European Data Governance Act

note

This section reproduces the European Governance Act to make it easier for our readers. This is published by EU Commission on 25-November-2020. The original pdf can be found here.

CHAPTER I: GENERAL PROVISIONS

Article 1: Subject matter and scope

  1. This Regulation lays down:

    a) conditions for the re-use, within the Union, of certain categories of data held by public sector bodies;

    b) a notification and supervisory framework for the provision of data sharing services;

    c) a framework for voluntary registration of entities which collect and process data made available for altruistic purposes.

  2. This Regulation is without prejudice to specific provisions in other Union legal acts regarding access to or re-use of certain categories of data, or requirements related to processing of personal or non-personal data. Where a sector-specific Union legal act requires public sector bodies, providers of data sharing services or registered entities providing data altruism services to comply with specific additional technical, administrative or organisational requirements, including through an authorisation or certification regime, those provisions of that sector-specific Union legal act shall also apply.

Article 2: Definitions

For the purpose of this Regulation, the following definitions apply:

  1. data means any digital representation of acts, facts or information and any compilation of such acts, facts or information, including in the form of sound, visual or audiovisual recording;

  2. re-use means the use by natural or legal persons of data held by public sector bodies, for commercial or non-commercial purposes other than the initial purpose within the public task for which the data were produced, except for the exchange of data between public sector bodies purely in pursuit of their public tasks;

  3. non-personal data means data other than personal data as defined in point (1) of Article 4 of Regulation (EU) 2016/679;

  4. metadata means data collected on any activity of a natural or legal person for the purposes of the provision of a data sharing service, including the date , time and geolocation data, duration of activity, connections to other natural or legal persons established by the person who uses the service;

  5. data holder means a legal person or data subject who, in accordance with applicable Union or national law, has the right to grant access to or to share certain personal or non-personal data under its control;

  6. data user means a natural or legal person who has lawful access to certain personal or non-personal data and is authorised to use that data for commercial or non-commercial purposes;

  7. data sharing means the provision by a data holder of data to a data user for the purpose of joint or individual use of the shared data, based on voluntary agreements, directly or through an intermediary;

  8. access means processing by a data user of data that has been provided by a data holder, in accordance with specific technical, legal, or organisational requirements, without necessarily implying the transmission or downloading of such data;

  9. main establishment of a legal entity means the place of its central administration in the Union;

  10. data altruism means the consent by data subjects to process personal data pertaining to them, or permissions of other data holders to allow the use of their non-personal data without seeking a reward, for purposes of general interest, such as scientific research purposes or improving public services;

  11. public sector body means the State, regional or local authorities, bodies governed by public law or associations formed by one or more such authorities or one or more such bodies governed by public law;

  12. bodies governed by public law means bodies that have the following characteristics:

    a) they are established for the specific purpose of meeting needs in the general interest, and do not have an industrial or commercial character;

    b) they have legal personality;

    c) they are financed, for the most part, by the State, regional or local authorities, or by other bodies governed by public law; or are subject to management supervision by those authorities or bodies; or have an administrative, managerial or supervisory board, more than half of whose members are appointed by the State, regional or local authorities, or by other bodies governed by public law;

  13. public undertaking means any undertaking over which the public sector bodies may exercise directly or indirectly a dominant influence by virtue of their ownership of it, their financial participation therein, or the rules which govern it; for the purpose of this definition, a dominant influence on the part of the public sector bodies shall be presumed in any of the following cases in which those bodies, directly or indirectly:

    a) hold the majority of the undertaking's subscribed capital;

    b) control the majority of the votes attaching to shares issued by the undertaking;

    c) can appoint more than half of the undertaking’s administrative, management or supervisory body;

  14. secure processing environment means the physical or virtual environment and organisational means to provide the opportunity to re-use data in a manner that allows for the operator of the secure processing environment to determine and supervise all data processing actions, including to display, storage, download, export of the data and calculation of derivative data through computational algorithms.

  15. representative means any natural or legal person established in the Union explicitly designated to act on behalf of a provider of data sharing services or an entity that collects data for objectives of general interest made available by natural or legal persons on the basis of data altruism not established in the Union, which may be addressed by a national competent authority instead of the provider of data sharing services or entity with regard to the obligations of that provider of data sharing services or entity set up by this Regulation.

CHAPTER II: RE-USE OF CERTAIN CATEGORIES OF PROTECTED DATA HELD BY PUBLIC SECTOR BODIES

Article 3: Categories of data

  1. This Chapter applies to data held by public sector bodies which are protected on grounds of:

    a) commercial confidentiality ; b) statistical confidentiality; c) protection of intellectual property rights of third parties; d) protection of personal data.

  2. This Chapter does not apply to:

    a) data held by public undertakings;

    b) data held by public service broadcasters and their subsidiaries, and by other bodies or their subsidiaries for the fulfilment of a public service broadcasting remit;

    c) data held by cultural establishments and educational establishments;

    d) data protected for reasons of national security , defence or public security;

    e) data the supply of which is an activity falling outside the scope of the public task of the public sector bodies concerned as defined by law or by other binding rules in the Member State concerned, or, in the absence of such rules, as defined in accordance with common administrative practice in that Member State, provided that the scope of the public tasks is transparent and subject to review.

  3. The provisions of this Chapter do not create any obligation on public sector bodies to allow re-use of data nor do they release public sector bodies from their confidentiality obligations. This Chapter is without prejudice to Union and national law or international agreements to which the Union or Member States are parties on the protection of categories of data provided in paragraph 1. This Chapter is without prejudice to Union and national law on access to documents and to obligations of public sector bodies under Union and national law to allow the re-use of data.

Article 4: Prohibition of exclusive arrangements

  1. Agreements or other practices pertaining to the re-use of data held by public sector bodies containing categories of data referred to in Article 3 (1) which grant exclusive rights or which have as their object or effect to grant such exclusive rights or to restrict the availability of data for re-use by entities other than the parties to such agreements or other practices shall be prohibited.

  2. By way of derogation from paragraph 1, an exclusive right to re-use data referred to in that paragraph may be granted to the extent necessary for the provision of a service or a product in the general interest.

  3. Such exclusive right shall be granted in the context of a relevant service or concession contract in compliance with applicable Union and national public procurement and concession award rules, or, in the case of a contract of a value for which neither Union nor national public procurement and concession award rules are applicable, in compliance with the principles of transparency, equal treatment and non-discrimination on grounds of nationality.

  4. In all cases not covered by paragraph 3 and where the general interest purpose cannot be fulfilled without granting an exclusive right, the principles of transparency, equal treatment and non-discrimination on grounds of nationality shall apply.

  5. The period of exclusivity of the right to re-use data shall not exceed three years. Where a contract is concluded, the duration of the contract awarded shall be as aligned with the period of exclusivity.

  6. The award of an exclusive right pursuant to paragraphs (2) to (5), including the reasons why it is necessary to grant such a right, shall be transparent and be made publicly available online, regardless of a possible publication of an award of a public procurement and concessions contract.

  7. Agreements or other practices falling within the scope of the prohibition in paragraph 1, which do not meet the conditions set out in paragraph 2, and which were concluded before the date of entry into force of this Regulation shall be terminated at the end of the contract and in any event at the latest within three years after the date of entry into force of this Regulation.

Article 5: Conditions for re-use

  1. Public sector bodies which are competent under national law to grant or refuse access for the re-use of one or more of the categories of data referred to in Article 3 (1) shall make publicly available the conditions for allowing such re-use. In that task, they may be assisted by the competent bodies referred to in Article 7 (1).

  2. Conditions for re-use shall be non-discriminatory, proportionate and objectively justified with regard to categories of data and purposes of re-use and the nature of the data for which re-use is allowed. These conditions shall not be used to restrict competition.

  3. Public sector bodies may impose an obligation to re-use only pre-processed data where such pre-processing aims to anonymize or pseudonymise personal data or delete commercially confidential information, including trade secrets.

  4. Public sector bodies may impose obligations

    a) to access and re-use the data within a secure processing environment provided and controlled by the public sector ;

    b) to access and re-use the data within the physical premises in which the secure processing environment is located, if remote access cannot be allowed without jeopardising the rights and interests of third parties.

  5. The public sector bodies shall impose conditions that preserve the integrity of the functioning of the technical systems of the secure processing environment used. The public sector body shall be able to verify any results of processing of data undertaken by the re-user and reserve the right to prohibit the use of results that contain information jeopardising the rights and interests of third parties.

  6. Where the re-use of data cannot be granted in accordance with the obligations laid down in paragraphs 3 to 5 and there is no other legal basis for transmitting the data under Regulation (EU) 2016/679, the public sector body shall support re-users in seeking consent of the data subjects and/or permission from the legal entities whose rights and interests may be affected by such re-use, where it is feasible without disproportionate cost for the public sector. In that task they may be assisted by the competent bodies referred to in Article 7 (1).

  7. Re-use of data shall only be allowed in compliance with intellectual property rights. The right of the maker of a database as provided for in Article 7(1) of Directive 96/9/EC shall not be exercised by public sector bodies in order to prevent the re-use of data or to restrict re-use beyond the limits set by this Regulation.

  8. When data requested is considered confidential, in accordance with Union or national law on commercial confidentiality, the public sector bodies shall ensure that the confidential information is not disclosed as a result of the re-use.

  9. The Commission may adopt implementing acts declaring that the legal, supervisory and enforcement arrangements of a third country:

    a) ensure protection of intellectual property and trade secrets in a way that is essentially equivalent to the protection ensured under Union law;

    b) are being effectively applied and enforced; and

    c) provide effective judicial redress. Those implementing acts shall be adopted in accordance with the advisory procedure referred to in Article 29 (2).

  10. Public sector bodies shall only transmit confidential data or data protected by intellectual property rights to a re-user which intends to transfer the data to a third country other than a country designated in accordance with paragraph 9 if the re-user undertakes:

    a) to comply with the obligations imposed in accordance with paragraphs 7 to 8 even after the data is transferred to the third country; and

    b) to accept the jurisdiction of the courts of the Member State of the public sector body as regards any dispute related to the compliance with the obligation in point a).

  11. Where specific Union acts adopted in accordance with a legislative procedure establish that certain non-personal data categories held by public sector bodies shall be deemed to be highly sensitive for the purposes of this Article, the Commission shall be empowered to adopt delegated acts in accordance with Article 28 supplementing this Regulation by laying down special conditions applicable for transfers to third-countries. The conditions for the transfer to third-countries shall be based on the nature of data categories identified in the Union act and on the grounds for deeming them highly sensitive, non-discriminatory and limited to what is necessary to achieve the public policy objectives identified in the Union law act, such as safety and public health, as well as risks of re-identification of anonymized data for data subjects, in accordance with the Union’s international obligations. They may include terms applicable for the transfer or technical arrangements in this regard, limitations as regards the re-use of data in third-countries or categories of persons which are entitled to transfer such data to third countries or, in exceptional cases, restrictions as regards transfers to third-countries.

  12. The natural or legal person to which the right to re-use non-personal data was granted may transfer the data only to those third-countries for which the requirements in paragraphs 9 to 11 are met.

  13. Where the re-user intends to transfer non-personal data to a third country, the public sector body shall inform the data holder about the transfer of data to that third country.

Article 6: Fees

  1. Public sector bodies which allow re-use of the categories of data referred to in Article 3 (1) may charge fees for allowing the re-use of such data.

  2. Any fees shall be non-discriminatory, proportionate and objectively justified and shall not restrict competition.

  3. Public sector bodies shall ensure that any fees can be paid online through widely available cross-border payment services, without discrimination based on the place of establishment of the payment service provider, the place of issue of the payment instrument or the location of the payment account within the Union.

  4. Where they apply fees, public sector bodies shall take measures to incentivise the re-use of the categories of data referred to in Article 3 (1) for non-commercial purposes and by small and medium-sized enterprises in line with State aid rules.

  5. Fees shall be derived from the costs related to the processing of requests for re-use of the categories of data referred to in Article 3 (1). The methodology for calculating fees shall be published in advance.

  6. The public sector body shall publish a description of the main categories of costs and the rules used for the allocation of costs.

Article 7: Competent bodies

  1. Member States shall designate one or more competent bodies, which may be sectoral, to support the public sector bodies which grant access to the re-use of the categories of data referred to in Article 3 (1) in the exercise of that task.

  2. The support provided for in paragraph 1 shall include, where necessary:

    a) providing technical support by making available a secure processing environment for providing access for the re-use of data;

    b) providing technical support in the application of tested techniques ensuring data processing in a manner that preserves privacy of the information contained in the data for which re-use is allowed, including techniques for pseudonymisation, anonymisation, generalisation, suppression and randomisation of personal data;

    c) assisting the public sector bodies, where relevant, in obtaining consent or permission by re-users for re-use for altruistic and other purposes in line with specific decisions of data holders, including on the jurisdiction or jurisdictions in which the data processing is intended to take place;

    d) providing public sector bodies with assistance on the adequacy of undertakings made by a re-user, pursuant to Article 5 (10).

  3. The competent bodies may also be entrusted, pursuant Union or national law which provides for such access to be given, to grant access for the re-use of the categories of data referred to in Article 3 (1). While performing their function to grant or refuse access for re-use, Articles 4, 5, 6 and 8 (3) shall apply in regard to such competent bodies.

  4. The competent body or bodies shall have adequate legal and technical capacities and expertise to be able to comply with relevant Union or national law concerning the access regimes for the categories of data referred to in Article 3 (1).

  5. The Member States shall communicate to the Commission the identity of the competent bodies designated pursuant to paragraph 1 by [date of application of this Regulation]. They shall also communicate to the Commission any subsequent modification of the identity of those bodies.

Article 8: Single information point

  1. Member States shall ensure that all relevant information concerning the application of Articles 5 and 6 is available through a single information point.

  2. The single information point shall receive requests for the re-use of the categories of data referred to in Article 3 (1) and shall transmit them to the competent public sector bodies, or the competent bodies referred to in Article 7 (1), where relevant. The single information point shall make available by electronic means a register of available data resources containing relevant information describing the nature of available data.

  3. Requests for the re-use of the categories of data referred to in Article 3 (1) shall be granted or refused by the competent public sector bodies or the competent bodies referred to in Article 7 (1) within a reasonable time, and in any case within two months from the date of the request.

  4. Any natural or legal person affected by a decision of a public sector body or of a competent body, as the case may be, shall have the right to an effective judicial remedy against such decision before the courts of the Member State where the relevant body is located.

CHAPTER III: REQUIREMENTS APPLICABLE TO DATA SHARING SERVICES

Article 9: Providers of data sharing services

  1. The provision of the following data sharing services shall be subject to a notification procedure:

    a) intermediation services between data holders which are legal persons and potential data users, including making available the technical or other means to enable such services; those services may include bilateral or multilateral exchanges of data or the creation of platforms or databases enabling the exchange or joint exploitation of data, as well as the establishment of a specific infrastructure for the interconnection of data holders and data users;

    b) intermediation services between data subjects that seek to make their personal data available and potential data users, including making available the technical or other means to enable such services, in the exercise of the rights provided in Regulation (EU) 2016/679;

    c) services of data cooperatives, that is to say services supporting data subjects or one-person companies or micro, small and medium-sized enterprises, who are members of the cooperative or who confer the power to the cooperative to negotiate terms and conditions for data processing before they consent, in making informed choices before consenting to data processing, and allowing for mechanisms to exchange views on data processing purposes and conditions that would best represent the interests of data subjects or legal persons.

  2. This Chapter shall be without prejudice to the application of other Union and national law to providers of data sharing services, including powers of supervisory authorities to ensure compliance with applicable law, in particular as regard the protection of personal data and competition law.

Article 10: Notification of data sharing service providers

  1. Any provider of data sharing services who intends to provide the services referred to in Article 9 (1) shall submit a notification to the competent authority referred to in Article 12.

  2. For the purposes of this Regulation, a provider of data sharing services with establishments in more than one Member State, shall be deemed to be under the jurisdiction of the Member State in which it has its main establishment.

  3. A provider of data sharing services that is not established in the Union, but offers the services referred to in Article 9 (1) within the Union, shall appoint a legal representative in one of the Member States in which those services are offered. The provider shall be deemed to be under the jurisdiction of the Member State in which the legal representative is established.

  4. Upon notification, the provider of data sharing services may start the activity subject to the conditions laid down in this Chapter.

  5. The notification shall entitle the provider to provide data sharing services in all Member States.

  6. The notification shall include the following information:

    a) the name of the provider of data sharing services;

    b) the provider’s legal status, form and registration number, where the provider is registered in trade or in another similar public register;

    c) the address of the provider’s main establishment in the Union, if any, and, where applicable, any secondary branch in another Member State or that of the legal representative designated pursuant to paragraph 3;

    d) a website where information on the provider and the activities can be found, where applicable;

    e) the provider’s contact persons and contact details;

    f) a description of the service the provider intends to provide;

    g) the estimated date for starting the activity;

    h) the Member States where the provider intends to provide services.

  7. At the request of the provider, the competent authority shall, within one week, issue a standardised declaration, confirming that the provider has submitted the notification referred to in paragraph 4.

  8. The competent authority shall forward each notification to the national competent authorities of the Member States by electronic means, without delay.

  9. The competent authority shall notify the Commission of each new notification. The Commission shall keep a register of providers of data sharing services.

  10. The competent authority may charge fees. Such fees shall be proportionate and objective and be based on the administrative costs related to the monitoring of compliance and other market control activities of the competent authorities in relation to notifications of data sharing services.

  11. Where a provider of data sharing services ceases its activities, it shall notify the relevant competent authority determined pursuant to paragraphs 1, 2 and 3 within 15 days. The competent authority shall forward without delay each such notification to the national competent authorities in the Member States and to the Commission by electronic means.

Article 11: Conditions for providing data sharing services

The provision of data sharing services referred in Article 9 (1) shall be subject to the following conditions:

  1. the provider may not use the data for which it provides services for other purposes than to put them at the disposal of data users and data sharing services shall be placed in a separate legal entity;

  2. the metadata collected from the provision of the data sharing service may be used only for the development of that service;

  3. the provider shall ensure that the procedure for access to its service is fair, transparent and non-discriminatory for both data holders and data users, including as regards prices;

  4. the provider shall facilitate the exchange of the data in the format in which it receives it from the data holder and shall convert the data into specific formats only to enhance interoperability within and across sectors or if requested by the data user or where mandated by Union law or to ensure harmonisation with international or European data standards;

  5. the provider shall have procedures in place to prevent fraudulent or abusive practices in relation to access to data from parties seeking access through their services;

  6. the provider shall ensure a reasonable continuity of provision of its services and, in the case of services which ensure storage of data, shall have sufficient guarantees in place that allow data holders and data users to obtain access to their data in case of insolvency;

  7. the provider shall put in place adequate technical, legal and organisational measures in order to prevent transfer or access to non-personal data that is unlawful under Union law;

  8. the provider shall take measures to ensure a high level of security for the storage and transmission of non-personal data;

  9. the provider shall have procedures in place to ensure compliance with the Union and national rules on competition;

  10. the provider offering services to data subjects shall act in the data subjects’ best interest when facilitating the exercise of their rights, in particular by advising data subjects on potential data uses and standard terms and conditions attached to such uses;

  11. where a provider provides tools for obtaining consent from data subjects or permissions to process data made available by legal persons, it shall specify the jurisdiction or jurisdictions in which the data use is intended to take place.

Article 12: Competent authorities

  1. Each Member State shall designate in its territory one or more authorities competent to carry out the tasks related to the notification framework and shall communicate to the Commission the identity of those designated authorities by [date of application of this Regulation]. It shall also communicate to the Commission any subsequent modification.

  2. The designated competent authorities shall comply with Article 23.

  3. The designated competent authorities, the data protection authorities, the national competition authorities, the authorities in charge of cybersecurity, and other relevant sectorial authorities shall exchange the information which is necessary for the exercise of their tasks in relation to data sharing providers.

Article 13: Monitoring of compliance

  1. The competent authority shall monitor and supervise compliance with this Chapter

  2. The competent authority shall have the power to request from providers of data sharing services all the information that is necessary to verify compliance with the requirements laid down in Articles 10 and 11. Any request for information shall be proportionate to the performance of the task and shall be reasoned.

  3. Where the competent authority finds that a provider of data sharing services does not comply with one or more of the requirements laid down in Article 10 or 11, it shall notify that provider of those findings and give it the opportunity to state its views, within a reasonable time limit.

  4. The competent authority shall have the power to require the cessation of the breach referred to in paragraph 3 either immediately or within a reasonable time limit and shall take appropriate and proportionate measures aimed at ensuring compliance. In this regard, the competent authorities shall be able, where appropriate:

    a) to impose dissuasive financial penalties which may include periodic penalties with retroactive effect;

    b) to require cessation or postponement of the provision of the data sharing service.

  5. The competent authorities shall communicate the measures imposed pursuant to paragraph 4 and the reasons on which they are based to the entity concerned without delay and shall stipulate a reasonable period for the entity to comply with the measures.

  6. If a provider of data sharing services has its main establishment or legal representative in a Member State, but provides services in other Member States, the competent authority of the Member State of the main establishment or where the legal representative is located and the competent authorities of those other Member States shall cooperate and assist each other. Such assistance and cooperation may cover information exchanges between the competent authorities concerned and requests to take the measures referred to in this Article.

Article 14: Exceptions

This Chapter shall not apply to not-for-profit entities whose activities consist only in seeking to collect data for objectives of general interest, made available by natural or legal persons on the basis of data altruism.

CHAPTER IV: DATA ALTRUISM

Article 15: Register of recognised data altruism organisations

  1. Each competent authority designated pursuant to Article 20 shall keep a register of recognised data altruism organisations.

  2. The Commission shall maintain a Union register of recognised data altruism organisations.

  3. An entity registered in the register in accordance with Article 16 may refer to itself as a ‚Äėdata altruism organisation recognised in the Union‚Äô in its written and spoken communication.

Article 16: General requirements for registration

In order to qualify for registration, the data altruism organisation shall:

a) be a legal entity constituted to meet objectives of general interest;

b) operate on a not-for-profit basis and be independent from any entity that operates on a for-profit basis;

c) perform the activities related to data altruism take place through a legally independent structure, separate from other activities it has undertaken.

Article 17: Registration

  1. Any entity which meets the requirements of Article 16 may request to be entered in the register of recognised data altruism organisations referred to in Article 15 (1).

  2. For the purposes of this Regulation, an entity engaged in activities based on data altruism with establishments in more than one Member State, shall register in the Member State in which it has its main establishment.

  3. An entity that is not established in the Union, but meets the requirements in Article 16, shall appoint a legal representative in one of the Member States where it intends to collect data based on data altruism. For the purpose of compliance with this Regulation, that entity shall be deemed to be under the jurisdiction of the Member State where the legal representative is located.

  4. Applications for registration shall contain the following information:

    a) name of the entity;

    b) the entity’s legal status, form and registration number, where the entity is registered in a public register;

    c) the statutes of the entity, where appropriate;

    d) the entity’s main sources of income;

    e) the address of the entity’s main establishment in the Union, if any, and, where applicable, any secondary branch in another Member State or that of the legal representative designated pursuant to paragraph (3);

    f) a website where information on the entity and the activities can be found;

    g) the entity’s contact persons and contact details;

    h) the purposes of general interest it intends to promote when collecting data;

    i) any other documents which demonstrate that the requirements of Article 16 are met.

  5. Where the entity has submitted all necessary information pursuant to paragraph 4 and the competent authority considers that the entity complies with the requirements of Article 16, it shall register the entity in the register of recognised data altruism organisations within twelve weeks from the date of application. The registration shall be valid in all Member States. Any registration shall be communicated to the Commission, for inclusion in the Union register of recognised data altruism organisations.

  6. The information referred to in paragraph 4, points (a), (b), (f), (g), and (h) shall be published in the national register of recognised data altruism organisations.

  7. Any entity entered in the register of recognised data altruism organisations shall submit any changes of the information provided pursuant to paragraph 4 to the competent authority within 14 calendar days from the day on which the change takes place.

Article 18: Transparency requirements

  1. Any entity entered in the national register of recognised data altruism organisations shall keep full and accurate records concerning:

    a) all natural or legal persons that were given the possibility to process data held by that entity;

    b) the date or duration of such processing;

    c) the purpose of such processing as declared by the natural or legal person that was given the possibility of processing;

    d) the fees paid by natural or legal persons processing the data, if any.

  2. Any entity entered in the register of recognised data altruism organisations shall draw up and transmit to the competent national authority an annual activity report which shall contain at least the following:

a) information on the activities of the entity; b) a description of the way in which the general interest purposes for which data was collected have been promoted during the given financial year; c) a list of all natural and legal persons that were allowed to use data it holds, including a summary description of the general interest purposes pursued by such data use and the description of the technical means used for it, including a description of the techniques used to preserve privacy and data protection; d) a summary of the results of the data uses allowed by the entity, where applicable; e) information on sources of revenue of the entity, in particular all revenue resulted from allowing access to the data, and on expenditure.

Article 19: Specific requirements to safeguard rights and interests of data subjects and legal entities as regards their data

  1. Any entity entered in the register of recognised data altruism organisations shall inform data holders:

    a) about the purposes of general interest for which it permits the processing of their data by a data user in an easy-to-understand manner;

    b) about any processing outside the Union.

  2. The entity shall also ensure that the data is not be used for other purposes than those of general interest for which it permits the processing.

  3. Where an entity entered in the register of recognised data altruism organisations provides tools for obtaining consent from data subjects or permissions to process data made available by legal persons, it shall specify the jurisdiction or jurisdictions in which the data use is intended to take place.

Article 20: Competent authorities for registration

  1. Each Member State shall designate one or more competent authorities responsible for the register of recognised data altruism organisations and for the monitoring of compliance with the requirements of this Chapter. The designated competent authorities shall meet the requirements of Article 23.

  2. Each Member State shall inform the Commission of the identity of the designated authorities.

  3. The competent authority shall undertake its tasks in cooperation with the data protection authority, where such tasks are related to processing of personal data, and with relevant sectoral bodies of the same Member State. For any question requiring an assessment of compliance with Regulation (EU) 2016/679, the competent authority shall first seek an opinion or decision by the competent supervisory authority established pursuant to that Regulation and comply with that opinion or decision.

Article 21: Monitoring of compliance

  1. The competent authority shall monitor and supervise compliance of entities entered in the register of recognised data altruism organisations with the conditions laid down in this Chapter.

  2. The competent authority shall have the power to request information from entities included in the register of recognised data altruism organisations that is necessary to verify compliance with the provisions of this Chapter. Any request for information shall be proportionate to the performance of the task and shall be reasoned.

  3. Where the competent authority finds that an entity does not comply with one or more of the requirements of this Chapter it shall notify the entity of those findings and give it the opportunity to state its views, within a reasonable time limit.

  4. The competent authority shall have the power to require the cessation of the breach referred to in paragraph 3 either immediately or within a reasonable time limit and shall take appropriate and proportionate measures aimed at ensuring compliance.

  5. If an entity does not comply with one or more of the requirements of this Chapter even after having been notified in accordance with paragraph 3 by the competent authority, the entity shall:

    a) lose its right to refer to itself as a ‚Äėdata altruism organisation recognised in the Union‚Äô in any written and spoken communication;

    b) be removed from the register of recognised data altruism organisations.

  6. If an entity included in the register of recognised data altruism organisations has its main establishment or legal representative in a Member State but is active in other Member States, the competent authority of the Member State of the main establishment or where the legal representative is located and the competent authorities of those other Member States shall cooperate and assist each other as necessary. Such assistance and cooperation may cover information exchanges between the competent authorities concerned and requests to take the supervisory measures referred to in this Article.

Article 22: European data altruism consent form

  1. In order to facilitate the collection of data based on data altruism, the Commission may adopt implementing acts developing a European data altruism consent form. The form shall allow the collection of consent across Member States in a uniform format. Those implementing acts shall be adopted in accordance with the advisory procedure referred to in Article 29 (2).

  2. The European data altruism consent form shall use a modular approach allowing customisation for specific sectors and for different purposes.

  3. Where personal data are provided, the European data altruism consent form shall ensure that data subjects are able to give consent to and withdraw consent from a specific data processing operation in compliance with the requirements of Regulation (EU) 2016/679.

  4. The form shall be available in a manner that can be printed on paper and read by humans as well as in an electronic, machine-readable form.

CHAPTER V: COMPETENT AUTHORITIES AND PROCEDURAL PROVISIONS

Article 23: Requirements relating to competent authorities

  1. The competent authorities designated pursuant to Article 12 and Article 20 shall be legally distinct from, and functionally independent of any provider of data sharing services or entity included in the register of recognised data altruism organisations.

  2. Competent authorities shall exercise their tasks in an impartial, transparent, consistent, reliable and timely manner.

  3. The top-management and the personnel responsible for carrying out the relevant tasks of the competent authority provided for in this Regulation cannot be the designer, manufacturer, supplier, installer, purchaser, owner, user or maintainer of the services which they evaluate, nor the authorised representative of any of those parties or represent them. This shall not preclude the use of evaluated services that are necessary for the operations of the competent authority or the use of such services for personal purposes.

  4. Top-management and personnel shall not engage in any activity that may conflict with their independence of judgment or integrity in relation to evaluation activities entrusted to them.

  5. The competent authorities shall have at their disposal the adequate financial and human resources to carry out the tasks assigned to them, including the necessary technical knowledge and resources.

  6. The competent authorities of a Member State shall provide the Commission and competent authorities from other Member States, on reasoned request, with the information necessary to carry out their tasks under this Regulation. Where a national competent authority considers the information requested to be confidential in accordance with Union and national rules on commercial and professional confidentiality, the Commission and any other competent authorities concerned shall ensure such confidentiality.

Article 24: Right to lodge a complaint

  1. Natural and legal persons shall have the right to lodge a complaint with the relevant national competent authority against a provider of data sharing services or an entity entered in the register of recognised data altruism organisations.

  2. The authority with which the complaint has been lodged shall inform the complainant of the progress of the proceedings and of the decision taken, and shall inform the complainant of the right to an effective judicial remedy provided for in Article 25.

Article 25: Right to an effective judicial remedy

  1. Notwithstanding any administrative or other non-judicial remedies, any affected natural and legal persons shall have the right to an effective judicial remedy with regard to:

    a) a failure to act on a complaint lodged with the competent authority referred to in Articles 12 and 20;

    b) decisions of the competent authorities referred to in Articles 13, 17 and 21 taken in the management, control and enforcement of the notification regime for providers of data sharing services and the monitoring of entities entered into the register of recognised data altruism organisations.

  2. Proceedings pursuant to this Article shall be brought before the courts of the Member State in which the authority against which the judicial remedy is sought is located.

CHAPTER VI: EUROPEAN DATA INNOVATION BOARD

Article 26: European Data Innovation Board

  1. The Commission shall establish a European Data Innovation Board (‚Äúthe Board‚ÄĚ) in the form of an Expert Group, consisting of the representatives of competent authorities of all the Member States, the European Data Protection Board, the Commission, relevant data spaces and other representatives of competent authorities in specific sectors.

  2. Stakeholders and relevant third parties may be invited to attend meetings of the Board and to participate in its work.

  3. The Commission shall chair the meetings of the Board.

  4. The Board shall be assisted by a secretariat provided by the Commission.

Article 27: Tasks of the Board.

The Board shall have the following tasks:

a) to advise and assist the Commission in developing a consistent practice of public sector bodies and competent bodies referred to in Article 7 (1) processing requests for the re-use of the categories of data referred to in Article 3 (1);

b) to advise and assist the Commission in developing a consistent practice of the competent authorities in the application of requirements applicable to data sharing providers;

c) to advise the Commission on the prioritisation of cross-sector standards to be used and developed for data use and cross-sector data sharing, cross-sectoral comparison and exchange of best practices with regards to sectoral requirements for security, access procedures, while taking into account sector-specific standardisations activities;

to assist the Commission in enhancing the interoperability of data as well as data sharing services between different sectors and domains, building on existing European, international or national standards;

e) to facilitate the cooperation between national competent authorities under this Regulation through capacity-building and the exchange of information, in particular by establishing methods for the efficient exchange of information relating to the notification procedure for data sharing service providers and the registration and monitoring of recognised data altruism organisations.

CHAPTER VII: COMMITTEE AND DELEGATION

Article 28: Exercise of the Delegation

  1. The power to adopt delegated acts is conferred on the Commission subject to the conditions laid down in this Article.

  2. The power to adopt delegated acts referred to in Article 5 (11) shall be conferred on the Commission for an indeterminate period of time from […].

  3. The delegation of power referred to in Article 5 (11) may be revoked at any time by the European Parliament or by the Council. A decision to revoke shall put an end to the delegation of the power specified in that decision. It shall take effect the day following the publication of the decision in the Official Journal of the European Union or at a later date specified therein. It shall not affect the validity of any delegated acts already in force.

  4. Before adopting a delegated act, the Commission shall consult experts designated by each Member State in accordance with the principles laid down in the Interinstitutional Agreement of 13 April 2016 on Better Law-Making.

  5. As soon as it adopts a delegated act, the Commission shall notify it simultaneously to the European Parliament and to the Council.

  6. A delegated act adopted pursuant to Article 5 (11) shall enter into force only if no objection has been expressed either by the European Parliament or by the Council within a period of three months of notification of that act to the European Parliament and to the Council or if, before the expiry of that period, the European Parliament and the Council have both informed the Commission that they will not object. That period shall be extended by three months at the initiative of the European Parliament or of the Council.

Article 29: Committee procedure

  1. The Commission shall be assisted by a committee within the meaning of Regulation (EU) No 182/2011.

  2. Where reference is made to this paragraph, Article 4 of Regulation (EU) No 182/2011 shall apply.

  3. Where the opinion of the committee is to be obtained by written procedure, that procedure shall be terminated without result when, within the time-limit for delivery of the opinion, the chair of the committee so decides or a committee member so requests. In such a case, the chair shall convene a committee meeting within a reasonable time.

CHAPTER VIII: FINAL PROVISIONS

Article 30: International access

  1. The public sector body, the natural or legal person to which the right to re-use data was granted under Chapter 2, the data sharing provider or the entity entered in the register of recognised data altruism organisations, as the case may be, shall take all reasonable technical, legal and organisational measures in order to prevent transfer or access to non-personal data held in the Union where such transfer or access would create a conflict with Union law or the law of the relevant Member State, unless the transfer or access are in line with paragraph 2 or 3.

  2. Any judgment of a court or tribunal and any decision of an administrative authority of a third country requiring a public sector body, a natural or legal person to which the right to re-use data was granted under Chapter 2, a data sharing provider or entity entered in the register of recognised data altruism organisations to transfer from or give access to non-personal data subject to this Regulation in the Union may only be recognised or enforceable in any manner if based on an international agreement, such as a mutual legal assistance treaty, in force between the requesting third country and the Union or any such agreement between the requesting third country and a Member State concluded before [the entry into force of this Regulation].

  3. Where a public sector body, a natural or legal person to which the right to re-use data was granted under Chapter 2, a data sharing provider or entity entered in the register of recognised data altruism organisations is the addressee of a decision of a court or of an administrative authority of a third country to transfer from or give access to non-personal data held in the Union and compliance with such a decision would risk putting the addressee in conflict with Union law or with the law of the relevant Member State, transfer to or access to such data by that third-country authority shall take place only:

    a) where the third-country system requires the reasons and proportionality of the decision to be set out, and it requires the court order or the decision, as the case may be, to be specific in character, for instance by establishing a sufficient link to certain suspected persons, or infringements;

    b) the reasoned objection of the addressee is subject to a review by a competent court in the third-country; and

    c) in that context, the competent court issuing the order or reviewing the decision of an administrative authority is empowered under the law of that country to take duly into account the relevant legal interests of the provider of the data protected by Union law or the applicable Member State law.

    The addressee of the decision shall ask the opinion of the relevant competent bodies or authorities, pursuant to this Regulation, in order to determine if these conditions are met.

  4. If the conditions in paragraph 2, or 3 are met, the public sector body, the natural or legal person to which the right to re-use data was granted under Chapter 2, the data sharing provider or the entity entered in the register of recognised data altruism organisations, as the case may be, shall, provide the minimum amount of data permissible in response to a request, based on a reasonable interpretation of the request.

  5. The public sector body, the natural or legal person to which the right to re-use data was granted under Chapter 2, the data sharing provider and the entity providing data altruism shall inform the data holder about the existence of a request of an administrative authority in a third-country to access its data, except in cases where the request serves law enforcement purposes and for as long as this is necessary to preserve the effectiveness of the law enforcement activity.

Article 31: Penalties

Member States shall lay down the rules on penalties applicable to infringements of this Regulation and shall take all measures necessary to ensure that they are implemented. The penalties provided for shall be effective, proportionate and dissuasive. Member States shall notify the Commission of those rules and measures by [date of application of the Regulation] and shall notify the Commission without delay of any subsequent amendment affecting them.

Article 32: Evaluation and review

By [four years after the data of application of this Regulation], the Commission shall carry out an evaluation of this Regulation, and submit a report on its main findings to the European Parliament and to the Council as well as to the European Economic and Social Committee. Member States shall provide the Commission with the information necessary for the preparation of that report.

Article 33: Amendment to Regulation (EU) No 2018/1724

In Annex II to Regulation (EU) No 2018/1724, the following line is added under ‚ÄúStarting, running and closing a business‚ÄĚ:

Article 34: Transitional arrangements

Entities providing the data sharing services provided in Article 9(1) on the date of entry into force of this Regulation shall comply with the obligations set out in Chapter III by [date - 2 years after the start date of the application of the Regulation] at the latest.

Article 35: Entry into force and application

This Regulation shall enter into force on the twentieth day following that of its publication in the Official Journal of the European Union.

It shall apply from [12 months after its entry into force].

This Regulation shall be binding in its entirety and directly applicable in all Member States.

Done at Brussels, For the European Parliament For the Council