Activities of Sergey LAGODINSKY related to 2022/0047(COD)
Legal basis opinions (0)
Amendments (123)
Amendment 122 #
Proposal for a regulation
Recital 7
Recital 7
(7) The fundamental right to the protection of personal data is safeguarded in particular under Regulation (EU) 2016/679 and Regulation (EU) 2018/1725. Directive 2002/58/EC additionally protects private life and the confidentiality of communications, including providing conditions to any personal and non- personal data storing in and access from terminal equipment. These instruments provide the basis for sustainable and responsible data processing, including where datasets include a mix of personal and non-personal data. This Regulation complements and is without prejudice to Union law on data protection and privacy, in particular Regulation (EU) 2016/679 and Directive 2002/58/EC. No provision of this Regulation should be applied or interpreted in such a way as to diminish or limit the right to the protection of personal data or the right to privacy and confidentiality of communications. In the event of a conflict between this Regulation and Union law on the protection of personal data and privacy or national law adopted in accordance with such Union law, the relevant Union or national law on the protection of personal data and privacy should prevail.
Amendment 124 #
Proposal for a regulation
Recital 8
Recital 8
(8) The principles of data minimisation and data protection by design and by default are essential whenas processing involvescan lead to significant risks to the fundamental rights of individuals. Taking into account the state of the art, all parties to data sharing, including where within scope of this Regulation, should implement technical and organisational measures to protect these rights. Such measures include not only pseudonymisation and encryption, but also the use of increasingly available technology that permits algorithms to be brought to the data and allow valuable insights to be derived without the transmission between parties or unnecessary copying of the raw or structured data themselvesand facilitate the exercise of data subjects' rights. Such measures include not only deletion and anonymisation where possible, and aggregation and pseudonymisation where the aforementioned aren’t possible to fulfill the purposes of the processing, as well as encryption.
Amendment 125 #
Proposal for a regulation
Recital 8 a (new)
Recital 8 a (new)
(8 a) The goal of anonymisation is to prevent identification. In accordance with Regulation (EU) 2016/679, anonymised data have been processed in such a way as to remove the possibility to relate them to an identified or identifiable natural person and rendered anonymous in such a manner that the data subject is not or no longer identifiable. Although improbable, the combination of non-personal data sets could lead to the identification or, in the case of previously anonymised data, the re-identification and therefore reattribution to a natural person.
Amendment 134 #
Proposal for a regulation
Recital 18
Recital 18
(18) The user of a product should be understood as the legal or natural person, such as a business or consumer, which has purchased, rented or leased the product. Depending on the legal title under which he or she uses it, such a user bears the risks and enjoys the benefits of using the connected product and should enjoy also the access to the data it generates. The user should therefore be entitled to derive benefit from data generated by that product and any related service. A product or service may have been purchased, rented or leased by a business, and provided or otherwise made available to one or more employees. Where such provision of a product or service results in the data concerned to be personal data, such data are subject to applicable Union law, in particular on the protection of personal data, of privacy, and the protection of employees.
Amendment 135 #
Proposal for a regulation
Recital 18 a (new)
Recital 18 a (new)
(18 a) Where the right to access data is exercised by a legal person, the notion of ‘right’ is understood to describe the claim to the obligation of the data holder to provide access to data to a recipient as laid down in this Regulation, subject to all conditions and limits of Union law on the protection of personal data.
Amendment 136 #
Proposal for a regulation
Recital 19
Recital 19
(19) In practice, not all data generated by products or related services are easily accessible to their users, and there are often limited possibilities for the portability of data generated by products connected to the Internet of Things. Users are unable to obtain data necessary to make use of providers of repair and other services, and businesses are unable to launch innovative, more efficient and convenient services. In many sectors, manufacturers are often able to determine, through their control of the technical design of the product or related services, what data are generated and how they can be accessed, even though they have no legal right to the data. It is therefore necessary to ensure that products are designed and manufactured and related services are provided in such a manner that data generated by their use are always easily accessible to the user. (This amendment applies throughout the text. Adopting it will necessitate corresponding changes throughout.)
Amendment 139 #
Proposal for a regulation
Recital 24
Recital 24
(24) This Regulation imposes the obligation on data holders to make data available in certain circumstances. Insofar as personal data are processed, the data holder ishould be a controller underpursuant to Regulation (EU) 2016/679. Where users are data subjects, data holders should be obliged to provide them access to their data and to make the data available to third parties of the user’s choice in accordance with this Regulation. However, this Regulation does not create a legal basis under Regulation (EU) 2016/679 for the data holder to provide access to personal data or make it available to a third party when requested by a user that is not a data subject and should not be understood as conferring any new right on the data holder to use data generated by the use of a product or related service. This applies in particular where the manufacturer is the data holder. In that case, tThe performance of a contract can only be a legal ground for processing of personal data if the data subject is a party or if steps are being taken at the request of the data subject prior to entering into a contract. The necessity requirement for processing personal data for the performance of a contract pursuant to Article 6(1)(b) of Regulation (EU) 2016/679 can not be fulfilled by merely providing for processing in a contractual clause. Assessing what is objectively necessary must be fact-based, and this legal ground should be allowed only in situations where it is not possible to perform service or provide product which the data subject has actively requested or signed up for without processing of specific data. Personal data necessary for the controller’s wider business mode but not necessary for the individual services requested by the data subject, do not fulfil this requirement. The basis for the manufacturer to use non-personal data should be a contractual agreement between the manufacturer and the user. This agreement may be part of the sale, rent or lease agreement relating to the product. Any contractual term in the agreement stipulating that the data holder may use the data generated by the user of a product or related service should be transparent to the user, including as regards the purpose for which the data holder intends to use the data. This Regulation should not prevent contractual conditions, whose effect is to exclude or limit the use of the data, or certain categories thereof, by the data holder. This Regulation should also not prevent sector-specific regulatory requirements under Union law, or national law compatible with Union law, which would exclude or limit the use of certain such data by the data holder on well- defined public policy grounds.
Amendment 142 #
Proposal for a regulation
Recital 27
Recital 27
(27) The data holder may require appropriate user identification or authentication to verify the user’s entitlement to access the data. In the case of personal data processed by a processor on behalf of the controller, the data holder should ensure that the access request is received and handled by the processor.
Amendment 143 #
Proposal for a regulation
Recital 28
Recital 28
(28) The user should be free to use the data for any lawful purpose. This includes providing the data the user has received exercising the right under this Regulation to a third party offering an aftermarket service that may be in competition with a service provided by the data holder, or to instruct the data holder to do so. TIn order to comply with the user’s request, the data holder should ensure that the data made available to the third party is as accurate, complete, reliable, relevant and, up-to-date and accessible as the data the data holder itself may be able or entitled to access from the use of the product or related service. Any trade secrets or intellectual property rights should be respected in handling the data. However, data holders should not undermine the right of the users to request access and use of data in accordance with this Regulation on the basis of certain data that the data holder could still consider to be trade secrets or confidential business information. This bearing in mind that the disclosure of trade secrets within the meaning of Directive (EU) 2016/943 serves the interest of innovation and of competition, notably in allowing reverse engineering of a lawfully acquired product, which should be considered as a lawful means of acquiring information. It is important to preserve incentives to invest in products with functionalities based on the use of data from sensors built into that product. The aim of this Regulation should accordingly be understood as to foster the development of new, innovative products or related services, stimulate innovation on aftermarkets, but also stimulate the development of entirely novel services making use of the data, including based on data from a variety of products or related services. At the same time, it aims to avoid undermining the investment incentives for the type of product from which the data are obtained, for instance, by the use of data to develop a competing product.
Amendment 148 #
Proposal for a regulation
Recital 30
Recital 30
(30) The use of a product or related service may, in particular when the user is a natural person, generate data that relates to an identified or identifiable natural person (the data subject). Processing of such data is subject to the rules established under Regulation (EU) 2016/679, including where personal and non-personal data in a data set are inextricably linked64 . The data subject may be the user or another natural person. PSuch generation and further processing of personal data mayis only be requested by a controller or a data subjecpermitted to begin with where one of the legal grounds pursuant to Articles 6(1) and 9 of that Regulation is met. A user who is the data subject is under certain circumstances entitled under Regulation (EU) 2016/679 to access personal data concerning them, and such rights are unaffected by this Regulation. Under this Regulation, the user who is a natural person is further entitled to access all data generated by the product, personal and non-personal. Where the user is not the data subject but an enterprise, including a sole trader, and not in caAccordingly, such a user intending to request personal data generated by the uses of shared househola product or related use of the product, the user will be a controller withrvice is required to have a legal basis for processing the meaningdata under Article 6(1) of Regulation (EU) 2016/679. Accordingly, such a user as controller intending to request personal data generated by the use of a product or related service is required to have a legal basis for processing the data under Article 6(1) of Regulation (EU) 2016/679, such as, such as the consent of the data subject, a contractual arrangement, or a legal obligation. The legitimate interest of such a user, or of the provider of a product or service, should not be considered a legal basis for generating, further processing, and accessing personal data. The data subject can expect products and services to not collect, obtain, or generate data about them without their consent of the data subject or legitimate interesr a freely entered contractual agreement. This user should ensure that the data subject is appropriately informed of the specified, explicit and legitimate purposes for processing those data, and how the data subject may effectively exercise their rights. Where the data holder and the user are joint controllers within the meaning of Article 26 of Regulation (EU) 2016/679, they are required to determine, in a transparent manner by means of an arrangement between them, their respective responsibilities for compliance with that Regulation. It should be understood that such a user, once data has been made available, may in turn become a data holder, if they meet the criteria under this Regulation and thus become subject to the obligations to make data available under this Regulation. Where the user is a Union institution, agency or body, Regulation (EU) 2018/1725 should apply unprejudiced. _________________ 64 OJ L 303, 28.11.2018, p. 59–68.
Amendment 149 #
Proposal for a regulation
Recital 34
Recital 34
(34) In line with the data minimisation principle, the third party should only access additional information that is necessary for the provision of the service requested by the user. Having received access to data, the third party should process it exclusively for the purposes agreed with the user, without interference from the data holder. It should be as easy for the user to refuse or discontinue access by the third party to the data as it is for the user to authorise access. The third party should not coerce, deceive or manipulate the user in any way, by subverting or impairing the autonomy, decision-making or choices of the user, including by means of a digital interface with the user. in this context, third parties should not rely on so-called dark patterns in designing their digital interfaces. Dark patterns are design techniques that push or deceive consumers into decisions that have negative consequences for them. These manipulative techniques can be used to persuade users, particularly vulnerable consumers, to engage in unwanted behaviours, and to deceive users by nudging them into decisions on data disclosure transactions or to unreasonably bias the decision-making of the users of the service, in a way that subverts and impairs their autonomy, decision-making and choice. Common and legitimate commercial practices that are in compliance with Union law should not in themselves be regarded as constituting dark patterns. Third parties should comply with their obligations under relevant Union law, in particular the requirements set out in Directive 2005/29/EC, Directive 2011/83/EU, Directive 2000/31/EC and Directive 98/6/EC.
Amendment 154 #
Proposal for a regulation
Recital 56
Recital 56
Amendment 157 #
Proposal for a regulation
Recital 57
Recital 57
Amendment 159 #
Proposal for a regulation
Recital 58
Recital 58
Amendment 162 #
Proposal for a regulation
Recital 59
Recital 59
(59) This Regulation should not apply to, nor pre-empt, voluntary arrangements for the exchange of non-personal data between private and public entities. Obligations placed on data holders to provide data that are motivated by needs of a non-exceptional nature, notably where the range of data and of data holders is known and where data use can take place on a regular basis, as in the case of reporting obligations and internal market obligations, should not be affected by this Regulation. Requirements to access data to verify compliance with applicable rules, including in cases where public sector bodies assign the task of the verification of compliance to entities other than public sector bodies, should also not be affected by this Regulation.
Amendment 163 #
Proposal for a regulation
Recital 61
Recital 61
Amendment 164 #
Proposal for a regulation
Recital 62
Recital 62
Amendment 166 #
Proposal for a regulation
Recital 63
Recital 63
Amendment 167 #
Proposal for a regulation
Recital 64
Recital 64
Amendment 168 #
Proposal for a regulation
Recital 65
Recital 65
Amendment 172 #
Proposal for a regulation
Recital 66
Recital 66
Amendment 173 #
Proposal for a regulation
Recital 67
Recital 67
Amendment 174 #
Proposal for a regulation
Recital 68
Recital 68
Amendment 178 #
Proposal for a regulation
Recital 83
Recital 83
(83) Member States competent authorities should ensure that infringements of the obligations laid down in this Regulation are sanctioned by penalties. When doing so, they should take into account the nature, gravity, recurrence and duration of the infringement in view of the public interest at stake, the scope and kind of activities carried out, as well as the economic capacity of the infringer. They should take into account whether the infringer systematically or recurrently fails to comply with its obligations stemming from this Regulation. In order to help enterprises to draft and negotiate contracts, the Commission should develop and recommend non-mandatory model contractual terms for business-to-business data sharing contracts, where necessary taking into account the conditions in specific sectors and the existing practices with voluntary data sharing mechanisms. These model contractual terms should notably address the preservation of the confidentiality of trade secrets in the framework of this Regulation. These model contractual terms should be primarily a practical tool to help in particular smaller enterprises to conclude a contract. When used widely and integrally, these model contractual terms should also have the beneficial effect of influencing the design of contracts about access to and use of data and therefore lead more broadly towards fairer contractual relations when accessing and sharing data. To that end, the adaptation of Directive 93/13/EEC on unfair terms in consumer contracts to the data economy should be particularly scrutinised.
Amendment 179 #
Proposal for a regulation
Recital 84
Recital 84
(84) In order to eliminate the risk that holders of data bases containing databases obtained or generated by means of physical components, such as sensors, of a connected product and a related service claim the sui generis right under Article 7 of Directive 96/9/EC where such databases do not qualify for the sui generis right, and in so doing hinder the effective exercise of the right of users to access and use data and the right to share data with third parties under this Regulation, this Regulation should, namely machine-generated data, claim the sui generis right under Article 7 of Directive 96/9/EC this Regulation clarifyies that the sui generis right does not apply to such databases as the requirements for protection would not be fulfilled.
Amendment 181 #
Proposal for a regulation
Article 1 – paragraph 1
Article 1 – paragraph 1
1. This Regulation lays down harmonised rules on making data lawfully obtained, collected, or generated by the use of a product or data lawfully obtained, collected, or generated during the provision of a related service available to the user of that product, orn providers of related services, on the making data available by data holders to data recipients, and on the making data available by data holders to public sector bodies or Union institutions, agencies or bodies, where there is an exceptional need, for the performance of a task carried out in the public interest: upon request by a user or data subject to data recipients , and on contractual terms between users and data holder, and users and data recipients.
Amendment 183 #
Proposal for a regulation
Article 1 – paragraph 2 – point a
Article 1 – paragraph 2 – point a
(a) manufacturers of products and suppliproviders of related services placed on the market in the Union and the users of such products or services, or in the case of personal data, identified or identifiable natural person the information generated by the use of such products or related services relates to;
Amendment 184 #
Proposal for a regulation
Article 1 – paragraph 2 – point d
Article 1 – paragraph 2 – point d
Amendment 186 #
Proposal for a regulation
Article 1 – paragraph 3
Article 1 – paragraph 3
3. Union law on the protection of personal data, privacy and confidentiality of communications and integrity of terminal equipment shall apply to personal data processed in connection with the rights and obligations laid down in this Regulation. This Regulation shall not affect the applicability ofe obtaining, collection, or generation of personal data through the use of a product or related service requires a legal basis pursuant to data protection law. This Regulation does not create a legal basis for the processing of personal data, nor does it affect any of the rights and obligations set out in Regulations (EU) 2016/679 or (EU) 2018/1725 or Directives 2002/58/EC or (EU) 2016/680. The legitimate interest, as laid down in Article 6 paragraph 1 point f of Regulation (EU) 2016/679, of the manufacturer of a product or the provider of a related service shall not constitute a legal basis for this. This Regulation is without prejudice to Union law on the protection of personal data and privacy, in particular Regulation (EU) 2016/679 and Directive 2002/58/EC, including the powers and competences of supervisory authorities, Regulation (EU) 2018/1725, Directive 2002/58/EC, and Directive (EU) 2016(680), including the powers and competences of supervisory authorities. In the event of a conflict between this Regulation and Union law on the protection of personal data or privacy or national law adopted in accordance with such Union law, the relevant Union or national law on the protection of personal data or privacy shall prevail. Insofar as the rights laid down in Chapter II of this Regulation are concerned, and where users are the data subjects of personal data subject to the rights and obligations under that Chapter, the provisions of this Regulation shall complement and particularise the right of data portability under Article 20 of Regulation (EU) 2016/679, and shall not adversely affect data protection rights of others. Insofar the processing of personal data, that is made available to a data recipient pursuant to Article 5 of this Regulation, is restricted in Article 6 of this Regulation, these provisions shall take precedence over Article 6 of Regulation (EU) 2016/679.
Amendment 190 #
Proposal for a regulation
Article 1 – paragraph 4
Article 1 – paragraph 4
4. This Regulation shall not affect Union and national legal acts providing for the sharing, access and use of data for the purpose of the prevention, investigation, detection or prosecution of criminal or administrative offences or the execution of criminal or administrative penalties, including Regulation (EU) 2021/784 of the European Parliament and of the Council72 and the [e-evidence proposals [COM(2018) 225 and 226] once adopted, and international cooperation in that area. This Regulation shall not affect the collection, sharing, access to and use of data under Directive (EU) 2015/849 of the European Parliament and of the Council on the prevention of the use of the financial system for the purposes of money laundering and terrorist financing and Regulation (EU) 2015/847 of the European Parliament and of the Council on information accompanying the transfer of funds. This Regulation shall not affect the competences of the Member States regarding activities concerning public security, defence, national security, customs and tax administration and the healthshall be implemented with due consideration to public health, the fundamental rights and the safety of citizens in accordance with Union law. _________________ 72 Regulation (EU) 2021/784 of the European Parliament and of the Council of 29 April 2021 on addressing the dissemination of terrorist content online (OJ L 172, 17.5.2021, p. 79).
Amendment 194 #
Proposal for a regulation
Article 2 – paragraph 1 – point 1 a (new)
Article 2 – paragraph 1 – point 1 a (new)
(1 a) ‘personal data’ means personal data as defined in Article 4, point (1), of Regulation (EU) 2016/679;
Amendment 196 #
Proposal for a regulation
Article 2 – paragraph 1 – point 1 b (new)
Article 2 – paragraph 1 – point 1 b (new)
(1 b) ‘non-personal data’ means data other than personal data;
Amendment 198 #
Proposal for a regulation
Article 2 – paragraph 1 – point 1 c (new)
Article 2 – paragraph 1 – point 1 c (new)
(1 c) ‘consent’ means consent as defined in Article 4, point (11), of Regulation (EU) 2016/679;
Amendment 200 #
Proposal for a regulation
Article 2 – paragraph 1 – point 1 d (new)
Article 2 – paragraph 1 – point 1 d (new)
(1 d) ‘data subject’ means data subject as referred to in Article 4, point (1), of Regulation (EU) 2016/679;
Amendment 203 #
Proposal for a regulation
Article 2 – paragraph 1 – point 1 e (new)
Article 2 – paragraph 1 – point 1 e (new)
(1 e) ‘controller’ means controller as defined in Article 4, point (7), of Regulation (EU) 2016/679;
Amendment 204 #
Proposal for a regulation
Article 2 – paragraph 1 – point 2
Article 2 – paragraph 1 – point 2
(2) ‘product’ means a tangible, movable item, including where incorporated in an immovable item, that obtains, generates or collects, data concerning its use or environment, and that is able to communicate data via a publicly available electronic communications service and whose primary function is not the storing and processing of data item, that, through its design and features, including sensors or in-device software, obtains, collects, or generates, data concerning its use or environment, and that is able to communicate data, and whose primary function is not the storing and processing of data , with the exception of products that are primarily designed to display or play content, or to record and transmit content, amongst others for the use by an online service should not be covered by this Regulation;
Amendment 206 #
Proposal for a regulation
Article 2 – paragraph 1 – point 3
Article 2 – paragraph 1 – point 3
(3) ‘related service’ means a digital service, including software, which is incorporated in or inter-connected with a product in such a way that its absence would prevent the product from performing onenecessary in order for the product to perform one or more of its functions and which involves communicating data from the product to the related service, and deriving ofr its functionsnferring data;
Amendment 207 #
Proposal for a regulation
Article 2 – paragraph 1 – point 4
Article 2 – paragraph 1 – point 4
(4) ‘virtual assistants’ means software that can process demands, tasks or questions including based on audio, written input, gestures or motions, and based on those demands, tasks or questions provides access their own and third party services or control their own and third party deviceo related services or control products;
Amendment 210 #
Proposal for a regulation
Article 2 – paragraph 1 – point 5
Article 2 – paragraph 1 – point 5
(5) ‘user’ means a natural or legal person that owns, rents or leases a product or receives arelated services, and the data subject;
Amendment 214 #
Proposal for a regulation
Article 2 – paragraph 1 – point 6
Article 2 – paragraph 1 – point 6
(6) ‘data holder’ means a legal or natural person that is not the user, who has access to data communicated to it, or accessed by it, including derived or inferred data during the provision of a related service, and who has the right or obligation, in accordance with this Regulation, applicable Union law or national legislation implementing Union law, or in the case of non-personal data and through control of the technical design of the product and related services, the ability, tothe contractually agreed right to process and make available certain data;
Amendment 216 #
Proposal for a regulation
Article 2 – paragraph 1 – point 7
Article 2 – paragraph 1 – point 7
(7) ‘data recipient’ means a legal or natural person, acting for purposes which are related to that person’s trade, business, craft or profession, other than the user of a product or related service, to whom the data holder makes data available, including a third party following a request by the user or the data subject to the data holder or in accordance with a legal obligation under Union law or national legislation implementing Union law, and including a third party to whom the data is directly made available by the user or the data subject;
Amendment 219 #
Proposal for a regulation
Article 2 – paragraph 1 – point 9 a (new)
Article 2 – paragraph 1 – point 9 a (new)
(9 a) ‘trade secret’ means a trade secret as defined in Directive (EU) 2016/943 that meets all the requirements of Article 2, point (1) of the same Directive;
Amendment 220 #
Proposal for a regulation
Article 2 – paragraph 1 – point 10
Article 2 – paragraph 1 – point 10
Amendment 223 #
Proposal for a regulation
Article 2 – paragraph 1 – point 11 a (new)
Article 2 – paragraph 1 – point 11 a (new)
(11 a) ‘making available of data obtained, collected, or generated by the use of a product or a related service’ means the making accessible of data, including derived and inferred data, by a simple request through electronic means, enabling the user or a third party to copy the data and to receive the data in a structured, commonly used, interoperable and machine-readable format;
Amendment 224 #
Proposal for a regulation
Article 2 – paragraph 1 – point 12
Article 2 – paragraph 1 – point 12
(12) ‘data processing service’ means a digital service other than an online content service as defined in Article 2(5) of Regulation (EU) 2017/1128, provided to a customer, which enables on-demand administration and broad remote access to a scalable and elastic pool of shareable computing resources of a centralised, distributed or highly distributed naturestorage and computing resources;
Amendment 226 #
Proposal for a regulation
Article 2 – paragraph 1 – point 19
Article 2 – paragraph 1 – point 19
(19) ‘interoperability’ means the ability of two or more data spaces or communication networks, systems, products, applications or, components, or services to exchange and use data in order to perform their functions;
Amendment 229 #
Proposal for a regulation
Article 3 – title
Article 3 – title
Obligation to make dataof designers, manufacturers and providers of related services regarding data obtained, collected, or generated by the use of products or related services accessible
Amendment 231 #
Proposal for a regulation
Article 3 – paragraph 1
Article 3 – paragraph 1
1. Products shall be designed and manufactured, and related services shall be provided, in such a manner that data obtained, collected, or generated by their use are, by default, easily, securely and, where relevant and appropriate, directly accessible to the user. at user in a structured, commonly used and machine-readable format, including access to derived or inferred data. In the case that user is a data subject, products shall offer possibilities to directly exercise the data subjects’ rights. Products shall be designed and manufactured, and related services shall be provided, in such a way that a data subject is offered the possibility to use the products covered by this Regulation anonymously.
Amendment 238 #
Proposal for a regulation
Article 3 – paragraph 2 – introductory part
Article 3 – paragraph 2 – introductory part
2. Before the user concludinges a contract for the purchase, rent or lease of a product or a related service, at least the following information shall be provided to the user, in a clear and comprehensible format:
Amendment 240 #
Proposal for a regulation
Article 3 – paragraph 2 – point a
Article 3 – paragraph 2 – point a
(a) the nature and volume of the data likely to be generated by the use of the produ, format, estimated volume and collection frequency of the data which the product is capable to obtain, collect, or related servicgenerate;
Amendment 242 #
Proposal for a regulation
Article 3 – paragraph 2 – point b
Article 3 – paragraph 2 – point b
(b) whether the data isare likely to be obtained, collected, or generated continuously and in real-time;
Amendment 245 #
Proposal for a regulation
Article 3 – paragraph 2 – point d
Article 3 – paragraph 2 – point d
Amendment 247 #
Proposal for a regulation
Article 3 – paragraph 2 – point e
Article 3 – paragraph 2 – point e
Amendment 248 #
Amendment 250 #
Proposal for a regulation
Article 3 – paragraph 2 – point g
Article 3 – paragraph 2 – point g
Amendment 251 #
Proposal for a regulation
Article 3 – paragraph 2 – point h
Article 3 – paragraph 2 – point h
Amendment 254 #
Proposal for a regulation
Article 3 – paragraph 2 a (new)
Article 3 – paragraph 2 a (new)
Amendment 257 #
Proposal for a regulation
Article 3 – paragraph 2 b (new)
Article 3 – paragraph 2 b (new)
2 b. The user may grant or withdraw at any time consent to the data holder for the use of their data or to the third party nominated by the data holder (opt out).
Amendment 258 #
Proposal for a regulation
Article 4 – title
Article 4 – title
The right of users to access and use data obtained, collected, or generated by their use of products or related services, and the obligation of data holders to provide access to such data
Amendment 259 #
Proposal for a regulation
Article 4 – paragraph 1
Article 4 – paragraph 1
1. Where data cannot be directly accessed by the user from the product, the data holder shall make available to the user theany data generated by its use of a product or related service without undue delay, free of charge and, where applicable, continuously and in real-timecommunicated to the data holder from the product or obtained, collected, or generated during the provision of the related service without undue delay, free of charge and, where applicable, continuously and in real-time, in a structured, commonly used and machine-readable format, including access to derived or inferred data, and including the relevant metadata. This shall be done on the basis of a simple request through electronic means w. Where this is not technically feasible, the data holder shall provide a functionally equivalent alternative.
Amendment 263 #
Proposal for a regulation
Article 4 – paragraph 2
Article 4 – paragraph 2
2. The data holder shall not require the user to provide any information beyond what is necessary to verify their quality as athe user pursuant to paragraph 1. The data holder shall not keep any information on the user’s access to the data requested beyond what is necessary for the sound execution of the user’s access request and for the security and the maintenance of the data infrastructure.
Amendment 267 #
Proposal for a regulation
Article 4 – paragraph 3
Article 4 – paragraph 3
3. Trade secrets shall only be disclosed provided that all specific necessary measures are takenhe confidentiality of Trade secrets shall be preserved in particular with respect to third parties by taking specific necessary measures. The data holder and the user can agree measures to preserve the confidentiality of trade secretshe shared data, in particular with respectin relation to third parties. TWhe data holder and the user can agree measures to preserve the confidentiality of the shared data, in particular in relation to third partiesre a user has lawfully acquired a product, the disclosure of a trade secret according to Directive (EU) 2016/943 shall be encouraged in the interest of innovation and of competition, notably in allowing reverse engineering, which should be considered as a lawful means of acquiring information.
Amendment 272 #
Proposal for a regulation
Article 4 – paragraph 4
Article 4 – paragraph 4
4. TUnless where that data can be directly accessed by the user from the product, the user shall not use the data obtained pursuant to a request referred to in paragraph 1 to develop a product that competes with the product from which the data originate.
Amendment 278 #
Proposal for a regulation
Article 4 – paragraph 5
Article 4 – paragraph 5
5. Where the user is not a data subject, any personal data generated by the use of a product or related service shall only be made available by the data holder to the user where all conditions and rules provided by data protection legislation are complied with, notably where there is a valid legal basis under Article 6(1) of Regulation (EU) 2016/679 and, where relevant, the conditions of Article 9 of Regulation (EU) 2016/679 and Article 5(3) of Directive 2002/58/EC are fulfilled.
Amendment 280 #
Proposal for a regulation
Article 4 – paragraph 6
Article 4 – paragraph 6
6. The data holder shall only use any non-personal data obtained, collected, or generated by the use of a product or related service on the basis of a contractual agreement with the user. The data holder shall not use such data obtained, collected, or generated by the use of the product or related service to derive insights about the economic situation, assets and production methods of or the use by the user that could undermine the commercial position of the user in the markets in which the user is active and shall delete the data when they are no longer necessary for the purpose contractually agreed.
Amendment 281 #
Proposal for a regulation
Article 5 – title
Article 5 – title
Right to shareof users and data subjects to share, and the obligation of data holders to provide for the sharing of data with third parties
Amendment 284 #
Proposal for a regulation
Article 5 – paragraph 1
Article 5 – paragraph 1
1. Upon request by a data subject, or a user, or by a party acting on behalf of a user, the data holder shall make available the data obtained, collected, or generated by the use of a product or related service to a third party, without undue delay, free of charge to the data subject or the user, of the same quality as is available to the data holder and, where applicable, continuously and in real-time. and only for the purposes of:
Amendment 286 #
Proposal for a regulation
Article 5 – paragraph 1 – point a (new)
Article 5 – paragraph 1 – point a (new)
(a) enabling the user or data subject to obtain repair or maintenance, or aftermarket services regarding the product, including competing or unrelated services;
Amendment 287 #
Proposal for a regulation
Article 5 – paragraph 1 – point b (new)
Article 5 – paragraph 1 – point b (new)
(b) enabling the user or data subject to update the software of its product or related services in particular to fix security and usability problems;
Amendment 288 #
Proposal for a regulation
Article 5 – paragraph 1 – point c (new)
Article 5 – paragraph 1 – point c (new)
(c) enabling the user or data subject to share data with recognised data altruism organisations pursuant to [Data Governance Act].
Amendment 289 #
Proposal for a regulation
Article 5 – paragraph 1 – subparagraph 1 (new)
Article 5 – paragraph 1 – subparagraph 1 (new)
A third party may not solicit or commercially incentivise a user or data subject in any manner, including by providing monetary or any other compensation, to make data available the consumer or data subject has obtained pursuant to a request under Article 4(1) as a mere tradeable commodity. These data may notably not be used by the third party for purposes of direct marketing or advertising, employee monitoring, credit scoring and profiling.
Amendment 291 #
Proposal for a regulation
Article 5 – paragraph 3
Article 5 – paragraph 3
3. The user or third party shall not be required to provide any information beyond what is necessary to verify their quality as the user or as third party pursuant to paragraph 1. The data holder shall not keep any information on the third party’s access to the data requested beyond what is necessary for the sound execution of the third party’s access request and for the security and the maintenance of the data infrastructure.
Amendment 292 #
Proposal for a regulation
Article 5 – paragraph 4
Article 5 – paragraph 4
4. The third party shall not deploy coercive means or abuse evident gaps in the data holder's technical infrastructure of the data holderutside of the concerned product, designed to protect the data in order to obtain access to data.
Amendment 296 #
Proposal for a regulation
Article 5 – paragraph 5
Article 5 – paragraph 5
5. The data holder shall not use any non-personal data obtained, collected, or generated by the use of the product or related service to derive insights about the economic situation, assets and production methods of or use by the third party that could undermine the commercial position of the third party on the markets in which the third party is active, unless the third party has consented to such use and has the technical possibility to withdraw that consent at any time.
Amendment 298 #
Proposal for a regulation
Article 5 – paragraph 6
Article 5 – paragraph 6
6. Where the user is not a data subject, any personal dataa data subject is concerned, that is not the user or data subject requesting access , any personal data obtained, collected, or generated by their use of a product or related service shall only be made available, and data derived and inferred from that use, shall only be made available by the data holder to the third party where there is a valid legal basis under points (a) or (b) of Article 6(1) of Regulation (EU) 2016/679 and where relevant, the conditions of Article 9 of Regulation (EU) 2016/679 and Article 5(3) of Directive 2002/58/EC are fulfilled.
Amendment 305 #
Proposal for a regulation
Article 5 – paragraph 8
Article 5 – paragraph 8
8. Trade secrets shall only be disclosed to third parties to the extent that they are strictly necessary to fulfil the purpose agreed between thhird parties shall take all specific and necessary measures to preserve the confidentiality of trade secrets agreed between the third party and the data holder to preserve the confidentiality of trade user and the third party and all specific necessary measurescrets disclosed to the third party in order to fulfil the purpose agreed between the data holduser and the third party are taken by the third party to preserve the confidentiality of the trade secretnd any right of the user or data subject to data sharing. In such a case, the nature of the data as trade secrets and the measures for preserving the confidentiality shall be specified in the agreement between the data holder and the third party.
Amendment 306 #
Proposal for a regulation
Article 5 – paragraph 9
Article 5 – paragraph 9
9. The right referred to in paragraph 1 shall not adversely affect data protectionsubject rights of others pursuant to applicable data protection legislation.
Amendment 308 #
Proposal for a regulation
Article 6 – title
Article 6 – title
Obligations of third parties receiving data at the request of the user or the data subject
Amendment 309 #
Proposal for a regulation
Article 6 – paragraph 1
Article 6 – paragraph 1
1. A third party shall process thepersonal data made available to it pursuant to Article 5 only for the purposes and under the conditions agreed with the user, and where all conditions and rules provided by data protection legislation are complied with, notably where there is a valid legal basis under points (a) or (b) of Article 6(1) of Regulation (EU) 2016/679, and where relevant, the conditions of Article 9 of Regulation (EU) 2016/679 and Article 5(3) of Directive 2002/58/EC are fulfilled and subject to the rights of the data subject, insofar as personal data are concerned, and. The third party shall delete the data when they are no longer necessary for the agreed purpose.
Amendment 310 #
Proposal for a regulation
Article 6 – paragraph 2 – point a
Article 6 – paragraph 2 – point a
(a) make the exercise of the rights or choices of users unduly difficult including by offering choices to the end-users in a non-neutral manner, or coerce, deceive or manipulate the user in any way, byor subverting or impairing the autonomy, decision-making or choices of the user, including by means of a digital interface with the user; or a part thereof, including its structure, design, function, or manner of operation;
Amendment 312 #
Proposal for a regulation
Article 6 – paragraph 2 – point b
Article 6 – paragraph 2 – point b
(b) use the data it receives for the profiling of natural persons within the meaning of Article 4(4) of Regulation (EU) 2016/679, unless it is necessary to provide the service requested by the user;
Amendment 313 #
Proposal for a regulation
Article 6 – paragraph 2 – point b a (new)
Article 6 – paragraph 2 – point b a (new)
(b a) use data it receives to re-identify any data subject to whom the data relates and shall take technical and operational measures to prevent re-identification; it shall notify any data breach resulting in the re-identification of the data subjects concerned to a data protection authority;
Amendment 316 #
Proposal for a regulation
Article 6 – paragraph 2 – point f a (new)
Article 6 – paragraph 2 – point f a (new)
(f a) commercially incentivise the data subject by providing monetary or other compensation for making personal data available.
Amendment 319 #
Proposal for a regulation
Article 7 – paragraph 1
Article 7 – paragraph 1
1. The obligations of this Chapter shall not apply to non-personal data generated by the use of products manufactured or related services provided by enterprises that qualify as micro or small enterprises, as defined in Article 2 of the Annex to Recommendation 2003/361/EC, provided those enterprises do not have partner enterprises or linked enterprises as defined in Article 3 of the Annex to Recommendation 2003/361/EC which do not qualify as a micro or small enterprise.
Amendment 322 #
Proposal for a regulation
Article 8 – paragraph 6
Article 8 – paragraph 6
6. Unless otherwise provided by Union law, including Articles 4(3), 5(8), and 6 of this Regulation, or by national legislation implementing Union law, an obligation to make data available to a data recipient shall not oblige the disclosure of trade secrets within the meaning of Directive (EU) 2016/943.
Amendment 323 #
Proposal for a regulation
Article 9 – paragraph 1
Article 9 – paragraph 1
1. Any compensation agreed between a data holder and a data recipient for making data available shall be reasonable. the costs incurred and investment required for making data available shall, in the case of non-personal data, be fair and reasonable, and strictly proportionate in the case of personal data.
Amendment 326 #
Proposal for a regulation
Article 10 – paragraph 1
Article 10 – paragraph 1
1. Data holders and data recipients shall have access to dispute settlement bodies, certified in accordance with paragraph 2 of this Article, to settle disputes in relation to the determination of fair, reasonable and non-discriminatory terms for and the transparent manner of making data available in accordance with Articles 8 and 9. This is without prejudice to the data subjects’ rights to seek redress before a supervisory authority, and to the controller’s data protection obligations.
Amendment 331 #
Proposal for a regulation
Article 11 – paragraph 1
Article 11 – paragraph 1
1. The data holder may apply appropriate technical protection measures, including smart contracts, to prevent unauthorised disclosure of and access to the data, and to ensure compliance with Articles 4, 5, 6, 8, 9 and 10, as well as with the agreed contractual terms for making data available. Such technical protection measures shall not be used as a means to hinder the user’s right to effectively provide data to third parties pursuant to Article 5 or any right of a third party under Union law or national legislation implementing Union law as referred to in Article 8(1). Such technical protection measures shall not be used as a means to prevent interoperability of the data which the data holder is under an obligation to make available. Where personal data are concerned, these technical measures shall be consistent with the obligation of the data controller to implement appropriate technical and organisational measures so as to ensure a level of security appropriate to the risk of the personal data processing pursuant to data protection legislation.
Amendment 333 #
2. A data recipient that has, for the purposes of obtaining data, provided inaccurate or false information to the data holder, deployed deceptive or coercive means or abused evident gaps in the technical infrastructure of the data holder designed to protect the data, has used the data made available for unauthorised purposes or has disclosed those data to another party without the data holder’s authorisation or in the case of personal data, an appropriate legal basis, shall without undue delay, unless the data holder or the user instruct otherwise:
Amendment 335 #
Proposal for a regulation
Article 11 – paragraph 2 – point a a (new)
Article 11 – paragraph 2 – point a a (new)
(a a) inform the user of the unauthorised use or disclosure of data as well as of the measures taken to put an end to the unauthorised use or disclosure of data;
Amendment 336 #
Proposal for a regulation
Article 11 – paragraph 3 – introductory part
Article 11 – paragraph 3 – introductory part
3. Paragraph 2, point (b), shall not apply in either of the following cases where non-personal data are concerned:
Amendment 337 #
Proposal for a regulation
Article 12 – paragraph 2 a (new)
Article 12 – paragraph 2 a (new)
2 a. Any contractual term in a data sharing agreement between data holders and data recipients which, to the detriment of the data subjects, undermines the application of their rights to privacy and data protection, derogates from it, or varies its effect, shall not be binding on that party.
Amendment 338 #
Proposal for a regulation
Article 12 – paragraph 3
Article 12 – paragraph 3
3. This Chapter shall only apply in relation to obligations to make data available under Union law or national legislation implementing Union law, which enter into force after [date of application of the Regulation]. As regards obligations which have entered into force before [date of application of the Regulation], their provisions shall be aligned with this Regulation within two years after the date of application of this Regulation.
Amendment 339 #
Proposal for a regulation
Article 13 – title
Article 13 – title
Unfair contractual terms unilaterally imposed on a micro, small or medium- sized enterprisewithout individual negotiation
Amendment 345 #
Proposal for a regulation
Article 13 – paragraph 1
Article 13 – paragraph 1
1. A contractual term, concerning the access to and use of data or the liability and remedies for the breach or the termination of data related obligations which has been unilaterally imposed by an enterprise on a micro, small or medium-sized enterprise as defined inve not been individually negotiated shall not be binding on any legal or natural person except consumers in the sense of Article 2(b) of the Annex to Recommendation 2003/361/EC shall not be binding on the latter enterpriseCouncil Directive 93/13/EEC if it is unfair.
Amendment 350 #
Proposal for a regulation
Article 13 – paragraph 5
Article 13 – paragraph 5
5. A contractual term shall be considered to be unilaterally imposnot individually negotiated within the meaning of this Article if it has been supplied by one contracting party and the other contracting party has not been able to influence its content despite an attempt to negotiate it. The contracting party that supplied a contractual term bears the burddrafted in advance and the other party has therefore not been able to influence the substance of the term, particularly in the context of a pre- formulated standard contract. A contractual term which has not been individually negotiated shall be regarded as unfair if, contrary to the requirement of proving that that term has not been unilaterally imposedgood faith, it causes a significant imbalance in the parties' rights and obligations arising under the contract, to the detriment of the consumer.
Amendment 352 #
Proposal for a regulation
Article 13 – paragraph 8
Article 13 – paragraph 8
8. The parties to a contract covered by paragraph 1 mayshall not exclude the application of this Article, derogate from it, or vary its effects.
Amendment 354 #
Proposal for a regulation
Chapter V – title
Chapter V – title
V MAKING DATA AVAILABLE TO PUBLIC SECTOR BODIES AND UNION INSTITUTIONS, AGENCIES OR BODIES BASED ON EXCEPTIONAL NEED(deleted)
Amendment 356 #
Proposal for a regulation
Article 14
Article 14
Amendment 362 #
Proposal for a regulation
Article 15
Article 15
An exceptional need to use data within the meaning of this Chapter shall be deemed to exist in any of the following circumstances: (a) where the data requested is necessary to respond to a public emergency; (b) where the data request is limited in time and scope and necessary to prevent a public emergency or to assist the recovery from a public emergency; (c) where the lack of available data prevents the public sector body or Union institution, agency or body from fulfilling a specific task in the public interest that has been explicitly provided by law; and (1) the public sector body or Union institution, agency or body has been unable to obtain such data by alternative means, including by purchasing the data on the market at market rates or by relying on existing obligations to make data available, and the adoption of new legislative measures cannot ensure the timely availability of the data; or (2) obtaining the data in line with the procedure laid down in this Chapter would substantively reduce the administrative burden for data holders or other enterprises.rticle 15 deleted Exceptional need to use data
Amendment 377 #
Proposal for a regulation
Article 16
Article 16
Amendment 378 #
Proposal for a regulation
Article 17
Article 17
Amendment 396 #
Proposal for a regulation
Article 18
Article 18
Amendment 403 #
Proposal for a regulation
Article 19
Article 19
Amendment 412 #
Proposal for a regulation
Article 20
Article 20
Amendment 419 #
Proposal for a regulation
Article 21
Article 21
Amendment 424 #
Proposal for a regulation
Article 22
Article 22
Amendment 426 #
Proposal for a regulation
Article 23 – paragraph 1 – point a
Article 23 – paragraph 1 – point a
(a) terminating, after a maximum notice period of 30 calendar daysspecified in the contract in accordance with Article 24, the contractual agreement of the service;
Amendment 428 #
Proposal for a regulation
Article 23 – paragraph 1 – point c
Article 23 – paragraph 1 – point c
(c) porting its data, including metadata created by the customer and by the use of the originating service, and/or the customer's applications and other digital assets to another provider of data processing services;
Amendment 430 #
Proposal for a regulation
Article 24 – paragraph 1 – point a – introductory part
Article 24 – paragraph 1 – point a – introductory part
(a) clauses allowing the customer, upon request, to switch to a data processing service offered by another provider of data processing service or to port all data, applications and digital assets generated directly or indirectly by the customer to an on-premise system, in particular the establishment of a mandatory maximum transition period of 30 calendar days, during whichto be initiated after the maximum notice period referred to in Article 23 point (aa), during which the service contract remains applicable and the data processing service provider shall:
Amendment 433 #
Proposal for a regulation
Article 24 – paragraph 1 – point a a (new)
Article 24 – paragraph 1 – point a a (new)
(a a) a maximum notice period for termination of the contract by the user, which shall not exceed 2 months;
Amendment 440 #
Proposal for a regulation
Article 27 – paragraph 1
Article 27 – paragraph 1
1. Providers of data processing services shall take all reasonablappropriate technical, legal and organisational measures, including contractual arrangements, in order to prevent international transfer or governmental access to non-personal data held in the Union where such transfer or access would create a conflict with Union law or the national law of the relevant Member State, without prejudice to paragraph 2 or 3.
Amendment 448 #
Proposal for a regulation
Article 27 – paragraph 3 – subparagraph 2
Article 27 – paragraph 3 – subparagraph 2
The addressee of the decision may askrequest the opinion of the relevant competent bodies or authorities, pursuant to this Regulation, in order to determine whether these conditions are met, notably when it considers that the decision may relate to commercially sensitive data, or may impinge on national security or defence interests of the Union or its Member States. Relevant competent bodies or authorities shall reply within 10 working days. If the addressee has not received a reply after this time, or if the opinion of the competent authorities concludes that the conditions are not met, the addressee shall deny the request for transfer or access on those grounds.
Amendment 452 #
Proposal for a regulation
Article 27 – paragraph 4 a (new)
Article 27 – paragraph 4 a (new)
4 a. Where the provider of data processing services has reason to believe that the transfer of or access to non- personal data may lead to the risk of re- identification of non-personal, or anonymised data, the provider shall request the relevant bodies or authorities competent pursuant to applicable data protection legislation for authorisation before transferring or giving access to data.
Amendment 456 #
Proposal for a regulation
Article 31 – paragraph 1 a (new)
Article 31 – paragraph 1 a (new)
Amendment 457 #
Proposal for a regulation
Article 31 – paragraph 2 – point a
Article 31 – paragraph 2 – point a
Amendment 459 #
Proposal for a regulation
Article 31 – paragraph 3 – point g
Article 31 – paragraph 3 – point g
Amendment 462 #
Proposal for a regulation
Article 31 – paragraph 4
Article 31 – paragraph 4
4. Where a Member State designates more than one competent authority, the competent authorities shall, in the exercise of the tasks and powers assigned to them under paragraph 3 of this Article, cooperate with each other, including, as appropri. In such cases, relevant Member States shall designate a coordinating competent authority. Competent authorities shall cooperate, with the supervisory authority responsible for monitoring the application of Regulation (EU) 2016/679, to ensure the consistent application of this Regulation. In such cases, relevant Member States shall designate a coordinating competent authority.
Amendment 465 #
1. Without prejudice to any other administrative or judicial remedy, natural and legal persons shall have the right to lodge a complaint, individually or, where relevant, collectively, with the coordinating competent authority, or any other relevant competent authority in the Member State of their habitual residence, place of work or establishment if they consider that their rights under this Regulation have been infringed.
Amendment 467 #
Proposal for a regulation
Article 34 – paragraph 1
Article 34 – paragraph 1
The Commission shall develop and recommend non-binding model contractual terms on data access and use to assist parties in drafting and negotiating contracts with balanced contractual rights and obligations. The Commission shall consult the European Data Protection Board when developing such model contractual terms, as far as personal data are concerned.
Amendment 469 #
Proposal for a regulation
Chapter X – title
Chapter X – title
X INAPPLICABILITY OF THE SUI GENERIS RIGHT UNDER DIRECTIVE 1996/9/EC TO DATABASES COVERED BY THIS REGULATION
Amendment 470 #
Proposal for a regulation
Article 35 – paragraph 1
Article 35 – paragraph 1
Amendment 472 #
Proposal for a regulation
Article 41 – paragraph 1 – point a a (new)
Article 41 – paragraph 1 – point a a (new)
(a a) whether the provisions of this Regulation related to trade secrets ensure respect for trade secrets while not hampering the access to and sharing of data; in particular, the evaluation shall assess whether and how the confidentiality of trade secrets is ensured in practice despite their disclosure both in the context of data sharing with third parties [and in the business-to- government context]. This assessment shall be carried out in close relationship with the evaluation report on Directive (EU) 2016/943 expected by 9 June 2026 pursuant to Article 18(3) of the directive thereof.