CHAPTER I
General provisions (Articles 1 — 2)
CHAPTER II
Re-use of certain categories of protected data held by public sector bodies (Articles 3 — 9)
CHAPTER III
Requirements applicable to data intermediation services (Articles 10 — 15)
CHAPTER IV
Data altruism (Articles 16 — 25)
CHAPTER V
Competent authorities and procedural provisions (Articles 26 — 28)
CHAPTER VI
European Data Innovation Board (Articles 29 — 30)
CHAPTER VII
International access and transfer (Articles 31 — 31)
CHAPTER VIII
Delegation and committee procedure (Articles 32 — 33)
CHAPTER IX
Final and transitional provisions (Articles 34 — 38)
Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 33(3).
The re-use regime provided for in this Regulation should apply to data the supply of which forms part of the public tasks of the public sector bodies concerned under law or other binding rules in the Member States. In the absence of such rules, the public tasks should be defined in accordance with common administrative practice in the Member States, provided that the scope of the public tasks is transparent and subject to review. The public tasks could be defined generally or on a case-by-case basis for individual public sector bodies. As public undertakings are not covered by the definition of public sector body, the data held by public undertakings should not be covered by this Regulation. Data held by cultural establishments, such as libraries, archives and museums as well as orchestras, operas, ballets and theatres, and by educational establishments should not be covered by this Regulation since the works and other documents they hold are predominantly covered by third party intellectual property rights. Research-performing organisations and research-funding organisations could also be organised as public sector bodies or bodies governed by public law.
Public sector bodies should comply with competition law when establishing the principles for re-use of data they hold, avoiding the conclusion of agreements which might have as their objective or effect the creation of exclusive rights for the re-use of certain data. Such agreements should be possible only where justified and necessary for the provision of a service or the supply of a product in the general interest. This may be the case where the exclusive use of the data is the only way to maximise the societal benefits of the data in question, for example where there is only one entity (which has specialised in the processing of a specific dataset) capable of providing the service or supplying the product which allows the public sector body to provide a service or supply a product in the general interest. Such arrangements should, however, be concluded in accordance with applicable Union or national law and be subject to regular review based on a market analysis in order to ascertain whether such exclusivity continues to be necessary. In addition, such arrangements should comply with the relevant State aid rules, as appropriate, and should be concluded for a limited duration which should not exceed 12 months. In order to ensure transparency, such exclusive agreements should be published online, in a form that complies with relevant Union law on public procurement. Where an exclusive right to re-use data does not comply with this Regulation, that exclusive right should be invalid.
Prohibited exclusive agreements and other practices or arrangements pertaining to the re-use of data held by public sector bodies which do not expressly grant exclusive rights but which can reasonably be expected to restrict the availability of data for re-use that have been concluded or were already in place before the date of entry into force of this Regulation should not be renewed after the expiry of their term. In the case of indefinite or longer-term agreements, they should be terminated within 30 months of the date of entry into force of this Regulation.
This Regulation should lay down conditions for re-use of protected data that apply to public sector bodies designated as competent under national law to grant or refuse access for re-use, and which are without prejudice to rights or obligations concerning access to such data. Those conditions should be non-discriminatory, transparent, proportionate and objectively justified, while not restricting competition, with a specific focus on promoting access to such data by SMEs and start-ups. The conditions for re-use should be designed in a manner promoting scientific research so that, for example, privileging scientific research should, as a rule, be considered to be non-discriminatory. Public sector bodies allowing re-use should have in place the technical means necessary to ensure the protection of rights and interests of third parties and should be empowered to request the necessary information from the re-user. Conditions attached to the re-use of data should be limited to what is necessary to preserve the rights and interests of third parties in the data and the integrity of the information technology and communication systems of the public sector bodies. Public sector bodies should apply conditions which best serve the interests of the re-user without leading to a disproportionate burden on the public sector bodies. Conditions attached to the re-use of data should be designed to ensure effective safeguards with regard to the protection of personal data. Before transmission, personal data should be anonymised, in order not to allow the identification of the data subjects, and data containing commercially confidential information should be modified in such a way that no confidential information is disclosed. 
Where the provision of anonymised or modified data would not respond to the needs of the re-user, subject to fulfilling any requirements to carry out a data protection impact assessment and consult the supervisory authority pursuant to Articles 35 and 36 of Regulation (EU) 2016/679 and where the risks to the rights and interests of data subjects have been found to be minimal, on-premise or remote re-use of the data within a secure processing environment could be allowed.
The intellectual property rights of third parties should not be affected by this Regulation. This Regulation should neither affect the existence or ownership of intellectual property rights of public sector bodies nor limit the exercise of those rights in any way. The obligations imposed in accordance with this Regulation should apply only insofar as they are compatible with international agreements on the protection of intellectual property rights, in particular the Berne Convention for the Protection of Literary and Artistic Works (Berne Convention), the Agreement on Trade-related Aspects of Intellectual Property Rights (TRIPS Agreement) and the World Intellectual Property Organization Copyright Treaty (WCT), and Union or national intellectual property law. Public sector bodies should, however, exercise their copyright in a way that facilitates re-use.
Data subject to intellectual property rights as well as trade secrets should be transmitted to a third party only where such transmission is lawful by virtue of Union or national law or with the agreement of the rights holder. Where public sector bodies are holders of the right of the maker of a database provided for in Article 7(1) of Directive 96/9/EC of the European Parliament and of the Council they should not exercise that right in order to prevent the re-use of data or to restrict re-use beyond the limits set by this Regulation.
Undertakings and data subjects should be able to have confidence in the fact that the re-use of certain categories of protected data which are held by the public sector bodies will take place in a manner that respects their rights and interests. Additional safeguards should therefore be put in place for situations in which the re-use of such public sector data takes place on the basis of a processing of the data outside the public sector, such as a requirement that public sector bodies ensure that the rights and interests of natural and legal persons are fully protected, in particular with regard to personal data, commercially sensitive data and intellectual property rights, in all cases, including where such data is transferred to third countries. Public sector bodies should not allow the re-use of information stored in e-health applications by insurance undertakings or any other service provider for the purpose of discriminating in the setting of prices, as this would run counter to the fundamental right of access to health.
Furthermore, in order to preserve fair competition and the open market economy it is of the utmost importance to safeguard protected data of non-personal nature, in particular trade secrets, but also non-personal data representing content protected by intellectual property rights from unlawful access that may lead to intellectual property theft or industrial espionage. In order to ensure the protection of the rights or interests of data holders, it should be possible to transfer non-personal data which is to be protected from unlawful or unauthorised access in accordance with Union or national law and which is held by public sector bodies to third countries, but only where appropriate safeguards for the use of data are provided. Such appropriate safeguards should include a requirement that the public sector body transmit protected data to a re-user only if that re-user makes contractual commitments in the interest of the protection of the data. A re-user that intends to transfer the protected data to a third country should comply with the obligations laid down in this Regulation even after the data has been transferred to the third country. To ensure the proper enforcement of such obligations, the re-user should also accept the jurisdiction of the Member State of the public sector body that allowed the re-use for the judicial settlement of disputes.
Appropriate safeguards should also be considered to be implemented where, in the third country to which non-personal data is being transferred, there are equivalent measures in place which ensure that data benefit from a level of protection similar to that applicable by means of Union law, in particular with regard to the protection of trade secrets and intellectual property rights. To that end, the Commission should be able to declare, by means of implementing acts, where justified because of the substantial number of requests across the Union concerning the re-use of non-personal data in specific third countries, that a third country provides a level of protection that is essentially equivalent to that provided by Union law. The Commission should assess the necessity of such implementing acts on the basis of information provided by the Member States through the European Data Innovation Board. Such implementing acts would reassure public sector bodies that re-use of data held by public sector bodies in the third country concerned would not compromise the protected nature of that data. The assessment of the level of protection afforded in the third country concerned should, in particular, take into consideration the relevant general and sectoral law, including on public security, defence, national security and criminal law, concerning access to and protection of non-personal data, any access by the public sector bodies of that third country to the data transferred, the existence and effective functioning of one or more independent supervisory authorities in the third country with responsibility for ensuring and enforcing compliance with the legal regime ensuring access to such data, the third country’s international commitments regarding the protection of data, or other obligations arising from legally binding conventions or instruments as well as from its participation in multilateral or regional systems.
Some third countries adopt laws, regulations and other legal acts which aim to directly transfer or provide governmental access to non-personal data in the Union under the control of natural and legal persons under the jurisdiction of the Member States. Decisions and judgments of third-country courts or tribunals or decisions of third-country administrative authorities requiring such transfer of or access to non-personal data should be enforceable where they are based on an international agreement, such as a mutual legal assistance treaty, in force between the requesting third country and the Union or a Member State. In some cases, situations may arise where the obligation to transfer or provide access to non-personal data arising from a third country law conflicts with a competing obligation to protect such data under Union or national law, in particular with regard to the protection of the fundamental rights of the individual or of the fundamental interests of a Member State related to national security or defence, as well as the protection of commercially sensitive data and the protection of intellectual property rights, including contractual undertakings regarding confidentiality in accordance with such law. In the absence of international agreements regulating such matters, the transfer of or access to non-personal data should be allowed only if, in particular, it has been verified that the third-country’s legal system requires the reasons and proportionality of the decision or judgment to be set out, that the decision or judgment is specific in character, and that the reasoned objection of the addressee is subject to a review by a competent third-country court or tribunal, which is empowered to take duly into account the relevant legal interests of the provider of such data.