125 Amendments of Klemen GROŠELJ related to 2022/0047(COD)
Amendment 95 #
Proposal for a regulation
Citation 1
Citation 1
Having regard to the Treaty on the Functioning of the European Union, and in particular Article 114 and Article 103 thereof,
Amendment 110 #
Proposal for a regulation
Recital 5
Recital 5
(5) This Regulation ensures that users of a connected product or related service in the Union can access, in a timely manner, the data generated by the use of that connected product or related service and that those users can use the data, including by sharing them with third parties of their choice, either directly or through data intermediation services. It imposes the obligation on the data holder to make data available to users and third parties nominated by the users in certain circumstances. It also ensures that data holders make data available to data recipients in the Union under fair, reasonable and non-discriminatory terms and in a transparent manner. Private law rules are key in the overall framework of data sharing. Therefore, this Regulation adapts rules of contract law and prevents the exploitation of contractual imbalances that hinder fair data access and use for micro, small or medium-sized enterprises within the meaning of Recommendation 2003/361/EC. This Regulation also ensures that data holders make available to public sector bodies of the Member States and to Union institutions, agencies or bodies, where there is an exceptional need, the data that are necessary for the performance of tasks carried out in the public interest. In addition, this Regulation seeks to facilitate switching between data processing services and to enhance the interoperability of data and data sharing mechanisms and services in the Union. This Regulation should not be interpreted as recognising or creating any legal basis for the data holder to hold, have access to or process data, or as conferring any new right on the data holder to use data generated by the use of a connected product or related service. Instead, it takes as its starting point the control that the data holder effectively enjoys, de facto or de jure, over data generated by connected products or related services.
Amendment 114 #
Proposal for a regulation
Recital 6
Recital 6
(6) Data generation is the result of the actions of at least two actors, the designer or manufacturer of a product, and where different from the manufacturer the provider of related services for the connected product and the user of that connected product. It gives rise to questions of fairness in the digital economy, because the data recorded by such connected products or related services are an important input for aftermarket, ancillary and other services. In order to realise the important economic benefits of data as a non-rival good for the economy and society, a general approach to assigning access and usage rights on data is preferable to awarding exclusive rights of access and use.
Amendment 122 #
Proposal for a regulation
Recital 11
Recital 11
(11) Union law setting physical design and data requirements for connected products to be placed on the Union market should not be affecbe complemented by this Regulation.
Amendment 125 #
Proposal for a regulation
Recital 14
Recital 14
(14) Physical products that obtain, generate or collect, by means of their components, including sensors, or embedded operating systems, data concerning their performance, use or environment and that are able to communicate that data via a publiclyn available electronic communications service (often referred to as the Internet of Things) should be covered by this Regulation. Electronic communications services include land- based telephone networks, television cable networks, satellite-based networks and near-field communication networks. Such products may include vehicles, home equipment and consumer goods, medical and health devices or agricultural and industrial machinery. The data represent the digitalisation of user actions and events and should accordingly be accessible to the user, while information derived or inferred from this data, where lawfully held, should not be considered within scope of this Regulation. Such data are potentially valuable to the user and support innovation and the development of digital and other services protecting the environment, health and the circular economy, in particular though facilitating the maintenance and repair of the products in question.
Amendment 133 #
Proposal for a regulation
Recital 14 a (new)
Recital 14 a (new)
(14 a) The data represent the digitalisation of user actions and events. These data are potentially valuable to the user and should accordingly always be accessible to the user. Data generated by the use of a connected product or related service include data recorded intentionally by the user or as a by- product of the users’ actions and events. Such data can also be generated or recorded without any action by the user, such as when the product is in ‘standby mode’ or switched off, including diagnostics data and data captured by embedded applications of sensors. Such data should include data in the form and format in which they are generated by the product, and made available in a comprehensible, structured and machine- readable format, including the relevant metadata. This Regulation should cover only raw data, that is either collected or intended to be collected by the data holder. The data resulting from any software process that calculates derivative data shall be excluded from the scope, as such data and software process may be subject to intellectual property rights.
Amendment 137 #
Proposal for a regulation
Recital 15
Recital 15
(15) In contrast, certain products that are primarily designed to display or play content, or to record and transmit content, amongst others for the use by an online service should not be covered by this Reguand are often covered by intellectual property rights and electronic communications services legislation. Such products include, for example, personal computers, servers, tablets and smart phones, smart televisions, cameras, webcams, sound recording systems and text scanners. They require human input to produce various forms of content, such as text documents, sound files, video files, games, digital maps. All these connected products have also a strong element of collection of data on how the products operate, such as proximity sensors, accelerometer or gyroscope, the collection of these data being of potential value in improving the performance of the connected products or related services. These non-personal data referring to the functionality of connected products should be included in the scope of this Regulation and should exclude all content data regulated by Union and national law and data concerning intellectual property and electronic communications services.
Amendment 145 #
Proposal for a regulation
Recital 16
Recital 16
(16) It is necessary to lay down rules applying to connected products that incorporate or are interconnected with a service in such a way that the absence of the service would prevent the product from performing its functions. Such related services can be part of the sale, rent or lease agreement, or such services are normally provided for products of the same type and the user could reasonably expect them to be provided given the nature of the product and taking into account any public statement made by or on behalf of the seller, renter, lessor or other persons in previous links of the chain of transactions, including the manufacturer. These related services may themselves generate data of value to the user independently of the data collection capabilities of the connected product with which they are interconnected. This Regulation should also apply to a related service that is not supplied by the seller, renter or lessor itself, but is supplied, under the sales, rental or lease contract, by a third party. In the event of doubt as to whether the supply of service forms part of the sale, rent or lease contract, this Regulation should apply.
Amendment 146 #
Proposal for a regulation
Recital 17
Recital 17
Amendment 154 #
Proposal for a regulation
Recital 18
Recital 18
(18) The user of a connected product should be understood as the legal or natural person, such as a business or, consumer, which has purchased, rented or leased the product the product, or to whom the owner of the connected product has transferred, on the basis of a rental or lease agreement, temporary rights to use the connected product or receive related services. Depending on the legal title under which he uses it, such a user bears the risks and enjoys the benefits of using the connected product and should enjoy also the access to the data it generates. The user should therefore have an active role in the data economy and be entitled to derive benefit from non-personal data generated by thate use of that connected product and any related service.
Amendment 159 #
Proposal for a regulation
Recital 19
Recital 19
(19) In practice, not all data generated by connected products or related services are easily accessible to their users, and there are often limited possibilities for the portability of data generated by products connected to the Internet of Things. Users are unable to obtain data necessary to make use of providers of repair and other services, and businesses are unable to launch innovative, more efficient and convenient services. In many sectors, manufacturers, who are also providing related services are often able to determine, through their control of the technical design of the connected product or related services, what data are generated and how they can be accessed, even though they have no legal right to the data. It is therefore necessary to ensure that products are designed and manufactured and related services are provided in such a manner that data generated by their use are always easily accessible to the usernd securely accessible in a format that allows the user to view, retrieve and process it, either directly on the connected product or, where not technically possible, on a separate device from the connected product. This Regulation should not be interpreted as an additional obligation for data holders to store data on-device or on a remote server, that are necessary for the immediate functioning of the connected product but the data holder does not intend to extract. Upon an explicit and voluntary agreement between the data holder and the user, such data could be collected and stored.
Amendment 164 #
Proposal for a regulation
Recital 20
Recital 20
(20) In cases of co-ownership of the connected product and related services provided, where several persons or entities own a product or are party to a lease or rent agreement and benefit from access to a related service, reasonable efforts should be made in, the design of the connected product or related service or the relevant interface so thathall enable all persons canto have access to data they generate. Users of products that generate data typically require a user account to be set up. This allows for identification of the user by the manufacturer or related service provider as well as a means to communicate to exercise and process data access requests. For identification and authentication purposes, manufacturers and providers of related services should enable users to use European Digital Identity Wallets, issued pursuant to Regulation (EU) XXX/XXXX establishing a framework for a European Digital Identity. Manufacturers or designers of a product that is typically used by several persons should put in place the necessary mechanism that allow separate user accounts for individual persons, where relevant, or the possibility for several persons to use the same user account. Access should be granted to the user upon simple request mechanisms granting automatic execution, not requiring examination or clearance by the manufacturer or data holder. This means that data should only be made available when the user actually wants this. Where automated execution of the data access request is not possible, for instance, via a user account or accompanying mobile application provided with the product or service, the manufacturer should inform the user how the data may be accessed. User accounts should enable users to revoke consent for processing and data sharing, as well as request deletion of the data generated through the use of the connected product, particularly in cases when the users of the product intend to transfer the ownership of the product to another party.
Amendment 172 #
Proposal for a regulation
Recital 21
Recital 21
(21) PConnected products may be designed to make certain data directly available from an on- device data storage or from a remote server to which the data are communicated. Access to the on-device data storage may be enabled via cable- based or wireless local area networks connected to a publicly available electronic communications service or a mobile network. The server may be the manufacturer’s own local server capacity or that of a third party or a cloud service provider who functions as data holder. TheyConnected products may be designed to permit the user or a third party to process the data on the product or on a computing instance of the manufacturer as well as enable the user to retrieve the data.
Amendment 175 #
Proposal for a regulation
Recital 22
Recital 22
(22) Virtual assistants play an increasing role in digitising consumer environments and serve as an easy-to-use interface to play content, obtain information, or activate physical objects connected to the Internet of Things. Virtual assistants can act as a single gateway in, for example, a smart home environment and record significant amounts of relevant data on how users interact with products connected to the Internet of Things, including those manufactured by other parties and can replace the use of manufacturer-provided interfaces such as touchscreens or smart phone apps. The user may wish to make available such data with third party manufacturers and enable novel smart home services. Such virtual assistants should be covered by the data access right provided for in this Regulation also regarding data recorded before the virtual assistant’s activation by the wake word and data generated when a user interacts with a product via a virtual assistant provided by an entity other than the manufacturer of the product. However, only the data stemming from the interaction between the user and product through the virtual assistant falls within the scope of this Regulation. Data produced by the virtual assistant unrelated to the use of a product is not the object of this Regulation.
Amendment 178 #
Proposal for a regulation
Recital 23
Recital 23
(23) Before concluding a contract for the purchase, rent, or lease of a product or the provision of a related service, clear and sufficient information should be provided to the user on how the data generated may be accesthe data holder shall provide to the user clear and sufficient information that would enable the user to effectively exercise its rights upon the data they generate through the use of connected products and related services. The data holder shall develop mechanisms to keep the user up to date when the information changes during the lifetime of the connected product or when the purpose for which the data will be used changes from the originally specified purposed. This obligation provides transparency over the data generated and enhances the easy and secure access for the user, as well as the right to retrieve, process and further harness the value of non-personal data. This obligation to provide information does not affect the obligation for the controller to provide information to the data subject pursuant to Article 12, 13 and 14 of Regulation (EU) 2016/679.
Amendment 184 #
Proposal for a regulation
Recital 24
Recital 24
(24) This Regulation imposes the obligation on data holders to make data available in certain circumstances. Insofar as personal data are processed, the data holder should be a controller under Regulation (EU) 2016/679. Where users are data subjects, data holders should be obliged to provide them access to their data and to make the data available to third parties of the user’s choice in accordance with this Regulation. However, this Regulation does not create a legal basis under Regulation (EU) 2016/679 for the data holder to provide access to personal data or make it available to a third party when requested by as user that is not a data subject and should not be understood as conferring any new right on the data holder to use data generated by the use of a connected product or related service. This applies in particular where the manufacturer is the data holder. In that caseWhen the manufacturer is also the party providing related services and qualifies as a data holder, the basis for the manufacturer to use non-personal data should be a contractual agreement between the manufacturer and the user. This agreement may be part of the sale, rent or lease agreement relating to the productIn such cases, the contract for purchase and provision of related services can be merged. Any contractual term in the agreement stipulating that the data holder may use the data generated by the user of a connected product or related service should be transparent to the user, including as regards the purpose for which the data holder intends to use the data. This Regulation should not prevent contractual conditions, whose effect is to exclude or limit the use of the data, or certain categories thereof, by the data holder. Where a data holder intends to share data with third parties for the fulfilment of the contractual obligations, it should inform the user of the nature and volume of the shared data and, where relevant, contractually bind the third party not to use the data for any other purposes. This Regulation should also not prevent sector- specific regulatory requirements under Union law, or national law compatible with Union law, which would exclude or limit the use of certain such data by the data holder on well- defined public policy grounds.
Amendment 194 #
Proposal for a regulation
Recital 27
Recital 27
(27) The data holder may require appropriate user identification and authentication to verify the user’s entitlement to access the data. Where there is a legal obligation for identification and authentication, data holders should provide users the possibility to use European Digital Identity Wallets pursuant to Regulation (EU) XXX/XXXX establishing a framework for a European Digital Identity. In the case of personal data processed by a processor on behalf of the controller, the data holder should ensure that the access request is received and handled by the processor.
Amendment 197 #
Proposal for a regulation
Recital 27 a (new)
Recital 27 a (new)
Amendment 200 #
Proposal for a regulation
Recital 28
Recital 28
(28) TWhen the user should be free to use the data for any lawful purpose. This includes providing the data the user has received exercising the right under this Regulationhas requested the data holder to make data available to a third party offering an aftermarket service that may be in competition with a service provided by the data holder, or to instruct the data holder to do so. Ties for the user's commercial purposes, the data holder should ensure that the data made available to the third party is as accurate, complete, reliable, relevant and up-to-date as the data the data holder itself may be able or entitled to access from the use of the product or related service. Any trade secrets or intellectual property rights should be respected in handling the data. It is important to preserve incentives to invest in connected products with functionalities based on the use of data from sensors built into that connected product. The aim of this Regulation should accordingly be understood as to foster the development of new, innovative products or related services, stimulate innovation on aftermarkets, but also stimulatefoster the development of entirely novel services making use of the data, including based on data from a variety of products or related services. At the same time, it aims to avoid undermining the investment incentives for the type of connected product from which the data are obtained, for instance, by the use of data to develop a competing connected product.
Amendment 210 #
Proposal for a regulation
Recital 29 a (new)
Recital 29 a (new)
(29 a) The data generated by the use of a connected product is a materialisation of the users’ actions and events. The user as a generator of data should have a central role in the data economy, have the right to control and decide how to harness the value of these data and be free to use the data for any lawful purpose. The user should have the right to share non- personal data with third parties for commercial purposes. Such data sharing, could be performed directly by the user, upon the request of the user by the data holder or through data intermediation services. Data intermediation services, as regulated by Regulation (EU) 2022/868 could facilitate a data economy by establishing commercial relationships between users, data holders and data recipients and may support users in exercising their right to use data, such as ensuring the proper anonymisation of data or aggregation of access to data from multiple individual users.
Amendment 211 #
Proposal for a regulation
Recital 29 b (new)
Recital 29 b (new)
(29 b) In order to facilitate the creation of fair and efficient data markets for non- personal data with an active involvement of users, data holders should not be able to monetise and share non-personal data from individual users, unless this is necessary for the fulfilment of contractual obligations to the user. Data holders, due to the investments in data collection and processing infrastructure should have the right to further manipulate, aggregate and enrich the data obtained from multiple users, and monetise aggregated data sets from multiple users.
Amendment 226 #
Proposal for a regulation
Recital 35
Recital 35
(35) The third partyData holders and data recipients should also refrain from using the data to profile individuals unless these processing activities are strictly necessary to provide the service requested by the user. The requirement to delete data when no longer required for the purpose agreed with the user complements the right to erasure of the data subject pursuant to Article 17 of Regulation 2016/679. Where the third party is a provider of a data intermediation service within the meaning of [Data Governance Act], the safeguards for the data subject provided for by that Regulation apply. The third partydata recipient may use the data to develop a new and innovative connected product or related service but not to develop a competing product.
Amendment 230 #
Proposal for a regulation
Recital 36
Recital 36
(36) Start-ups, small and medium-sized enterprises and companies from traditional sectors with less-developed digital capabilities struggle to obtain access to relevant data. This Regulation aims to facilitate access to data for these entities, while ensuring that the corresponding obligations are scoped as proportionately as possible to avoid overreach. At the same time, a small number of very large companies have emerged with considerable economic power in the digital economy through theby either manufacturing of connected products and provision of related services in certain sectors or accumulation and aggregation of vast volumes of data and the technological infrastructure for monetising them. These companies include undertakings which hold a dominant position in certain sectors in manufacturing connected devices and providing related services and undertakings that provide core platform services controlling whole platform ecosystems in the digital economy and whom existing or new market operators are unable to challenge or contest. The [Regulation on contestable and fair markets in the digital sector (Digital Markets Act)](EU) 2022/1925 aims to redress these inefficiencies and imbalances by allowing the Commission to designate a provider as a “gatekeeper”, and imposes a number of obligations on such designated gatekeepers, including a prohibition to combine certain data without consent, and an obligation to ensure effective rights to data portability under Article 20 of Regulation (EU) 2016/679. Consistent with the [Regulation on contestable and fair markets in the digital sector (Digital Markets Act)](EU) 2022/1925, and given the unrivalled ability of these companies to acquire data, it would not be necessary to achieve the objective of this Regulation, and would thus be disproportionate in relation to data holders made subject to such obligations, to include such gatekeeper undertakings as beneficiaries of the data access right. This means that an undertaking providing core platform services that has been designated as a gatekeeper cannot request or be granted access to users’ data generated by the use of a product or related service or by a virtual assistant based on the provisions of Chapter II of this Regulation. An undertaking providing core platform services designated as a gatekeeper pursuant to Digital Markets Act should be understood to include all legal entities of a group of companies where one legal entity provides a core platform service. Furthermore, third parties to whom data are made available at the request of the user may not make the data available to a designated gatekeeper. For instance, the third party may not sub-contract the service provision to a gatekeeper. However, this does not prevent third parties from using data processing services offered by a designated gatekeeper. This exclusion of designated gatekeepers from the scope of the access right under this Regulation of undertakings manufacturing connected products or providing related services, which have been determined to have a dominant position on the market pursuant national or Union competition law and any designated gatekeepers does not prevent these companies from obtaining data through other lawful means.
Amendment 234 #
Proposal for a regulation
Recital 37
Recital 37
(37) Given the current state of technology, it is overly burdensome to impose further design obligations in relation to products manufactured or designed and related services provided by micro and small enterprisefor data holders that are micro and small enterprises to fulfill the obligations to make data available to data recipients. That is not the case, however, where a micro or small enterprise is sub-contracted to manufacture or design a productconnected product or provide a related service. In such situations, the enterprise, which has sub-contracted to the micro or small enterprise, is able to compensate the sub- contractor appropriately. A micro or small enterprise may nevertheless be subject to the requirements laid down by this Regulation as data holder, where it is not the manufacturer of the product or a provider of related services.
Amendment 239 #
Proposal for a regulation
Recital 38
Recital 38
(38) This Regulation contains general access rules, whenever a data holder is obliged by law to make data available to a data recipient. Such access should be based on fair, reasonable, non-discriminatory and transparent conditions to ensure consistency of data sharing practices in the internal market, including across sectors, and to encourage and promote fair data sharing practices even in areas where no such right to data access is provided. These general access rules do not apply to obligations to make data available under Regulation (EU) 2016/679. Voluntary data sharing remains unaffected by these rules. The Commission should develop a framework aimed at preventing and mitigating distortions on the data market.
Amendment 242 #
Proposal for a regulation
Recital 39
Recital 39
(39) Based on the principle of contractual freedom, the parties should remain free to negotiate the precise conditions for making data available in their contracts, within the framework of the general access rules for making data available. Where no international or Union standards on the cybersecurity of data sharing exist, parties are encouraged to indicate any technical and organisational aspects in the terms of the contract, including in relation to data security.
Amendment 250 #
Proposal for a regulation
Recital 42
Recital 42
(42) In order to incentivise the continued investment in generating valuable data, including investments in relevant technical tools, this Regulation contains the principle that the data holder may request reasonable compensation when legally obliged to make data available to the data recipient. These provisions should not be understood as paying for the data itself, but in the case of micro, small or medium-sized enterprises, for the costs incurred and investment required for making the data available. The Commission should develop guidance detailing what qualifies as a reasonable compensation in the data economy.
Amendment 267 #
Proposal for a regulation
Recital 50
Recital 50
(50) Parties to dDispute settlement proceedings are an alternative mean for dispute resolution and should not be prevented parties from exercising their fundamental rights to an effective remedy and to a fair trial. Therefore, the decision to submit a dispute to a dispute settlement body should not deprive those parties of their right to seek redress before a court or a tribunal of a Member State.
Amendment 269 #
Proposal for a regulation
Recital 50 a (new)
Recital 50 a (new)
(50 a) In order to avoid misuse of the new data access rights, the data holder may apply protective measures in relation to the data made available to the data recipient to prevent unauthorised access and ensure compliance with the framework of data access pursuant to this Regulation. However, those technical measures should not hinder the effective access and use of data for the data recipient. In the case of abusive practices such as misleading the data holder with inaccurate information or developing a competing connected product, the data holder can, resort to remedies such as requesting the deletion of data and the end of production of connected products based on the data received.
Amendment 287 #
Proposal for a regulation
Recital 57
Recital 57
(57) In case of public emergencies, such as public health emergencies, emergencies resulting from environmental degradation and major natural disasters including those aggravated by climate change, as well as human-induced major disasters, such as major cybersecurity incidents, the public interest resulting from the use of the data will outweigh the interests of the data holders to dispose freely of the data they hold. In such a case, data holders should be placed under an obligation to make the data available to public sector bodies or to Union institutions, agencies or bodies upon their request. The existence of a public emergency is determinshould be determined and declared according to the respective procedures in the Member States or of relevant international organisations. In cases of major cybersecurity incidents, this Regulation should be complementary but not create a duplication of requirements deriving from Directive (EU) XXXX/XXXX on measures for a high common level of cybersecurity across the union [NIS2] and Regulation (EU) XXX/XXXX on Digital Operational Resilience for financial entities [DORA].
Amendment 300 #
Proposal for a regulation
Recital 59
Recital 59
(59) This Regulation should not apply to, nor pre-empt, voluntary arrangements for the exchange of non-personal data between private and public entities. Obligations placed on data holders to provide data that are motivated by needs of a non-exceptional nature, notably where the range of data and of data holders is known and where data use can take place on a regular basis, as in the case of reporting obligations and internal market obligations, should not be affected by this Regulation. Requirements to access data to verify compliance with applicable rules, including in cases where public sector bodies assign the task of the verification of compliance to entities other than public sector bodies, should also not be affected by this Regulation.
Amendment 303 #
Proposal for a regulation
Recital 60
Recital 60
(60) For the exercise of their tasks in the areas of prevention, investigation, detection or prosecution of criminal and administrative offences, the execution of criminal and administrative penalties, as well as the collection of data for taxation or customs purposes, public sector bodies and Union institutions, agencies and bodies should rely on their powers under sectoral legislation. This Regulation accordingly does not affect instruments for the sharing, access and use of data in those areas. This Regulation should not apply to connected products and related services provided for public security, defence and national security.
Amendment 304 #
Proposal for a regulation
Recital 61
Recital 61
(61) A proportionate, limited and predictable framework at Union level is necessary for the making available of data by data holders, in cases of exceptional needs, to public -sector bodies and to Union institution, agencies or bodies both to ensure legal certainty and, to minimise the administrative burdens placed on businesses and to avoid misuse of data. To this end, data requests by public sector bodies and by Union institution, agencies and bodies to data holders should be transparent, limited in time, and proportionate in terms of their scope of content and their granularity. The purpose of the request and the intended use of the data requested should be specific and clearly explained, while allowing appropriate flexibility for the requesting entity to perform its tasks in the public interest. The request should also respect the legitimate interests of the businesses to whom the request is made. In order to ensure a higher degree of coordination and avoid additional burden on private companies, Member States should designate one competent authority to act as a single point of contact between public entities requesting access to data and private entities providing access to these data. The competent authority should receive the requests from the public sector bodies or Union institutions, agencies or bodies, analyse whether the requests comply with the requirements set by this Regulation and further direct them to the data holders for execution. The burden on data holders should be minimised by obliging requesting entities to respect the once-only principle, which prevents the same data from being requested more than once by more than one public sector body or Union institution, agency or body where those data are needed to respond to a public emergency. To ensure transparency, data requests made by public sector bodies and by Union institutions, agencies or bodies should be made public without undue delay by the entity requesting the datacompetent authority and online public availability of all requests justified by a public emergency should be ensured.
Amendment 309 #
Proposal for a regulation
Recital 62
Recital 62
(62) The objective of the obligation to provide the data is to ensure that public sector bodies and Union institutions, agencies or bodies have the necessary knowledge to respond to, prevent or recover from public emergencies or to maintain the capacity to fulfil specific tasks explicitly provided by law. The data obtained by those entities may be commercially sensitive. Therefore, Directive (EU) 2019/1024 of the European Parliament and of the Council65 should not apply to data made available under this Regulation and should not be considered as open data available for reuse by third parties. This however should not affect the applicability of Directive (EU) 2019/1024 to the reuse of official statistics for the production of which data obtained pursuant to this Regulation was used, provided the reuse does not include the underlying data. In addition, it should not affect the possibility of sharing the data for conducting research or for the compilation of official statistics, provided the conditions laid down in this Regulation are met. Public sector bodies should also be allowed to exchange data obtained pursuant to this Regulation with other public sector bodies to address the exceptional needs for which the data has been requested only with the prior explicit consent of the data holder. _________________ 65 Directive (EU) 2019/1024 of the European Parliament and of the Council of 20 June 2019 on open data and the re-use of public sector information (OJ L 172, 26.6.2019, p. 56).
Amendment 312 #
Proposal for a regulation
Recital 63
Recital 63
(63) Data holders should have the possibility to either ask for a modification of the request made by a public sector body or Union institution, agency and body or its cancellation in a period of 5 or 15 working days depending on the nature of the exceptional need invoked in the requestwithout undue delay, but no longer than 5 working days. In case of requests motivated by a public emergency, justified reason not to make the data available should exist if it can be shown that the data is unavailable, the request does not meet the criteria laid down in Chapter V of this Regulation or the request is similar or identical to a previously submitted request for the same purpose by another public sector body or by another Union institution, agency or body and the data holder has not been notified regarding the destruction of such data. A data holder rejecting the request or seeking its modification should communicate the underlying justification for refusing the request to the public sector body or to the Union institution, agency or body requesting the datacompetent authority. In case the sui generis database rights under Directive 96/6/EC of the European Parliament and of the Council66 apply in relation to the requested datasets, data holders should exercise their rights in a way that does not prevent the public sector body and Union institutions, agencies or bodies from obtaining the data, or from sharing it, in accordance with this Regulation. _________________ 66 Directive 96/9/EC of the European Parliament and of the Council of 11 March 1996 on the legal protection of databases (OJ L 77, 27.3.1996, p. 20).
Amendment 316 #
Proposal for a regulation
Recital 64
Recital 64
(64) Where it is strictly necessary to include personal data in the data made available to a public sector body or to a Union institution, agency or body the applicable rules on personal data protection should be complied with and the making available of the data and their subsequent use should and be accompanied by safeguards for the rights and interests of individuals concerned by those data. The body requesting the data should demonstrate the strict necessity and the specific and limited purposes for processing. The data holder should take reasonable effortPrior to making the data available, the data holder should apply all necessary means to anonymise the data or, where such anonymisation proves impossible, the data holder should apply technological means such as pseudonymisation and aggregation, prior to making the data available.
Amendment 318 #
Proposal for a regulation
Recital 65
Recital 65
(65) Data made available to public sector bodies and to Union institutions, agencies and bodies on the basis of exceptional need should only be used for the purpose for which they were requested, unless the data holder that made the data available has expresslicitly agreed for the data to be used for other purposes. The data should be destroyedpublic sector bodies and Union institutions, agencies and bodies should take all necessary legal, technical and organisational measures to ensure the integrity and security of the data and should destroy the data once it is no longer necessary for the purpose stated in the request, unless agreed otherwise, and the data holder should be informed thereof.
Amendment 322 #
Proposal for a regulation
Recital 66
Recital 66
(66) When reusing data provided by data holders, public sector bodies and Union institutions, agencies or bodies should respect both existing applicable legislation and contractual obligations to which the data holder is subject. Where the disclosure of trade secrets of the data holder to public sector bodies or to Union institutions, agencies or bodies is strictly necessary to fulfil the purpose for which the data has been requested, confidentiality of such disclosure shouldall be ensured to the data holder.
Amendment 325 #
Proposal for a regulation
Recital 67
Recital 67
(67) When the safeguarding of a significant public goodinterest is at stake, such as is the case of responding to public emergencies, the public sector body or the Union institution, agency or body should not be expected to compensate enterprises for the data obtained. Public emergencies are rare, temporary events and not all such emergencies require the use of data held by enterprises. The business activities of the data holders are therefore not likely to be negatively affected as a consequence of the public sector bodies or Union institutions, agencies or bodies having recourse to this Regulation. However, as cases of an exceptional need other than responding to a public emergency might be more frequent, including cases of prevention of or recovery from a public emergency, data holders should in such cases be entitled to a reasonable compensation which should not exceed the technical and organisational costs incurred in complying with the request and the reasonable margin required for making the data available to the public sector body or to the Union institution, agency or body. The compensation should not be understood as constituting payment for the data itself and as being compulsory.
Amendment 326 #
Proposal for a regulation
Recital 68
Recital 68
(68) The public sector body or Union institution, agency or body may share the data it has obtained pursuant to the request with other entities or persons when this is needed to carry out scientific research activities or analytical activities it cannot perform itself. Data holders should be notified regarding such data sharings, providing the data holder with all necessary information regarding the identity of the data recipient and the activities that will be carried out by the data recipient. The data holder should have the right to object to the sharing of data by a public sector body or a Union institution, agency or body to the competent authority, when such data sharing does not meet the requirements of this Regulation. Such data may also be shared under the same circumstances with the national statistical institutes and Eurostat for the compilation of official statistics. Such research activities should however be compatible with the purpose for which the data was requested and the data holder should be informed about the further sharing of the data it had provided. Individuals conducting research or research organisations with whom these data may be shared should act either on a not-for- profit basis or in the context of a public- interest mission recognised by the State. Organisations upon which commercial undertakings have a decisive influence allowing such undertakings to exercise control because of structural situations, which could result in preferential access to the results of the research, should not be considered research organisations for the purposes of this Regulation.
Amendment 356 #
Proposal for a regulation
Article 1 – paragraph 1
Article 1 – paragraph 1
1. This Regulation lays down harmonised rules on making data generated by the use of a connected product or related service available to the user of that connected product or related service, on the making data available by a user to a data recipient or by the data holders to data recipients, and on the making data available by data holders to public sector bodies or Union institutions, agencies or bodies, where there is an exceptional need, for the performance of a task carried out in the public interest:
Amendment 360 #
Proposal for a regulation
Article 1 – paragraph 1 a (new)
Article 1 – paragraph 1 a (new)
1 a. Where this Regulation refers to connected products that are primarily designed to display or play content, or to record and transmit content, amongst others for the use by an online service, the data generated by them shall be covered by this Regulation, insofar it does not overlap with the scope of the national and Union law referring to electronic communications services.
Amendment 365 #
Proposal for a regulation
Article 1 – paragraph 2 – point a
Article 1 – paragraph 2 – point a
(a) manufacturers of connected products and suppliproviders of related services placed on the market in the Union and the users of such products or services, irrespective of their place of establishment;
Amendment 369 #
Proposal for a regulation
Article 1 – paragraph 2 – point b a (new)
Article 1 – paragraph 2 – point b a (new)
Amendment 370 #
Proposal for a regulation
Article 1 – paragraph 2 – point d
Article 1 – paragraph 2 – point d
(d) public sector bodies and Union institutions, agencies or bodies that request data holders to make data available where there is an exceptional need to that data for the performance of a task carried out in the public interestrevention, response or recovery from a public emergency and the data holders that provide those data in response to such request;
Amendment 374 #
Proposal for a regulation
Article 1 – paragraph 2 – point e
Article 1 – paragraph 2 – point e
(e) providers of data processing services offer, irrespective of their place of establishment, providing such services to customers in the Union.
Amendment 382 #
Proposal for a regulation
Article 1 – paragraph 4
Article 1 – paragraph 4
4. This Regulation shall not apply to, nor pre-empt, voluntary arrangements for the exchange of non-personal data between private and public entities. It shall not affect Union and national legal acts providing for the sharing, access and use of data for the purpose of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, including Regulation (EU) 2021/784 of the European Parliament and of the Council72 and the [e- evidence proposals [COM(2018) 225 and 226] once adopted, and international cooperation in that area. This Regulation shall not affect the collection, sharing, access to and use of data under Directive (EU) 2015/849 of the European Parliament and of the Council on the prevention of the use of the financial system for the purposes of money laundering and terrorist financing and Regulation (EU) 2015/847 of the European Parliament and of the Council on information accompanying the transfer of funds. This Regulation shall not affect the competences of the Member States regarding activities concerning public security, defence, national security, customs and tax administration and the health and safety of citizens in accordance with Union law. This Regulation shall not apply to the data generated by connected products and related services provided for public security, defence and national security. _________________ 72 Regulation (EU) 2021/784 of the European Parliament and of the Council of 29 April 2021 on addressing the dissemination of terrorist content online (OJ L 172, 17.5.2021, p. 79).
Amendment 392 #
Proposal for a regulation
Article 2 – paragraph 1 – point 1
Article 2 – paragraph 1 – point 1
(1) ‘data’ means any digital representation of acts, facts or information and any compilation of such acts, facts or information, including in the form of sound, visual or audio-visual recording;, that is generated by the use of a connected product and can be transmitted via electronic communications services.
Amendment 424 #
Proposal for a regulation
Article 2 – paragraph 1 – point 3
Article 2 – paragraph 1 – point 3
(3) ‘related service’ means a digital service, including software, which is incorporated in orbut excluding electronic communications services, which is inter-connected with a product in such a way that its absence would prevent the product from performing one or more of its functions;
Amendment 429 #
Proposal for a regulation
Article 2 – paragraph 1 – point 5
Article 2 – paragraph 1 – point 5
(5) ‘user’ means a natural or legal person that owns, rents or leases a a product and receives a related service from a data holder or a lawful user to whom the owner of the connected product has transferred, pursuant to a rental or lease agreement, the right to use the connected product or receives a related services from a data holder;
Amendment 438 #
Proposal for a regulation
Article 2 – paragraph 1 – point 6
Article 2 – paragraph 1 – point 6
(6) ‘data holder’ means a legal or natural person, other than the user, who has the right or obligation, in accordance with this Regulation, applicable Union law or national legislation implementing Union law, or in the case ofto make available non-personal data and through control of the technical design of thegenerated by the use of a connected product andor a related services, the ability, to make available certain and who has the control over these data;
Amendment 446 #
Proposal for a regulation
Article 2 – paragraph 1 – point 7
Article 2 – paragraph 1 – point 7
(7) ‘data recipient’ means a legal or natural person, acting for purposes which are related to that person’s trade, business, craft or profession, other than the user of a connected product or related service, to whom the data holduser makes the data available either directly, or through data intermediation services, or the data holder, including a third party following a request by the user to the data holder or in accordance with a legal obligation under Union law or national legislation implementing Union law;
Amendment 454 #
Proposal for a regulation
Article 2 – paragraph 1 – point 10
Article 2 – paragraph 1 – point 10
(10) ‘public emergency’ means an exceptional situation negativ legally declared state of emergency by the Union or a Member State for an exceptional and immediate situation caused by natural or man-made disasters, adversely affecting the population of the Union, a Member State or part of it, with a risk of seriousignificant and lasting repercussions on living conditionsthe health, safety or economic stability of citizen, or the substantial degradation of economic assets in the Union or the relevant Member State(s);
Amendment 474 #
Proposal for a regulation
Article 2 – paragraph 1 – point 17
Article 2 – paragraph 1 – point 17
(17) ‘electronic ledger’ means an electronic ledger within the meaning of Article 3, point (53), of Regulation (EU) No 910/2014XXX/XXXX [establishing a European Digital Identity framework];
Amendment 488 #
Proposal for a regulation
Article 3 – title
Article 3 – title
3 Obligation of the manufacturer or a provider of related services to make data generated by the use of connected products or related services accessible to the user
Amendment 490 #
Proposal for a regulation
Article 3 – paragraph 1
Article 3 – paragraph 1
1. Products shall be designed and manufactured, and related services shall be provided, in such a manner that data generated by their use are, by default, easily, securely and, where relevant and appropriate, directly accessible to the userthat the data holder can readily obtain from the product on to an existing interface, or data that are collected or aimed to be collected by the data holder, are by default, easily, securely and, where relevant and appropriate, directly accessible to the user in a structured, commonly used and machine- readable format along with the relevant metadata, on a free of charge basis and retrievable by the user. Where technically feasible, the user should be able to access and retrieve such data directly from the device, without recourse to related services.
Amendment 499 #
Proposal for a regulation
Article 3 – paragraph 1 a (new)
Article 3 – paragraph 1 a (new)
1 a. Before concluding a contract for the purchase, rent or lease of a connected product, the manufacturer shall provide to the user, in the form of a standardised label at least the following information: (a) the nature, format and estimated volume of data that the connected product is capable of generating; (b) the means by which the connected product can transmit data, including whether the data will be stored on-device or on a remote server; (c) whether the seller, renter or lessor is the data holder and, if not, the identity of the data holder, such as its trading name, the geographical address at which it is established and where applicable the legal entity identifier; (d) how the user of the connected product can access, retrieve or request erasure of the generated data from the connected product; (e) the on-device storage capacity, including the duration for which data collected by the connected product can be stored on it; (f) the period for which the device is guaranteed to receive functionality updates according to the Regulation (EU) XXX/XXXX [Cyber resilience Act].
Amendment 512 #
Proposal for a regulation
Article 3 – paragraph 2 – introductory part
Article 3 – paragraph 2 – introductory part
2. Before concluding a contract for the purchase, rent or lease of a product orrovision of a related service, at least the following information shall be provided to the user, in a simple manner, clear and comprehensible format:
Amendment 514 #
Proposal for a regulation
Article 3 – paragraph 2 – point a
Article 3 – paragraph 2 – point a
(a) the nature an, format, frequency and estimated volume of the data likely to be generated by the use of the connected product orand related service;
Amendment 518 #
Proposal for a regulation
Article 3 – paragraph 2 – point b
Article 3 – paragraph 2 – point b
(b) whether the data is likely towill be generated continuously and in real-time;
Amendment 520 #
Proposal for a regulation
Article 3 – paragraph 2 – point b a (new)
Article 3 – paragraph 2 – point b a (new)
(b a) whether the data will be stored on- device or on a remote server;
Amendment 523 #
Proposal for a regulation
Article 3 – paragraph 2 – point c
Article 3 – paragraph 2 – point c
(c) how the user may access, retrieve and request de erasure of those data;
Amendment 536 #
Proposal for a regulation
Article 3 – paragraph 2 – point d
Article 3 – paragraph 2 – point d
(d) whether the manufacturer supplying the product or the service provider providing the related service intends to use the data itself or allow a third party to use the data and, if so, the purposes for which those data will be used;
Amendment 540 #
Proposal for a regulation
Article 3 – paragraph 2 – point e
Article 3 – paragraph 2 – point e
(e) whether the seller, renter or lessorprovider of the related service is the only data holder and, if not, the identity of the other data holders, such as its trading name and, the geographical address at which it is established; and where applicable the legal entity identifier;
Amendment 545 #
Proposal for a regulation
Article 3 – paragraph 2 – point f a (new)
Article 3 – paragraph 2 – point f a (new)
(f a) where relevant, the type of data likely to be generated by the use of the connected product or related service that may contain or contains any trade secrets or may reveal or reveals any other relevant information concerning intellectual property rights and thus requires prior explicit written consent of the data holder before providing access to, using or sharing it;
Amendment 547 #
Proposal for a regulation
Article 3 – paragraph 2 – point g
Article 3 – paragraph 2 – point g
(g) how the user may request that the data are shared with a third-party and withdraw the consent for data sharing;
Amendment 557 #
Proposal for a regulation
Article 4 – paragraph 1
Article 4 – paragraph 1
1. Where data cannot be directly accessed by the user from the product, the data holder shall make available to the user the data generated by its use of a product or related service without undue delay, free of charge and, where applicable, continuously and in real-time. This shall be done on the basis of a simple request through electronic means where technically feasiblin a structured, commonly used and machine- readable format, free of charge and, where technically feasible, continuously and in real-time.
Amendment 567 #
Proposal for a regulation
Article 4 – paragraph 2
Article 4 – paragraph 2
2. The data holder shall not require the user to provide any information beyond what is strictly necessary to verify the quality as a user pursuant to paragraph 1. The data holder shall not keep any information on the user’'s access to the data requested beyond what is necessary for the sound execution of the user’s access request and for the security and the maintenance of the data infrastructure. Where identification is legally required, data holders shall enable the possibility for users to identify and authenticate through the European Digital Identity Wallets, pursuant to Regulation (EU) XXX/XXXX [European Digital Identity framework].
Amendment 584 #
Proposal for a regulation
Article 4 – paragraph 3
Article 4 – paragraph 3
3. Trade secrets shall only be disclosed provided that all specifiche data holder can take all necessary measures are taken, in advance to preserve the confidentiality of its trade secrets, in particular wisofar this is not hampering the respect to third partiesights of the users or third parties to access data. The data holder and the user can agree on measures to preserve the confidentiality of the shared data, in particular in relation to third parties.
Amendment 585 #
Proposal for a regulation
Article 4 – paragraph 3 a (new)
Article 4 – paragraph 3 a (new)
3 a. The user shall have the right to either directly share, through a data holder or through providers of data intermediation services as set in the Regulation (EU) 2022/868, their non- personal data to any data recipient for commercial purposes. The data sharing between a user and a data recipient shall be done through contractual agreements, the provisions of Chapter IV on fair, reasonable and non-discriminatory terms shall apply mutatis mutandis to the contractual agreements between users and data recipients.
Amendment 586 #
Proposal for a regulation
Article 4 – paragraph 3 b (new)
Article 4 – paragraph 3 b (new)
3 b. Data holders shall not make available non-personal data transmitted to them from the connected product of the individual user, to third parties for commercial or non-commercial purposes other than the fulfilment of their obligations to the user. Where relevant, data holders shall contractually bind third parties not to monetise or further share data received from them.
Amendment 602 #
Proposal for a regulation
Article 5 – title
Article 5 – title
5 Right of the user to share data with third parties
Amendment 610 #
Proposal for a regulation
Article 5 – paragraph 1
Article 5 – paragraph 1
1. Upon request by a user, or by a party acting on behalf of a user, the data holder shall make available the data generated by the use of a connected product or related service to a third party, in accordance with Articles 8 and 9, without undue delay, free of charge to the user, of the same quality as is available to the data holder and, where applicaeasily, securely, in a structured, commonly used and machine- readable format and, where technically feasible, continuously and in real-time.
Amendment 616 #
Proposal for a regulation
Article 5 – paragraph 2 – introductory part
Article 5 – paragraph 2 – introductory part
2. Any undertaking manufacturing connected products or providing related services which has been determined to have a dominant position on the market pursuant to national or Union competition law and any undertaking providing core platform services for which one or more of such services have been designated as a gatekeeper, pursuant to Article […] of [Regulation XXX on contestable and fair markets in the digital sector (Digital Markets Act)73 ], shall not be an eligible third party under this Article and therefore shall not: _________________ 73 OJ […].
Amendment 625 #
Proposal for a regulation
Article 5 – paragraph 3
Article 5 – paragraph 3
3. The user or third party shall not be required to provide any information beyond what is strictly necessary to verify the quality as user or as third party pursuant to paragraph 1. The data holder shall not keep any information on the third party’s access to the data requested beyond what is necessary for the sound execution of the third party’s access request and for the security and the maintenance of the data infrastructure. Where identification is not legally required, users should be able to use products anonymously.
Amendment 652 #
Proposal for a regulation
Article 6 – paragraph 2 – point b
Article 6 – paragraph 2 – point b
(b) use the data it receives for purposes of direct marketing or advertising, credit scoring, including for the profiling of natural persons within the meaning of Article 4(4) of Regulation (EU) 2016/679, unless it is necessary to provide the service requested by the user, and with the user’s explicit consent;
Amendment 665 #
Proposal for a regulation
Article 6 – paragraph 2 – point d
Article 6 – paragraph 2 – point d
(d) make the data available it receives to an undertaking manufacturing connected products or providing related services which has been determined to have a dominant position on the market pursuant to national or Union competition law and to an undertaking providing core platform services for which one or more of such services have been designated as a gatekeeper pursuant to Article […] of [Regulation on contestable and fair markets in the digital sector (Digital Markets Act)];
Amendment 680 #
Proposal for a regulation
Article 7 – paragraph 1
Article 7 – paragraph 1
1. The obligations pursuant to Articles 4, 5, and 6 of this Chapter shall not apply to data generated by the use of connected products manufactured ord related services provided by enterprises that qualify as micro or small enterprises, as defined in Article 2 of the Annex to Recommendation 2003/361/EC, provided those enterprises do not have partner enterprises or linked enterprises as defined in Article 3 of the Annex to Recommendation 2003/361/EC which do not qualify as a micro or small enterprise.
Amendment 684 #
Proposal for a regulation
Article 7 – paragraph 2
Article 7 – paragraph 2
2. Where this Regulation refers to products or related services, such reference shall also be understood to include virtual assistants, insofar as they are used to access or control a product or related serviceconnected product.
Amendment 695 #
6 a. Data holders and data recipients shall take all necessary legal, organisational and technical measures to ensure the cybersecurity of the data transfers and security and integrity of the data.
Amendment 703 #
Proposal for a regulation
Article 9 – paragraph 2
Article 9 – paragraph 2
2. Where the data recipient is a micro, small or medium enterprise, as defined in Article 2 of the Annex to Recommendation 2003/361/EC, provided those enterprises do not have partner enterprises or linked enterprises as defined in Article 3 of the Annex to Recommendation 2003/361/EC which do not qualify as a micro, small or medium enterprise, any compensation agreed shall not exceed the costs directly related to making the data available to the data recipient and which are attributable to the request. Article 8(3) shall apply accordingly.
Amendment 713 #
Proposal for a regulation
Article 9 – paragraph 4 a (new)
Article 9 – paragraph 4 a (new)
4 a. The Commission shall develop guidelines to determine what are the criteria for a reasonable compensation according to paragraph 1, set between data holders and data recipients.
Amendment 716 #
Proposal for a regulation
Article 10 – paragraph 1
Article 10 – paragraph 1
1. DUsers, data holders and data recipients shall have access to dispute settlement bodies, certified in accordance with paragraph 2 of this Article, to settle disputes in relation to the determination of fair, reasonable and non-discriminatory terms for and the transparent manner of making data available in accordance with Articles 8 and 9.
Amendment 718 #
Proposal for a regulation
Article 10 – paragraph 6 a (new)
Article 10 – paragraph 6 a (new)
6 a. Dispute settlement bodies shall be obliged, when dealing with personal data related disputes, to act in line with EU and national law in the field of personal data protection, including personal data protection case law.
Amendment 726 #
Proposal for a regulation
Article 11 – paragraph 1 a (new)
Article 11 – paragraph 1 a (new)
1 a. Where the data recipient has acted in violation of Article 6(2)(a) and 6(2)(b), users shall have the same rights as data holders under paragraph 2 of this Article. Paragraph 3 shall apply mutatis mutandis.
Amendment 728 #
Proposal for a regulation
Article 11 – paragraph 2 – introductory part
Article 11 – paragraph 2 – introductory part
2. A data recipient that has, for the purposes of obtaining non-personal data, provided inaccurate or false information to the data holder, deployed deceptive or coercive means or abused evident gaps in the technical infrastructure of the data holder designed to protect the data, has used the data made available for unauthorised purposes or has disclosed those data to another party without the data holder’s authorisation, shall without undue delay, unless the data holder or the user instruct otherwise:
Amendment 743 #
Proposal for a regulation
Article 13 – paragraph 2
Article 13 – paragraph 2
2. A contractual term is unfair if it is of such a nature that its use grossly deviates from good commercial practice in data access and use, contrary to good faith and fair dealing and creates a significant imbalance between the rights and obligations of the parties to the contract.
Amendment 751 #
Proposal for a regulation
Article 13 – paragraph 8 a (new)
Article 13 – paragraph 8 a (new)
8 a. Within 12 months from the entry into force of this Regulation, the Commission shall by means of implementing acts further develop guidelines on the reasonable prices for the compensation for data sharing and measures to prevent and mitigate data market distortion practices provided in Chapters III and IV.
Amendment 771 #
Proposal for a regulation
Article 15 – paragraph 1 – introductory part
Article 15 – paragraph 1 – introductory part
An exceptional need to use data within the meaning of this Chapter shall be limited in time and scope and deemed to exist in any ofonly in the following circumstances:
Amendment 777 #
Proposal for a regulation
Article 15 – paragraph 1 – point a
Article 15 – paragraph 1 – point a
(a) where the data requested is strictly necessary to respond to a public emergency;
Amendment 781 #
Proposal for a regulation
Article 15 – paragraph 1 – point b
Article 15 – paragraph 1 – point b
(b) where the data request is limited in time and scope andstrictly necessary to prevent a public emergency or to assist the recovery from a public emergency; and only if all of the following conditions are fulfilled:
Amendment 782 #
Proposal for a regulation
Article 15 – paragraph 1 – point b – point i (new)
Article 15 – paragraph 1 – point b – point i (new)
i) the public sector body or Union institution, agency or body has exhausted all other means to obtain such data, including by purchasing the data on the market at market rates or by relying on existing obligations to make data available, and the adoption of new legislative measures cannot ensure the timely availability of the data; or
Amendment 783 #
Proposal for a regulation
Article 15 – paragraph 1 – point b – point ii (new)
Article 15 – paragraph 1 – point b – point ii (new)
ii) obtaining the data in line with the procedure laid down in this Chapter would substantively reduce the administrative burden for data holders or other enterprises.
Amendment 809 #
Proposal for a regulation
Article 17 – paragraph 1 – introductory part
Article 17 – paragraph 1 – introductory part
1. WherIn the requestings for data pursuant to Article 14(1), a public sector body or a Union institution, agency or body shall:
Amendment 813 #
Proposal for a regulation
Article 17 – paragraph 1 – point b
Article 17 – paragraph 1 – point b
(b) demonstrate the exceptional need for which the data are requested, laying down the circumstance justifying the request and demonstrating that all the conditions mentioned in Article 15 are met;
Amendment 817 #
Proposal for a regulation
Article 17 – paragraph 1 – point c a (new)
Article 17 – paragraph 1 – point c a (new)
(c a) justify the choice of data holder;
Amendment 818 #
Proposal for a regulation
Article 17 – paragraph 1 – point c b (new)
Article 17 – paragraph 1 – point c b (new)
(c b) mention the other public sector bodies, Union institutions, agencies or bodies, including where applicable third parties to which the data obtained will be made available to;
Amendment 822 #
Proposal for a regulation
Article 17 – paragraph 1 – point e
Article 17 – paragraph 1 – point e
(e) specify tha reasonable deadline by which the data are to be made available or within which the data holder may request the public sector body, Union institution, agency or body to modify or withdraw the request.;
Amendment 827 #
Proposal for a regulation
Article 17 – paragraph 1 – point e a (new)
Article 17 – paragraph 1 – point e a (new)
Amendment 831 #
Proposal for a regulation
Article 17 – paragraph 1 – point e b (new)
Article 17 – paragraph 1 – point e b (new)
(e b) where known at the moment of the request, specify for how long data will be stored and when data will be deleted.
Amendment 838 #
Proposal for a regulation
Article 17 – paragraph 2 – point b
Article 17 – paragraph 2 – point b
(b) be justified and proportionate to the exceptional need, in terms of the granularity and volume of the data requested and frequency of access of the data requested, and be limited to data necessary to carry out the task;
Amendment 840 #
Proposal for a regulation
Article 17 – paragraph 2 – point b a (new)
Article 17 – paragraph 2 – point b a (new)
(b a) mention the purpose of this processing;
Amendment 851 #
Proposal for a regulation
Article 17 – paragraph 2 – point d a (new)
Article 17 – paragraph 2 – point d a (new)
(d a) be sent to the competent authority referred to in paragraph 2a of this Article and Article 31;
Amendment 853 #
Proposal for a regulation
Article 17 – paragraph 2 a (new)
Article 17 – paragraph 2 a (new)
2 a. A public sector body or a Union institution, agency or body requesting access to the data shall send the request to the competent authority referred to in Article 31. The competent authority shall coordinate the requests by: (a) analysing whether the request meets the requirements laid down in this Chapter; (b) determine whether a data holder has not received similar requests to make data available by more public sector bodies or Union institutions, agencies or bodies; (c) sending the requests to the data holder for the execution; (d) ensuring the online public availability of requests for access to data made by public sector bodies.
Amendment 855 #
Proposal for a regulation
Article 17 – paragraph 4 – subparagraph 1
Article 17 – paragraph 4 – subparagraph 1
Amendment 866 #
Proposal for a regulation
Article 17 – paragraph 4 a (new)
Article 17 – paragraph 4 a (new)
4 a. The third party shall not use the data it receives from a public sector body or a Union institution, agency or body to develop a product or a service that competes with the product or service from which the accessed data originate or share the data with another third party for that purpose.
Amendment 874 #
Proposal for a regulation
Article 18 – paragraph 2 – introductory part
Article 18 – paragraph 2 – introductory part
2. Without prejudice to specific needs regarding the availability of data defined in sectoral legislation, the data holder may decline or seek the modification of the request, withiout undue delay, but no longer than 5 working days following the receipt of a request for the data necessary to respond to a public emergency and within 15 working days in other cases of exceptional need, on either of the following grounds:
Amendment 880 #
Proposal for a regulation
Article 18 – paragraph 2 – point b a (new)
Article 18 – paragraph 2 – point b a (new)
(b a) a similar request for the same purpose has been previously submitted by another public sector body or Union institution, agency or body and the data holder has not been notified of the destruction of the data pursuant to Article 19(1)(c).
Amendment 881 #
Proposal for a regulation
Article 18 – paragraph 3
Article 18 – paragraph 3
3. In case of a request for data necessary to respond to a public emergencyfor an exceptional need pursuant to Article 15, the data holder may also decline or seek modification of the request if the data holder already provided the requested data in response to previously submitted request for the same purpose by another public sector body or Union institution agency or body and the data holder has not been notified of the destruction of the data pursuant to Article 19(1), point (c).
Amendment 885 #
Proposal for a regulation
Article 18 – paragraph 5
Article 18 – paragraph 5
5. Where compliance with the request to make data available to a public sector body or a Union institution, agency or body requires the disclosure of personal data, the data holder shall take reasonable efforts to pseudonymise the data, insofar as the request can be fulfilled with pseudall necessary measures to irreversibly anonymised the data.
Amendment 902 #
Proposal for a regulation
Article 19 – paragraph 1 – point b a (new)
Article 19 – paragraph 1 – point b a (new)
(b a) take all necessary legal, technical and organisational measures to ensure the integrity and security of the data received;
Amendment 904 #
Proposal for a regulation
Article 19 – paragraph 1 – point c
Article 19 – paragraph 1 – point c
(c) destroy the data as soon as, without undue delay, the data theyat are no longer necessary for the stated purpose and inform the data holder that the data have been destroyed.;
Amendment 907 #
Proposal for a regulation
Article 19 – paragraph 1 – point c a (new)
Article 19 – paragraph 1 – point c a (new)
(c a) notify the data holder, without undue delay, of any cybersecurity threat, vulnerability or incident that has compromised the security and integrity of the data that has been transferred to them, without prejudice to the reporting obligations under Regulation (EU) XXX/XXXX [EUIBA] and Directive (EU) XXX/XXXX [NIS2].
Amendment 914 #
Proposal for a regulation
Article 19 – paragraph 2
Article 19 – paragraph 2
2. Disclosure of trade secrets or alleged trade secrets to a public sector body or to a Union institution, agency or body shall only be required to the extent that it is strictly necessary to achieve the purpose of the request. In such a case, the public sector body or the Union institution, agency or body shall take appropriate the legal, technical and organisational measures needed to preserve the confidentiality of those trade secrets.
Amendment 925 #
Proposal for a regulation
Article 20 – paragraph 2
Article 20 – paragraph 2
2. Where tThe data holder claimsshall be entitled to reasonable compensation for making data available in compliance with a request made pursuant to Article 15, points (b) or (c), s. Such compensation shall not exceed the technical and organisational costs incurred to comply with the request including, where necessary, the costs of anonymisation and of technical adaptation, plus a fair and reasonable margin. Upon request of the public sector body or the Union institution, agency or body requesting the data, the data holder shall provide information on the basis for the calculation of the costs and the reasonable margin.
Amendment 933 #
Proposal for a regulation
Article 21 – title
Article 21 – title
21 Contribution of research organisations or statistical bodies in the context of exceptional needs
Amendment 941 #
Proposal for a regulation
Article 21 – paragraph 2
Article 21 – paragraph 2
2. Individuals or organisations receiving the data pursuant to paragraph 1 shall act exclusively on a not-for-profit basis or in the context of a public-interest mission recognised in Union or Member State law. They shall not include organisations upon which commercial undertakings have a decisive influence or which could result in preferential access to the results of the research.
Amendment 943 #
Proposal for a regulation
Article 21 – paragraph 4
Article 21 – paragraph 4
4. Where a public sector body or a Union institution, agency or body intends to transmits or makes data available under paragraph 1, it shall notify the data holder from whom the data was received. and provide all necessary information regarding the identity of the data recipient and the activities that will be carried out by the data recipient based on the data received pursuant to paragraph 1. Data holders shall have the right to object to the sharing of data by a public sector body or a Union institution, agency or body under paragraph 1, to the competent authority, when such data sharing does not meet the requirements of this Chapter.
Amendment 949 #
Proposal for a regulation
Article 22 – paragraph 4
Article 22 – paragraph 4
4. After having been notifiedreceived the request in accordance with paragraph 3, the relevant competent authority shall advisend the requesting public sector body of the need, if any, to to the coomperate with public sector bodiestent authority of the Member State in which the data holder is established, with the aim of ensuring cooperation among authorities and reducing the administrative burden on the data holder in complying with the request. The requesting public sector body shall take the advice of the relevant competent authority into account.
Amendment 950 #
Proposal for a regulation
Article 22 – paragraph 3
Article 22 – paragraph 3
3. Where a public sector body intends to request data from a data holder established in another Member State, it shall first notify and send the request to the competent authority of that Member State as referred to in Article 31, of that intention. This requirement shall also apply to requests by Union institutions, agencies and bodies.
Amendment 1005 #
Proposal for a regulation
Article 27 – paragraph 1
Article 27 – paragraph 1
1. Providers of data processing services shall take all reasonablenecessary technical, legal and organisational measures, including contractual arrangements, in order to prevent international transfer or governmental access to non-personal data held in the Union where such transfer or access would create a conflict with Union law or the national law of the relevant Member State, without prejudice to paragraph 2 or 3.
Amendment 1092 #
Proposal for a regulation
Article 30 – paragraph 6
Article 30 – paragraph 6
6. Where harmonised standards referred to in paragraph 4 of this Article do not exist or w, the Commission shall issue a standardisation request in accordance with Article 10 of Regulation 1025/2012. Where the Commission considers that the relevant harmonised standards are insufficient to ensure conformity with the essential requirements in paragraph 1 of this Article in a cross- border context, the Commission may, by way of implementing acts, adopt common specifications in respect of the essential requirements set out in paragraph 1 of this Article. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 39(2).
Amendment 1115 #
Proposal for a regulation
Article 31 – paragraph 3 – point g
Article 31 – paragraph 3 – point g
(g) ensuring the online public availability of requests for access to data made by public sector bodies in the case of public emergencies undercoordinating requests made by public sector bodies to private sector to access data, according to Chapter V;.
Amendment 1128 #
Proposal for a regulation
Article 32 – paragraph 2
Article 32 – paragraph 2
2. The competent authority with which the complaint has been lodged shall inform the complainant in accordance with national law of the progress of the proceedings and of the decision taken.
Amendment 1163 #
Proposal for a regulation
Article 42 – paragraph 2 a (new)
Article 42 – paragraph 2 a (new)
The obligation resulting from Article 3(1) shall apply retroactively to connected products placed on the market within 5 years prior to the entry into force of this Regulation, only when the manufacturer or provider of related service is able to remotely deploy mechanisms to ensure the fulfilment of the requirements pursuant to Article 3(1) and only when the deployment of such mechanisms would not place a disproportionate burden on the manufacturer or provider of related services.