Activities of Sergey LAGODINSKY related to 2020/0340(COD)
Plenary speeches (1)
Data Governance Act (debate)
Opinions (1)
OPINION on the proposal for a regulation of the European Parliament and of the Council Proposal for a regulation of the European Parliament and of the Council on European data governance (Data Governance Act)
Shadow opinions (1)
OPINION on the proposal for a regulation of the European Parliament and of the Council European data governance (Data Governance Act)
Legal basis opinions (0)
Amendments (95)
Amendment 53 #
Proposal for a regulation
Recital 3
Recital 3
(3) It is necessary to improve the conditions for data sharing in the internal market, by creating a harmonised framework for data exchanges. Sector- specific legislation can develop, adapt and propose new and complementary elements, depending on the specificities of the sector, such as the envisaged legislation on the European health data space25 and on access to vehicle data. Moreover, certain sectors of the economy are already regulated by sector-specific Union law that include rules relating to cross-border or Union wide sharing or access to data26 . This Regulation is therefore without prejudice to Regulation (EU) 2016/679 of the European Parliament and of the Council (27 ), and in particular the implementation of this Regulation shall not prevent cross border transfers of data in accordance with Chapter V of Regulation (EU) 2016/679 from taking place, Directive (EU) 2016/680 of the European Parliament and of the Council (28 ), Directive (EU) 2016/943 of the European Parliament and of the Council (29 ), Regulation (EU) 2018/1807 of the European Parliament and of the Council (30 ), Regulation (EC) No 223/2009 of the European Parliament and of the Council (31 ), Directive 2000/31/EC of the European Parliament and of the Council (32 ), Directive 2001/29/EC of the European Parliament and of the Council (33 ), Directive (EU) 2019/790 of the European Parliament and of the Council (34 ), Directive 2004/48/EC of the European Parliament and of the Council (35 ), Directive (EU) 2019/1024 of the European Parliament and of the Council (36 ), as well as Regulation 2018/858/EU of the European Parliament and of the Council (37 ), Directive 2010/40/EU of the European Parliament and of the Council (38 ) and Delegated Regulations adopted on its basis, and any other sector-specific Union legislation that organises the access to and re-use of data. This Regulation should be without prejudice to Union law on the access and use of data for the purpose of international cooperation in the context of prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties. A horizontal regime for the re-use of certain categories of protected data held by public sector bodies, the provision of data sharing services and of services based on data altruism in the Union should be established. Specific characteristics of different sectors may require the design of sectoral data-based systems, while building on the requirements of this Regulation. Where a sector-specific Union legal act requires public sector bodies, providers of data sharing services or registered entities providing data altruism services to comply with specific additional technical, administrative or organisational requirements, including through an authorisation or certification regime, those provisions of that sector-specific Union legal act should also apply. _________________ 25 See: Annexes to the Communication from the Commission to the European Parliament, the Council, the European Economic and Social Committee and the Committee of the Regions on Commission Work Programme 2021 (COM(2020) 690 final). 26For example, Directive 2011/24/EU in the context of the European Health Data Space, and relevant transport legislation such as Directive 2010/40/EU, Regulation 2019/1239 and Regulation (EU) 2020/1056, in the context of the European Mobility Data Space. 27Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), (OJ L 119, 4.5.2016, p.1) 28Directive (EU) 2016/680 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, and on the free movement of such data, and repealing Council Framework Decision 2008/977/JHA. (OJ L 119, 4.5.2016, p.89) 29Directive (EU) 2016/943 of the European Parliament and of the Council of 8 June 2016 on the protection of undisclosed know-how and business information (trade secrets) against their unlawful acquisition, use and disclosure. (OJ L 157, 15.6.2016, p.1) 30 Regulation (EU) 2018/1807 of the European Parliament and of the Council of 14 November 2018 on a framework for the free flow of non-personal data in the European Union. (OJ L 303, 28.11.2018, p. 59) 31Regulation (EC) No 223/2009 of the European Parliament and of the Council of 11 March 2009 on European statistics and repealing Regulation (EC, Euratom) No 1101/2008 of the European Parliament and of the Council on the transmission of data subject to statistical confidentiality to the Statistical Office of the European Communities, Council Regulation (EC) No 322/97 on Community Statistics, and Council Decision 89/382/EEC, Euratom establishing a Committee on the Statistical Programmes of the European Communities. (OJ L 87, 31.03.2009, p. 164) 32Directive 2000/31/EC of the European Parliament and of the Council of 8 June 2000, on certain legal aspects of information society services, in particular electronic commerce, in the Internal Market (Directive on electronic commerce). (OJ L 178, 17.07.2000, p. 1) 33Directive 2001/29/EC of the European Parliament and of the Council of 22 May 2001 on the harmonisation of certain aspects of copyright and related rights in the information society. (OJ L 167, 22.6.2001, p. 10) 34 Directive (EU) 2019/790 of the European Parliament and of the Council of 17 April 2019 on copyright and related rights in the Digital Single Market and amending Directives 96/9/EC and 2001/29/EC. (OJ L 130, 17.5.2019, p. 92) 35Directive 2004/48/EC of the European Parliament and of the Council of 29 April 2004 on the enforcement of intellectual property rights. (OJ L 157, 30.4.2004). 36Directive (EU) 2019/1024 of the European Parliament and of the Council of 20 June 2019 on open data and the re-use of public sector information. (OJ L 172, 26.6.2019, p. 56). 37 Regulation (EU) 2018/858 of the European Parliament and of the Council of 30 May 2018 on the approval and market surveillance of motor vehicles and their trailers, and of systems, components and separate technical units intended for such vehicles, amending Regulations (EC) No 715/2007 and (EC) No 595/2009 and repealing Directive 2007/46/EC (OJ L 151, 14.6.2018). 38 Directive 2010/40/EU of the European Parliament and of the Council of 7 July 2010 on the framework for the deployment of Intelligent Transport Systems in the field of road transport and for interfaces with other modes of transport. (OJ L 207, 6.8.2010, p. 1)
Amendment 55 #
Proposal for a regulation
Recital 3 a (new)
Recital 3 a (new)
Amendment 57 #
(4) Action at Union level is necessary in order to address the barriers to a well- functioning data-driven economy and to increase awareness and trust regarding the sharing of data, in particular by establishing proper mechanisms for data subjects to know and meaningfully exercise their rights, as well as data holders to exercise control over data, and create a Union-wide governance framework for data access and use, in particular regarding the re-use of certain types of data held by the public sector, the provision of services by data sharing providers to business users and to data subjects, as well as the collection and processing of data made available for altruistic purposes by natural and legal persons.
Amendment 62 #
Proposal for a regulation
Recital 5
Recital 5
(5) The idea that data that has been generated at the expense of public budgets should benefit society has been part of Union policy for a long time. Directive (EU) 2019/1024 as well as sector-specific legislation ensure that the public sector makes more of the data it produces easily available for use and re-use. However, certain categories of data (commercially confidential data, data subject to statistical confidentiality, data protected by intellectual property rights of third parties, including trade secrets and personal data not accessible on the basis of specific national or Union legislation, such as Regulation (EU) 2016/679 and Directive (EU) 2016/680) in public databases is often not made available, not even for research or innovative activities. Due to the sensitivity of this data, certain technical and legal procedural requirements must be met before they are made available, in order to ensure the respect of rights others have over such data. Such, or limit negative impact on fundamental rights, the principle of non-discrimination and data protection. Such technical and legal procedural requirements are usually time- and knowledge-intensive to fulfil. This has led to the underutilisation of such data and a lack of public trust, transparency, and legal clarity. While some Member States are setting up structures, processes and sometimes legislate to facilitate this type of re-use, this is not the case across the Union.
Amendment 64 #
Proposal for a regulation
Recital 6
Recital 6
(6) There are techniques enabling privacy-friendly analyses on databases that contain personal data, such as anonymisation, pseudonymisation, differential privacy, generalisation, or suppression, and randomisation. Application of these privacy-enhancing technologies, together with comprehensive data protection approaches should ensure the safe that could contribute to a more privacy-friendly processing of data. Application of these technologies, together with comprehensive data protection impact assessments and other approaches, can contribute to more safety in the use and re-use of personal data and commercially confidential business data for research, innovation and statistical purposes. In many cases this implies that the data use and re-use in this context can only be done in a secure processing environment set in place and supervised by the public sector. There is experience at Union level with such secure processing environments that are used for research on statistical microdata on the basis of Commission Regulation (EU) 557/2013 (39 [1]). In general, insofar as personal data are concerned, the processing of personal data should rely upon one or more of the grounds for processing provided in Article 6 and 9 of Regulation (EU) 2016/679. _________________ 39 Commission Regulation (EU) 557/2013 of 17 June 2013 implementing Regulation (EC) No 223/2009 of the European Parliament and of the Council on European Statistics as regards access to confidential data for scientific purposes and repealing Commission Regulation (EC) No 831/2002 (OJ L 164, 18.6.2013, p. 16).
Amendment 65 #
Proposal for a regulation
Recital 6 a (new)
Recital 6 a (new)
(6a) In order to facilitate the protection of personal data or confidential data, and to speed up the process of making such data available for re-use under this Regulation, Member States should encourage public authorities to create and procure data in formats and structures that allow for swift anonymisation, similar to the principle ‘open by design and by default’ as referenced in Recital (16) of Directive (EU) 2019/1024 (Open Data Directive), and as encouraged under the green transition and digital transformation strategy promoting interoperability, energy efficiency, personal data protection and the use of open-source solutions.
Amendment 66 #
Proposal for a regulation
Recital 7
Recital 7
(7) The categories of data held by public sector bodies which should be subject to re-use under this Regulation fall outside the scope of Directive (EU) 2019/1024 that excludes data which is not accessible due to commercial and statistical confidentiality and data for which third parties have intellectual property rights. PThis Regulation should apply to personal data that fall outside the scope of Directive (EU) 2019/1024 insofar as the access regime excludes or restricts access to such data for reasons of data protection, privacy and the integrity of the individual, in particular in accordance with data protection rules. The re-use of data, which may contain trade secrets, should take place without prejudice to Directive (EU) 2016/94340 , which sets the framework for the lawful acquisition, use or disclosure of trade secrets. This Regulation is without prejudice and complementary to more specific obligations on public sector bodies to allow re-use of data laid down in sector- specific Union or national law. _________________ 40This Regulation should not create an obligation to allow re-use of personal data held by public sector bodies. OJ L 157, 15.6.2016, p. 1–18
Amendment 70 #
Proposal for a regulation
Recital 9
Recital 9
(9) Public sector bodies should comply with competition law when establishing the principles for re-use of data they hold, avoiding as far as possible the conclusion of agreements, which might have as their objective or effect the creation of exclusive rights for the re-use of certain data. Such agreement should be only possible when justified and necessary for the provision of a service of generalpublic interest. This may be the case when exclusive use of the data is the only way to maximise the societal benefits of the data in question, for example where there is only one entity (which has specialised in the processing of a specific dataset) capable of delivering the service or the product which allows the public sector body to provide an advanced digital service in the generalpublic interest. Such arrangements should, however, be concluded in compliance with public procurement rules and be subject to regular review based on a market analysis in order to ascertain whether such exclusivity continues to be necessary. In addition, such arrangements should comply with the relevant State aid rules, as appropriate, and should be concluded for a limited period, which should not exceed three years. In order to ensure transparency, such exclusive agreements should be published online, regardless of a possible publication of an award of a public procurement contract.
Amendment 71 #
Proposal for a regulation
Recital 11
Recital 11
(11) Conditions for re-use of protected data that apply to public sector bodies competent under national law to allow re- use, and which should be without prejudice to rights or obligations concerning access to such data, should be laid down. Those conditions should be non-discriminatory, proportionate and objectively justified, while not restricting competition. In particular, pPublic sector bodies allowing re-use should have in place the technical means necessary to ensure the protection of rights and interests of third parties. Conditions attached to the re-use of data should be limited to what is necessary to preserve the rights and interests of others in the data and the integrity of the information technology and communication systems of the public sector bodies. Public sector bodies should apply conditions which best serve the interests of the re-user without leading to a disproportionate effortburden for the public sector. Depending on the case at hand, bConditions should be designed to ensure effective safeguards with regard to the protection of personal data. Before its transmission, personal data should be fully anonymised, so as to definitively not allow the identification of the data subjects, or data containing commercially confidential information modified in such a way that no confidential information is disclosed. Where provision of anonymised or modified data would not respond to the needs of the re-userthe impact on the protection of personal data has been carefully assessed and the risks for the rights and interests of data subjects are minimal, on- premise or remote re-use of the data within a secure processing environment could be permitted. Data analyses in such secure processing environments should be supervised by the public sector body, so as to protect the rights and interests of others. In particular, personal data should only be transmitted for re-use to a third party where a legal basis allows such transmission. The public sector body could makeIn a context of growing availability and sharing of data, even the re-use of such secure processing environment conditional on the signature by the re-user of a confidentiality agreement that prohibits the disclosure of any information that jeopardises the rightnon- personal data could have an impact on the protection of personal data, especially where such data are the result of anonymisation and other techniques, as and interests of third parties that the re- user may have acquired despite the safeguards put in place. crease in available data can lead to an increase in the chance of re- identification of data subjects, as also pointed out in the AEPD-EDPS joint paper on 10 misunderstandings related to anonymisation, published on 27 April 20211a.The public sector bodies, where relevant, should facilitate the re-use of personal data on the basis of consent of data subjects or, in case of non-personal data, on the basis of permissions of legal persons on the re-use of data pertaining to them, through adequate technical means. In this respect, it should be possible for the public sector body shouldto support potential re- users in seeking such consent by establishing technical mechanisms that permit transmitting requests for consent from re-users, where permitted and practically feasible. No contact information should be given that allows re-users to contact data subjects or companies directly. When transmitting the request to consent to data subjects that have previously agreed to being contacted, the public sector body should ensure that the data subjects are thoroughly informed of their rights, in particular of the right to refuse such a request. The responsibility for demonstrating that valid consent has been obtained should lie with the re-users. _________________ 1ahttps://edps.europa.eu/data- protection/our- work/publications/papers/aepd-edps-joint- paper-10-misunderstandings-related_en AEPD-EDPS joint paper on 10 misunderstandings related to anonymisation, published on 27 April 2021.
Amendment 75 #
Proposal for a regulation
Recital 11 a (new)
Recital 11 a (new)
(11a) The de-anonymisation of datasets should be prohibited unless where data subjects have given their consent, or another legal basis permits it. This should be without prejudice to the possibility to conduct research into anonymisation techniques, in particular where finding possible weaknesses in existing anonymisation techniques could lead to the overall strengthening of anonymisation, while duly respecting the fundamental right to the protection of personal data.
Amendment 79 #
Proposal for a regulation
Recital 14
Recital 14
(14) Companies and data subjects should be able to trust that the re-use of certain categories of protected data, which are held by the public sector, will take place in a manner that respects their rights and interests. Additional safeguards should thus be put in place for situations in which the re-use of such public sector data is taking place on the basis of a processing of the data outside the public sector. Such an additional safeguard could be found in the requirement that public sector bodies should take fully into accounrespect the rights and interests of natural and legal persons (in particular the protection of personal data, commercially sensitive data and the protection of intellectual property rights) in case such data is transferred to third countries.
Amendment 81 #
Proposal for a regulation
Recital 15
Recital 15
(15) Furthermore, it is important to protect commercially sensitive data of non- personal nature, notably trade secrets, but also non-personal data representing content protected by intellectual property rights from unlawful access that may lead to IP theft or industrial espionage, while ensuring that unnecessary legal barriers pertaining to exclusive rights are removed in order to unlock the potential of the use of non- personal data. In order to ensure the protection of fundamental rights or interests of data subjects and data holders, non-personal data which is to be protected from unlawful or unauthorised access under Union or national law, and which is held by public sector bodies, should be transferred only to third-countries where appropriate safeguards for the use of data are provided. Such appropriate safeguards should be considered to exist when in that third- country there are equivalent measures in place which ensure that non-personal data benefits from a level of protection similar to that applicable by means of Union or national law in particular as regards the protection of trade secrets and the protection of intellectual property rights. To that end, the Commission may adopt implementing acts that declare that a third country provides a level of protection that is essentially equivalent to those provided by Union or national law. The assessment of the level of protection afforded in such third-country should, in particular, take into consideration the relevant legislation, both general and sectoral, including concerning public security, defence, national security and criminal law concerning the access to and protection of non-personal data, any access by the public authorities of that third country to the data transferred, the existence and effective functioning of one or more independent supervisory authorities in the third country with responsibility for ensuring and enforcing compliance with the legal regime ensuring access to such data, or the third countries’ international commitments regarding the protection of data the third country concerned has entered into, or other obligations arising from legally binding conventions or instruments as well as from its participation in multilateral or regional systems. The existence of effective legal remedies for data subjects and data holders, public sector bodies or data sharing providers in the third country concerned is of particular importance in the context of the transfer of non-personal data to that third country. Such safeguards should therefore include the availability of enforceable rights and of effective legal remedies.
Amendment 87 #
Proposal for a regulation
Recital 20
Recital 20
(20) Public sector bodies should be able to charge fees for the re-use of data but should also be able to decide to make the data availablallow re- use at lower or no cost, for example for certain categories of re-uses such as non- commercial re-use, re-use for scientific research purposes, or re-use by small and medium-sized enterprises, so as to incentivise such re-use in order to stimulate research and innovation and support companies that are an important source of innovation and typically find it more difficult to collect relevant data themselves, in line with State aid rules. Such fees should be reasonable, transparent, published online and non- discriminatory.
Amendment 88 #
Proposal for a regulation
Recital 21
Recital 21
(21) In order to incentivise the re-use of these categories of data, Member States should establish a single information point to act as the primary interface for re-users that seek to re-use such data held by the public sector bodies. It should have a cross-sector remit, and should complement, if necessary, arrangements at the sectoral level. In addition, Member States should designate, establish or facilitate the establishment of competent bodies to support the activities of public sector bodies allowing re-use of certain categories of protected data. Their tasks may include granting access to data, where mandated in sectoral Union or Member States legislation. Those competent bodies should provide support to public sector bodies with state-of-the-art techniques, including secure data processing environments, which allow data analysis in a manner that preserves the privacy of the information. Such support structure could support the data subjects and data holders with management of the consents and permissions, including consent tor permission to re-use for certain areas of scientific research when in keeping with recognised ethical standards for scientific research. DThe competent bodies should not have a supervisory function, which is reserved for supervisory authorities under Regulation (EU) 2016/679. Without prejudice to the supervisory powers of data protection authorities, data processing should be performed under the responsibility of the public sector body responsible for the register containing the data, who remains a data controller in the sense of Regulation (EU) 2016/679 insofar as personal data are concerned. Member States may have in place one or several competent bodies, which could act in different sectors.
Amendment 90 #
Proposal for a regulation
Recital 22
Recital 22
(22) Providers of data sharing services (data intermediaries) are expected to play a key role in the data economy, as. They could become a tool to facilitate the aggregation and exchange of substantial amounts of relevant data. Data intermediaries offering services that connect the different actors have the potential to contribute to the efficient pooling of data as well as to the facilitation of bilateral data sharing. Specialised data intermediaries that are independent from both data subjects and data holders, and from data users, can have a facilitating role in the emergence of new data-driven ecosystems independent from any player with a significant degree of market power. This Regulation should only cover providers of data sharing services that have as a main objective the establishment of a business, a legal and potentially also technical relation between data holders, including data subjectsubjects and data holders, on the one hand, and potential users on the other hand, and assist both parties in a transaction of data assets between the two. It should only cover services aiming at intermediating between an iundefinited number of data holders and data userssubjects and data holders, on the one hand, and data users on the other hand, excluding data sharing services that are meant to be used by a closed group of data subjects and data holders, and users. Providers of cloud services should be excluded, as well as service providers that obtain data from data subjects and data holders, aggregate, enrich or transform the data and licence the use of the resulting data to data users, without establishing a direct relationship between data holders and data userssubjects and data holders, on the one hand, and data users on the other hand, for example advertisement or data brokers, data consultancies, providers of data products resulting from value added to the data by the service provider. At the same time, data sharing service providers should be allowed to make adaptations to the data exchanged, to the extent that this improves the usability of the data by the data user, where the data user desires this, such as to convert it into specific formats. In addition, services that focus on the intermediation of content, in particular on copyright-protected content, should not be covered by this Regulation. Data exchange platforms that are exclusively used by one data holder in order to enable the use of data they hold as well as platforms developed in the context of objects and devices connected to the Internet-of-Things that have as their main objective to ensure functionalities of the connected object or device and allow value added services, should not be covered by this Regulation. ‘Consolidated tape providers’ in the sense of Article 4 (1) point 53 of Directive 2014/65/EU of the European Parliament and of the Council42 as well as ‘account information service providers’ in the sense of Article 4 point 19 of Directive (EU) 2015/2366 of the European Parliament and of the Council43 should not be considered as data sharing service providers for the purposes of this Regulation. Entities which restrict their activities to facilitating use of data made available on the basis of data altruism and that operate on a not-for-profit basis should not be covered by Chapter III of this Regulation, as this activity serves objectives of general interest by increasing the volume of data available for such purposes. _________________ 42Directive 2014/65/EU of the European Parliament and of the Council of 15 May 2014 on markets in financial instruments and amending Directive 2002/92/EC and Directive 2011/61/EU, OJ L 173/349. 43Directive (EU) 2015/2366 of the European Parliament and of the Council of 25 November 2015 on payment services in the internal market, amending Directives 2002/65/EC, 2009/110/EC and 2013/36/EU and Regulation (EU) No 1093/2010, and repealing Directive 2007/64/EC.
Amendment 96 #
Proposal for a regulation
Recital 28
Recital 28
(28) This Regulation should be without prejudice to the obligation of providers of data sharing services to comply with Regulation (EU) 2016/679 and the responsibility of supervisory authorities to ensure compliance with that Regulation. When providers of data sharing services process personal data, this Regulation should not affect the protection of personal data. Where the data sharing service providers are data controllers or processors in the sense of Regulation (EU) 2016/679 they are bound by the rules of that Regulation. This Regulation should be also without prejudice to the application of competition law.
Amendment 105 #
Proposal for a regulation
Recital 35
Recital 35
(35) There is a strong potential in the use of data made available voluntarily by data subjects based on their consent or, where it concerns non-personal data, made available by legal persons, for purposes of generalpublic interest. Such purposes would include healthcare, combating climate change, improving mobility, facilitating the establishment of official statistics or improving the provision of public services. Support to scientific research, including for example technological development and demonstration, fundamental research, applied research and privately funded research, should be considered as welcan also fulfil purposes of generalpublic interest. This Regulation aims at contributing to the emergence of pools of data made available on the basis of data altruism that have a sufficient size in order to enable data analytics and machine learning, including across borders in the Union.
Amendment 108 #
Proposal for a regulation
Recital 36
Recital 36
(36) Legal entities that seek to support purposes of generalpublic interest by making available relevant data based on data altruism at scale and meet certain requirements, should be able to register as ‘Data Altruism Organisations recognised in the Unionapply for registration as ‘Public Interest Data Hub’. This could lead to the establishment of data repositories. As registration in a Member State would be valid across the Union, and this should facilitate cross- border data use within the Union and the emergence of data pools covering several Member States. Data subjects in this respect would consent to specific purposes of data processing, but could also consent to data processing in certain areas of research or parts of research projects as it is often not possible to fully identify the purpose of personal data processing for scientific research purposes at the time of data collection. Legal persons could give permission to the processing of their non- personal data for a range of purposes not defined at the moment of giving the permission. The voluntary compliance of such registered entities with a set of requirements should bring trust that the data made available on altruistic purposes is serving a generalpublic interest purpose. Such trust should result in particular from a place of establishment or a legal representative within the Union, as well as from the requirement that registered entities have a not-for-profit character, from transparency requirements and from specific safeguards in place to protect rights and interests of data subjects and companies. The protection of the rights and interests of data subjects should notably include representative actions for the protection of the collective interests of consumers referred to as data subjects according to Directive 2020/1828. Further safeguards should include making it possible to process relevant data within a secure processing environment operated by the registered entity, oversight mechanisms such as ethics councils or boards to ensure that the data controller maintains high standards of scientific ethics, effective technical means to withdraw or modify consent at any moment, based on the information obligations of data processors under Regulation (EU) 2016/679 as well as means for data subjects to stay informed about the use of data they made available.
Amendment 109 #
Proposal for a regulation
Recital 38
Recital 38
(38) Data Altruism Organisations recognised in the UnionPublic Interest Data Hubs should be able to collect relevant data directly from natural and legal persons or to process data collected by others. Where they are data controllers or processors in the meaning of Regulation (EU) 2016/679 they are bound by the rules of that Regulation. Typically, data altruism would rely on consent of data subjects in the sense of Article 6(1)(a) and 9(2)(a) and in compliance with requirements for lawful consent in accordance with Article 7 of Regulation (EU) 2016/679. In accordance with Regulation (EU) 2016/679, scientific research purposes can be supported by consent to certain areas of scientific research when in keeping with recognised ethical standards for scientific research or only to certain areas of research or parts of research projects. Article 5(1)(b) of Regulation (EU) 2016/679 specifies that further processing for scientific or historical research purposes or statistical purposes should, in accordance with Article 89(1) of Regulation (EU) 2016/679, not be considered to be incompatible with the initial purposes. For non-personal data, the usage limitations should be found in the permission given by the data holder.
Amendment 111 #
Proposal for a regulation
Recital 40
Recital 40
(40) In order to successfully implement the data governance framework, a European Data Innovation Board should be established, in the form of an expert group. The Board should consist of representatives of the Member States, the Commission and representatives of relevant data spaces and specific sectors (such as health, agriculture, transport and statistics), as well as representatives from civil society, academia, research and standard setting organisations, as relevant. The European Data Protection Board should be invited to appoint a representative to the European Data Innovation Board.
Amendment 116 #
Proposal for a regulation
Article 1 – paragraph 2 a (new)
Article 1 – paragraph 2 a (new)
(2a) Union law on the protection of personal data shall apply to any personal data processed in connection with this Regulation. In particular, this Regulation shall be without prejudice to Regulation (EU) 2016/679, Directive 2002/58/EC, and Regulation (EU) 2018/1725, including the competences and powers of supervisory authorities. In the event of conflict between the provisions of this Regulation and Union law on the protection of personal data, the latter shall prevail. This Regulation does not create a legal basis for the processing of personal data.
Amendment 118 #
Proposal for a regulation
Article 2 – paragraph 1 – point 2 a (new)
Article 2 – paragraph 1 – point 2 a (new)
(2 a) 'personal data' means personal data as defined in point (1) of Article 4 of Regulation (EU) 2016/679;
Amendment 119 #
Proposal for a regulation
Article 2 – paragraph 1 – point 3 a (new)
Article 2 – paragraph 1 – point 3 a (new)
(3a) ‘consent’ means consent as defined in point (11) of Article 4 of Regulation (EU) 2016/679;
Amendment 120 #
Proposal for a regulation
Article 2 – paragraph 1 – point 3 b (new)
Article 2 – paragraph 1 – point 3 b (new)
(3b) 'data subject' means data subject as defined in point (1) of Article 4 of Regulation (EU) 2016/679;
Amendment 121 #
Proposal for a regulation
Article 2 – paragraph 1 – point 4
Article 2 – paragraph 1 – point 4
Amendment 122 #
Proposal for a regulation
Article 2 – paragraph 1 – point 5
Article 2 – paragraph 1 – point 5
(5) ‘data holder’ means a natural or legal person or data subject whothat, in accordance with applicable Union or national law, has the right to grant access to or to share certain personal or non-personal data under its control;
Amendment 123 #
Proposal for a regulation
Article 2 – paragraph 1 – point 6
Article 2 – paragraph 1 – point 6
(6) ‘data user’ means a natural or legal person who has lawful access to certain personal or non-personal data and is authorisedhas the right, including under Regulation (EU) 2016/679 in the case of personal data, to use that data for commercial or non- commercial purposes;
Amendment 125 #
Proposal for a regulation
Article 2 – paragraph 1 – point 7
Article 2 – paragraph 1 – point 7
(7) ‘data sharing’ means the provision of data by a data holder of data to a data user for the purpose of joint or individual use of the sharedat data, based on voluntary agreements or Union law, as well as the provision of data by a data subject to a data user based on consent, directly or through an intermediary;
Amendment 126 #
Proposal for a regulation
Article 2 – paragraph 1 – point 7 a (new)
Article 2 – paragraph 1 – point 7 a (new)
(7a) ‘data sharing service’ means a service, that, through the provision of technical, legal and other means establishes relationships between an undefined number of data subjects and data holders, on the one hand, and data users, on the other hand;
Amendment 127 #
Proposal for a regulation
Article 2 – paragraph 1 – point 7 b (new)
Article 2 – paragraph 1 – point 7 b (new)
(7b) ‘processing’ means processing as defined in point (2) of Article 4 of Regulation (EU) 2016/679;
Amendment 128 #
Proposal for a regulation
Article 2 – paragraph 1 – point 8
Article 2 – paragraph 1 – point 8
(8) ‘access’ means processing by a data user of data that has been provided by a data holderdata use, in accordance with specific technical, legal, or organisational requirements, without necessarily implying the transmission or downloading of such data;
Amendment 129 #
Proposal for a regulation
Article 2 – paragraph 1 – point 10
Article 2 – paragraph 1 – point 10
(10) ‘data altruism’ means the consent by data subjects to process personal data pertaining to them, or permissions of other data holders to allow the use of their non-personal datavoluntary data sharing by data holders, or the consent to data sharing by a data subject, without seeking or receiving a reward, for purposes of general interest, such aspublic interest, such as health care, combating climate change, improving mobility, facilitating the establishment of official statistics, improving public services, or scientific research purposes or improvingin the public servicinterest;
Amendment 131 #
Proposal for a regulation
Article 2 – paragraph 1 – point 10 a (new)
Article 2 – paragraph 1 – point 10 a (new)
(10a) ‘Public Interest Data Hub’ means an entity controlling, facilitating the processing, or processing itself, data pursuant to paragraph 10 for objectives of public interest, such as healthcare, combating climate change, improving mobility, facilitating the establishment of official statistics, improving public services, or scientific research purposes in the public interest;
Amendment 132 #
Proposal for a regulation
Article 2 – paragraph 1 – point 14
Article 2 – paragraph 1 – point 14
(14) ‘secure processing environment’ means the physical or virtual environment and organisational means to provide the opportunity to re-use data in a manner that allows for the operator ofpreserves data subjects’ rights under Regulation (EU) 2016/679 and commercial and statistical confidentiality, ensuring compliance with applicable legislation, or that allows the entity providing the secure processing environment to determine and supervise all data processing actions, including tohe display, storage, download, export of the data, and calculation of derivative data through computational algorithms.
Amendment 135 #
Proposal for a regulation
Article 3 – paragraph 3 a (new)
Article 3 – paragraph 3 a (new)
(3a) Where anonymisation, aggregation, or other techniques can be applied so that the protections under paragraph 1 no longer apply, public sector bodies shall make available the data for re-use as mandated by the Open Data Directive, without prejudice to the provisions of Article 5.
Amendment 142 #
Proposal for a regulation
Article 5 – paragraph 3
Article 5 – paragraph 3
(3) Public sector bodies may impose an obligationshall, in accordance with Union law, impose conditions necessary to pre-use only pre-processed data where such pre-processing aims to anonymize or pseudonymiseserve protection on the grounds listed in Article 3(1) to enable re-use. Such conditions may consist of the following requirements for re-users: (a) in the case of personal data, or delete commercially confidential information, including trade secrets. nly allow access to pre-processed data that has been anonymized, or (b) in the case of commercially confidential information, including trade secrets, or of confidential statistical data, or of content protected by intellectual property rights, only allow access to data that has been modified, aggregated, or treated by any other method to prevent unwanted disclosure;
Amendment 144 #
Proposal for a regulation
Article 5 – paragraph 4
Article 5 – paragraph 4
Amendment 146 #
Proposal for a regulation
Article 5 – paragraph 4 – point a
Article 5 – paragraph 4 – point a
(a) to access and re-use the data remotely within a secure processing environment provided and controlled by the public sector ; or
Amendment 147 #
(5) TIn the case that re-use has been allowed according to paragraph 3, points(a) and (b), the public sector bodies shall impose conditions that preserve the integrity of the functioning of the technical systems of the secure processing environment used. The public sector body shall be able to verifyreserve the right to verify the process, the means, and any results of processing of data undertaken by the re- user to preserve the integrity of the protection of the data and reserve the right to prohibit the use of results that contain information jeopardising the rights and interests of third parties. The public sector body shall make use of such a secure processing environment provided the re- user has signed a confidentiality agreement that prohibits the disclosure of any information jeopardising the rights and interests of third parties that the re- user may have acquired despite the safeguards and conditions put in place pursuant to paragraph 3.
Amendment 151 #
Proposal for a regulation
Article 5 – paragraph 5 a (new)
Article 5 – paragraph 5 a (new)
(5a) The public sector bodies shall publish a list of categories of anonymised data made available for re-use, the methods used for anonymisation and other pre-processing, as well as methods of transmission, over a period of at least up to the last two calendar years. The information shall be provided in such a manner that does not allow to identify data subjects.
Amendment 152 #
Proposal for a regulation
Article 5 – paragraph 5 b (new)
Article 5 – paragraph 5 b (new)
(5b) In case of anonymised data, public sector bodies shall make a data protection impact assessment prior to granting access to the data. Where it can be reasonably assumed, or where an impact assessment indicates that the processing or subsequent combination of data could lead to identification or de- anonymisation, the public sector body shall not allow access to, or re-use of the data.
Amendment 153 #
Proposal for a regulation
Article 5 – paragraph 5 c (new)
Article 5 – paragraph 5 c (new)
(5c) Re-use with the purpose of identifying data subjects or otherwise de- anonymising datasets shall be prohibited. Re-users shall not identify any data subjects.
Amendment 154 #
Proposal for a regulation
Article 5 – paragraph 6
Article 5 – paragraph 6
(6) Where the re-use of personal data cannot be granted in accordance with the obligations laid down in paragraphs 3 to 5 and there is no other legal basis for transmitting the data under Regulation (EU) 2016/679, the public sector body shall support entities requesting re-users in seeking valid consent of the data subjects, insofar as a legal basis exists for the public sector body to collect their consent, and/or permission from the legal entitiedata holders whose rights and interests may be affected by such re-use, where it is feasible without disproportionate cost for the public sector, and where there is no reason to believe that the combination of non-personal data sets would lead to the identification of data subjects. In that task they may be assisted by the competent bodies referred to in Article 7 (1).
Amendment 156 #
Proposal for a regulation
Article 5 – paragraph 6 a (new)
Article 5 – paragraph 6 a (new)
(6a) Where public sector bodies make available personal data for re-use pursuant to this Article, they shall inform data subjects accordingly of this re-use and of the rights of the data subject in that regard. The public sector bodies shall support data subjects in exercising their rights, including in relation to any re- users. In that task they may be assisted by the competent bodies referred to in Article 7 (1).
Amendment 157 #
Proposal for a regulation
Article 5 – paragraph 6 b (new)
Article 5 – paragraph 6 b (new)
(6b) Public sector bodies shall invite individuals, civil society and consumer protection organisations, in an open and collaborative manner, to participate in setting up processes for allowing the re- use of personal data.
Amendment 158 #
Proposal for a regulation
Article 5 – paragraph 6 c (new)
Article 5 – paragraph 6 c (new)
(6c) In particular where special categories of data and sensitive sectors such as the health sector are concerned, re-use of personal data shall take into account the outcome of prior data protection impact assessments.
Amendment 159 #
Proposal for a regulation
Article 5 – paragraph 9 – subparagraph 1 – introductory part
Article 5 – paragraph 9 – subparagraph 1 – introductory part
(9) TWhen justified by the volume of cases pursuant to paragraph 10 in specific countries, the Commission may adopt implementing acts declaring that the legal, supervisory and enforcement arrangements of a third country:
Amendment 162 #
Proposal for a regulation
Article 5 – paragraph 10 – introductory part
Article 5 – paragraph 10 – introductory part
(10) Public sector bodies shall only transmit confidential data or data protected by intellectual property rights to a re-user which intends to transfer the dataimpose an obligation upon the re-user not to transfer non-personal data or data protected on grounds set out in Article 3 (1), points (a), (b), or (c) to a third country other than a country designated in accordance with paragraph 9 if10a, unless the re-user undertakes:
Amendment 163 #
Proposal for a regulation
Article 5 – paragraph 11
Article 5 – paragraph 11
(11) Where specific Union acts adopted in accordance with a legislative procedure establish that certain non-personal data categories held by public sector bodies shall be deemed to be highly sensitive for the purposes of this Article and where their transfer to third countries may put at risk Union policy objectives, such as safety and public health, or may lead to identification of data subjects in anonymised data, the Commission shall be empowered to adopt delegated acts in accordance with Article 28 supplementing this Regulation by laying down special conditions applicable for transfers to third- countries. Those conditions for the transfer to third-countries shall be based on the nature of data categories identified in the Union act and on the grounds for deeming them highly sensitive, non- discriminatory and limited to what is necessary to achieve the public policy objectives identified in the Union law act, such as safety and public health, as well as risks of re-identification of anonymized data for data subjects, in accordance with the Union’s international obligations. They conditions may include terms applicable for the transfer or technical arrangements in this regard, limitations as regards the re-use of data in third-countries or categories of persons which are entitled to transfer such data to third countries or, in exceptional cases, restrictions as regards transfers to third- countries.
Amendment 165 #
Proposal for a regulation
Article 5 – paragraph 13
Article 5 – paragraph 13
(13) Where the re-user intends to transfer non-personal data to a third country, the public sector body shall inform the data holder about the intention to transfer ofthat data to that third country. Where the data can be reasonably assumed to lead to the identification or identifiability of natural persons when combined with other datasets, the data shall be treated as personal data.
Amendment 167 #
Proposal for a regulation
Article 6 – paragraph 2
Article 6 – paragraph 2
(2) Any fees pursuant to paragraph 1 shall be non- discriminatory, proportionate and objectively justified and shall not restrict competition, or inhibit the re-use of data for purposes in the public interest.
Amendment 170 #
Proposal for a regulation
Article 6 – paragraph 4
Article 6 – paragraph 4
(4) Where they apply fees, public sector bodies shall take measures to incentivise the re-use of the categories of data referred to in Article 3 (1) for non- commercial purposesby non- profit organisations, and for non- commercial purposes such as scientific research, and by small and medium-sized enterprises in line with State aid rules. Where possible, this should allow the re- use at lower or no cost.
Amendment 172 #
Proposal for a regulation
Article 6 – paragraph 5
Article 6 – paragraph 5
(5) Fees shall be derived from the costs related to the processing of requests for re- use of the categories of data referred to in Article 3 (1). TheAny fees shall be limited to covering the costs incurred, such as for the preparation of data to uphold protection on the grounds listed in Article 3(1), for maintaining the secure processing environment and further costs incurred by Article 5(3), and as incurred in relation to supporting re-users seeking consent and permission as provided in Article5(6). The criteria and methodology for calculating fees shall be published in advance.
Amendment 173 #
Proposal for a regulation
Article 7 – paragraph 1
Article 7 – paragraph 1
(1) For the tasks mentioned in this Article, Member States shall designate one or more competent bodies, which may be sectoral, to support the public sector bodies which grant access to the re-use of the categories of data referred to in Article 3 (1) in the exercise of that task.
Amendment 175 #
Proposal for a regulation
Article 7 – paragraph 2 – point b
Article 7 – paragraph 2 – point b
(b) providing technical support in the application of tested techniquesfor ensuring data processing in a manner that preserves privacy of the information contained in the data for which re-use is allowed, including techniques for pseudonymisation, anonymisation, generalisation, suppression and randomisation of personal data;
Amendment 177 #
Proposal for a regulation
Recital 9
Recital 9
(9) Public sector bodies should comply with competition law when establishing the principles for re-use of data they hold, avoiding as far as possible the conclusion of agreements, which might have as their objective or effect the creation of exclusive rights for the re-use of certain data. Such agreement should be only possible when justified and necessary for the provision of a service of generalpublic interest. This may be the case when exclusive use of the data is the only way to maximise the societal benefits of the data in question, for example where there is only one entity (which has specialised in the processing of a specific dataset) capable of delivering the service or the product which allows the public sector body to provide an advanced digital service in the generalpublic interest. Such arrangements should, however, be concluded in compliance with public procurement rules and be subject to regular review based on a market analysis in order to ascertain whether such exclusivity continues to be necessary. In addition, such arrangements should comply with the relevant State aid rules, as appropriate, and should be concluded for a limited period, which should not exceed three years. In order to ensure transparency, such exclusive agreements should be published online, regardless of a possible publication of an award of a public procurement contract. (This amendment applies throughout the text. Adopting it will necessitate corresponding changes throughout.)
Amendment 177 #
Proposal for a regulation
Article 7 – paragraph 2 – point c
Article 7 – paragraph 2 – point c
(c) assisting the public sector bodies, where relevant, to support re-users in obtaining consent for permission by re-users for re-use for altruistic and other purposere-use of personal data, or permission from data holders in line with their specific decisions of data holders, including on the jurisdiction or jurisdictions in which the data processing is intended to take place;
Amendment 181 #
Proposal for a regulation
Recital 11 a (new)
Recital 11 a (new)
(11 a) The de-anonymisation of datasets should be prohibited unless where data subjects have given their consent, or another legal basis permits it. This should be without prejudice to the possibility to conduct research into anonymisation techniques, in particular where finding possible weaknesses in existing anonymisation techniques could lead to the overall strengthening of anonymisation, while duly respecting the fundamental right to the protection of personal data.
Amendment 183 #
(a) intermediation services between data holders which are legal persons and potential data users of non-personal data, including making available the technical or other means to enable such services; those services may include bilateral or multilateral exchanges of non-personal data or the creation of platforms or databases enabling the exchange or joint exploitation of non- personal data, as well as the establishment of a specific infrastructure for the interconnection of data holders and data users;
Amendment 184 #
Proposal for a regulation
Article 9 – paragraph 1 – point b
Article 9 – paragraph 1 – point b
(b) intermediation services between data subjects that seek to make their personal data available and potential data users, including making available the technical or other means to enable such services, inand in particular enabling the exercise of the data subjects' rights provided in Regulation (EU) 2016/679;
Amendment 185 #
Proposal for a regulation
Article 9 – paragraph 1 – point c
Article 9 – paragraph 1 – point c
(c) servicactivities of data cooperatives, that is to say services supporting data subjects or one-person companies or micro, small and medium-sized enterprises, who are members of the cooperative or who confer the power to the cooperaorganisations or services, which: (i) support members who are data subjects to exercise the rights provided in Regulation (EU) 2016/679, by offering services including, but not limited to, collective toly negotiateing terms and conditions for data processing before they consent, in making informed choices before consenting to data processing, and, allowing for mechanisms to exchange views on data processing purposes and conditions, that would bestereby representing their interests; of data subjects or legal personsr (ii) enable small and medium-sized enterprises, and not-for-profit or academic institutions to collectively negotiate terms for sharing non-personal data.
Amendment 188 #
Proposal for a regulation
Article 9 – paragraph 2
Article 9 – paragraph 2
(2) This ChapterRegulation shall be without prejudice to the application of other Union and national law to providers of data sharing services, including powers of supervisory authorities to ensure compliance with applicable law, in particular as regard the protection of personal data and competition law.
Amendment 192 #
Proposal for a regulation
Article 10 – paragraph 3
Article 10 – paragraph 3
(3) A provider of data sharing services that is not established in the Union, but offers the services referred to in Article 9 (1) within the Union, shall appoint a legal representative in one of the Member States in which those services are offered. The provider shall be deemed to be under the jurisdiction of the Member State in which the legal representative is established. The representative shall be mandated by the provider of data sharing services to be addressed in addition to or instead of it by, in particular, competent authorities and data subjects and data holders, on all issues related to the data sharing services, for the purposes of ensuring compliance with this Regulation. The designation of a representative by providers of data sharing services shall be without prejudice to legal actions which could be initiated against providers of data sharing services themselves.
Amendment 195 #
Proposal for a regulation
Article 10 – paragraph 4 a (new)
Article 10 – paragraph 4 a (new)
(4a) By way of derogation from paragraph 4, a provider of data sharing services shall notify the competent authority in the following cases: (a) the provider intends to provide services on the basis of, or can reasonably assume to process personal data, or anonymised data that was derived from personal data; (b) the provider can reasonably assume that the combination of non-personal data under the service it provides could lead to the identification or identifiability of natural persons; The provider shall not start the activity before the competent authority has not been consulted.
Amendment 198 #
Proposal for a regulation
Article 10 – paragraph 6 – point d
Article 10 – paragraph 6 – point d
(d) a publicly accessible website where information on the provider and the activities can be found, where applicableincluding as a minimum the information referred to in this paragraph, points (a),(b), (c), (e), (f), and (fa);
Amendment 199 #
Proposal for a regulation
Article 10 – paragraph 6 – point f
Article 10 – paragraph 6 – point f
(f) a description of the service the provider intends to provide and how the conditions set out in Article 11 are fulfilled;
Amendment 200 #
Proposal for a regulation
Article 10 – paragraph 6 – point f a (new)
Article 10 – paragraph 6 – point f a (new)
(fa) the nature of data to be controlled, processed, or re-used by the provider, and, in the case of personal data, an indication of the categories of personal data, and the categories of recipients of personal data;
Amendment 201 #
Proposal for a regulation
Article 10 – paragraph 6 – point f b (new)
Article 10 – paragraph 6 – point f b (new)
(fb) an indication in the case of processing of personal data or where the provider can reasonably assume that the combination of non-personal data under the service it provides could lead to the identification or identifiability of natural persons;
Amendment 202 #
Proposal for a regulation
Article 10 – paragraph 6 – point g
Article 10 – paragraph 6 – point g
(g) the estimatintended date for starting the activity, and, where applicable, the duration foreseen;
Amendment 203 #
Proposal for a regulation
Article 10 – paragraph 6 – point h
Article 10 – paragraph 6 – point h
Amendment 204 #
Proposal for a regulation
Article 10 – paragraph 9
Article 10 – paragraph 9
(9) The competent authority shall notify the Commission of each new notification. The Commission shall keep a public register of all providers of data sharing services in the Union, which shall make available the information referred to in paragraph 6,points (a), (b), (c), (d), (f), (fa), and (fb).
Amendment 211 #
Proposal for a regulation
Article 11 – paragraph 1 – point 2
Article 11 – paragraph 1 – point 2
(2) the metadata collected from the provision of the data sharingwith respect to any activity of a natural or legal person for the purposes of the provision of a data sharing service, including the date, time and geolocation data, duration of activity and connections to other natural or legal persons established by the person who uses the service may be used only for the development of that service;
Amendment 212 #
Proposal for a regulation
Article 1 – paragraph 2 a (new)
Article 1 – paragraph 2 a (new)
(2 a) Union law on the protection of personal data shall apply to any personal data processed in connection with this Regulation. In particular, this Regulation shall be without prejudice to Regulation (EU) 2016/679, Directive 2002/58/EC, and Regulation (EU) 2018/1725, including the competences and powers of supervisory authorities. In the event of conflict between the provisions of this Regulation and Union law on the protection of personal data, the latter shall prevail. This Regulation does not create a legal basis for the processing of personal data.
Amendment 213 #
Proposal for a regulation
Article 11 – paragraph 1 – point 3
Article 11 – paragraph 1 – point 3
(3) the provider shall ensure that the procedure for access to its service is fair, transparent and non-discriminatory for both data subjects and data holders, ands well as for data users, including as regards prices;
Amendment 215 #
Proposal for a regulation
Article 11 – paragraph 1 – point 4 a (new)
Article 11 – paragraph 1 – point 4 a (new)
(4a) the provider may offer additional specific services to data subjects and data holders facilitating the exchange of the data, such as storage, aggregation, curation, pseudonymisation and anonymisation;
Amendment 216 #
Proposal for a regulation
Article 11 – paragraph 1 – point 5
Article 11 – paragraph 1 – point 5
(5) the provider shall have procedures in place to prevent fraudulent or abusive practices in relation to access to data from parties seeking access through their services;
Amendment 217 #
Proposal for a regulation
Article 11 – paragraph 1 – point 6
Article 11 – paragraph 1 – point 6
(6) the provider shall ensure a reasonable continuity of provision of its services and, in the case of services which ensure storage of data, shall have sufficient guarantees in place that allow data holders and data users to obtain access to their data or, in the case of providing intermediation services between data subjects and data users, pursuant to Article 9(1), point b, that allow data subjects to exercise their rights in case of insolvency of the provider;
Amendment 218 #
Proposal for a regulation
Article 11 – paragraph 1 – point 6 a (new)
Article 11 – paragraph 1 – point 6 a (new)
(6a) the provider shall take reasonable measures to ensure interoperability with other data sharing services by means of commonly used, formal or informal, open standards in the sector in which the data sharing service providers operate;
Amendment 219 #
Proposal for a regulation
Article 11 – paragraph 1 – point 9 a (new)
Article 11 – paragraph 1 – point 9 a (new)
(9a) the provider shall have procedures in place to ensure compliance with the Union and national rules on the protection of personal data, including procedures for ensuring the exercise of data subjects’ rights; the provider shall in particular provide the data subjects with easily accessible tools, allowing them a comprehensive view of how and for which specific purpose their personal data are shared by the provider;
Amendment 220 #
Proposal for a regulation
Article 11 – paragraph 1 – point 11
Article 11 – paragraph 1 – point 11
(11) where a provider provides tools for obtaining consent from data subjects or permissions to process data made available by legal persondata holders, it shall specify the jurisdiction or jurisdictions outside the Union in which the data use is intended to take place and provide data subjects with tools to withdraw consent and data holders with tools to withdraw permissions to process data.
Amendment 221 #
Proposal for a regulation
Article 12 – paragraph 3
Article 12 – paragraph 3
(3) The powers of the designated competent authorities, are without prejudice to the powers of the data protection authorities, the national competition authorities, the authorities in charge of cybersecurity, and other relevant sectorial authorities. Those authorities shall exchange the information which is necessary for the exercise of their tasks in relation to data sharing providers. In particular, for any question requiring an assessment of compliance with Regulation (EU) 2016/679, and before starting any data sharing service activities related to personal data, the competent authority shall first request an opinion or decision by the competent supervisory authority established pursuant to that Regulation which shall be legally binding for the competent authority.
Amendment 224 #
Proposal for a regulation
Article 16 – title
Article 16 – title
General requirements for registrationPublic Interest Data Hubs
Amendment 225 #
Proposal for a regulation
Article 16 – paragraph 1 – point b
Article 16 – paragraph 1 – point b
(b) operate on a not-for-profit basis and be independent, at least with regard to its organisation and personnel, from any entity that operates on a for-profit basis;
Amendment 226 #
Proposal for a regulation
Article 16 – paragraph 1 – point c a (new)
Article 16 – paragraph 1 – point c a (new)
(ca) Where Public Interest Data Hubs provide tools for obtaining consent from data subjects or permissions to process data made available by data holders, they shall specify the jurisdiction or jurisdictions outside the Union in which the data use is intended to take place and provide data subjects with tools to withdraw consent and data holders with tools to withdraw permissions to process data.
Amendment 227 #
Proposal for a regulation
Article 17 – paragraph 4 – point f
Article 17 – paragraph 4 – point f
(f) a publicly accessible website where information on the entity and the activities can be found, including as a minimum the information referred to in points (a), (b), (d), (e), (g) and (h) of this paragraph;
Amendment 230 #
Proposal for a regulation
Article 19 – title
Article 19 – title
Specific requirements to safeguard rights and interests of data subjects and legal entitiedata holders as regards their data
Amendment 235 #
Proposal for a regulation
Article 24 – paragraph 1
Article 24 – paragraph 1
(1) Natural and legal persons shall have the right to lodge a complaint, individually or by the representatives of one or more natural persons, with the relevant national competent authority against a provider of data sharing services or an entity entered in the register of recognised data altruism organisations.
Amendment 236 #
Proposal for a regulation
Article 25 – paragraph 2
Article 25 – paragraph 2
(2) Proceedings pursuant to this Article shall be brought before the courts of the Member State in which the authority against which the judicial remedy is sought is located, individually or by the representatives of one or more natural persons.
Amendment 237 #
Proposal for a regulation
Article 2 – paragraph 1 – point 7 a (new)
Article 2 – paragraph 1 – point 7 a (new)
(7 a) ‘data sharing service’ means a service, that, through the provision of technical, legal and other means establishes relationships between an undefined number of data subjects and data holders, on the one hand, and data users, on the other hand;
Amendment 247 #
Proposal for a regulation
Article 30 – title
Article 30 – title
International access and transfer
Amendment 248 #
Proposal for a regulation
Article 30 – paragraph -1 (new)
Article 30 – paragraph -1 (new)
-1. This Chapter shall apply to the transfer of non-personal data only.
Amendment 253 #
Proposal for a regulation
Article 30 – paragraph 5
Article 30 – paragraph 5
(5) The public sector body, the natural or legal person to which the right to re-use data was granted under Chapter 2, the data sharing provider and the entity providing data altruism shall inform the data subject or the data holder about the existence of a request of an administrative authority in a third-country to access its data, except in cases where the request serves law enforcement purposes and for as long as this is necessary to preserve the effectiveness of the law enforcement activity.
Amendment 258 #
Proposal for a regulation
Article 5 – paragraph 5 a (new)
Article 5 – paragraph 5 a (new)
(5 a) The public sector bodies shall publish a list of categories of anonymised data made available for re-use, the methods used for anonymisation and other pre-processing, as well as methods of transmission, over a period of at least up to the last two calendar years. The information shall be provided in such a manner that does not allow to identify data subjects.
Amendment 288 #
Proposal for a regulation
Article 9 – paragraph 1 – point b
Article 9 – paragraph 1 – point b
(b) intermediation services between data subjects that seek to make their personal data available and potential data users, including making available the technical or other means to enable such services, inand in particular enabling the exercise of the data subjects' rights provided in Regulation (EU) 2016/679;
Amendment 296 #
Proposal for a regulation
Article 10 – paragraph 4 a (new)
Article 10 – paragraph 4 a (new)
(4 a) By way of derogation from paragraph 4, a provider of data sharing services shall notify the competent authority in the following cases: (a) the provider intends to provide services on the basis of, or can reasonably assume to process personal data, or anonymised data that was derived from personal data; (b) the provider can reasonably assume that the combination of non-personal data under the service it provides could lead to the identification or identifiability of natural persons; The provider shall not start the activity before the competent authority has not been consulted.