Skip to content

Files

Latest commit

ddca3c5 · Dec 17, 2020

History

History
109 lines (55 loc) · 10.2 KB

chapter3.md

File metadata and controls

109 lines (55 loc) · 10.2 KB

CHAPTER III REQUIREMENTS APPLICABLE TO DATA SHARING SERVICES

Article 9 Providers of data sharing services

(1) The provision of the following data sharing services shall be subject to a notification procedure:

(a) intermediation services between data holders which are legal persons and potential data users, including making available the technical or other means to enable such services; those services may include bilateral or multilateral exchanges of data or the creation of platforms or databases enabling the exchange or joint exploitation of data, as well as the establishment of a specific infrastructure for the interconnection of data holders and data users;

(b) intermediation services between data subjects that seek to make their personal data available and potential data users, including making available the technical or other means to enable such services, in the exercise of the rights provided in Regulation (EU) 2016/679;

(c) services of data cooperatives, that is to say services supporting data subjects or one-person companies or micro, small and medium-sized enterprises, who are members of the cooperative or who confer the power to the cooperative to negotiate terms and conditions for data processing before they consent, in making informed choices before consenting to data processing, and allowing for mechanisms to exchange views on data processing purposes and conditions that would best represent the interests of data subjects or legal persons.

(2) This Chapter shall be without prejudice to the application of other Union and national law to providers of data sharing services, including powers of supervisory authorities to ensure compliance with applicable law, in particular as regard the protection of personal data and competition law.

Article 10 Notification of data sharing service providers

(1) Any provider of data sharing services who intends to provide the services referred to in Article 9 (1) shall submit a notification to the competent authority referred to in Article 12.

(2) For the purposes of this Regulation, a provider of data sharing services with establishments in more than one Member State, shall be deemed to be under the jurisdiction of the Member State in which it has its main establishment.

(3) A provider of data sharing services that is not established in the Union, but offers the services referred to in Article 9 (1) within the Union, shall appoint a legal representative in one of the Member States in which those services are offered. The provider shall be deemed to be under the jurisdiction of the Member State in which the legal representative is established.

(4) Upon notification, the provider of data sharing services may start the activity subject to the conditions laid down in this Chapter.

(5) The notification shall entitle the provider to provide data sharing services in all Member States.

(6) The notification shall include the following information:

(a) the name of the provider of data sharing services;

(b) the provider’s legal status, form and registration number, where the provider is registered in trade or in another similar public register;

(c) the address of the provider’s main establishment in the Union, if any, and, where applicable, any secondary branch in another Member State or that of the legal representative designated pursuant to paragraph 3;

(d) a website where information on the provider and the activities can be found, where applicable;

(e) the provider’s contact persons and contact details;

(f) a description of the service the provider intends to provide;

(g) the estimated date for starting the activity;

(h) the Member States where the provider intends to provide services.

(7) At the request of the provider, the competent authority shall, within one week, issue a standardised declaration, confirming that the provider has submitted the notification referred to in paragraph 4.

(8) The competent authority shall forward each notification to the national competent authorities of the Member States by electronic means, without delay.

(9) The competent authority shall notify the Commission of each new notification. The Commission shall keep a register of providers of data sharing services.

(10) The competent authority may charge fees. Such fees shall be proportionate and objective and be based on the administrative costs related to the monitoring of compliance and other market control activities of the competent authorities in relation to notifications of data sharing services.

(11) Where a provider of data sharing services ceases its activities, it shall notify the relevant competent authority determined pursuant to paragraphs 1, 2 and 3 within 15 days. The competent authority shall forward without delay each such notification to the national competent authorities in the Member States and to the Commission by electronic means.

Article 11 Conditions for providing data sharing services

The provision of data sharing services referred in Article 9 (1) shall be subject to the following conditions:

(1) the provider may not use the data for which it provides services for other purposes than to put them at the disposal of data users and data sharing services shall be placed in a separate legal entity;

(2) the metadata collected from the provision of the data sharing service may be used only for the development of that service;

(3) the provider shall ensure that the procedure for access to its service is fair, transparent and non-discriminatory for both data holders and data users, including as regards prices;

(4) the provider shall facilitate the exchange of the data in the format in which it receives it from the data holder and shall convert the data into specific formats only to enhance interoperability within and across sectors or if requested by the data user or where mandated by Union law or to ensure harmonisation with international or European data standards;

(5) the provider shall have procedures in place to prevent fraudulent or abusive practices in relation to access to data from parties seeking access through their services;

(6) the provider shall ensure a reasonable continuity of provision of its services and, in the case of services which ensure storage of data, shall have sufficient guarantees in place that allow data holders and data users to obtain access to their data in case of insolvency;

(7) the provider shall put in place adequate technical, legal and organisational measures in order to prevent transfer or access to non-personal data that is unlawful under Union law;

(8) the provider shall take measures to ensure a high level of security for the storage and transmission of non-personal data;

(9) the provider shall have procedures in place to ensure compliance with the Union and national rules on competition;

(10) the provider offering services to data subjects shall act in the data subjects’ best interest when facilitating the exercise of their rights, in particular by advising data subjects on potential data uses and standard terms and conditions attached to such uses;

(11) where a provider provides tools for obtaining consent from data subjects or permissions to process data made available by legal persons, it shall specify the jurisdiction or jurisdictions in which the data use is intended to take place.

Article 12 Competent authorities

(1) Each Member State shall designate in its territory one or more authorities competent to carry out the tasks related to the notification framework and shall communicate to the Commission the identity of those designated authorities by [date of application of this Regulation]. It shall also communicate to the Commission any subsequent modification.

(2) The designated competent authorities shall comply with Article 23.

(3) The designated competent authorities, the data protection authorities, the national competition authorities, the authorities in charge of cybersecurity, and other relevant sectorial authorities shall exchange the information which is necessary for the exercise of their tasks in relation to data sharing providers.

Article 13 Monitoring of compliance

(1) The competent authority shall monitor and supervise compliance with this Chapter.

(2) The competent authority shall have the power to request from providers of data sharing services all the information that is necessary to verify compliance with the requirements laid down in Articles 10 and 11. Any request for information shall be proportionate to the performance of the task and shall be reasoned.

(3) Where the competent authority finds that a provider of data sharing services does not comply with one or more of the requirements laid down in Article 10 or 11, it shall notify that provider of those findings and give it the opportunity to state its views, within a reasonable time limit.

(4) The competent authority shall have the power to require the cessation of the breach referred to in paragraph 3 either immediately or within a reasonable time limit and shall take appropriate and proportionate measures aimed at ensuring compliance. In this regard, the competent authorities shall be able, where appropriate:

(a) to impose dissuasive financial penalties which may include periodic penalties with retroactive effect;

(b) to require cessation or postponement of the provision of the data sharing service.

(5) The competent authorities shall communicate the measures imposed pursuant to paragraph 4 and the reasons on which they are based to the entity concerned without delay and shall stipulate a reasonable period for the entity to comply with the measures.

(6) If a provider of data sharing services has its main establishment or legal representative in a Member State, but provides services in other Member States, the competent authority of the Member State of the main establishment or where the legal representative is located and the competent authorities of those other Member States shall cooperate and assist each other. Such assistance and cooperation may cover information exchanges between the competent authorities concerned and requests to take the measures referred to in this Article.

Article 14 Exceptions

This Chapter shall not apply to not-for-profit entities whose activities consist only in seeking to collect data for objectives of general interest, made available by natural or legal persons on the basis of data altruism.