EU: Commission publishes guidance for the Data Governance Act

 On September 24, 2024, the European Commission published a guidance document on Implementing the Data Governance Act (DGA). This follows the entrance into force of the DGA on September 24, 2023.

The guidance clarifies that the DGA aims to facilitate data sharing, with measures to:

  • regulate the re-use of publicly held data such as personal data or commercially confidential data;
  • boost data sharing through data intermediation services;
  • encourage data sharing for altruistic purposes; and
  • establish the European Data Innovation Board to ensure best practices.

The guidance clarifies that both personal and non-personal data are within the scope of the DGA, and that the General Data Protection Regulation (GDPR) will apply in addition, where personal data is involved. The guidance reiterates that the GDPR is not modified by the DGA and the role of supervisory authorities is not touched upon in the GDPR.

Regarding the re-use of protected data held by public sector bodies, the guidance clarifies that the DGA does not create a right to re-use or a new legal basis in the sense of the GDPR for the re-use of personal data. However, where the re-use of publicly held data is allowed, it must be done in accordance with the DGA. The DGA does not apply to publicly held, protected data:

  • that is protected for reasons of public security, defense, or national security; and
  • data that public sector bodies hold for purposes other than the performance of their defined public tasks.

The DGA also limits the reliance on exclusive data re-use agreements, such as a public sector body granting exclusive rights to a company in specific cases of public interest.

On international data transfers, the DGA only sets rules for international transfers of non-personal data, with the GDPR setting rules for personal data transfers. International transfers of non-personal data transfers have two steps, namely:

  • informing the public sector body in advance when requesting re-use, about the intention to transfer and the purpose; and
  • contractual commitments, including ensuring the data is not breached after the transfers, and accepting the jurisdiction of the Member State or public sector body in case any dispute arises.

The role of re-users is also examined. The guidance specifies that re-users under the DGA:

  • are prohibited from re-identifying data subjects, taking technical and operational measures to prevent re-identification; and
  • in the case of re-identification of a natural person:
    • inform the public sector body that granted the re-use permission in accordance with Article 33 of the GDPR; and
    • in the case of the non-authorized use of non-personal data, inform the legal persons concerned. Where the protected nature of a trade secret is compromised, the re-user must inform the company that owns the trade secrets, and where necessary, get assistance from the public sector body that initially granted permission.

The Commission clarified that the guidance will be subject to periodic updates as the DGA is implemented.

You can read the press release here and download the guidance here.

Juristi.blog

Author & Editor

Has laoreet percipitur ad. Vide interesset in mei, no his legimus verterem. Et nostrum imperdiet appellantur usu, mnesarchum referrentur id vim.

September 25, 2024

0 Comments:

Post a Comment

Subscribe to: Post Comments (Atom)

Copyrights @ Këshilla Ligjore - KeshillaLigjore Kërko çdo gjë. | KeshillaLigjore