to the user, in a comprehensive, structured, commonly used and machine-readable format and, where relevant and technically feasible, continuously and in real-time. The data shall be made available by the data holder to the third party in accordance with Articles 8 and 9.
2. Paragraph 1 shall not apply to readily available data in the context of the testing of new connected_products, substances or processes that are not yet placed on the market unless their use by a third party is contractually permitted.
3. Any undertaking designated as a gatekeeper, pursuant to Article 3 of Regulation (EU) 2022/1925, shall not be an eligible third party under this Article and therefore shall not:
| (a) | solicit or commercially incentivise a user in any manner, including by providing monetary or any other compensation, to make data available to one of its services that the user has obtained pursuant to a request under Article 4(1); |
| (b) | solicit or commercially incentivise a user to request the data holder to make data available to one of its services pursuant to paragraph 1 of this Article; |
| (c) | receive data from a user that the user has obtained pursuant to a request under Article 4(1). |
4. For the purpose of verifying whether a natural or legal person qualifies as a user or as a third party for the purposes of paragraph 1, the user or the third party shall not be required to provide any information beyond what is necessary. Data holders shall not keep any information on the third party’s access to the data requested beyond what is necessary for the sound execution of the third party’s access request and for the security and maintenance of the data infrastructure.
5. The third party shall not use coercive means or abuse gaps in the technical infrastructure of a data holder which is designed to protect the data in order to obtain access to data.
6. A data holder shall not use any readily available data to derive insights about the economic situation, assets and production methods of, or the use by, the third party in any other manner that could undermine the commercial position of the third party on the markets in which the third party is active, unless the third party has given permission to such use and has the technical possibility to easily withdraw that permission at any time.
7. Where the user is not the data subject whose personal data is requested, any personal data generated by the use of a connected_product or related_service shall be made available by the data holder to the third party only where there is a valid legal basis for processing under Article 6 of Regulation (EU) 2016/679 and, where relevant, the conditions of Article 9 of that Regulation and of Article 5(3) of Directive 2002/58/EC are fulfilled.
8. Any failure on the part of the data holder and the third party to agree on arrangements for transmitting the data shall not hinder, prevent or interfere with the exercise of the rights of the data subject under Regulation (EU) 2016/679 and, in particular, with the right to data portability under Article 20 of that Regulation.
9. Trade secrets shall be preserved and shall be disclosed to third parties only to the extent that such disclosure is strictly necessary to fulfil the purpose agreed between the user and the third party. The data holder or, where they are not the same person, the trade_secret holder shall identify the data which are protected as trade_secrets, including in the relevant meta data, and shall agree with the third party all proportionate technical and organisational measures necessary to preserve the confidentiality of the shared data, such as model contractual terms, confidentiality agreements, strict access protocols, technical standards and the application of codes of conduct.
10. Where there is no agreement on the necessary measures referred to in paragraph 9 of this Article or if the third party fails to implement the measures agreed pursuant to paragraph 9 of this Article or undermines the confidentiality of the trade_secrets, the data holder may withhold or, as the case may be, suspend the sharing of data identified as trade_secrets. The decision of the data holder shall be duly substantiated and provided in writing to the third party without undue delay. In such cases, the data holder shall notify the competent authority designated pursuant to Article 37 that it has withheld or suspended data sharing and identify which measures have not been agreed or implemented and, where relevant, which trade_secrets have had their confidentiality undermined.
11. In exceptional circumstances, where the data holder who is a trade_secret holder is able to demonstrate that it is highly likely to suffer serious economic damage from the disclosure of trade_secrets, despite the technical and organisational measures taken by the third party pursuant to paragraph 9 of this Article, that data holder may refuse on a case-by-case basis a request for access to the specific data in question. That demonstration shall be duly substantiated on the basis of objective elements, in particular the enforceability of trade_secrets protection in third countries, the nature and level of confidentiality of the data requested, and the uniqueness and novelty of the connected_product, and shall be provided in writing to the third party without undue delay. Where the data holder refuses to share data pursuant to this paragraph, it shall notify the competent authority designated pursuant to Article 37.
12. Without prejudice to the third party’s right to seek redress at any stage before a court or tribunal of a Member State, a third party wishing to challenge a data holder’s decision to refuse or to withhold or suspend data sharing pursuant to paragraphs 10 and 11 may:
| (a) | lodge, in accordance with Article 37(5), point (b), a complaint with the competent authority, which shall, without undue delay, decide whether and under which conditions the data sharing is to start or resume; or |
| (b) | agree with the data holder to refer the matter to a dispute settlement body in accordance with Article 10(1). |
13. The right referred to in paragraph 1 shall not adversely affect the rights of data subjects pursuant to the applicable Union and national law on the protection of personal data.
Article 8
Conditions under which data holders make data available to data recipients
1. Where, in business-to-business relations, a data holder is obliged to make data available to a data recipient under Article 5 or under other applicable Union law or national legislation adopted in accordance with Union law, it shall agree with a data recipient the arrangements for making the data available and shall do so under fair, reasonable and non-discriminatory terms and conditions and in a transparent manner in accordance with this Chapter and Chapter IV.
2. A contractual term concerning access to and the use of data, or liability and remedies for the breach or termination of data-related obligations, shall not be binding if it constitutes an unfair contractual term within the meaning of Article 13 or if, to the detriment of the user, it excludes the application of, derogates from or varies the effect of the user’s rights under Chapter II.
3. A data holder shall not discriminate regarding the arrangements for making data available between comparable categories of data recipients, including partner enterprises or linked enterprises of the data holder when making data available. Where a data recipient considers that the conditions under which data has been made available to it are discriminatory, the data holder shall without undue delay provide the data recipient, upon its reasoned request, with information showing that there has been no discrimination.
4. A data holder shall not make data available to a data recipient, including on an exclusive basis, unless requested to do so by the user under Chapter II.
5. Data holders and data recipients shall not be required to provide any information beyond what is necessary to verify compliance with the contractual terms agreed for making data available or with their obligations under this Regulation or other applicable Union law or national legislation adopted in accordance with Union law.
6. Unless otherwise provided for in Union law, including Article 4(6) and Article 5(9) of this Regulation, or by national legislation adopted in accordance with Union law, an obligation to make data available to a data recipient shall not oblige the disclosure of trade_secrets.
Article 11
Technical protection measures on the unauthorised use or disclosure of data
1. A data holder may apply appropriate technical protection measures, including smart_contracts and encryption, to prevent unauthorised access to data, including meta data, and to ensure compliance with Articles 4, 5, 6, 8 and 9, as well as with the agreed contractual terms for making data available. Such technical protection measures shall not discriminate between data recipients or hinder a user’s right to obtain a copy of, retrieve, use or access data, to provide data to third parties pursuant to Article 5 or any right of a third party under Union law or national legislation adopted in accordance with Union law. Users, third parties and data recipients shall not alter or remove such technical protection measures unless agreed by the data holder.
2. In the circumstances referred to in paragraph 3, the third party or data recipient shall comply, without undue delay, with the requests of the data holder and, where applicable and where they are not the same person, the trade_secret holder or the user:
| (a) | to erase the data made available by the data holder and any copies thereof; |
| (b) | to end the production, offering or placing_on_the_market or use of goods, derivative data or services produced on the basis of knowledge obtained through such data, or the importation, export or storage of infringing goods for those purposes, and destroy any infringing goods, where there is a serious risk that the unlawful use of those data will cause significant harm to the data holder, the trade_secret holder or the user or where such a measure would not be disproportionate in light of the interests of the data holder, the trade_secret holder or the user; |
| (c) | to inform the user of the unauthorised use or disclosure of the data and of the measures taken to put an end to the unauthorised use or disclosure of the data; |
| (d) | to compensate the party suffering from the misuse or disclosure of such unlawfully accessed or used data. |
3. Paragraph 2 shall apply where a third party or a data recipient has:
| (a) | for the purposes of obtaining data, provided false information to a data holder, deployed deceptive or coercive means or abused gaps in the technical infrastructure of the data holder designed to protect the data; |
| (b) | used the data made available for unauthorised purposes, including the development of a competing connected_product within the meaning of Article 6(2), point (e); |
| (c) | unlawfully disclosed data to another party; |
| (d) | not maintained the technical and organisational measures agreed pursuant to Article 5(9); or |
| (e) | altered or removed technical protection measures applied by the data holder pursuant to paragraph 1 of this Article without the agreement of the data holder. |
4. Paragraph 2 shall also apply where a user alters or removes technical protection measures applied by the data holder or does not maintain the technical and organisational measures taken by the user in agreement with the data holder or, where they are not the same person, the trade_secrets holder, in order to preserve trade_secrets, as well as in respect of any other party that receives the data from the user by means of an infringement of this Regulation.
5. Where the data recipient infringes Article 6(2), point (a) or (b), users shall have the same rights as data holders under paragraph 2 of this Article.
Article 17
Requests for data to be made available
1. When requesting data pursuant to Article 14, a public_sector_body, the Commission, the European Central Bank or a Union body shall:
| (a) | specify the data required, including the relevant meta data necessary to interpret and use those data; |
| (b) | demonstrate that the conditions necessary for the existence of an exceptional need as referred to in Article 15 for the purpose of which the data are requested are met; |
| (c) | explain the purpose of the request, the intended use of the data requested, including, where applicable, by a third party in accordance with paragraph 4 of this Article, the duration of that use, and, where relevant, how the processing of personal data is to address the exceptional need; |
| (d) | specify, if possible, when the data are expected to be erased by all parties that have access to them; |
| (e) | justify the choice of data holder to which the request is addressed; |
| (f) | specify any other public sector bodies or the Commission, European Central Bank or Union_bodies and the third parties with which the data requested is expected to be shared with; |
| (g) | where personal data are requested, specify any technical and organisational measures necessary and proportionate to implement data protection principles and necessary safeguards, such as pseudonymisation, and whether anonymisation can be applied by the data holder before making the data available; |
| (h) | state the legal provision allocating to the requesting public_sector_body, the Commission, the European Central Bank or the Union body the specific task carried out in the public interest relevant for requesting the data; |
| (i) | specify the deadline by which the data are to be made available and the deadline referred to in Article 18(2) by which the data holder may decline or seek modification of the request; |
| (j) | make its best efforts to avoid compliance with the data request resulting in the data holders’ liability for infringement of Union or national law. |
2. A request for data made pursuant to paragraph 1 of this Article shall:
| (a) | be made in writing and expressed in clear, concise and plain language understandable to the data holder; |
| (b) | be specific regarding the type of data requested and correspond to data which the data holder has control over at the time of the request; |
| (c) | be proportionate to the exceptional need and duly justified, regarding the granularity and volume of the data requested and frequency of access of the data requested; |
| (d) | respect the legitimate aims of the data holder, committing to ensuring the protection of trade_secrets in accordance with Article 19(3), and the cost and effort required to make the data available; |
| (e) | concern non-personal data, and only if this is demonstrated to be insufficient to respond to the exceptional need to use data, in accordance with Article 15(1), point (a), request personal data in pseudonymised form and establish the technical and organisational measures that are to be taken to protect the data; |
| (f) | inform the data holder of the penalties that are to be imposed pursuant to Article 40 by the competent authority designated pursuant to Article 37 in the event of non-compliance with the request; |
| (g) | where the request is made by a public_sector_body, be transmitted to the data coordinator referred to in Article 37 of the Member State where the requesting public_sector_body is established, who shall make the request publicly available online without undue delay unless the data coordinator considers that such publication would create a risk for public security; |
| (h) | where the request is made by the Commission, the European Central Bank or a Union body, be made available online without undue delay; |
| (i) | where personal data are requested, be notified without undue delay to the supervisory authority responsible for monitoring the application of Regulation (EU) 2016/679 in the Member State where the public_sector_body is established. |
The European Central Bank and Union_bodies shall inform the Commission of their requests.
3. A public_sector_body, the Commission, the European Central Bank or a Union body shall not make data obtained pursuant to this Chapter available for reuse as defined in Article 2, point (2), of Regulation (EU) 2022/868 or Article 2, point (11), of Directive (EU) 2019/1024. Regulation (EU) 2022/868 and Directive (EU) 2019/1024 shall not apply to the data held by public sector bodies obtained pursuant to this Chapter.
4. Paragraph 3 of this Article does not preclude a public_sector_body, the Commission, the European Central Bank or a Union body to exchange data obtained pursuant to this Chapter with another public_sector_body or the Commission, the European Central Bank or a Union body in view of completing the tasks referred to in Article 15, as specified in the request in accordance with paragraph 1, point (f), of this Article or to make the data available to a third party where it has delegated, by means of a publicly available agreement, technical inspections or other functions to that third party. The obligations on public sector bodies pursuant to Article 19, in particular safeguards to preserve the confidentiality of trade_secrets, shall apply also to such third parties. Where a public_sector_body, the Commission, the European Central Bank or a Union body transmits or makes data available under this paragraph, it shall notify the data holder from whom the data was received without undue delay.
5. Where the data holder considers that its rights under this Chapter have been infringed by the transmission or making available of data, it may lodge a complaint with the competent authority designated pursuant to Article 37 of the Member State where the data holder is established.
6. The Commission shall develop a model template for requests pursuant to this Article.
Article 18
Compliance with requests for data
1. A data holder receiving a request to make data available under this Chapter shall make the data available to the requesting public_sector_body, the Commission, the European Central Bank or a Union body without undue delay, taking into account necessary technical, organisational and legal measures.
2. Without prejudice to specific needs regarding the availability of data defined in Union or national law, a data holder may decline or seek the modification of a request to make data available under this Chapter without undue delay and, in any event, no later than five working days after the receipt of a request for the data necessary to respond to a public_emergency and without undue delay and, in any event, no later than 30 working days after the receipt of such a request in other cases of an exceptional need, on any of the following grounds:
| (a) | the data holder does not have control over the data requested; |
| (b) | a similar request for the same purpose has been previously submitted by another public_sector_body or the Commission, the European Central Bank or a Union body and the data holder has not been notified of the erasure of the data pursuant to Article 19(1), point (c); |
| (c) | the request does not meet the conditions laid down in Article 17(1) and (2). |
3. If the data holder decides to decline the request or to seek its modification in accordance with paragraph 2, point (b), it shall indicate the identity of the public_sector_body or the Commission, the European Central Bank or the Union body that previously submitted a request for the same purpose.
4. Where the data requested includes personal data, the data holder shall properly anonymise the data, unless the compliance with the request to make data available to a public_sector_body, the Commission, the European Central Bank or a Union body requires the disclosure of personal data. In such cases, the data holder shall pseudonymise the data.
5. Where the public_sector_body, the Commission, the European Central Bank or the Union body wishes to challenge a data holder’s refusal to provide the data requested, or where the data holder wishes to challenge the request and the matter cannot be resolved by an appropriate modification of the request, the matter shall be referred to the competent authority designated pursuant to Article 37 of the Member State where the data holder is established.
Article 19
Obligations of public sector bodies, the Commission, the European Central Bank and Union_bodies
1. A public_sector_body, the Commission, the European Central Bank or a Union body receiving data pursuant to a request made under Article 14 shall:
| (a) | not use the data in a manner incompatible with the purpose for which they were requested; |
| (b) | have implemented technical and organisational measures that preserve the confidentiality and integrity of the requested data and the security of the data transfers, in particular personal data, and safeguard the rights and freedoms of data subjects; |
| (c) | erase the data as soon as they are no longer necessary for the stated purpose and inform the data holder and individuals or organisations that received the data pursuant to Article 21(1) without undue delay that the data have been erased, unless archiving of the data is required in accordance with Union or national law on public access to documents in the context of transparency obligations. |
2. A public_sector_body, the Commission, the European Central Bank, a Union body or a third party receiving data under this Chapter shall not:
| (a) | use the data or insights about the economic situation, assets and production or operation methods of the data holder to develop or enhance a connected_product or related_service that competes with the connected_product or related_service of the data holder; |
| (b) | share the data with another third party for any of the purposes referred to in point (a). |
3. Disclosure of trade_secrets to a public_sector_body, the Commission, the European Central Bank or a Union body shall be required only to the extent that it is strictly necessary to achieve the purpose of a request under Article 15. In such a case, the data holder or, where they are not the same person, the trade_secret holder shall identify the data which are protected as trade_secrets, including in the relevant meta data. The public_sector_body, the Commission, the European Central Bank or the Union body shall, prior to the disclosure of trade_secrets, take all necessary and appropriate technical and organisational measures to preserve the confidentiality of the trade_secrets, including, as appropriate, the use of model contractual terms, technical standards and the application of codes of conduct.
4. A public_sector_body, the Commission, the European Central Bank or a Union body shall be responsible for the security of the data it receives.
Article 21
Sharing of data obtained in the context of an exceptional need with research organisations or statistical bodies
1. A public_sector_body, the Commission, the European Central Bank or a Union body shall be entitled to share data received under this Chapter:
| (a) | with individuals or organisations in view of carrying out scientific research or analytics compatible with the purpose for which the data was requested; or |
| (b) | with national statistical institutes and Eurostat for the production of official statistics. |
2. Individuals or organisations receiving the data pursuant to paragraph 1 shall act on a not-for-profit basis or in the context of a public-interest mission recognised in Union or national law. They shall not include organisations upon which commercial undertakings have a significant influence which is likely to result in preferential access to the results of the research.
3. Individuals or organisations receiving the data pursuant to paragraph 1 of this Article shall comply with the same obligations that are applicable to the public sector bodies, the Commission, the European Central Bank or Union_bodies pursuant to Article 17(3) and Article 19.
4. Notwithstanding Article 19(1), point (c), individuals or organisations receiving the data pursuant to paragraph 1 of this Article may keep the data received for the purpose for which the data was requested for up to six months following erasure of the data by the public sector bodies, the Commission, the European Central Bank and Union_bodies.
5. Where a public_sector_body, the Commission, the European Central Bank or a Union body intends to transmit or make data available under paragraph 1 of this Article, it shall notify without undue delay the data holder from whom the data was received, stating the identity and contact details of the organisation or the individual receiving the data, the purpose of the transmission or making available of the data, the period for which the data is to be used and the technical protection and organisational measures taken, including where personal data or trade_secrets are involved. Where the data holder disagrees with the transmission or making available of data, it may lodge a complaint with the competent authority designated pursuant to Article 37 of the Member State where the data holder is established.
Article 22
Mutual assistance and cross-border cooperation
1. Public sector bodies, the Commission, the European Central Bank and Union_bodies shall cooperate and assist one another, to implement this Chapter in a consistent manner.
2. Any data exchanged in the context of assistance requested and provided pursuant to paragraph 1 shall not be used in a manner incompatible with the purpose for which they were requested.
3. Where a public_sector_body intends to request data from a data holder established in another Member State, it shall first notify the competent authority designated pursuant to Article 37 in that Member State of that intention. This requirement shall also apply to requests by the Commission, the European Central Bank and Union_bodies. The request shall be examined by the competent authority of the Member State where the data holder is established.
4. After having examined the request in light of the requirements laid down in Article 17, the relevant competent authority shall, without undue delay, take one of the following actions:
| (a) | transmit the request to the data holder and, if applicable, advise the requesting public_sector_body, the Commission, the European Central Bank or the Union body of the need, if any, to cooperate with public sector bodies of the Member State in which the data holder is established with the aim of reducing the administrative burden on the data holder in complying with the request; |
| (b) | reject the request on duly substantiated grounds in accordance with this Chapter. |
The requesting public_sector_body, the Commission, the European Central Bank and the Union body shall take into account the advice of and the grounds provided by the relevant competent authority pursuant to the first subparagraph before taking any further action such as resubmitting the request, if applicable.
CHAPTER VI
SWITCHING BETWEEN DATA PROCESSING SERVICES
Article 25
Contractual terms concerning switching
1. The rights of the customer and the obligations of the provider of data processing services in relation to switching between providers of such services or, where applicable, to an on-premises_ICT_infrastructure shall be clearly set out in a written contract. The provider of data processing services shall make that contract available to the customer prior to signing the contract in a way that allows the customer to store and reproduce the contract.
2. Without prejudice to Directive (EU) 2019/770, the contract referred to in paragraph 1 of this Article shall include at least the following:
| (a) | clauses allowing the customer, upon request, to switch to a data processing service offered by a different provider of data processing services or to port all exportable data and digital_assets to an on-premises_ICT_infrastructure, without undue delay and in any event not after the mandatory maximum transitional period of 30 calendar days, to be initiated after the maximum notice period referred to in point (d), during which the service contract remains applicable and during which the provider of data processing services shall:
|
| (b) | an obligation of the provider of data processing services to support the customer’s exit strategy relevant to the contracted services, including by providing all relevant information; |
| (c) | a clause specifying that the contract shall be considered to be terminated and the customer shall be notified of the termination, in one of the following cases:
|
| (d) | a maximum notice period for initiation of the switching process, which shall not exceed two months; |
| (e) | an exhaustive specification of all categories of data and digital_assets that can be ported during the switching process, including, at a minimum, all exportable data; |
| (f) | an exhaustive specification of categories of data specific to the internal functioning of the provider’s data processing service that are to be exempted from the exportable data under point (e) of this paragraph where a risk of breach of trade_secrets of the provider exists, provided that such exemptions do not impede or delay the switching process provided for in Article 23; |
| (g) | a minimum period for data retrieval of at least 30 calendar days, starting after the termination of the transitional period that was agreed between the customer and the provider of data processing services, in accordance with point (a) of this paragraph and paragraph 4; |
| (h) | a clause guaranteeing full erasure of all exportable data and digital_assets generated directly by the customer, or relating to the customer directly, after the expiry of the retrieval period referred to in point (g) or after the expiry of an alternative agreed period at a date later than the date of expiry of the retrieval period referred to in point (g), provided that the switching process has been completed successfully; |
| (i) | switching charges, that may be imposed by providers of data processing services in accordance with Article 29. |
3. The contract referred to in paragraph 1 shall include clauses providing that the customer may notify the provider of data processing services of its decision to perform one or more of the following actions upon termination of the maximum notice period referred to in paragraph 2, point (d):
| (a) | switch to a different provider of data processing services, in which case the customer shall provide the necessary details of that provider; |
| (b) | switch to an on-premises_ICT_infrastructure; |
| (c) | erase its exportable data and digital_assets. |
4. Where the mandatory maximum transitional period as provided for in paragraph 2, point (a) is technically unfeasible, the provider of data processing services shall notify the customer within 14 working days of the making of the switching request, and shall duly justify the technical unfeasibility and indicate an alternative transitional period, which shall not exceed seven months. In accordance with paragraph 1, service continuity shall be ensured throughout the alternative transitional period.
5. Without prejudice to paragraph 4, the contract referred to in paragraph 1 shall include clauses providing the customer with the right to extend the transitional period once for a period that the customer considers more appropriate for its own purposes.
Article 37
Competent authorities and data coordinators
1. Each Member State shall designate one or more competent authorities to be responsible for the application and enforcement of this Regulation (competent authorities). Member States may establish one or more new authorities or rely on existing authorities.
2. Where a Member State designates more than one competent authority, it shall designate a data coordinator from among them to facilitate cooperation between the competent authorities and to assist entities within the scope of this Regulation on all matters related to its application and enforcement. Competent authorities shall, in the exercise of the tasks and powers assigned to them under paragraph 5, cooperate with each other.
3. The supervisory authorities responsible for monitoring the application of Regulation (EU) 2016/679 shall be responsible for monitoring the application of this Regulation insofar as the protection of personal data is concerned. Chapters VI and VII of Regulation (EU) 2016/679 shall apply mutatis mutandis.
The European Data Protection Supervisor shall be responsible for monitoring the application of this Regulation insofar as it concerns the Commission, the European Central Bank or Union_bodies. Where relevant, Article 62 of Regulation (EU) 2018/1725 shall apply mutatis mutandis.
The tasks and powers of the supervisory authorities referred to in this paragraph shall be exercised with regard to the processing of personal data.
4. Without prejudice to paragraph 1 of this Article:
| (a) | for specific sectoral data access and use issues related to the application of this Regulation, the competence of sectoral authorities shall be respected; |
| (b) | the competent authority responsible for the application and enforcement of Articles 23 to 31 and Articles 34 and 35 shall have experience in the field of data and electronic communications services. |
5. Member States shall ensure that the tasks and powers of the competent authorities are clearly defined and include:
| (a) | promoting data literacy and awareness among users and entities falling within the scope of this Regulation of the rights and obligations under this Regulation; |
| (b) | handling complaints arising from alleged infringements of this Regulation, including in relation to trade_secrets, and investigating, to the extent appropriate, the subject matter of complaints and regularly informing complainants, where relevant in accordance with national law, of the progress and the outcome of the investigation within a reasonable period, in particular if further investigation or coordination with another competent authority is necessary; |
| (c) | conducting investigations into matters that concern the application of this Regulation, including on the basis of information received from another competent authority or other public authority; |
| (d) | imposing effective, proportionate and dissuasive financial penalties which may include periodic penalties and penalties with retroactive effect, or initiating legal proceedings for the imposition of fines; |
| (e) | monitoring technological and relevant commercial developments of relevance for the making available and use of data; |
| (f) | cooperating with competent authorities of other Member States and, where relevant, with the Commission or the EDIB, to ensure the consistent and efficient application of this Regulation, including the exchange of all relevant information by electronic means, without undue delay, including regarding paragraph 10 of this Article; |
| (g) | cooperating with the relevant competent authorities responsible for the implementation of other Union or national legal acts, including with authorities competent in the field of data and electronic communication services, with the supervisory authority responsible for monitoring the application of Regulation (EU) 2016/679 or with sectoral authorities to ensure that this Regulation is enforced consistently with other Union and national law; |
| (h) | cooperating with the relevant competent authorities to ensure that Articles 23 to 31 and Articles 34 and 35 are enforced consistently with other Union law and self-regulation applicable to providers of data processing services; |
| (i) | ensuring that switching charges are withdrawn in accordance with Article 29; |
| (j) | examining the requests for data made pursuant to Chapter V. |
Where designated, the data coordinator shall facilitate the cooperation referred to in points (f), (g) and (h) of the first subparagraph and shall assist the competent authorities upon their request.
6. The data coordinator, where such competent authority has been designated, shall:
| (a) | act as the single point of contact for all issues related to the application of this Regulation; |
| (b) | ensure the online public availability of requests to make data available made by public sector bodies in the case of exceptional need under Chapter V and promote voluntary data sharing agreements between public sector bodies and data holders; |
| (c) | inform the Commission, on an annual basis, of the refusals notified under Article 4(2) and (8) and Article 5(11). |
7. Member States shall notify the Commission of the names of the competent authorities and of their tasks and powers and, where applicable, the name of the data coordinator. The Commission shall maintain a public register of those authorities.
8. When carrying out their tasks and exercising their powers in accordance with this Regulation, competent authorities shall remain impartial and free from any external influence, whether direct or indirect, and shall neither seek nor take instructions for individual cases from any other public authority or any private party.
9. Member States shall ensure that the competent authorities are provided with sufficient human and technical resources and relevant expertise to effectively carry out their tasks in accordance with this Regulation.
10. Entities falling within the scope of this Regulation shall be subject to the competence of the Member State where the entity is established. Where the entity is established in more than one Member State, it shall be considered to be under the competence of the Member State in which it has its main establishment, that is, where the entity has its head office or registered office from which the principal financial functions and operational control are exercised.
11. Any entity falling within the scope of this Regulation that makes connected_products available or offers services in the Union, and which is not established in the Union, shall designate a legal representative in one of the Member States.
12. For the purpose of ensuring compliance with this Regulation, a legal representative shall be mandated by an entity falling within the scope of this Regulation that makes connected_products available or offers services in the Union to be addressed in addition to or instead of it by competent authorities with regard to all issues related to that entity. That legal representative shall cooperate with and comprehensively demonstrate to the competent authorities, upon request, the actions taken and provisions put in place by the entity falling within the scope of this Regulation that makes connected_products available or offers services in the Union to ensure compliance with this Regulation.
13. An entity falling within the scope of this Regulation that makes connected_products available or offers services in the Union, shall be considered to be under the competence of the Member State in which its legal representative is located. The designation of a legal representative by such an entity shall be without prejudice to the liability of, and any legal action that could be initiated against, such an entity. Until such time as an entity designates a legal representative in accordance with this Article, it shall be under the competence of all Member States, where applicable, for the purposes of ensuring the application and enforcement of this Regulation. Any competent authority may exercise its competence, including by imposing effective, proportionate and dissuasive penalties, provided that the entity is not subject to enforcement proceedings under this Regulation regarding the same facts by another competent authority.
14. Competent authorities shall have the power to request from users, data holders, or data recipients, or their legal representatives, falling under the competence of their Member State all information necessary to verify compliance with this Regulation. Any request for information shall be proportionate to the performance of the underlying task and shall be reasoned.
15. Where a competent authority in one Member State requests assistance or enforcement measures from a competent authority in another Member State, it shall submit a reasoned request. A competent authority shall, upon receiving such a request, provide a response, detailing the actions that have been taken or which are intended to be taken, without undue delay.
16. Competent authorities shall respect the principles of confidentiality and of professional and commercial secrecy and shall protect personal data in accordance with Union or national law. Any information exchanged in the context of a request for assistance and provided pursuant to this Article shall be used only in respect of the matter for which it was requested.
Article 38
Right to lodge a complaint
1. Without prejudice to any other administrative or judicial remedy, natural and legal persons shall have the right to lodge a complaint, individually or, where relevant, collectively, with the relevant competent authority in the Member State of their habitual residence, place of work or establishment if they consider that their rights under this Regulation have been infringed. The data coordinator shall, upon request, provide all the necessary information to natural and legal persons for the lodging of their complaints with the appropriate competent authority.
2. The competent authority with which the complaint has been lodged shall inform the complainant, in accordance with national law, of the progress of the proceedings and of the decision taken.
3. Competent authorities shall cooperate to handle and resolve complaints effectively and in a timely manner, including by exchanging all relevant information by electronic means, without undue delay. This cooperation shall not affect the cooperation mechanisms provided for by Chapters VI and VII of Regulation (EU) 2016/679 and by Regulation (EU) 2017/2394.
whereas