My favourites

Chapter II – Re-use of certain categories of protected data held by public sector bodies (Art. 3-9)

Art. 3 DGA - Categories of data arrow_right_alt

Art. 4 DGA - Prohibition of exclusive arrangements arrow_right_alt

Art. 5 DGA - Conditions for re-use arrow_right_alt

Art. 6 DGA - Fees arrow_right_alt

Art. 7 DGA - Competent bodies arrow_right_alt

Art. 8 DGA - Single information points arrow_right_alt

Art. 9 DGA - Procedure for requests for re-use arrow_right_alt

  1. Unless shorter time limits have been established in accordance with national law, the competent public sector bodies or the competent bodies referred to in Article 7(1) shall adopt a decision on the request for the re-use of the categories of data referred to in Article 3(1) within two months of the date of receipt of the request.

In the case of exceptionally extensive and complex requests for re-use, that two-month period may be extended by up to 30 days. In such cases the competent public sector bodies or the competent bodies referred to in Article 7(1) shall notify the applicant as soon as possible that more time is needed for conducting the procedure, together with the reasons for the delay.

  1.  Any natural or legal person directly affected by a decision as referred to in paragraph 1 shall have an effective right of redress in the Member State where the relevant body is located. Such a right of redress shall be laid down in national law and shall include the possibility of review by an impartial body with the appropriate expertise, such as the national competition authority, the relevant access-to-documents authority, the supervisory authority established in accordance with Regulation (EU) 2016/679 or a national judicial authority, whose decisions are binding upon the public sector body or the competent body concerned.
Close tabsclose
  • 15

Recital 15

This Regulation should lay down conditions for re-use of protected data that apply to public sector bodies designated as competent under national law to grant or refuse access for re-use, and which are without prejudice to rights or obligations concerning access to such data. Those conditions should be non-discriminatory, transparent, proportionate and objectively justified, while not restricting competition, with a specific focus on promoting access to such data by SMEs and start-ups. The conditions for re-use should be designed in a manner promoting scientific research so that, for example, privileging scientific research should, as a rule, be considered to be non-discriminatory. Public sector bodies allowing re-use should have in place the technical means necessary to ensure the protection of rights and interests of third parties and should be empowered to request the necessary information from the re-user. Conditions attached to the re-use of data should be limited to what is necessary to preserve the rights and interests of third parties in the data and the integrity of the information technology and communication systems of the public sector bodies. Public sector bodies should apply conditions which best serve the interests of the re-user without leading to a disproportionate burden on the public sector bodies. Conditions attached to the re-use of data should be designed to ensure effective safeguards with regard to the protection of personal data. Before transmission, personal data should be anonymised, in order not to allow the identification of the data subjects, and data containing commercially confidential information should be modified in such a way that no confidential information is disclosed. Where the provision of anonymised or modified data would not respond to the needs of the re-user, subject to fulfilling any requirements to carry out a data protection impact assessment and consult the supervisory authority pursuant to Articles 35 and 36 of Regulation (EU) 2016/679 and where the risks to the rights and interests of data subjects have been found to be minimal, on-premise or remote re-use of the data within a secure processing environment could be allowed.

This could be a suitable arrangement for the re-use of pseudonymised data. Data analyses in such secure processing environments should be supervised by the public sector body, so as to protect the rights and interests of third parties. In particular, personal data should be transmitted to a third party for re-use only where a legal basis under data protection law allows such transmission. Non-personal data should be transmitted only where there is no reason to believe that the combination of non-personal data sets would lead to the identification of data subjects. This should also apply to pseudonymised data which retain their status as personal data. In the event of the reidentification of data subjects, an obligation to notify such a data breach to the public sector body should apply in addition to an obligation to notify such a data breach to a supervisory authority and to the data subject in accordance with Regulation (EU) 2016/679. Where relevant, the public sector bodies should facilitate the re-use of data on the basis of the consent of data subjects or the permission of data holders on the re-use of data pertaining to them through adequate technical means. In that respect, the public sector body should make best efforts to provide assistance to potential re-users in seeking such consent or permission by establishing technical mechanisms that permit transmitting requests for consent or permission from re-users, where practically feasible. No contact information should be given that allows re-users to contact data subjects or data holders directly. Where the public sector body transmits a request for consent or permission, it should ensure that the data subject or data holder is clearly informed of the possibility to refuse consent or permission.