Chapter III – Requirements applicable to data intermediation services (Art. 10-15)
Art. 10 DGA - Data intermediation services
Art. 11 DGA - Notification by data intermediation services providers
Art. 12 DGA - Conditions for providing data intermediation services
Art. 13 DGA - Competent authorities for data intermediation services
- Each Member State shall designate one or more competent authorities to carry out the tasks related to the notification procedure for data intermediation services and shall notify the Commission of the identity of those competent authorities by 24 September 2023. Each Member State shall also notify the Commission of any subsequent change to the identity of those competent authorities.
- The competent authorities for data intermediation services shall comply with the requirements set out in Article 26.
- The powers of the competent authorities for data intermediation services are without prejudice to the powers of the data protection authorities, national competition authorities, authorities in charge of cybersecurity and other relevant sectoral authorities. In accordance with their respective competences under Union and national law, those authorities shall establish strong cooperation and exchange information as is necessary for the exercise of their tasks in relation to data intermediation services providers, and shall aim to achieve consistency in the decisions taken in applying this Regulation.
In order to provide incentives for the re-use of specific categories of data held by public sector bodies, Member States should establish a single information point to act as an interface for re-users that seek to re-use that data. It should have a cross-sector remit, and should complement, if necessary, arrangements at the sectoral level. The single information point should be able to rely on automated means where it transmits enquiries or requests for re-use. Sufficient human oversight should be ensured in the transmission process. For that purpose existing practical arrangements such as open data portals could be used. The single information point should have an asset list containing an overview of all available data resources including, where relevant, those data resources that are available at sectoral, regional or local information points, with relevant information describing the available data. In addition, Member States should designate, establish or facilitate the establishment of competent bodies to support the activities of public sector bodies allowing re-use of certain categories of protected data. Their tasks may include granting access to data, where mandated under sectoral Union or national law. Those competent bodies should provide assistance to public sector bodies with state-of-the-art techniques, including on how to best structure and store data to make data easily accessible, in particular through application programming interfaces, as well as make data interoperable, transferable and searchable, taking into account best practices for data processing, as well as any existing regulatory and technical standards and secure data processing environments, which allow data analysis in a manner that preserves the privacy of the information.
The competent bodies should act in accordance with the instructions received from the public sector body. Such an assistance structure could assist the data subjects and data holders with management of the consent or permission for re-use, including consent and permission to certain areas of scientific research where in keeping with recognised ethical standards for scientific research. The competent bodies should not have a supervisory function, which is reserved for supervisory authorities under Regulation (EU) 2016/679. Without prejudice to the supervisory powers of data protection authorities, data processing should be carried out under the responsibility of the public sector body responsible for the register containing the data, which remains a data controller as defined in Regulation (EU) 2016/679 insofar as personal data are concerned. Member States should be able to have one or more competent bodies, which could act in different sectors. The internal services of public sector bodies could also act as competent bodies. A competent body could be a public sector body assisting other public sector bodies in allowing re-use of data, where relevant, or a public sector body allowing re-use itself. Assisting other public sector bodies should entail informing them, upon request, about best practices on how to fulfil the requirements laid down in this Regulation such as the technical means to make a secure processing environment available or the technical means to ensure privacy and confidentiality where access to re-use of data within the scope of this Regulation is provided.
The competent authorities for data intermediation services designated to monitor compliance of data intermediation services providers with the requirements of this Regulation should be chosen on the basis of their capacity and expertise regarding horizontal or sectoral data sharing They should be independent of any data intermediation services provider as well as transparent and impartial in the exercise of their tasks. Member States should notify the Commission of the identity of those competent authorities for data intermediation services. The powers and competences of the competent authorities for data intermediation services should be without prejudice to the powers of the data protection authorities. In particular, for any question requiring an assessment of compliance with Regulation (EU) 2016/679, the competent authority for data intermediation services should seek, where relevant, an opinion or decision of the competent supervisory authority established pursuant to that Regulation.