Regulatory measures explained for businesses
with guides, checklists, templates; AI assisted
Observatory edited by Dr. V. Spataro




Data Act - Text adopted 14 March 2023




Document annotated on 12.04.2023

Source: GPDP
Link: https://www.europarl.europa.eu/doceo/document/TA-9












text:


THE EUROPEAN PARLIAMENT AND THE COUNCIL OF THE EUROPEAN UNION,

Having regard to the Treaty on the Functioning of the European Union, and in particular Article 114 thereof,

Having regard to the proposal from the European Commission,

After transmission of the draft legislative act to the national parliaments,

Having regard to the opinion of the European Economic and Social Committee(1),

Having regard to the opinion of the Committee of the Regions(2),

Acting in accordance with the ordinary legislative procedure,

Whereas:

(1)  In recent years, data-driven technologies have had transformative effects on all sectors of the economy. The proliferation in products connected to the Internet ▌ in particular has increased the volume and potential value of data for consumers, businesses and society. High quality and interoperable data from different domains increase competitiveness and innovation and ensure sustainable economic growth. The same dataset may potentially be used and reused for a variety of purposes and to an unlimited degree, without any loss in its quality or quantity.

(2)  In a context where the European Union holds a global competitive position in manufacturing and is leader in industrial software and robotics, barriers to data sharing prevent an optimal allocation of data to the benefit of society. These barriers include a lack of incentives for data holders to enter voluntarily into data sharing agreements, uncertainty about rights and obligations in relation to data, the economic value of data sets, the costs of contracting and implementing technical interfaces, the high level of fragmentation of information in data silos, poor metadata management, the absence of standards for semantic and technical interoperability, bottlenecks impeding data access, a lack of common data sharing practices and abuse of contractual imbalances with regards to data access and use.

(3)  In sectors characterised by the presence of micro, small and medium-sized enterprises (SMEs), there is often a lack of digital capacities and skills to collect, analyse and use data, and access is frequently restricted where one actor holds it in the system or due to a lack of interoperability between data, between data services or across borders.

(4)  In order to respond to the needs of the digital economy, avoid the fragmentation of the internal market that could emerge from national legislation and to remove barriers to a well-functioning internal market for data, it is necessary to lay down a harmonised framework specifying who is entitled to use accessible data collected, obtained or otherwise generated by connected products or related services, under which conditions and on what basis. Accordingly, Member States should not adopt or maintain additional national requirements on those matters falling within the scope of this Regulation, unless explicitly provided for in this Regulation, since this would affect the direct and uniform application of this Regulation.

(5)  This Regulation ensures that manufacturers of connected products and providers of related services must design the products and services in a way that users of a connected product or related service in the Union can access, in a timely manner, the data accessible from the product or generated during the provision of a related service and that those users can use the data, including by sharing them with third parties of their choice. It imposes the obligation on data holders to make data available to users and data recipients nominated by the users ▌ . It also ensures that data holders make data available to data recipients in the Union under fair, reasonable and non-discriminatory terms and in a transparent manner. Private law rules are key in the overall framework of data sharing. Therefore, this Regulation adapts rules of contract law and prevents the exploitation of contractual imbalances that hinder fair data access and use ▌ . This Regulation also ensures that data holders make data available to public sector bodies of the Member States and to Union institutions, agencies or bodies, where there is an exceptional need ▌ . In addition, this Regulation seeks to facilitate switching between data processing services and to enhance the interoperability of data and data sharing mechanisms and services in the Union. This Regulation should not be interpreted as recognising or creating any legal basis for data holders to hold, have access to or process data, or as conferring any new right on a data holder to use data accessed from a connected product or generated during the provision of a related service. Instead, it recognises that users may agree to grant access and use permissions over data accessed from connected products or generated during the provision of related services to data holders, which may often be manufacturers, and which may contractually agree with the user to perform one or more related services.

(6)  Data generation is a function of the manufacturer’s design of a connected product, in particular the inclusion of sensors and processing software within the device, of the actions of the user and, depending on the operating modalities, of the provision of one or more related service. Many connected products, for example in the civil infrastructure, energy generation or transport sectors, are recording data about their environment or interaction with other elements of that infrastructure without any actions by the user or any third party. Such data may often be non-personal in nature and valuable for the user or third parties, which may use it to improve their operations, the overall functioning of a network or system or by making it available to others. This gives rise to questions of fairness in the digital economy, because the data accessed from connected products or generated during the provision of related services are an important input for aftermarket, ancillary and other services. In order to realise the important economic benefits of data ▌ for the economy and society, a general approach to assigning access and usage rights on data is preferable to awarding exclusive rights of access and use. However, it is also important that data sharing based on voluntary agreements continues to develop in order to facilitate the development of data-driven value growth of European companies.

(7)  The fundamental right to the protection of personal data is safeguarded in particular under Regulations (EU) 2016/679(3) and ▌ (EU) 2018/1725(4) of the European Parliament and of the Council. Directive 2002/58/EC of the European Parliament and of the Council(5) additionally protects private life and the confidentiality of communications, including providing conditions to any personal and non-personal data storing in and access from terminal equipment. These instruments provide the basis for sustainable and responsible data processing, including where datasets include a mix of personal and non-personal data. This Regulation complements and is without prejudice to Union law on data protection and privacy, in particular Regulation (EU) 2016/679 and Directive 2002/58/EC. No provision of this Regulation should be applied or interpreted in such a way as to diminish or limit the right to the protection of personal data or the right to privacy and confidentiality of communications. This Regulation should not be read as creating a new legal basis for the processing of personal data for any of the regulated activities, or as amending the information requirements laid down in Regulation (EU) 2016/679. In the event of a conflict between this Regulation and Union law on the protection of personal data or national law adopted in accordance with such Union law, the relevant Union or national law on the protection of personal data should prevail.

(8)  The principles of data minimisation and data protection by design and by default are essential when processing involves significant risks to the fundamental rights of individuals. Taking into account the state of the art, all parties to data sharing, including where within scope of this Regulation, should implement technical and organisational measures to protect these rights. Such measures include not only pseudonymisation and encryption, but also the use of increasingly available technology that permits algorithms to be brought to the data and allow valuable insights to be derived without the transmission between parties or unnecessary copying of the raw or structured data themselves.

(9)  This Regulation complements and is without prejudice to Union law aiming to promote the interests of consumers and to ensure a high level of consumer protection, to protect their health, safety and economic interests, in particular Directive 2005/29/EC of the European Parliament and of the Council(6), Directive 2011/83/EU of the European Parliament and of the Council(7) and Directive 93/13/EEC of the European Parliament and of the Council(8).

(10)  This Regulation is without prejudice to Union legal acts providing for the sharing of, the access to and the use of data for the purpose of prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, or for customs and taxation purposes, irrespective of the legal basis under the Treaty on the Functioning of the European Union on which basis they were adopted. Such acts include Regulation (EU) 2021/784 of the European Parliament and of the Council of 29 April 2021 on addressing the dissemination of terrorist content online, the [e-evidence proposals [COM(2018) 225 and 226] once adopted], the [Proposal for] a Regulation of the European Parliament and of the Council on a Single Market For Digital Services (Digital Services Act) and amending Directive 2000/31/EC, as well as international cooperation in this context in particular on the basis of the Council of Europe 2001 Convention on Cybercrime ("Budapest Convention"). This Regulation is without prejudice to the competences of the Member States regarding activities concerning public security, defence and national security in accordance with Union law, and activities from customs on risk management and in general, verification of compliance with the Customs Code by economic operators.

(11)  Union law setting physical design and data requirements for products to be placed on the Union market should not be affected beyond the obligations of Article 3(1) of this Regulation.

(12)  This Regulation complements and is without prejudice to Union law aiming at setting accessibility requirements on certain products and services, in particular Directive 2019/882(9).

(13)  This Regulation is without prejudice to the competences of the Member States regarding activities concerning public security, defence and national security in accordance with Union law, and activities from customs on risk management and in general, verification of compliance with the Customs Code by economic operators.

(13a)   This Regulation also aims at strengthening the position and business models of third parties, for example suppliers, through a horizontal approach. To account for the specific situation and complexity of the respective sector, this Regulation should be followed by sectoral legislation, for example the mobility data space. That legislation could set out further rules for the right for suppliers to improved or direct access to data from their own smart components for issues such as quality monitoring, product development or safety improvements and clarifies the role of providers of components in relation to connected products.

(13b)   This Regulation is without prejudice to Union and national legal acts providing for the protection of intellectual property rights, including Directives 2001/29/EC(10), 2004/48/EC(11), and (EU) 2019/790(12) of the European Parliament and of the Council.

(14)  Physical products that obtain, generate or collect, by means of their components, data concerning their performance, use or environment and that are able to communicate that data via an electronic communications service, a physical connection, or on-device (often referred to as the Internet of Things) should be covered by this Regulation with the exception of prototypes. Electronic communications services include land-based telephone networks, television cable networks, satellite-based networks and near-field communication networks. Such connected products are found in all aspects of the economy and society, including in private, civil or commercial infrastructure, vehicles, ships, aircraft, home equipment and consumer goods, medical and health devices or agricultural and industrial machinery or energy production and transmission facilities. Data obtained, generated or collected by a connected product that is accessible to any data holders or data recipients should always be accessible to the owner of the product, or a third party to whom the owner of the product has transferred certain rights to the product based on a rental or lease contract. The owner or such third party should be referred to as the user for the purpose of this Regulation. Those access rights should in no way alter or interfere with the fundamental rights of data subjects, who may be interacting with connected product, to personal data generated by the product. Manufacturers' design choices, the users’ demands and, where relevant, sectoral legislation to address sector-specific needs and objectives, or antitrust decisions, should determine which data a connected product is capable of making accessible to any data holders or data recipients at the point of sale. This Regulation applies to products placed on the market in the Union and thus does not apply to products in development stage such as prototypes.

(15)  In contrast, content, or data obtained, generated or accessed from the connected product or transmitted to it for the purpose of storage or processing on behalf of third parties, such as in the case of servers or cloud infrastructure, amongst others for the use by an online service should not be covered by this Regulation.

(16)  It is also necessary to lay down rules applying to related services that are incorporated or are interconnected with a connected product in such a way that the absence of the service would prevent the product from performing one or more of its functions, and which involve the transfer of data between the connected product and the provider of the related services. Where a provider of a related service accesses data from a connected product or has access to data generated during the provision of the related service and has the right to use non-personal data, in accordance with Article 4(6), it should be considered a data holder for the data it accessed from the product or generated during the provision of the related service. Such related services can be part of the sale. These related services may themselves generate data of value to the user independently of the data collection capabilities of the connected product with which they are interconnected. Such data may represent the digitalisation of user actions and events and should accordingly be accessible to the user. Such data are potentially valuable to the user and support innovation and the development of digital and other services protecting the environment, health and the circular economy, including in particular through facilitating the maintenance and repair of the products in question or the development of products or services. Information derived or inferred from non-personal data by a data holder or a data recipient after it has been accessed from the connected product, other than in those generated during the provision of a related service, should not be considered to fall within scope of this Regulation. This Regulation should also apply to a related service that is not supplied by the seller, renter or lessor itself, but is supplied, under the sales, rental or lease contract, by a third party.
In the event of doubt as to whether the provision of a related service is necessary to maintain the functional operation of the connected product, supply of service forms part of the sale, rent or lease contract, this Regulation should apply. Neither the power supply nor the supply of the connectivity are to be interpreted as related services under this Regulation.

(17)  Data accessed from a connected product or generated during the provision of a related service include data recorded intentionally by the user. Such data include also data generated as a by-product of the user’s action, such as diagnostics data, and without any action by the user, such as data about the connected product’s environment or interactions, including when the product is in ‘standby mode’, and data recorded during periods when the product is switched off. Such data should include data in the form and format in which they are accessed from the product, and be compiled in a comprehensible, structured, commonly used and machine-readable format and including the relevant metadata, but not pertain to data resulting from value-add via a software process that calculates derivative data where such software process is be subject to trade secrets and intellectual property rights. Where data is accessed in an encrypted format, the user should be provided with all necessary means to decrypt such data and make it accessible.

(17a)   Further efforts must be made to consolidate the data economy and data governance. In particular, increasing and supporting data literacy is essential so that users and businesses are aware and motivated to offer and provide access to their data in compliance with the relevant legal rules. This is on the basis of a sustainable data society. The spread of data literacy measures would imply the reduction of digital inequalities, contribute to improving working conditions, and ultimately sustain the consolidation and the innovation path of the data economy in the Union. In order to deliver high-quality job opportunities, the acquisition and development of data literacy skills, enabling the acquisition of digital competences by citizens and workers, should be ensured especially in the case of employees from start-ups and SMEs.

(18)  The user of a connected product should be understood as the legal or natural person, such as a business, consumer or public sector body which has acquired the connected product or receives related services, or to whom the owner of the connected product has transferred, on the basis of a rental or lease agreement, temporary rights to use the connected product or receive related services. Such a user bears the risks and enjoys the benefits of using the connected product and should ▌ therefore be entitled to derive benefit from data accessed from the connected product and generated during the provision of any related service.

(18a)   ‘Data literacy’ refers to skills, knowledge and understanding that allows users, consumers and businesses, in particular medium, small and micro companies, to gain awareness on the potential value of the data they generate, produce and share, in the context of their rights and obligations set out in this Regulation and in other Union data related Regulations. Data literacy should go beyond learning about tools and technologies and aiming to equip citizens and businesses with the ability to benefit from a fair data market. It is therefore necessary that the Commission and the Member States, in cooperation with all relevant stakeholders, promote the development of data literacy, in all sectors of society, for citizens of all ages, including women and girls. Consequently, the Union and its Member States should allocate more investments in education and training to spread data literacy, and that progress in that regard is closely followed. Accordingly, businesses should also promote tools and take measures to ensure data literacy skills of their staff dealing with data access and use and data transfers, and where applicable, of other persons processing data on their behalf, taking into account their technical knowledge, experience, education and training and considering the users or groups of users from which data is produced or generated.

(19)  In practice, not all data generated by connected products or related services are easily accessible to their users, and there are often limited possibilities for the portability of data generated by products connected to the Internet ▌ . Users are unable to obtain data necessary to make use of providers of repair and other services, and businesses are unable to launch innovative, more efficient and convenient services. In many sectors, manufacturers are often able to determine, through their control of the technical design of the product or related services, what data are generated and how they can be accessed, even though they have no legal right to the data. It is therefore necessary to ensure that connected products are designed and manufactured and related services are provided in such a manner that data generated by their use are always easily accessible to the user, free of charge in a comprehensive, structured, commonly used and machine-readable format, including for the purpose of retrieving, using or sharing the data. Unless specified otherwise by Union or Member State law or relevant antitrust rulings, such data should be accessible at the level of processing, including by means of software contained in the connected product, which the manufacturer’s design choice permit ahead of the sale to the user. Data should be available in the form in which they are accessible from the product with only the minimal adaptations necessary to make them useable by a third party, including related metadata necessary to interpret and use the data. This requires the removal of technical barriers to ensure that users, where it is technically possible, will have direct real-time access to their data without extensive individual verification procedures. In order to facilitate third-party access to the required data, cost-efficient access to software tools is also necessary.
Where subsequent updates or alterations to the connected product, by the manufacturer or another party, lead to additional accessible data or a restriction of initially accessible data, such changes should be communicated to the user in the context of the update or alteration. This Regulation does not set an obligation to store data additionally on the central computing unit of a product where this would be disproportionate in relation to the expected use. This does not prevent a manufacturer or data holder to voluntarily agree with the user on making such adaptation.

(20)  In cases of co-ownership of the connected product and related services provided, where several persons or entities own a product or are party to a lease or rent agreement ▌ the design of the connected product or related service or the relevant interface should enable all persons to have access to data they generate. Users of connected products that generate data typically require a user account to be set up. This allows for identification of the user by a data holder, which may be the manufacturer as well as a means to communicate to exercise and process data access requests. For identification and authentication purposes, manufacturers and providers of related services should enable users to use European Digital Identity Wallets issued pursuant to Regulation (EU) 910/2014(13). Manufacturers or designers of a product that is typically used by several persons should put in place the necessary mechanism that allow separate user accounts for individual persons, where relevant, or the possibility for several persons to use the same user account. Access should be granted to the user upon simple request mechanisms granting automatic execution, not requiring examination or clearance by a manufacturer or data holder. This means that data should only be made available when the user actually wants this. Where automated execution of the data access request is not possible, for instance, via a user account or accompanying mobile application provided with the product or service, the manufacturer should inform the user how the data may be accessed. User accounts should enable users to revoke consent for processing and data sharing, as well as request deletion of the data generated through the use of the connected product, particularly in cases when the users of the product intend to transfer the ownership of the product to another party.

(21)  Products may be designed to make certain data directly available from an on-device data storage or from a remote server to which the data are communicated. Access to the on-device data storage may be enabled via cable-based or wireless local area networks connected to a publicly available electronic communications service or a mobile network. The server may be the manufacturer’s own local server capacity or that of a third party or a cloud. Data processors as defined in Regulation (EU) 2016/679 are by default not considered to act as data holders, unless specifically tasked by the data controller. They may be designed to permit the user or a third party to process the data on the product or on a computing instance of the manufacturer.

(22)  Virtual assistants play an increasing role in digitising consumer and professional environments and serve as an easy-to-use interface to play content, obtain information, or activate physical objects connected to the Internet ▌ . Virtual assistants can act as a single gateway in, for example, a smart home environment and record significant amounts of relevant data on how users interact with products connected to the Internet ▌ , including those manufactured by other parties and can replace the use of manufacturer-provided interfaces such as touchscreens or smart phone apps. The user may wish to make available such data with third party manufacturers and enable novel smart home services. Such virtual assistants should be covered by the data access right provided for in this Regulation also regarding data recorded before the virtual assistant’s activation by the wake word and data generated when a user interacts with a connected product via a virtual assistant provided by an entity other than the manufacturer of the connected product ▌ .

(23)  Before concluding a contract for the purchase of a connected product, clear and sufficient information should be provided by the manufacturer, or where relevant the vendor, to the user with regard to the data which is accessible from the connected product, including the type, format, sampling frequency and the estimated volume of accessible data. This should include information on data structures, data formats, vocabularies, classification schemes, taxonomies and code lists, where available, as well as information on how the data ▌ may be stored, retrieved or accessed, including the provision of software development kits or application programming interfaces, along with their terms of use and quality of service descriptions. This obligation provides transparency over the accessible data generated and enhances the easy access for the user. The transparency obligation could be fulfilled by a data holder, for example, by maintaining a stable uniform resource locator (URL) on the web, which can be distributed as a web link or QR code, pointing to the relevant information. Such URL could be provided by the manufacturer or where relevant seller, to the user before concluding the contract for the purchase of a connected product. It is in any case necessary that the user is enabled to store the information in a way that is accessible for future reference and that allows the unchanged reproduction of the information stored. This obligation to provide information does not affect the obligation for the controller to provide information to the data subject pursuant to Article 12, 13 and 14 of Regulation (EU) 2016/679.

(23a)   Related services should be provided in such a manner that data generated during their provision, which represent the digitalisation of user actions or events, are, by default, easily, securely and, where relevant and technically feasible, directly accessible to the user free of charge, in a structured, commonly used and machine-readable format, along with the relevant metadata necessary to interpret and use it. Information derived or inferred from this data by means of complex proprietary algorithms, in particular where it combines the output of multiple sensors in the connected product, should not be considered within the scope of a data holder’s obligation to share data with users or data recipients, unless agreed differently. Before concluding an agreement with a user on the provision of a related service, which involves the provider’s access to data from the connected product, in line with Article 4(6) of this Regulation, the provider should agree with the user on the nature, volume, collection frequency and format of data accessed by the provider of related services from the connected product, as well as the nature and estimated volume of data generated during the provision of the related service and, where relevant, the modalities for the user to access or retrieve such data, including the period during which it should be stored.

(24)  This Regulation imposes the obligation on data holders to make data available in certain circumstances. Insofar as personal data are processed, a data holder should be a controller under Regulation (EU) 2016/679. Where users are data subjects, data holders should be obliged to provide them access to their data and to make the data available to third parties of the user’s choice in accordance with this Regulation. However, this Regulation does not create a legal basis under Regulation (EU) 2016/679 for data holders to provide access to personal data or make it available to a third party when requested by a user that is not a data subject and should not be understood as conferring any new right on data holders to use data accessed from the connected product or generated during the provision of a related service. This applies in particular where the manufacturer is a data holder. In that case, the basis for the manufacturer to use non-personal data should be a contractual agreement between the manufacturer and the user. This agreement may be part of the sale agreement relating to the connected product. The user should be given a reasonable opportunity to reject this agreement. If a user chooses to reject the contractual terms and conditions, this should not prevent the user from using the relevant product of the service, unless the product of the service cannot function without the user’s acceptance of the contractual terms. Any contractual term in the agreement stipulating that a data holder may use the data generated by the user of a product or related service should be transparent to the user, including as regards the purpose for which a data holder intends to use the data. This Regulation should not prevent contractual conditions, whose effect is to exclude or limit the use of the data, or certain categories thereof, by a data holder.
This Regulation should also not prevent sector-specific regulatory requirements under Union law, or national law compatible with Union law, which would exclude or limit the use of certain such data by a data holder on well-defined public policy grounds.

(24a)   It is currently often difficult for businesses to justify the personnel or computing costs that are necessary for preparing non-personal data sets or data products and offer them to potential counterparties via data marketplaces, including data intermediation services, as defined in Regulation (EU) 2022/868 of the European Parliament and of the Council(14). A substantial hurdle to non-personal data sharing by businesses thus results from the lack of predictability of economic returns from investing in the curation and making available of data sets or data products. In order to allow for the emergence of liquid, efficient and fair markets for non-personal data in the Union, it must be clarified which party has the right to offer such data on a marketplace. Users should therefore have the right to share non-personal data with data recipients for commercial and non-commercial purposes. Such data sharing could be performed directly by the user, upon the request of the user via a data holder or through data intermediation services. Data intermediation services, as regulated by Regulation (EU) 2022/868 could facilitate a data economy by establishing commercial relationships between users, data recipients and third parties and may support users in exercising their right to use data, such as ensuring the proper anonymisation of the data or aggregation of access to data from multiple individual users. In order to protect the incentives for users to monetise non-personal data from connected products they own, data holders should only be able to monetise aggregated data sets from multiple users and should not make available non-personal data accessed by them from the connected product to third parties for commercial or non-commercial purposes, other than the fulfilment of their contractual obligations to the user. 
At the same time, where data holders have contractually agreed with users the right to use such data, they should be free to use it for a wide range of purposes, including improving the functioning of the connected product or related services, developing new products or services or enriching or manipulating it or aggregating it with other data, including with the aim of making available the resulting data set with third parties, as long as such derived data set does not allow the identification of the specific data items accessed by the data holder from the connected product, or allow a third party to derive those data items from the data set without a significant effort.

(24b)   Where products generate data, that is derived or inferred from other data generated by the connected product by means of proprietary, complex algorithms, including those that are a part of proprietary software, within the meaning of Directive 2009/24/EC of the European Parliament and of the Council(15), such data should be considered to fall outside the scope of this Regulation and consequently not be subject to the obligation for a data holder to make it available to a user or data recipient, unless agreed otherwise between the user and the data holder. Such data should include in particular information derived by means of sensor fusion, inferring or deriving data from multiple sensors, collected in the connected product, using complex, proprietary algorithms. However, data inferred or derived from processing of raw data collected from a single sensor or a connected group of sensors, for the purpose of making the collected data comprehensible for wider use-cases by determining a physical quantity or quality or the change in a physical quantity, such as temperature, pressure, flow rate, pH, liquid level, position, acceleration or speed, should be included in the obligation for data holders to make data available to users and data recipients. Sectorial legislation should further define accessible data based on the specificities of the sector.

(24c)   In principle, to foster the emergence of liquid, fair and efficient markets for non-personal data, users of connected products should be able to share data with others, including for commercial purposes, with minimal legal and technical effort. Ahead of sharing data, a user should be able to share data with a high degree of certainty that they will not face adverse legal consequence after the data has been shared. Therefore, where data is excluded from a data holder's obligation to make it available to users or data recipients, the scope of such data should be specified in the contractual agreement between the user and the data holder for the provision of a related service in a comprehensible and clear format, in a way that users can easily determine which data is available for them for sharing with data recipients or third parties without further obligations to protect such data.

(24d)   There are many reasons why certain data generated by the use of a product remain inaccessible to a data holder and consequently would not fall under the sharing obligations of chapter II. Data may be highly volatile (values recorded at high frequency) and either instantly or quickly overwritten. They may be collected only for activating a very specific function, such as the activity of windshield wipers or headlights, and there is currently no use case and the design of the product does not foresee such data to be stored in the product in light of the cost related to storage of such data, to connecting the data-capturing sensor to a central computing component from which data could be exported and the costs of connectivity for transmitting the data when volumes are considerable. In this regard, sector-specific regulations should further specify relevancy of accessible data according to their specificities in order to ensure the availability of at least data, which is essential for the repairing or servicing of the connected products and related services.

(25)  In sectors characterised by the concentration of a small number of manufacturers or providers of related services supplying end users, the ability of users to bargain for access to data transferred by the connected product or generated during the provision of related services is limited due to the bargaining power of the manufacturer or provider of related service. In such circumstances, contractual agreements may be insufficient to achieve the objective of user empowerment. The data tends to remain under the control of the manufacturers or providers of related services, making it difficult for users to obtain value from the data generated by the equipment they own. Consequently, there is limited potential for innovative smaller businesses to offer data-based solutions in a competitive manner and for a diverse data economy in Europe. This Regulation should therefore build on recent developments in specific sectors, such as the Code of Conduct on agricultural data sharing by contractual agreement. Sectoral legislation may be brought forward to address sector-specific needs, security concerns and objectives. Furthermore, data holders should not use any data accessed by them from the connected product or generated during the provision of related services in order to derive insights about the economic situation of the user or its assets or production methods or the use in any other way that could undermine the commercial position of the user on the markets it is active on. This would, for instance, involve using knowledge about the overall performance of a business or a farm in contractual negotiations with the user on potential acquisition of the user’s products or agricultural produce to the user’s detriment, or for instance, using such information to feed in larger databases on certain markets in the aggregate ( ▌ e.g. databases on crop yields for the upcoming harvesting season) as such use could affect the user negatively in an indirect manner. 
The user should be given the necessary technical interface to manage permissions, preferably with granular permission options (such as "allow once" or "allow while using this app or service"), including the option to withdraw permission.

(26)  In contracts between a data holder and a consumer as a user of connected products or related service generating data, EU consumer law applies, Directive 2005/29/EC, which applies against unfair commercial practices, and Directive 93/13/EEC applies to the terms of the contract to ensure that a consumer is not subject to unfair contractual terms. For unfair contractual terms unilaterally imposed ▌ this Regulation provides that such unfair terms should not be binding on that enterprise.

(27)  Data holders may require appropriate user identification to verify the user’s entitlement to access the data. In the case of personal data processed by a processor on behalf of the controller, data holders should ensure that the access request is received and handled by the processor.

(28)  The user should be free to use the data for any lawful purpose. This includes providing the data the user has received exercising the right under this Regulation to a data recipient offering an aftermarket service that may be in competition with a service provided by a data holder, or to instruct the data holder to do so. The request should also be valid regardless of whether the request is put forward by the user or an authorised third party acting on user’s behalf, such as authorised data intermediation service in the meaning of the Regulation (EU) 2022/868. Data holders should ensure that the data made available to a data recipient is as accurate, complete, reliable, relevant and up-to-date as the data the data holder itself may be able or entitled to access from the use of the connected product or related service. Any trade secrets or intellectual property rights should be fully respected in handling the data. It is important to preserve incentives to invest in products with functionalities based on the use of data from sensors built into that product. The aim of this Regulation should accordingly be understood as to foster the development of new, innovative products or related services, stimulate innovation on aftermarkets, but also stimulate the development of entirely novel services making use of the data, including based on data from a variety of products or related services. At the same time, it aims to avoid undermining the investment incentives for the type of product from which the data are obtained, for instance, by the use of data to develop a competing product. 
Other lawful purposes in this context include reverse engineering, when allowed pursuant to Directive (EU) 2016/943 of the European Parliament and of the Council(16) as a lawful means of independent discovery of know-how or information, provided that it does not lead to unfair competition and it is without prejudice of the obligation not to develop a competing product using the data received under this Regulation. This may be the case for the purposes of repairing, prolonging the lifetime of a product or providing aftermarket services to connected products when the manufacturer or provider of related services has ended their production or provision.

(28a)   This Regulation should be interpreted in a manner to preserve the protection awarded to trade secrets under Directive (EU) 2016/943. To that end, data holders should be able to require the user, or third parties of the users’ choice, to preserve the confidentiality of data considered as trade secrets. Trade secrets should be identified prior to the disclosure. However, data holders cannot undermine the right of the users to request access and use of data in accordance with this Regulation on the basis of certain data being considered as trade secrets by the data holder. The data holder, or the trade secret holder where it is not the data holder, should have the possibility to agree with the user, or third parties of the users’ choice, on appropriate measures to preserve their confidentiality, including by the use of model contractual terms, confidentiality agreements, strict access protocols, technical standards and the application of codes of conduct. In cases where the user or third parties of the users’ choice fail to implement those measures or undermine the confidentiality of trade secrets, the data holder should be able to suspend the sharing of data identified as trade secrets, pending review by the data coordinator of the Member State. In such cases, the data holder should immediately notify the data coordinator of the Member State in which the data holder is established, pursuant to Article 31 of this Regulation, that it has suspended the sharing of data and identify which measures have not been implemented or which trade secrets have had their confidentiality undermined. Where the user, or a third party of the user’s choice, wishes to challenge the data holder’s decision to suspend the sharing of data, the data coordinator should decide, within a reasonable period of time, whether the data sharing should be resumed or not and if yes, indicate under which conditions. 
The Commission, assisted by the European Data Innovation Board, should develop model contractual terms, and should be able to develop technical standards. The Commission, assisted by the European Innovation Board, could also encourage the establishment of codes of conduct in relation with the respect of trade secrets or intellectual property rights in handling the data, in order to help achieving the aim of this Regulation.

(29)  A data recipient to whom data is made available may be a natural or legal person, enterprise, a research organisation or a not-for-profit organisation or an intermediary, including data intermediation services or data altruism organisations as defined in Regulation (EU) 2022/868. In making the data available to a data recipient, data holders should not abuse their position to seek a competitive advantage in markets where a data holder and data recipient may be in direct competition. Data holders should not therefore use any data accessed from the connected product or generated during the provision of a related service in order to derive insights about the economic situation of the third party or its assets or production methods or the use in any other way that could undermine the commercial position of the third party on the markets it is active on. The user should have the right to share non-personal data with third parties for commercial purposes. Upon the agreement with the user, and subject to the provisions of this Regulation, data recipients should be able to transfer the data access rights granted by the user to third parties, including in exchange for compensation. Data intermediation services [as regulated by Regulation (EU) 2022/868] may support users or data recipients in establishing a commercial relation for any lawful purpose on the basis of data falling within the scope of this Regulation. They could play an instrumental role in aggregating access to data from a large number of individual potential data users so that Big Data analyses or machine learning can be facilitated, as long as such users remain in full control on whether to contribute their data to such aggregation and the commercial terms under which their data will be used.

(30)  The use of a product or related service may, in particular when the user is a natural person, generate data that relates to an identified or identifiable natural person (the data subject). Processing of such data is subject to the rules established under Regulation (EU) 2016/679, including where personal and non-personal data in a data set are inextricably linked(17). The data subject may be the user or another natural person. Personal data may only be requested by a controller or a data subject. A user who is the data subject is under certain circumstances entitled under Regulation (EU) 2016/679 to access personal data concerning them, and such rights are unaffected by this Regulation. Under this Regulation, the user who is a natural person is further entitled to access all data generated by the product, personal and non-personal. Where the user is not the data subject but an enterprise, including a sole trader, and not in cases of shared household use of the product, the user will be a controller within the meaning of Regulation (EU) 2016/679. Accordingly, such a user as controller intending to request personal data generated by the use of a product or related service is required to have a legal basis for processing the data under Article 6(1) of Regulation (EU) 2016/679, such as the consent of the data subject or legitimate interest. This user should ensure that the data subject is appropriately informed of the specified, explicit and legitimate purposes for processing those data, and how the data subject may effectively exercise their rights. Where the data holder and the user are joint controllers within the meaning of Article 26 of Regulation (EU) 2016/679, they are required to determine, in a transparent manner by means of an arrangement between them, their respective responsibilities for compliance with that Regulation.
It should be understood that such a user, once data has been made available, may in turn become a data holder, if they meet the criteria under this Regulation and thus become subject to the obligations to make data available under this Regulation.

(31)  Data accessed from a connected product or generated during the provision of a related service should only be made available to a third party at the request of the user. This Regulation accordingly complements the right provided under Article 20 of Regulation (EU) 2016/679. That Article provides for a right of data subjects to receive personal data concerning them in a structured, commonly used and machine-readable format, and to port those data to other controllers, where those data are processed on the basis of Article 6(1), point (a), or Article 9(2), point (a), or of a contract pursuant to Article 6(1), point (b). Data subjects also have the right to have the personal data transmitted directly from one controller to another, but only where technically feasible. Article 20 specifies that it pertains to data provided by the data subject but does not specify whether this necessitates active behaviour on the side of the data subject or whether it also applies to situations where a product or related service by its design observes the behaviour of a data subject or other information in relation to a data subject in a passive manner. The right under this Regulation complements the right to receive and port personal data under Article 20 of Regulation (EU) 2016/679 in several ways. It grants users the right to access and make available to a data recipient any data accessed from the connected product or generated during the provision of a related service, irrespective of its nature as personal data, of the distinction between actively provided or passively observed data, and irrespective of the legal basis of processing. Unlike the technical obligations provided for in Article 20 of Regulation (EU) 2016/679, this Regulation mandates and ensures the technical feasibility of third party access for all types of data coming within its scope, whether personal or non-personal.
It also allows data holders to set reasonable compensation to be met by data recipients, but not by the user, for any cost incurred in providing direct access to the data generated by the user’s product. If a data holder and third party are unable to agree terms for such direct access, the data subject should be in no way prevented from exercising the rights contained in Regulation (EU) 2016/679, including the right to data portability, by seeking remedies in accordance with that Regulation. It is to be understood in this context that, in accordance with Regulation (EU) 2016/679, a contractual agreement does not allow for the processing of special categories of personal data by data holders or data recipient.

(32)  Access to any data stored in and accessed from terminal equipment is subject to Directive 2002/58/EC and requires the consent of the subscriber or user within the meaning of that Directive unless it is strictly necessary for the provision of an information society service explicitly requested by the user or subscriber (or for the sole purpose of the transmission of a communication). Directive 2002/58/EC (‘ePrivacy Directive’) (and the proposed ePrivacy Regulation) protect the integrity of the user's terminal equipment as regards the use of processing and storage capabilities and the collection of information. Internet of Things equipment is considered terminal equipment if it is directly or indirectly connected to a public communications network.

(33)  In order to prevent the exploitation of users, data recipients to whom data has been made available upon request of the user should only process the data for the purposes agreed with the user and not share it with another third party without unequivocally informing the user in a timely manner and having its explicit agreement to such sharing.

(34)  Data recipients should only access additional information that is necessary for the provision of the service requested by the user. Having received access to data, the data recipient should process it exclusively for the purposes agreed with the user, without interference from the data holder. It should be as easy for the user to refuse or discontinue access by the data recipient to the data as it is for the user to authorise access. A data recipient or data holder should not make the exercise of the rights or choices of users unduly difficult including by offering choices to users in a non-neutral manner, or coerce, deceive or manipulate the user in any way, or by subverting or impairing the autonomy, decision-making or choices of the user, including by means of a digital interface or a part thereof, including its structure, design, function or manner of operation with the user. In this context, third parties or data holders should not rely on so-called Dark Patterns in designing their digital interfaces. Dark Patterns are design techniques that push or deceive consumers into decisions that have negative consequences for them. These manipulative techniques can be used to persuade users, particularly vulnerable consumers, to engage in unwanted behaviours, and to deceive users by nudging them into decisions on data disclosure transactions or to unreasonably bias the decision-making of the users of the service, in a way that subverts and impairs their autonomy, decision-making and choice. Common and legitimate commercial practices that are in compliance with Union law should not in themselves be regarded as constituting dark patterns. Third parties and data holders should comply with their obligations under relevant Union law, including the requirements set out in Directive 2005/29/EC, Directive 2011/83/EU, Directive 2000/31/EC and Directive 98/6/EC.

(35)  Data holders and data recipients should also refrain from using the data to profile individuals unless these processing activities are strictly necessary to provide the service requested by the user. The requirement to delete personal data when no longer required for the purpose agreed with the user complements the right to erasure of the data subject pursuant to Article 17 of Regulation (EU) 2016/679. Where a data recipient is a provider of a data intermediation service within the meaning of Regulation (EU) 2022/868, the safeguards for the data subject provided for by that Regulation apply. The third party may use the data to develop a new and innovative product or related service but not to develop a competing product.

(36)  Start-ups, SMEs and companies from traditional sectors with less-developed digital capabilities struggle to obtain access to relevant data. This Regulation aims to facilitate access to data for these entities, while ensuring that the corresponding obligations are scoped as proportionately as possible to avoid overreach. At the same time, a small number of very large companies have emerged with considerable economic power in the digital economy through the accumulation and aggregation of vast volumes of data and the technological infrastructure for monetising them. These companies include undertakings that provide core platform services controlling whole platform ecosystems in the digital economy and whom existing or new market operators are unable to challenge or contest. The Regulation (EU) 2022/1925 of the European Parliament and of the Council(18) aims to redress these inefficiencies and imbalances by allowing the Commission to designate a provider as a “gatekeeper”, and imposes a number of obligations on such designated gatekeepers, including a prohibition to combine certain data without consent, and an obligation to ensure effective rights to Data Portability under Article 20 of Regulation (EU) 2016/679. Consistent with the ▌ Regulation (EU) 2022/1925, and given the unrivalled ability of these companies to acquire data, it would not be necessary to achieve the objective of this Regulation, and would thus be disproportionate in relation to data holders made subject to such obligations, to include such gatekeeper undertakings as beneficiaries of the data access right. This means that an undertaking providing core platform services that has been designated as a gatekeeper cannot request or be granted access to users’ data generated by the use of a product or related service or by a virtual assistant based on the provisions of Chapter II of this Regulation. 
An undertaking providing core platform services designated as a gatekeeper pursuant to Regulation (EU) 2022/1925 should be understood to include all legal entities of a group of companies where one legal entity provides a core platform service. Furthermore, third parties to whom data are made available at the request of the user may not make the data available to a designated gatekeeper. For instance, the third party may not sub-contract the service provision to a gatekeeper. However, this does not prevent third parties from using data processing services offered by a designated gatekeeper. This exclusion of designated gatekeepers from the scope of the access right under this Regulation does not prevent these companies from obtaining data through other lawful means.

(37)  Micro and small enterprises should be excluded from the obligations of Chapter II. That is not the case, however, where a micro or small enterprise is sub-contracted to manufacture or design a product. In such situations, the enterprise, which has sub-contracted to the micro or small enterprise, is able to compensate the sub-contractor appropriately. A micro or small enterprise may nevertheless be subject to the requirements laid down by this Regulation as data holder, where it is not the manufacturer of the product or a provider of related services.

(38)  This Regulation contains ▌ rules, whenever a data holder is obliged by law to make data available to a data recipient. Such access should be based on fair, reasonable, non-discriminatory and transparent conditions to ensure consistency of data sharing practices in the internal market, including across sectors, and to encourage and promote fair data sharing practices even in areas where no such right to data access is provided. These general access rules do not apply to obligations to make data available under Regulation (EU) 2016/679. Voluntary data sharing remains unaffected by these rules.

(39)  Based on the principle of contractual freedom, the parties should remain free to negotiate the precise conditions for making data available in their contracts, within the framework of the general access rules for making data available.

(40)  In order to ensure that the conditions for mandatory data access are fair for both parties, the general rules on data access rights should refer to the rule on avoiding unfair contract terms.

(41)  Any agreement concluded for making the data available should not discriminate between comparable categories of data recipients, independently whether they are large companies or micro, small or medium-sized enterprises. In order to compensate for the lack of information on the conditions of different contracts, which makes it difficult for the data recipient to assess if the terms for making the data available are non-discriminatory, it should be the responsibility of the data holders to demonstrate that a contractual term is not discriminatory. The Commission, while involving all affected stakeholders, should establish practical guidelines on what constitutes non-discriminatory terms. It is not unlawful discrimination, where a data holder uses different contractual terms for making data available ▌ , if those differences are justified by objective reasons. These obligations are without prejudice to Regulation (EU) 2016/679.

(42)  In order to incentivise the continued investment in generating and making available valuable data, including investments in relevant technical tools, this Regulation contains the principle that data holders may request reasonable compensation when legally obliged to make data available to the data recipient in business-to-business relations. These provisions should not be understood as paying for the data itself, but to allow data holders to be reasonably compensated for making data available or, in the case of micro, small or medium-sized enterprises and of research organisations using the data on a not-for-profit basis, for the direct costs incurred and investment required for making the data available. The Commission should develop guidance detailing what qualifies as a reasonable compensation in the data economy.

(42a)   Such reasonable compensation may include firstly the costs incurred and, except for micro and small enterprises, investment required for making the data available. Those costs can be technical costs, such as the costs necessary for data reproduction, dissemination via electronic means and storage, but not of data collection or production. Such technical costs could include also the costs for processing, necessary to make data available. Costs related to making the data available may also include the costs of facilitating concrete data sharing requests. They may also vary depending on the arrangements taken for making the data available. Long-term arrangements between data holders and data recipients, for instance via a subscription model or the use of smart contracts, could reduce the costs in regular or repetitive transactions in a business relationship. Costs related to making data available are either specific to a particular request or shared with other requests. In the latter case, a single data recipient should not pay the full costs of making the data available. Reasonable compensation may include, except for micro and small enterprises, secondly a margin. Such margin may vary depending on factors related to the data itself, such as volume, format or nature of the data, or on the supply of and demand for the data. It may consider the costs for collecting the data. The margin may therefore decrease where the data holder has collected the data for its own business without significant investments or may increase where the investments in the data collection for the purposes of the data holder’s business are high. The margin may also depend on the follow-on use of the data by the data recipient. It may be limited or even excluded in situations where the use of the data by the data recipient does not affect the own activities of the data holder. 
The fact that the data is co-generated by a connected product owned by the user could also lower the amount of the compensation in comparison to other situations where the data are generated by the data holder for example during the provision of a related service.

(43)  In duly justified cases, including the need to safeguard consumer participation and competition or to promote innovation in certain markets, Union law or national legislation implementing Union law may impose regulated compensation for making available specific data types.

(44)  To protect micro, small or medium-sized enterprises from excessive economic burdens which would make it commercially too difficult for them to develop and run innovative business models, the compensation for making data available to be paid by them should not exceed the direct cost of making the data available and be non-discriminatory. The same regime should apply to those research organisations that use the data on a not-for-profit basis.

(45)  Direct costs for making data available are the costs necessary for data reproduction, dissemination via electronic means and storage but not of data collection or production. Direct costs for making data available should be limited to the share attributable to the individual requests, taking into account that the necessary technical interfaces or related software and connectivity will have to be set up permanently by the data holder. Long-term arrangements between data holders and data recipients, for instance via a subscription model, could reduce the costs linked to making the data available in regular or repetitive transactions in a business relationship. The data holder, if not an SME, should actively provide the calculation showing that his price is cost-based, when he knows, or should have known, that his counterparty is an SME. In any case, he should state that he is obliged to make the data available to an SME at cost price and that he is obliged to make detailed information available when requested.

(46)  It is not necessary to intervene in the case of data sharing between large companies, or when the data holder is a small or medium-sized enterprise and the data recipient is a large company. In such cases, the companies are considered capable of negotiating any compensation if it is reasonable, taking into account factors such as the volume, format, nature, or supply of and demand for the data as well as the costs for collecting and making the data available to the data recipient. In the case of misuse or disclosure of data, the data recipient should be liable for the damages to the party suffering from it and should comply without undue delay with the requests of the data holder.

(47)  Transparency is an important principle to ensure that the compensation requested by a data holder is reasonable, or, if the data recipient is an SME, that the compensation does not exceed the costs directly related to making the data available to the data recipient and is attributable to the individual request. In order to put data recipients in the position to assess and verify that the compensation complies with the requirements under this Regulation, the data holder should provide to the data recipient the information for the calculation of the compensation with a sufficient degree of detail.

(48)  Ensuring access to alternative ways of resolving domestic and cross-border disputes that arise in connection with making data available should benefit data holders and data recipients and therefore strengthen trust in data sharing. In cases where parties cannot agree on fair, reasonable and non-discriminatory terms of making data available, dispute settlement bodies should offer a simple, fast and low-cost solution to the parties.

(49)  To avoid that two or more dispute settlement bodies are seized for the same dispute, particularly in a cross-border setting, a dispute settlement body should be able to reject a request to resolve a dispute that has already been brought before another dispute settlement body or before a court or a tribunal of a Member State.

(50)  Parties to dispute settlement proceedings should not be prevented from exercising their fundamental rights to an effective remedy and to a fair trial. Therefore, the decision to submit a dispute to a dispute settlement body should not deprive those parties of their right to seek redress before a court or a tribunal of a Member State. Dispute settlement bodies should make annual activity reports publicly available.

(51)  Where one party is in a stronger bargaining position, there is a risk that that party could leverage such position to the detriment of the other contracting party when negotiating access to data and make access to data commercially less viable and sometimes economically prohibitive. Such contractual imbalances harm enterprises without a meaningful ability to negotiate the conditions for access to data, who may have no other choice than to accept ‘take-it-or-leave-it’ contractual terms. Therefore, unfair contract terms regulating the access to and use of data or the liability and remedies for the breach or the termination of data related obligations should not be binding on micro, small or medium-sized enterprises when they have been unilaterally imposed on them.

(52)  Rules on contractual terms should take into account the principle of contractual freedom as an essential concept in business-to-business relationships. ▌ . This concerns ‘take-it-or-leave-it’ situations where one party supplies a certain contractual term and the other enterprise cannot influence the content of that term despite an attempt to negotiate it. A contractual term that is simply provided by one party and accepted by the other enterprise or a term that is negotiated and subsequently agreed in an amended way between contracting parties should not be considered as unilaterally imposed. All contractual agreements should be in line with Fair, Reasonable and Non-Discriminatory (FRAND) principles.

(53)  Furthermore, the rules on unfair contractual terms should only apply to those elements of a contract that are related to making data available, that is contractual terms concerning the access to and use of data as well as liability or remedies for breach and termination of data related obligations. Other parts of the same contract, unrelated to making data available, should not be subject to the unfairness test laid down in this Regulation.

(54)  Criteria to identify unfair contractual terms should be applied only to excessive contractual terms, where a stronger bargaining position is abused. The vast majority of contractual terms that are commercially more favourable to one party than to the other, including those that are normal in business-to-business contracts, are a normal expression of the principle of contractual freedom and ▌ continue to apply.

(55)  If a contractual term is not included in the list of terms that are always considered unfair or that are presumed to be unfair, the general unfairness provision applies. In this regard, the terms listed as unfair terms should serve as a yardstick to interpret the general unfairness provision. Finally, model contractual terms for business-to-business data sharing contracts to be developed and recommended by the Commission may also be helpful to commercial parties when negotiating contracts.

(56)  In situations of exceptional need, it may be necessary for public sector bodies or Union institutions, agencies or bodies to use data held by an enterprise or that it is currently collecting or has previously obtained, collected or otherwise generated and which it retains at the time of the request, to respond to public emergencies or in other exceptional cases. Research-performing organisations and research-funding organisations could also be organised as public sector bodies or bodies governed by public law. To limit the burden on businesses, micro and small enterprises should be exempted from the obligation to provide public sector bodies and Union institutions, agencies or bodies data in situations of exceptional need.

(57)  In case of public emergencies, such as public health emergencies, emergencies resulting from environmental degradation and major natural disasters including those aggravated by climate change, as well as human-induced major disasters, such as major cybersecurity incidents, the public interest resulting from the use of the data will outweigh the interests of the data holders to dispose freely of the data they hold. In such a case, data holders should be placed under an obligation to make the data available to public sector bodies or to Union institutions, agencies or bodies upon their request and subject to conditions and other safeguards set out in this Regulation or other Union or national law. The existence of a public emergency is determined according to the respective procedures in the Member States or of relevant international organisations.

(58)  An exceptional need may also stem from non-emergency situations when a public sector body can demonstrate that the data are necessary for the fulfilment of a specific task in the public interest that has been explicitly provided and defined by national law, such as preventing or assisting the recovery from a public emergency. Such a request can be made only when the ▌ public sector body or the Union institution, agency or body has identified specific data which is unavailable and only if it has exhausted all of the following three alternative means to obtain data: requesting the data through voluntary agreements; purchasing the data on the market or by relying on existing obligations to make data available.

(59)  This Regulation should not apply to, nor pre-empt, voluntary arrangements for the exchange of non-personal data between private and public entities. ▌ Requirements to access data to verify compliance with applicable rules, including in cases where public sector bodies assign the task of the verification of compliance to entities other than public sector bodies, should also not be affected by this Regulation.

(60)  For the exercise of their tasks in the areas of prevention, investigation, detection or prosecution of criminal and administrative offences, the execution of criminal and administrative penalties, as well as the collection of data for taxation or customs purposes, public sector bodies and Union institutions, agencies and bodies should rely on their powers under sectoral legislation. This Regulation accordingly does not affect instruments for the sharing, access and use of data in those areas.

(61)  A proportionate, limited and predictable framework at Union level is necessary for the making available of data by data holders, in cases of exceptional needs, to public sector bodies and to Union institution, agencies or bodies both to ensure legal certainty and to minimise the administrative burdens placed on businesses. To this end, data requests by public sector bodies and by Union institution, agencies and bodies to data holders should be based on Union or national law, specific, transparent and proportionate in terms of their scope of content and their granularity. The purpose of the request and the intended use of the data requested should be specific and clearly explained, while allowing appropriate flexibility for the requesting entity to perform its tasks in the public interest. The request should also respect the legitimate interests of the businesses to whom the request is made. The burden on data holders should be minimised by obliging requesting entities to respect the once-only principle, which prevents the same data from being requested more than once by more than one public sector body or Union institution, agency or body where those data are needed to respond to a public emergency. To ensure transparency and an appropriate coordination, data requests made by public sector bodies and by Union institutions, agencies or bodies should be communicated without undue delay by the entity requesting the data to the data coordinator of that Member State that will ensure that those requests are to be included in an online public available list of all requests justified by an exceptional need.

(62)  The objective of the obligation to provide the data is to ensure that public sector bodies and Union institutions, agencies or bodies have the necessary knowledge to respond to, prevent or recover from public emergencies or to maintain the capacity to fulfil specific tasks explicitly provided by law. The data obtained by those entities may be commercially sensitive. Therefore, Regulation (EU) 2022/868, as well as Directive (EU) 2019/1024 of the European Parliament and of the Council(19) should not apply to data made available under this Regulation and should not be considered as open data available for reuse by third parties. This however should not affect the applicability of Directive (EU) 2019/1024 to the reuse of official statistics for the production of which data obtained pursuant to this Regulation was used, provided the reuse does not include the underlying data. In addition, it should not affect the possibility of sharing the data for conducting research or for the compilation of official statistics, provided the conditions laid down in this Regulation are met. Where allowed by Union or national law, public sector bodies should also be allowed to exchange data obtained pursuant to this Regulation with other public sector bodies to address the exceptional needs for which the data has been requested, provided that the data holder is informed in a timely manner and all bodies respect the same rules on transparency as the original requester of the data and protection of trade secrets and intellectual property rights is ensured.

(63)  Data holders should have the possibility to either ask for a modification of the request made by a public sector body or Union institution, agency and body or its cancellation in a period of 5 or 15 working days depending on the nature of the exceptional need invoked in the request. In case of requests motivated by a public emergency, justified reason not to make the data available should exist if it can be shown that the request is similar or identical to a previously submitted request for the same purpose by another public sector body or by another Union institution, agency or body or if the data holder is not currently collecting or has not previously collected, obtained or otherwise generated the requested data and does not retain it at the time of the request. A data holder rejecting the request or seeking its modification should communicate the underlying justification for refusing the request to the public sector body or to the Union institution, agency or body requesting the data. In case the sui generis database rights under Directive 96/9/EC of the European Parliament and of the Council(20) apply in relation to the requested datasets, data holders should exercise their rights in a way that does not prevent the public sector body and Union institutions, agencies or bodies from obtaining the data, or from sharing it, in accordance with this Regulation.

(65)  Data made available to public sector bodies and to Union institutions, agencies and bodies on the basis of exceptional need should only be used for the purpose for which they were requested ▌ . The data should be destroyed once it is no longer necessary for the purpose stated in the request, unless agreed otherwise, and the data holder should be informed thereof. Public sector bodies and to Union institutions, agencies and bodies should ensure, including through the application of proportionate security measures, where applicable in accordance with Union and national law, that any protected nature of data is preserved and unauthorised access is avoided.

(66)  When reusing data provided by data holders, public sector bodies and Union institutions, agencies or bodies should respect both existing applicable legislation and contractual obligations to which the data holder is subject. Where the disclosure of trade secrets of the data holder to public sector bodies or to Union institutions, agencies or bodies is strictly necessary to fulfil the purpose for which the data has been requested, confidentiality of such disclosure should be ensured in advance to the data holder or the trade secret holder, including as appropriate, by the use of model contractual clauses, technical standards and the application of codes of conduct. In cases where the public sector body or the Union institutions, agency or body or the third parties that received the data to perform the task that have been outsourced to it, fail to implement those measures or undermine the confidentiality of trade secrets, the data holder should be able to suspend the sharing of data identified as trade secrets. Such a decision to suspend the sharing of data might be challenged by the public sector body or the Union institutions, agency or body or the third parties to which data were transmitted and subject to review by the data coordinator of the Member State.

(67)  When the safeguarding of a significant public good is at stake, such as is the case of responding to public emergencies, the public sector body or the Union institution, agency or body should not be expected to compensate enterprises for the data obtained provided that the request is limited in time and scope, proportionate to the state of the public emergency. Public emergencies are rare events and not all such emergencies require the use of data held by enterprises. The business activities of the data holders are therefore not likely to be negatively affected as a consequence of the public sector bodies or Union institutions, agencies or bodies having recourse to this Regulation. However, as cases of an exceptional need other than responding to a public emergency might be more frequent, including cases of prevention of or recovery from a public emergency, data holders should in such cases be entitled to a reasonable compensation. This Regulation should not affect existing Union or national arrangements in which data is shared free of charge, or prevent public sector bodies, Union institutions, agencies or bodies, and data holders from entering into voluntary data sharing agreements free of charge.

(68)  The public sector body or Union institution, agency or body may share the data it has obtained pursuant to the request with other entities or persons when this is needed to carry out scientific research activities or analytical activities it cannot perform itself provided that those activities are strictly necessary to respond to the emergency need. It should inform the data holder of such sharing in a timely manner. Such data may also be shared under the same circumstances with the national statistical institutes and Eurostat for the compilation of official statistics. Such research activities should however be compatible with the purpose for which the data was requested and the data holder should be informed about the further sharing of the data it had provided. Individuals conducting research or research organisations with whom these data may be shared should act either on a not-for-profit basis or in the context of a public-interest mission recognised by the State. Organisations upon which commercial or public undertakings have a decisive influence allowing such undertakings to exercise control because of structural situations, which could result in preferential access to the results of the research, should not be considered research organisations for the purposes of this Regulation.

(69)  The ability for customers of data processing services, including cloud and edge services, to switch from one data processing service to another, while avoiding downtime of services, or to use the services of several providers simultaneously without undue data transfer costs, is a key condition for a more competitive market with lower entry barriers for new service providers, and for ensuring further resilience for the users of those services. Guarantees for effective switching should also include customers benefiting from large-scale free-tier offerings, so that does not result in a lock-in situation for customers. Facilitating a multi-cloud approach for customers of data processing services can also contribute to increasing their digital operational resilience, as recognised for financial service institutions in the Digital Operational Resilience Act (DORA).

(69a)   Switching charges are charges imposed by providers of cloud computing on their customers for the switching process. Typically, those charges are intended to pass on costs, which the source provider may incur because of the switching process, to the customer that wishes to switch. Examples of common switching charges are costs related to the transfer of data from one provider to the other or to an on-premise system (‘egress fees’) or the costs incurred for specific support actions during the switching process. Unnecessarily high egress fees and other unjustified charges unrelated to actual switching costs, inhibit customers’ switching, restrict the free flow of data, have the potential to limit competition and cause lock-in effects for the customers of data processing services, by reducing incentives to choose a different or additional service provider. As a result of the new obligations foreseen in this Regulation, the source provider of data processing services might outsource certain tasks and remunerate third party entities in order to comply with those obligations. The customer should not bear costs arising from the outsourcing of services concluded by the source provider of data processing services during the switching process and such costs should be considered as unjustified. Nothing in the Data Act prevents a customer to remunerate third party entities for support in the migration process. Egress fees are charged to customers by providers of source data processing services when the customers are willing to take their data out from a cloud provider’s network to an external location, especially when switching from one provider to one or several providers of destination, to relocate their data from one location to another while using the same cloud service provider.
Therefore, in order to foster competition, the gradual withdrawal of the charges associated with switching data processing services should specifically include withdrawing egress fees charged by the data processing service to a customer.

(70)  Regulation (EU) 2018/1807 of the European Parliament and of the Council encourages ▌ providers of data processing services to effectively develop and implement self-regulatory codes of conduct covering best practices for, inter alia, facilitating the switching of providers of data processing service ▌ and the porting of data. Given the limited uptake of the self-regulatory frameworks developed in response, and the general unavailability of open standards and interfaces, it is necessary to adopt a set of minimum regulatory obligations on providers of data processing services to eliminate contractual, commercial, organisational, economic and technical barriers, which are not limited to an impeded speed of data transfer at the customer’s exit, which hamper effective switching between data processing services.

(71)  Data processing services should cover services that allow ubiquitous and on-demand network access to a configurable, scalable and elastic shared pool of ▌ distributed computing resources. Those computing resources include resources such as networks, servers or other virtual or physical infrastructure ▌ , software, including software development tools, storage, applications and services. The deployment models of data processing services should include private and public cloud. Such services and deployment models should be the same as defined by international standards. The capability of the customer of the data processing service to unilaterally self-provision computing capabilities, such as server time or network storage, without any human interaction by the provider of data processing services could be described as requiring minimal management effort and as entailing minimal interaction between provider and customer. The term ‘ubiquitous’ is used to describe that the computing capabilities are provided over the network and accessed through mechanisms promoting the use of heterogeneous thin or thick client platforms (from web browsers to mobile devices and workstations). The term ‘scalable’ refers to computing resources that are flexibly allocated by the provider of data processing services, irrespective of the geographical location of the resources, in order to handle fluctuations in demand. The term ‘elastic ▌ ’ is used to describe those computing resources that are provisioned and released according to demand in order to rapidly increase or decrease resources available depending on workload. The term ‘shared pool’ is used to describe those computing resources that are provided to multiple users who share a common access to the service, but where the processing is carried out separately for each user, although the service is provided from the same electronic equipment.
The term ‘distributed’ is used to describe those computing resources that are located on different networked computers or devices and which communicate and coordinate among themselves by message passing. The term ‘highly distributed’ is used to describe data processing services that involve data processing closer to where data are being generated or collected, for instance in a connected data processing device. Edge computing, which is a form of such highly distributed data processing, is expected to generate new business models and cloud service delivery models, which should be open and interoperable from the outset. Digital services considered as an online platform as defined in point (i) of Article 3 of [the Digital Services Act] and an online content service as defined in Article 2(5) of Regulation (EU) 2017/1128 of the European Parliament and of the Council (21) should not be considered as ‘data processing services’ within the meaning of this Regulation.

(71a)   Data processing services fall into one or more of the following three data processing service delivery models: IaaS (infrastructure-as-a-service), PaaS (platform-as-a-service) and SaaS (software-as-a-service). Those service delivery models represent a specific, pre-packaged combination of IT resources offered by a provider of data processing service. Three base cloud delivery models are further completed by emerging variations, each comprised of a distinct combination of IT resources, such as Storage-as-a-Service and Database-as-a-Service. For the purpose of this Regulation, data processing services can be categorised in more granular and a non-exhaustive multiplicity of different ‘equivalent services’, meaning sets of data processing services that share the same primary objective and main functionalities as well as the same type of data processing models, that are not related to the service operational characteristics. In an example two databases might appear to share the same primary objective, but after considering their data processing model, distribution model and targeted use-case, such databases should fall into a more granular subcategory of equivalent services. Equivalent services may have different and competing characteristics such as performance, security, resilience, and quality of service.

(71b)   Extracting the data that belongs to the customer from the source provider of data processing services remains one of the challenges that impedes restoration of the service functionalities in the destination provider infrastructure. In order to properly plan the exit strategy, avoid unnecessary and burdensome tasks and to ensure that the customer does not lose any of its data as a consequence of the switching process, the source provider of data processing services should include in the contract the mandatory information on the scope of the data that can be exported by the customer once he or she decides to switch to a different service, other provider of data processing services or move to on-premise ICT infrastructure. The scope of exportable data should include at a minimum input and output data, including relevant data formats, data structures and metadata directly or indirectly generated or co-generated by the customer’s use of the data processing service, and that can be clearly assigned to the customer. The exportable data should exclude any data processing service, or third party’s assets or data protected by intellectual property rights or constituting a trade secret or confidential information, such as data related to the integrity and security of the service provided by the data processing service, and should also exclude data used by the provider to operate, maintain and improve the service.

(72)  This Regulation aims to facilitate switching between data processing services, which encompasses all relevant conditions and actions that are necessary for a customer to terminate a contractual agreement of a data processing service, to conclude one or multiple new contracts with different providers of data processing services, to port all its digital assets, including data, to the concerned other providers and to continue to use them in the new environment and benefit from functional equivalence. It should be noted that the data processing services in scope are those where the data processing service, as defined under this Regulation, forms part of the core business of a provider. Digital assets refer to elements in digital format for which the customer has the right of use, including data, applications, virtual machines and other manifestations of virtualisation technologies, such as containers. Switching is a customer-driven operation consisting in three main steps, namely (i) data extraction, i.e. downloading data from a source provider’s ecosystem; (ii) transformation, when the data is structured in a way that does not match the schema of the target location; and (iii) the uploading of the data in a new destination location. In a specific situation outlined in this Regulation, unbundling of a particular service from the contract and moving it to another provider should also be considered as switching. The switching process is sometimes managed on behalf of the customer by a third-party entity. Accordingly, all right and obligations of the customer established by this Regulation, including the obligation to collaborate in good faith, should be understood to apply to such a third-party entity in those circumstances. Providers of cloud computing services and customers have different levels of responsibilities, depending on the steps of the process referred to. 
For instance, the source provider of data processing services is responsible to extract the data to a machine-readable format, but it is the customer and the destination provider who will upload the data to the new environment, unless specific professional transition service has been obtained. Obstacles to switching are of a different nature, depending on which step of the switching process is referred to. Functional equivalence means the possibility to re-establish, on the basis of the customer’s data, a minimum level of functionality of a service in the environment of a new data processing service after switching, where the destination service delivers a comparable outcome in response to the same input for shared functionality supplied to the customer under the contractual agreement. Different services may only achieve functional equivalence for the shared core functionalities, where both the source and destination service providers independently offer the same core functionalities. This Regulation does not instance an obligation of facilitating functional equivalence for data processing service delivery models of the PaaS or SaaS. Relevant meta-data, generated by the customer’s use of a service, should also be portable pursuant to this Regulation’s provisions on switching and falls within the definition of exportable data. Data processing services are used across sectors and vary in complexity and service type. This is an important consideration with regard to the porting process and timeframes.

(72a)   An ambitious and innovation inspiring regulatory approach to interoperability is needed, in order to overcome vendor lock-in, which undermines competition and the development of new services. Interoperability between equivalent data processing services involves multiple interfaces and layers of infrastructure and software and is rarely confined to a binary test of being achievable or not. Instea


Link: https://www.europarl.europa.eu/doceo/document/TA-9

Text of 2023-04-12. Source: GPDP



