Chapter III – Requirements applicable to data intermediation services (Art. 10-15)

Art. 10 DGA - Data intermediation services

Art. 11 DGA - Notification by data intermediation services providers

Art. 12 DGA - Conditions for providing data intermediation services

The provision of data intermediation services referred to in Article 10 shall be subject to the following conditions:

    1. the data intermediation services provider shall not use the data for which it provides data intermediation services for purposes other than to put them at the disposal of data users and shall provide data intermediation services through a separate legal person;
    2. the commercial terms, including pricing, for the provision of data intermediation services to a data holder or data user shall not be dependent upon whether the data holder or data user uses other services provided by the same data intermediation services provider or by a related entity, and if so to what degree the data holder or data user uses such other services;
    3. the data collected with respect to any activity of a natural or legal person for the purpose of the provision of the data intermediation service, including the date, time and geolocation data, duration of activity and connections to other natural or legal persons established by the person who uses the data intermediation service, shall be used only for the development of that data intermediation service, which may entail the use of data for the detection of fraud or cybersecurity, and shall be made available to the data holders upon request;
    4. the data intermediation services provider shall facilitate the exchange of the data in the format in which it receives it from a data subject or a data holder, shall convert the data into specific formats only to enhance interoperability within and across sectors or if requested by the data user or where mandated by Union law or to ensure harmonisation with international or European data standards and shall offer an opt-out possibility regarding those conversions to data subjects or data holders, unless the conversion is mandated by Union law;
    5. data intermediation services may include offering additional specific tools and services to data holders or data subjects for the specific purpose of facilitating the exchange of data, such as temporary storage, curation, conversion, anonymisation and pseudonymisation, such tools being used only at the explicit request or approval of the data holder or data subject and third-party tools offered in that context not being used for other purposes;
    6. the data intermediation services provider shall ensure that the procedure for access to its service is fair, transparent and non-discriminatory for both data subjects and data holders, as well as for data users, including with regard to prices and terms of service;
    7. the data intermediation services provider shall have procedures in place to prevent fraudulent or abusive practices in relation to parties seeking access through its data intermediation services;
    8. the data intermediation services provider shall, in the event of its insolvency, ensure a reasonable continuity of the provision of its data intermediation services and, where such data intermediation services ensure the storage of data, shall have mechanisms in place to allow data holders and data users to obtain access to, to transfer or to retrieve their data and, where such data intermediation services are provided between data subjects and data users, to allow data subjects to exercise their rights;
    9. the data intermediation services provider shall take appropriate measures to ensure interoperability with other data intermediation services, inter alia, by means of commonly used open standards in the sector in which the data intermediation services provider operates;
    10. the data intermediation services provider shall put in place adequate technical, legal and organisational measures in order to prevent the transfer of or access to non-personal data that is unlawful under Union law or the national law of the relevant Member State;
    11. the data intermediation services provider shall without delay inform data holders in the event of an unauthorised transfer, access or use of the non-personal data that it has shared;
    12. the data intermediation services provider shall take necessary measures to ensure an appropriate level of security for the storage, processing and transmission of non-personal data, and the data intermediation services provider shall further ensure the highest level of security for the storage and transmission of competitively sensitive information;
    13. the data intermediation services provider offering services to data subjects shall act in the data subjects’ best interest where it facilitates the exercise of their rights, in particular by informing and, where appropriate, advising data subjects in a concise, transparent, intelligible and easily accessible manner about intended data uses by data users and standard terms and conditions attached to such uses before data subjects give consent;
    14. where a data intermediation services provider provides tools for obtaining consent from data subjects or permissions to process data made available by data holders, it shall, where relevant, specify the third-country jurisdiction in which the data use is intended to take place and provide data subjects with tools to both give and withdraw consent and data holders with tools to both give and withdraw permissions to process data;
    15. the data intermediation services provider shall maintain a log record of the data intermediation activity.
Related

Recital 32

In order to increase trust in such data intermediation services, in particular related to the use of data and compliance with the conditions imposed by data subjects and data holders, it is necessary to create a Union-level regulatory framework which establishes highly harmonised requirements related to the trustworthy provision of such data intermediation services, and which is implemented by the competent authorities. That framework will contribute to ensuring that data subjects and data holders, as well as data users, have better control over access to and use of their data, in accordance with Union law. The Commission could also encourage and facilitate the development of codes of conduct at Union level, involving relevant stakeholders, in particular on interoperability. Both in situations where data sharing occurs in a business-to-business context and where it occurs in a business-to-consumer context, data intermediation services providers should offer a novel, ‘European’ way of data governance, by providing a separation in the data economy between data provision, intermediation and use. Data intermediation services providers could also make available specific technical infrastructure for the interconnection of data subjects and data holders with data users. In that regard, it is of particular importance to shape that infrastructure in such a way that SMEs and start-ups encounter no technical or other barriers to their participation in the data economy.

Data intermediation services providers should be allowed to offer additional specific tools and services to data holders or data subjects for the specific purpose of facilitating the exchange of data, such as temporary storage, curation, conversion, anonymisation and pseudonymisation. Those tools and services should be used only at the explicit request or approval of the data holder or data subject and third-party tools offered in that context should not use data for other purposes. At the same time, data intermediation services providers should be allowed to adapt the data exchanged in order to improve the usability of the data by the data user where the data user so desires, or to improve interoperability by, for example, converting the data into specific formats.

Recital 33

It is important to enable a competitive environment for data sharing. A key element by which to increase the trust and control of data holders, data subjects and data users in data intermediation services is the neutrality of data intermediation services providers with regard to the data exchanged between data holders or data subjects and data users. It is therefore necessary that data intermediation services providers act only as intermediaries in the transactions, and do not use the data exchanged for any other purpose. The commercial terms, including pricing, for the provision of data intermediation services should not be dependent on whether a potential data holder or data user is using other services, including storage, analytics, artificial intelligence or other data-based applications, provided by the same data intermediation services provider or by a related entity, and if so to what degree the data holder or data user uses such other services. This will also require structural separation between the data intermediation service and any other services provided, so as to avoid conflicts of interest. This means that the data intermediation service should be provided through a legal person that is separate from the other activities of that data intermediation services provider. However, the data intermediation services providers should be able to use the data provided by the data holder for the improvement of their data intermediation services.

Data intermediation services providers should be able to put at the disposal of data holders, data subjects or data users their own or third-party tools for the purpose of facilitating the exchange of data, for example tools for the conversion or curation of data only at the explicit request or approval of the data subject or data holder. The third-party tools offered in that context should not use data for purposes other than those related to data intermediation services. Data intermediation services providers that intermediate the exchange of data between individuals as data subjects and legal persons as data users should, in addition, bear fiduciary duty towards the individuals, to ensure that they act in the best interest of the data subjects. Questions of liability for all material and immaterial damage and detriment resulting from any conduct of the data intermediation services provider could be addressed in the relevant contract, on the basis of national liability regimes.

Recital 36

Data intermediation services providers are expected to have in place procedures and measures to impose penalties for fraudulent or abusive practices in relation to parties seeking access through their data intermediation services, including measures such as the exclusion of data users that breach the terms of service or infringe existing law.

Art. 13 DGA - Competent authorities for data intermediation services

Art. 14 DGA - Monitoring of compliance

Art. 15 DGA - Exceptions