Data & Privacy
- Data Act
- Data Governance Act
- ePrivacy Directive
- GDPR
AI & Trust
- Artificial Intelligence Act
Cybersecurity
- Cybersecurity Act
- DORA
- NIS2
Digital Services & Media
- Digital Markets Act
- Digital Services Act
- European Media Freedom Act
Data Act
- Recitals
CHAPTER I
GENERAL PROVISIONSArticles 1 — 2
CHAPTER II
BUSINESS TO CONSUMER AND BUSINESS TO BUSINESS DATA SHARINGArticles 3 — 7
CHAPTER III
OBLIGATIONS FOR DATA HOLDERS OBLIGED TO MAKE DATA AVAILABLE PURSUANT TO UNION LAWArticles 8 — 12
CHAPTER IV
UNFAIR CONTRACTUAL TERMS RELATED TO DATA ACCESS AND USE BETWEEN ENTERPRISESArticles 13 — 13
CHAPTER V
MAKING DATA AVAILABLE TO PUBLIC SECTOR BODIES, THE COMMISSION, THE EUROPEAN CENTRAL BANK AND UNION BODIES ON THE BASIS OF AN EXCEPTIONAL NEEDArticles 14 — 22
CHAPTER VI
SWITCHING BETWEEN DATA PROCESSING SERVICESArticles 23 — 31
CHAPTER VII
UNLAWFUL INTERNATIONAL GOVERNMENTAL ACCESS AND TRANSFER OF NON-PERSONAL DATAArticles 32 — 32
CHAPTER VIII
INTEROPERABILITYArticles 33 — 36
CHAPTER IX
IMPLEMENTATION AND ENFORCEMENTArticles 37 — 42
CHAPTER X
SUI GENERIS RIGHT UNDER DIRECTIVE 96/9/ECArticles 43 — 43
CHAPTER XI
FINAL PROVISIONSArticles 44 — 50
DA Article 18. Compliance with requests for data
- 1.A data holder receiving a request to make data available under this Chapter shall make the data available to the requesting public sector body, the Commission, the European Central Bank or a Union body without undue delay, taking into account necessary technical, organisational and legal measures.
- 2.Without prejudice to specific needs regarding the availability of data defined in Union or national law, a data holder may decline or seek the modification of a request to make data available under this Chapter without undue delay and, in any event, no later than five working days after the receipt of a request for the data necessary to respond to a public emergency and without undue delay and, in any event, no later than 30 working days after the receipt of such a request in other cases of an exceptional need, on any of the following grounds:
- (a)the data holder does not have control over the data requested;
- (b)a similar request for the same purpose has been previously submitted by another public sector body or the Commission, the European Central Bank or a Union body and the data holder has not been notified of the erasure of the data pursuant to Article 19(1), point (c);
- (c)the request does not meet the conditions laid down in Article 17(1) and (2).
- 3.If the data holder decides to decline the request or to seek its modification in accordance with paragraph 2, point (b), it shall indicate the identity of the public sector body or the Commission, the European Central Bank or the Union body that previously submitted a request for the same purpose.
- 4.Where the data requested includes personal data, the data holder shall properly anonymise the data, unless the compliance with the request to make data available to a public sector body, the Commission, the European Central Bank or a Union body requires the disclosure of personal data. In such cases, the data holder shall pseudonymise the data.
- 5.Where the public sector body, the Commission, the European Central Bank or the Union body wishes to challenge a data holder’s refusal to provide the data requested, or where the data holder wishes to challenge the request and the matter cannot be resolved by an appropriate modification of the request, the matter shall be referred to the competent authority designated pursuant to Article 37 of the Member State where the data holder is established.
Relevant Recitals for this Article
Data holders should have the possibility to either decline a request made by a public sector body, the Commission, the European Central Bank or a Union body or seek its modification without undue delay and, in any event, no later than within a period of five or 30 working days, depending on the nature of the exceptional need invoked in the request. Where relevant, the data holder should have this possibility where it does not have control over the data requested, namely where it does not have immediate access to the data and cannot determine its availability. A valid reason not to make the data available should exist if it can be shown that the request is similar to a previously submitted request for the same purpose by another public sector body or the Commission, the European Central Bank or a Union body and the data holder has not been notified of the erasure of the data pursuant to this Regulation. A data holder declining the request or seeking its modification should communicate the underlying justification to the public sector body, the Commission, the European Central Bank or a Union body requesting the data. Where the database rights under Directive 96/9/EC of the European Parliament and of the Council apply in relation to the requested datasets, data holders should exercise their rights in such a way that does not prevent the public sector body, the Commission, the European Central Bank or Union body from obtaining the data, or from sharing it, in accordance with this Regulation.
In the case of an exceptional need related to a public emergency response, public sector bodies should use non-personal data wherever possible. In the case of requests on the basis of an exceptional need not related to a public emergency, personal data cannot be requested. Where personal data fall within the scope of the request, the data holder should anonymise the data. Where it is strictly necessary to include personal data in the data to be made available to a public sector body, the Commission, the European Central Bank or a Union body or where anonymisation proves impossible, the entity requesting the data should demonstrate the strict necessity and the specific and limited purposes for processing. The applicable rules on personal data protection should be complied with. The making available of the data and their subsequent use should be accompanied by safeguards for the rights and interests of individuals concerned by those data.