77 Amendments of David CORMAND related to 2020/0340(COD)
Amendment 163 #
Proposal for a regulation
Recital 3 a (new)
Recital 3 a (new)
(3a) This Regulation is without prejudice to Regulation (EU) 2016/679, to Directive 2002/58/EC of the European Parliament and of the Council1 and Directive (EU) 2016/680. This Regulation does not create a new legal basis for the processing of personal data. In the event of conflict between the provisions of this Regulation and Union law on the protection of personal data, the latter should prevail. Data protection authorities may be considered competent authorities for the purpose of this Regulation. Where other organisations act as competent authorities under this Regulation, it should be without prejudice to the supervisory powers of data protection authorities under Regulation (EU)2016/679. ______________ 1Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector (Directive on privacy and electronic communications) (OJ L 201, 31.7.2002, p. 37)
Amendment 164 #
Proposal for a regulation
Recital 3 b (new)
Recital 3 b (new)
(3b) In the case of a data set composed of both personal and non-personal data, where those types of data are inextricably linked, the data set is to be considered personal data.
Amendment 166 #
Proposal for a regulation
Recital 5
Recital 5
(5) The idea that data that has been generated at the expense of public budgets should benefit society has been part of Union policy for a long time. Directive (EU) 2019/1024 as well as sector-specific legislation ensure that the public sector makes more of the data it produces easily available for use and re-use. However, certain categories of data (commercially confidential data, data subject to statistical confidentiality, data protected by intellectual property rights of third parties, including trade secrets and personal data not accessible on the basis of specific national or Union legislation, such as Regulation (EU) 2016/679 and Directive (EU) 2016/680) in public databases is often not made available, not even for research or innovative activities. Due to the sensitivity of this data, certain technical and legal procedural requirements must be met before they are made available, in order to ensure the respect of rights others have over such data. Such legitimate requirements are usually time- and knowledge-intensive to fulfil. This has led to the underutilisation of such data. While some Member States are setting up structures, processes and sometimes legislate to facilitate this type of re-use, this is not the case across the Union.
Amendment 167 #
Proposal for a regulation
Recital 6
Recital 6
(6) There are techniques enabling privacy-friendly analyses on databases that contain personal data, such as anonymisation, pseudonymisation, differential privacy, generalisation, or suppression and randomisation. Application of these privacy-enhancing technologies, together with comprehensive data protection approaches should ensurebe prioritised in order to ensure privacy by design and by default, permitting the safer re-use of personal data and commercially confidential business data for research, innovation and statistical purposes. In many cases this implies that the data use and re-use in this context can only be done in a secure processing environment set in place and supervised by the public sector. There is experience at Union level with such secure processing environments that are used for research on statistical microdata on the basis of Commission Regulation (EU) 557/2013 (39 ). In general, insofar as personal data are concerned, the processing of personal data should rely upon one or more of the grounds for processing provided in Article 6 of Regulation (EU) 2016/679. __________________ 39Commission Regulation (EU) 557/2013 of 17 June 2013 implementing Regulation (EC) No 223/2009 of the European Parliament and of the Council on European Statistics as regards access to confidential data for scientific purposes and repealing Commission Regulation (EC) No 831/2002 (OJ L 164, 18.6.2013, p. 16).
Amendment 173 #
Proposal for a regulation
Recital 9
Recital 9
(9) Public sector bodies should comply with competition law when establishing the principles for re-use of data they hold, avoiding as far as possible the conclusion of agreements, which might have as their objective or effect the creation of exclusive rights for the re-use of certain data. Such agreement should be only possible when justified and necessary for the provision of a service of general interest. This may be the case when exclusive use of the data is the only way to maximise the societal benefits of the data in question, for example where there is only one entity (which has specialised in the processing of a specific dataset) capable of delivering the service or the product which allows the public sector body to provide an advanced digital service in the general interest. Such arrangements should, however, be concluded in compliance with public procurement rules and be subject to regular review based on a market analysis in order to ascertain whether such exclusivity continues to be necessary. In addition, such arrangements should comply with the relevant State aid rules, as appropriate, and should be concluded for a limited period, which should not exceed three years. In order to ensure transparency, such exclusive agreements should be published online, regardless of a possible publication of an award of a public procurement contract.
Amendment 176 #
Proposal for a regulation
Recital 11
Recital 11
(11) Conditions for re-use of protected data that apply to public sector bodies competent under national law to allow re- use, and which should be without prejudice to rights or obligations concerning access to such data, should be laid down. Those conditions should be non-discriminatory, proportionate and objectively justified, while not restricting competition. In particular, public sector bodies allowing re- use should have in place the technical means necessary to ensure the protection of rights and interests of third parties. Conditions attached to the re-use of data should be limited to what is necessary to preserve the rights and interests of others in the data and the integrity of the information technology and communication systems of the public sector bodies. Public sector bodies should apply conditions which best serve the interests of the re-user without leading torequiring a disproportionate effort for the public sector. Depending on the case at hand, before its transmission, personal data should be fully anonymised, so as to definitively not allow the identification of the data subjects, or data containing commercially confidential information modified in such a way that no confidential information is disclosed. Where provision of anonymised or modified data would not respond to the needs of the re-userthis does not create meaningful risks for the rights and interests of data subjects, on- premise or remote re-use of the data within a secure processing environment could be permitted. Data analyses in such secure processing environments should be supervised by the public sector body, so as to protect the rights and interests of others. In particular, personal data should only be transmitted for re-use to a third party where a legal basis under Regulation 2016/679 allows such transmission. The public sector body could make the use of such secure processing environment conditional on the signature by the re-user of a confidentiality agreement that prohibits the disclosure of any information that jeopardises the rights and interests of third parties that the re-user may have acquired despite the safeguards put in place. The public sector bodies, where relevant, should facilitate the re-use of personal data on the basis of informed consent of data subjects or, with regard to non-personal data, on the basis of permissions of legal persons on the re-use of data pertaining to them, through the use of adequate technical means. In this respect, the public sector body should support potential re-users in seeking such consent by establishing technical mechanisms that permit transmitting requests for consent from re-users, where practically feasible. No contact information should be given that allows re-users to contact data subjects or companies directly. When transmitting the request to consent, the public sector body should ensure that the request is presented in a neutral way and that the data subject is clearly informed about the possibility to refuse such a request, risks involved in giving consent and how to subsequently easily revoke their consent.
Amendment 179 #
Proposal for a regulation
Recital 12
Recital 12
(12) The intellectual property rights of third parties should not be affected by this Regulation. This Regulation should neither affect the existence or ownership of intellectual property rights of public sector bodies, nor should it limit the exercise of these rights in any way beyond the boundaries set by this Regulation. The obligations imposed in accordance with this Regulation should apply only insofar as they are compatible with international agreements on the protection of intellectual property rights, in particular the Berne Convention for the Protection of Literary and Artistic Works (Berne Convention), the Agreement on Trade-Related Aspects of Intellectual Property Rights (TRIPS Agreement) and the WIPO Copyright Treaty (WCT). Public sector bodies should, however, exercise their copyright in a way that facilitates re-use and encourages a transparent and cooperative approach to data, including by using a Creative Commons approach to licensing to data that is not already open data.
Amendment 183 #
Proposal for a regulation
Recital 14
Recital 14
(14) Companies and data subjects should be able to trust that the re-use of certain categories of protected data, which are held by the public sector, will take place in a manner that respects their rights and interests. Additional safeguards should thus be put in place for situations in which the re-use of such public sector data is taking place on the basis of a processing of the data outside the public sector. Such an additional safeguard could be found in the requirement that public sector bodies should take fully into accounrespect the rights and interests of natural and legal persons (in particular the protection of personal data, commercially sensitive data and the protection of intellectual property rights) in case. Particular care is needed when such data is transferred to third countries.
Amendment 187 #
Proposal for a regulation
Recital 15
Recital 15
(15) Furthermore, it is important to protect commercially sensitive data of non- personal nature, notably trade secrets, but also non-personal data representing content protected by intellectual property rights from unlawful access that may lead to IP theft or industrial espionage. In order to ensure the protection of fundamental rights or interests of data holders, non-personal data which is to be protected from unlawful or unauthorised access under Union or national law, and which is held by public sector bodies, should be transferred only to third-countries where appropriate safeguards for the use of data are provided. Such appropriate safeguards should be considered to exist when in that third- country there are equivalent measures in place which ensure that non-personal data benefits from a level of protection similar to that applicable by means of Union or national law in particular as regards the protection of trade secrets and the protection of intellectual property rights. To that end, the Commission may adopt implementing acts that declare that a third country provides a level of protection that is essentially equivalent to those provided by Union or national law. The assessment of the level of protection afforded in such third-country should, in particular, take into consideration the relevant legislation, both general and sectoral, including concerning public security, defence, national security and criminal law concerning the access to and protection of non-personal data, any access by the public authorities of that third country to the data transferred, the existence and effective functioning of one or more independent supervisory authorities in the third country with responsibility for ensuring and enforcing compliance with the legal regime ensuring access to such data, or the third countries’ international commitments regarding the protection of data the third country concerned has entered into, or other obligations arising from legally binding conventions or instruments as well as from its participation in multilateral or regional systems. The existence of effective legal remedies for data subjects and data holders, public sector bodies or data sharing providers in the third country concerned is of particular importance in the context of the transfer of non-personal data to that third country. Such safeguards should therefore include the availability of enforceable rights and of effective legal remedies.
Amendment 198 #
Proposal for a regulation
Recital 20
Recital 20
(20) Public sector bodies should be able to charge cost-based fees for the re-use of data but should also be able to decide to make the data available at lower or no cost, for example for certain categories of re- uses such as non-commercial re-use, or re- use by small and medium-sized enterprises, so as to incentivisfacilitate such re-use in order to stimulate research and innovation and support companies that are an important source of innovation and typically find it more difficult to collect relevant data themselves, in line with State aid rules. Such fees should be reasonable, transparent, published online and non- discriminatory.
Amendment 199 #
Proposal for a regulation
Recital 21
Recital 21
(21) In order to incentivisfacilitate the re-use of these categories of data, Member States should establish a single information point to act as the primary interface for re-users that seek to re-use such data held by the public sector bodies. It should have a cross-sector remit, and should complement, if necessary, arrangements at the sectoral level. In addition, Member States should designate, establish or facilitate the establishment of competent bodies to support the activities of public sector bodies allowing re-use of certain categories of protected data. Their tasks may include granting access to data, where mandated in sectoral Union or Member States legislation. Those competent bodies should provide support to public sector bodies with state-of-the-art techniques, including secure data processing environments, which allow data analysis in a manner that preserves the privacy of the information. Such support structure could support the data subjects and holders with management of the consent, including consent to certain areas of scientific research when in keeping with recognised ethical standards for scientific research. DataThe competent bodies should not have a supervisory function, which is reserved for supervisory authorities under Regulation (EU)2016/679. Without prejudice to the supervisory powers of data protection authorities, processing should be performed under the responsibility of the public sector body responsible for the register containing the data, who remains a data controller in the sense of Regulation (EU) 2016/679 insofar as personal data are concerned. Member States may have in place one or several competent bodies, which could act in different sectors.
Amendment 200 #
Proposal for a regulation
Recital 22
Recital 22
(22) Providers of data sharing services (data intermediaries) are expected to play a key role in the data economy, as a tool to facilitate the aggregation and exchange of substantial amounts of relevant data. Data intermediaries offering services that connect the different actors have the potential to contribute to the efficient pooling of data as well as to the facilitation of bilateral data sharing. Specialised data intermediaries that are independent from both data holders and data users can have a facilitating role in the emergence of new data-driven ecosystems independent from any player with a significant degree of market power. This Regulation should only cover providers of data sharing services that have as a main objective the establishment of a business, a legal and potentially also technical relation between data holders, including data subjects, on the one hand, and potential users on the other hand, and assist both parties in a transaction of data assets between the two. It should only cover services aiming at intermediating between an indefinite number of data subjects and holders and data users, excluding data sharing services that are meant to be used by a closed group of data subjects and holders and users. Providers of cloud services should be excluded, as well as service providers that obtain data from data subjects and data holders, aggregate, enrich or transform the data and licence the use of the resulting data to data users, without establishing a direct relationship between data subjects and holders and data users, for example advertisement or data brokers, data consultancies, providers of data products resulting from value added to the data by the service provider. At the same time, data sharing service providers should be allowed to make adaptations to the data exchanged, to the extent that this improves the usability of the data by the data user, where the data user desires this, such as to convert it into specific formats. In addition, services that focus on the intermediation of content, in particular on copyright- protected content, should not be covered by this Regulation. Data exchange platforms that are exclusively used by one data holder in order to enable the use of data they hold as well as platforms developed in the context of objects and devices connected to the Internet-of-Things that have as their main objective to ensure functionalities of the connected object or device and allow value added services, should not be covered by this Regulation. ‘Consolidated tape providers’ in the sense of Article 4 (1) point 53 of Directive 2014/65/EU of the European Parliament and of the Council42 as well as ‘account information service providers’ in the sense of Article 4 point 19 of Directive (EU) 2015/2366 of the European Parliament and of the Council43 should not be considered as data sharing service providers for the purposes of this Regulation. Entities which restrict their activities to facilitating use of data made available on the basis of data altruism and that operate on a not-for-profit basis should not be covered by Chapter III of this Regulation, as this activity serves objectives of general interest by increasing the volume of data available for such purposes. __________________ 42Directive 2014/65/EU of the European Parliament and of the Council of 15 May 2014 on markets in financial instruments and amending Directive 2002/92/EC and Directive 2011/61/EU, OJ L 173/349. 43Directive (EU) 2015/2366 of the European Parliament and of the Council of 25 November 2015 on payment services in the internal market, amending Directives 2002/65/EC, 2009/110/EC and 2013/36/EU and Regulation (EU) No 1093/2010, and repealing Directive 2007/64/EC.
Amendment 202 #
Proposal for a regulation
Recital 25
Recital 25
(25) In order to increase trust in such data sharing services, in particular related to the use of data and the compliance with the conditions imposed by data subjects and data holders, it is necessary to create a Union-level regulatory framework, which would set out highly harmonised requirements related to the trustworthy, open and non-discriminatory provision of such data sharing services. This will contribute to ensuring that data subjects, data holders and data users have better control over the access to and use of their data, in accordance with Union law. Both in situations where data sharing occurs in a business-to-business context and where it occurs in a business-to- consumer context, data sharing providers should offer a novel, ‘European’ way of data governance, by providing a separation in the data economy between data provision, intermediation and use. Providers of data sharing services may also make available specific technical infrastructure for the interconnection ofbetween data subjects and data holders and data users.
Amendment 203 #
Proposal for a regulation
Recital 26
Recital 26
(26) A key element to bring trust and more control for data holder and data users in data sharing services is the neutrality of data sharing service providers as regards the data exchanged between data holderssubjects and data holders on the one hand and data users on the other. It is therefore necessary that data sharing service providers act only as intermediaries in the transactions, and do not use the data exchanged for any other purpose. This will also require structural separation between the data sharing service and any other services provided, so as to avoid issues of conflict of interest. This means that the data sharing service should be provided through a legal entity that is separate from the other activities of that data sharing provider. Where an actor provides other data-related services, in addition to data sharing services, the pricing and terms of services for the data sharing service should not be influenced by whether and to what degree a data holder or data user uses other data- related services from the same actor. Data sharing providers that intermediate the exchange of data between individuals as data holdersubjects and legal persons as data users should, in addition, bear fiduciary duty towards the individuals, to ensure that they act in the best interest of the data holdersubjects.
Amendment 205 #
Proposal for a regulation
Recital 35
Recital 35
(35) There is a strong potential in the use of data made available voluntarily by data subjects based on their consent or, where it concerns non-personal data, made available by legal persons, for purposes of general interest. Such purposes would include healthcare, combating climate change, improving mobility, facilitating the establishment of official statistics or improving the provision of public services. Support to scientific research, including for example technological development and demonstration, fundamental research, applied research and privately funded research, shouldmay also be considered as well purposes of general interest. This Regulation aims at contributing to the emergence of pools of data made available on the basis of data altruism that have a sufficient size in order to enable data analytics and machine learning, including across borders in the Union.
Amendment 208 #
Proposal for a regulation
Recital 36
Recital 36
(36) Legal entities that seek to support purposes of general interest by making available relevant data based on data altruism at scale and meet certain requirements, should be able to register as ‘EU-registered Data Altruism Organisations recognised in the Union’'. This could lead to the establishment of data repositories. As registration in a Member State would be valid across the Union, and this should facilitate cross-border data use within the Union and the emergence of data pools covering several Member States. Data subjects in this respect would consent to specific purposes of data processing, but could also subsequently be asked for consent tofor data processing in certain areas of research or parts of research projects as it is often not possible to fully identify the purpose of personal data processing for scientific research purposes at the time of data collection. Legal persons could give permission to the processing of their non- personal data for a range of purposes not defined at the moment of giving the permission. The voluntary compliance of such registered entities with a set of requirements should bring trust that the data made available on altruistic purposes is serving a general interest purpose. Such trust should result in particular from a place of establishment within the Union, as well as from the requirement that registered entities have a not-for-profit character, from transparency requirements and from specific safeguards in place to protect rights and interests of data subjects and companies. Further safeguards should include making it possible to process relevant data within a secure processing environment operated by the registered entity, oversight mechanisms such as ethics councils or boards to ensure that the data controller maintains high standards of scientific ethics, effective technical means to withdraw or modify consent at any moment, based on the information obligations of data processors under Regulation (EU) 2016/679 as well as means for data subjects to stay informed about the use of data they made available.
Amendment 209 #
Proposal for a regulation
Recital 37
Recital 37
(37) This Regulation is without prejudice to the establishment, organisation and functioning of entities that seek to engage in data altruism pursuant to national law. It builds on national law requirements to operate lawfully in a Member State as a not-for-profit organisation. Entities which meet the requirements in this Regulation should be able to use the title of ‘EU-registered Data Altruism Organisations recognised in the Union’'.
Amendment 210 #
Proposal for a regulation
Recital 38
Recital 38
(38) EU-registered Data Altruism Organisations recognised in the Union should be able to collect relevant data directly from natural and legal persons or to process data collected by others. Typically, data altruism would rely on consent of data subjects in the sense of Article 6(1)(a) and 9(2)(a) and in compliance with requirements for lawful consent in accordance with Article 7 of Regulation (EU) 2016/679. In accordance with Regulation (EU) 2016/679, scientific research purposes can be supported by consent to certain areas of scientific research when in keeping with recognised ethical standards for scientific research or only to certain areas of research or parts of research projects. Article 5(1)(b) of Regulation (EU) 2016/679 specifies that further processing for scientific or historical research purposes or statistical purposes should, in accordance with Article 89(1) of Regulation (EU) 2016/679, not be considered to be incompatible with the initial purposes.
Amendment 212 #
Proposal for a regulation
Recital 40
Recital 40
(40) In order to successfully implement the data governance framework, a European Data Innovation Board should be established, in the form of an expert group. The Board should consist of representatives of the Member States, the Commission and representatives of relevant data spaces and specific sectors (such as health, agriculture, transport and statistics), standards-setting organisations, academia and civil society, as appropriate. The European Data Protection Board should be invited to appoint a representative to the European Data Innovation Board.
Amendment 216 #
Proposal for a regulation
Article 1 – paragraph 2 a (new)
Article 1 – paragraph 2 a (new)
(2a) Union law on the protection of personal data shall apply to any personal data processed in connection with this Regulation. In particular, this Regulation shall be without prejudice to Regulation (EU) 2016/679, Directive 2002/58/EC, and Regulation (EU) 2018/1725. In the event of conflict between the provisions of this Regulation and Union law on the protection of personal data, the latter prevails. This Regulation does not create a legal basis for the processing of personal data.
Amendment 218 #
Proposal for a regulation
Article 2 – paragraph 1 – point 3 a (new)
Article 2 – paragraph 1 – point 3 a (new)
(3a) 'personal data' means personal data as defined in point (1) of Article 4 of Regulation (EU)2016/679;
Amendment 219 #
Proposal for a regulation
Article 2 – paragraph 1 – point 3 b (new)
Article 2 – paragraph 1 – point 3 b (new)
(3b) ‘consent’ means consent as defined in point (11) of Article 4 of Regulation (EU) 2016/679;
Amendment 220 #
Proposal for a regulation
Article 2 – paragraph 1 – point 3 c (new)
Article 2 – paragraph 1 – point 3 c (new)
(3c) 'data subject' means data subject as defined in point (1) of Article 4 of Regulation (EU) 2016/679;
Amendment 221 #
Proposal for a regulation
Article 2 – paragraph 1 – point 3 d (new)
Article 2 – paragraph 1 – point 3 d (new)
(3d) 'processing’ means processing as defined in point (2) of Article 4 of Regulation (EU) 2016/679.
Amendment 222 #
Proposal for a regulation
Article 2 – paragraph 1 – point 4
Article 2 – paragraph 1 – point 4
Amendment 223 #
Proposal for a regulation
Article 2 – paragraph 1 – point 7
Article 2 – paragraph 1 – point 7
(7) ‘data sharing’ means the provision by a data holder of data to a data user for the purpose of joint or individual use of the shared data, based on voluntary agreements, or the sharing of data by a data subject, based on their consent, directly or through an intermediary;
Amendment 224 #
Proposal for a regulation
Article 2 – paragraph 1 – point 10
Article 2 – paragraph 1 – point 10
(10) ‘data altruism’ means the consent by data subjects to process personal data pertaining to them, or permissions of other data holders to allow the use of their non-personal datavoluntary data sharing by data holders, or the consent to data processing by a data subject, without seeking or receiving a reward, for purposes of general interest, such as scientific research purposes or improving public services;healthcare, combating climate change, improving mobility, facilitating the establishment of official statistics, improving public services, or scientific research purposes
Amendment 226 #
Proposal for a regulation
Article 2 – paragraph 1 – point 14
Article 2 – paragraph 1 – point 14
(14) ‘secure processing environment’ means the physical or virtual environment and organisational means to provide the opportunity to re-use data in a manner that respects data subjects’ rights under Regulation (EU) 2016/679 as well as commercial and statistical confidentiality, that ensures compliance with applicable legislation, or that allows for the operator of the secure processing environment to determine and supervise all data processing actions, including to display, storage, download, export of the data and calculation of derivative data through computational algorithms.
Amendment 230 #
Proposal for a regulation
Article 3 – paragraph 3 a (new)
Article 3 – paragraph 3 a (new)
(3a) Where anonymisation, aggregation, or other techniques can be applied so that the protections under paragraph 1 no longer apply, public sector bodies shall make available the data for re-use as mandated by Directive (EU) 2019/1024, without prejudice to Article 5.
Amendment 245 #
Proposal for a regulation
Article 5 – paragraph 3
Article 5 – paragraph 3
(3) PWhere feasible and proportionate, public sector bodies mayshall impose an obligation to re-use only pre-processed data where such pre-processing aimserves to anonymizse or pseudonymise personal data or delete commercially confidential information, including trade secrets.
Amendment 253 #
Proposal for a regulation
Article 5 – paragraph 5 a (new)
Article 5 – paragraph 5 a (new)
(5a) Public sector bodies shall apply technical means to prevent re-users from identifying any data subject and shall require re-users to continuously assess the risk of identification and de- anonymisation, and to report to the public sector body concerned, in particular where any data breach has resulted in identification of an individual, breaches of the confidentiality, the integrity, or the security of the data have occurred, notwithstanding any reporting obligations under Union law.
Amendment 255 #
Proposal for a regulation
Article 5 – paragraph 5 b (new)
Article 5 – paragraph 5 b (new)
(5b) In the case of anonymised data, public sector bodies shall make a data protection impact assessment prior to granting access to the data. Where it can be reasonably assumed that, or where an impact assessment indicates that the processing or subsequent combination of data could lead to identification or de- anonymisation, the public sector body shall not allow access to, or re-use of the data.
Amendment 257 #
Proposal for a regulation
Article 5 – paragraph 6
Article 5 – paragraph 6
(6) Where the re-use of personal data cannot be granted in accordance with the obligations laid down in paragraphs 3 to 5 and there is no other legal basis for transmitting the data under Regulation (EU) 2016/679, the public sector body shall support entities requesting re-users in seeking valid consent of the data subjects and/or, insofar as a legal basis exists for the public sector body to collect this consent, and/or in seeking permission from the legal entitiedata holders whose rights and interests may be affected by such re-use, where it is feasible without disproportionate cost for the public sector, and where there is no reason to believe that the combination of non-personal data sets would lead to the identification of data subjects. In that task they may be assisted by the competent bodies referred to in Article 7 (1).
Amendment 259 #
Proposal for a regulation
Article 5 – paragraph 6 a (new)
Article 5 – paragraph 6 a (new)
(6a) Where public sector bodies make personal data available for re-use pursuant to this Article, they shall inform data subjects accordingly of this re-use and of their rights. The public sector body shall support data subjects in exercising their rights, including in relation to any re-users. In that task they may be assisted by the competent bodies referred to in Article 7 (1).
Amendment 261 #
Proposal for a regulation
Article 5 – paragraph 9 – introductory part
Article 5 – paragraph 9 – introductory part
(9) The Commission may adopt implementing acts declaring that the legal, supervisory and enforcement arrangements of a third country without prejudice to Article 45 of Regulation (EU) 2016/679:
Amendment 264 #
Proposal for a regulation
Article 5 – paragraph 13
Article 5 – paragraph 13
(13) Where the re-user intends to transfer non-personal data to a third country, the public sector body shall inform the data holder about the transfer of data to that third country. Data should be treated as personal if there is a foreseeable risk that the re-user may be re-identified.
Amendment 265 #
Proposal for a regulation
Article 6 – paragraph 1
Article 6 – paragraph 1
(1) Public sector bodies which allow re-use of the categories of data referred to in Article 3 (1) may charge cost-based fees for allowing the re-use of such data.
Amendment 267 #
Proposal for a regulation
Article 6 – paragraph 2
Article 6 – paragraph 2
(2) Any fees shall be non- discriminatory, proportionate and objectively justified and shall not restrict competition or inhibit use of data for the general interest.
Amendment 269 #
Proposal for a regulation
Article 6 – paragraph 4
Article 6 – paragraph 4
(4) Where they apply fees, public sector bodies shall take measures to incentivisfacilitate the re-use of the categories of data referred to in Article 3 (1) for non- commercial purposes and by small and medium-sized enterprises in line with State aid rules.
Amendment 274 #
Proposal for a regulation
Article 7 – paragraph 1
Article 7 – paragraph 1
(1) In order to carry out the tasks listed in this article, Member States shall designate one or more competent bodies, which may be sectoral, to support the public sector bodies which grant access to the re-use of the categories of data referred to in Article 3 (1) in the exercise of that task.
Amendment 275 #
Proposal for a regulation
Article 7 – paragraph 2 – point a
Article 7 – paragraph 2 – point a
(a) providing technical support by making availablto ensure a secure processing environment for providing access for the re-use of data;
Amendment 276 #
Proposal for a regulation
Article 7 – paragraph 2 – point c
Article 7 – paragraph 2 – point c
(c) assisting the public sector bodies, where relevant, to support re-users in obtaining consent for permission by re-users for re-use for altruistic and other purposere-use of personal data, or permission from data holders in line with their specific decisions of data holders, including on the jurisdiction or jurisdictions in which the data processing is intended to take place;
Amendment 284 #
Proposal for a regulation
Article 9 – paragraph 1 – point b
Article 9 – paragraph 1 – point b
(b) intermediation services between data subjects that seek to make their personal data available and potential data users, including making available the technical or other means to enable such services, in the exercise of the rights provided in Regulation (EU) 2016/679. The data sharing services shall not themselves process the personal data, but shall only allow data subjects to give consent to specific data users to allow the processing of personal data pertaining to them for specific purposes;
Amendment 285 #
Proposal for a regulation
Article 9 – paragraph 1 – point c
Article 9 – paragraph 1 – point c
(c) services of data cooperatives, that is to say services supporting data subjects or one-person companies or micro, small and medium-sized enterprises, who are members of the cooperative or who confer the power to the cooperative tonamely services that enable data subjects to exercise the rights provided for in Regulation (EU) 2016/679, such as by negotiateing terms and conditions for data processing before they freely consent, inby providing support to enable the making of informed choices before consenting to data processing, and by allowing for mechanisms to exchange views on data processing purposes and conditions that would best represent the interests of data subjects or legal persons, or which enable small and medium-sized enterprises, not-for-profit or academic institutions, to collectively negotiate terms for sharing non-personal data.
Amendment 286 #
Proposal for a regulation
Article 9 – paragraph 2
Article 9 – paragraph 2
(2) This ChapterRegulation shall be without prejudice to the application of other Union and national law to providers of data sharing services, including powers of supervisory authorities to ensure compliance with applicable law, in particular as regard the protection of personal data and competition law.
Amendment 290 #
Proposal for a regulation
Article 10 – paragraph 3
Article 10 – paragraph 3
(3) A provider of data sharing services that is not established in the Union, but offers the services referred to in Article 9 (1) within the Union, shall appoint a legal representative in one of the Member States in which those services are offered. The provider shall be deemed to be under the jurisdiction of the Member State in which the legal representative is established. The representative shall be mandated by the provider of data sharing services to be addressed in addition to or instead of it by, in particular, competent authorities and data subjects and data holders, on all issues related to the service, for the purposes of ensuring compliance with this Regulation. The designation of a representative by the provider of data sharing services shall be without prejudice to legal actions which could be initiated against the provider of data sharing services themselves.
Amendment 293 #
Proposal for a regulation
Article 10 – paragraph 6 – point d
Article 10 – paragraph 6 – point d
(d) a public website where information on the provider and thea full list of its activities can be found, where applicable;
Amendment 301 #
Proposal for a regulation
Article 11 – paragraph 1 – point 2
Article 11 – paragraph 1 – point 2
(2) the metadata generated by and collected from the provision of the data sharing service may be used only for the development of that service;
Amendment 302 #
Proposal for a regulation
Article 11 – paragraph 1 – point 3
Article 11 – paragraph 1 – point 3
(3) the provider shall ensure that the procedure for access to its service is fair, transparent and non-discriminatory for bothdata subjects, data holders and data users, including as regards prices;
Amendment 304 #
Proposal for a regulation
Article 11 – paragraph 1 – point 5
Article 11 – paragraph 1 – point 5
(5) the provider shall have procedures in place to detect, mitigate and prevent fraudulent or abusive practices in relation to access to data from parties seeking access through their services;
Amendment 306 #
Proposal for a regulation
Article 11 – paragraph 1 – point 6
Article 11 – paragraph 1 – point 6
(6) the provider shall ensure a reasonable continuity of provision of its services and, in the case of services which ensure storage of data, shall have sufficient guarantees in place that allow data holders and data users to obtain access to and delete their data in case of insolvency;
Amendment 307 #
Proposal for a regulation
Article 11 – paragraph 1 – point 6 a (new)
Article 11 – paragraph 1 – point 6 a (new)
(6a) the provider shall take reasonable measures to ensure interoperability with other data sharing services by means of commonly used, formal or informal, open standards in the sector in which the data sharing service providers operate;
Amendment 310 #
Proposal for a regulation
Article 11 – paragraph 1 – point 9 a (new)
Article 11 – paragraph 1 – point 9 a (new)
(9a) the provider shall have procedures in place to ensure compliance with the Union and national rules on the protection of personal data, including procedures for ensuring the exercise of data subjects’ rights. In particular, the provider shall provide the data subject with easily accessible tools allowing them a comprehensive view of how and for which specific purpose their personal data are shared by the provider;
Amendment 312 #
Proposal for a regulation
Article 11 – paragraph 1 – point 10
Article 11 – paragraph 1 – point 10
(10) the provider offering services to data subjects shall act in the data subjects’ best interest when facilitating the exercise of their rights, in particular by advising data subjects on potential data uses and standard terms and conditions attached to such uses and how consent and permissions can be withdrawn;
Amendment 314 #
Proposal for a regulation
Article 12 – paragraph 3
Article 12 – paragraph 3
(3) The powers of the designated competent authorities, the are without prejudice to the powers of data protection authorities, the national competition authorities, the authorities in charge of cybersecurity, and other relevant sectorial authorities. Those authorities shall exchange the information which is necessary for the exercise of their tasks in relation to data sharing providers. In particular, for any question requiring an assessment of compliance with Regulation (EU)2016/679, and before starting any data sharing service activities related to personal data, the competent authority shall first request an opinion or decision by the competent supervisory authority established pursuant to that Regulation by which it shall be legally bound.
Amendment 322 #
Proposal for a regulation
Article 15 – paragraph 1
Article 15 – paragraph 1
(1) Each competent authority designated pursuant to Article 20 shall keep a public register of recognised data altruism organisations.
Amendment 325 #
Proposal for a regulation
Article 15 – paragraph 3
Article 15 – paragraph 3
(3) An entity registered in the register in accordance with Article 16 may refer to itself as an ‘EU-registered data altruism organisation recognised in the Union’ in its written and spoken communication.
Amendment 327 #
Proposal for a regulation
Article 16 – paragraph 1 – point b
Article 16 – paragraph 1 – point b
(b) operate on a not-for-profit basis and be fully independent from any, both with regard to the organisation itself and with regard to its personnel, from any relevant entity that operates on a for-profit basis;
Amendment 332 #
Proposal for a regulation
Article 16 – paragraph 1 – point c
Article 16 – paragraph 1 – point c
(c) perform the activities related to data altruism take place through a legally independent structure, separate from other activities it has undertaken.
Amendment 334 #
Proposal for a regulation
Article 16 – paragraph 1 – point c a (new)
Article 16 – paragraph 1 – point c a (new)
(ca) have adequate technical, legal and organisational measures in place to prevent transfer or access to non-personal data which does not comply with Union law;
Amendment 336 #
Proposal for a regulation
Article 16 – paragraph 1 – point c b (new)
Article 16 – paragraph 1 – point c b (new)
(cb) fulfil technical and operational requirements enabling the effective application of data protection standards and the exercise of data subjects’ rights pursuant to Article 16 of the Regulation (EU) 2016/679;
Amendment 337 #
Proposal for a regulation
Article 16 – paragraph 1 – point c c (new)
Article 16 – paragraph 1 – point c c (new)
(cc) data altruism organisations shall act in the data subjects’ best interest when facilitating the exercise of their rights, in particular by advising data subjects on potential risks, potential data uses and standard terms and conditions attached to such uses
Amendment 338 #
Proposal for a regulation
Article 17 – paragraph 4 – point d
Article 17 – paragraph 4 – point d
(d) the entity’s main sources of income and start-up capital;
Amendment 340 #
Proposal for a regulation
Article 17 – paragraph 4 – point f
Article 17 – paragraph 4 – point f
(f) a website where information on the entity and the activities can be found including, as a minimum, the information referred to in points (a), (b), (d), (e), (g) and (h) of this paragraph;
Amendment 341 #
Proposal for a regulation
Article 17 – paragraph 4 – point h
Article 17 – paragraph 4 – point h
(h) the purposes of general interest it intends to promote when collecting data;
Amendment 342 #
Proposal for a regulation
Article 17 – paragraph 4 – point h a (new)
Article 17 – paragraph 4 – point h a (new)
(ha) the nature of data to be controlled, processed, or re-used by the provider, and, in the case of personal data, an indication of the categories of personal data, and the categories of recipients of personal data;
Amendment 344 #
Proposal for a regulation
Article 17 – paragraph 7 a (new)
Article 17 – paragraph 7 a (new)
(7a) Where the information provided in the application indicates that sensitive data categories could be controlled, processed, or re-used, the Data Altruism Organisation shall conduct a data protection impact assessment pursuant to Article 35, and, where applicable Article 36, of Regulation(EU) 2016/679.
Amendment 348 #
Proposal for a regulation
Article 19 – paragraph 1 – introductory part
Article 19 – paragraph 1 – introductory part
(1) AnyPrior to any data processing, the entity entered in the register of recognised data altruism organisations shall inform data subjects and holders:
Amendment 350 #
Proposal for a regulation
Article 19 – paragraph 1 – point a
Article 19 – paragraph 1 – point a
(a) about the purposes of general interest for which ithe data subject provides consent and for which the organisation permits the processing of their data by a data user in an easy-to- understand manner;
Amendment 353 #
Proposal for a regulation
Article 19 – paragraph 1 – point b
Article 19 – paragraph 1 – point b
(b) about by whom and where any processing outside the Union is envisaged.
Amendment 358 #
Proposal for a regulation
Article 21 – paragraph 5 – point a
Article 21 – paragraph 5 – point a
(a) lose its right to refer to itself as an ‘EU-registered data altruism organisation recognised in the Union’ in any written and spoken communication;
Amendment 359 #
Proposal for a regulation
Article 22 – title
Article 22 – title
European data altruism consent forminterface
Amendment 360 #
Proposal for a regulation
Article 22 – paragraph 1
Article 22 – paragraph 1
(1) In order to facilitate the collection of data based on data altruism, the Commission may adopt implementing acts developing a European data altruism consent form. The forminterface. The interface shall allow the collection ofand revocation of free and informed consent across Member States in a uniform format. Those implementing acts shall be adopted in accordance with the advisory procedure referred to in Article 29 (2).
Amendment 361 #
Proposal for a regulation
Article 22 – paragraph 2
Article 22 – paragraph 2
(2) The European data altruism consent forminterface shall use a modular approach allowing customisation for specific sectors and for different purposes.
Amendment 362 #
Proposal for a regulation
Article 22 – paragraph 3
Article 22 – paragraph 3
(3) Where personal data are provided, the European data altruism consent forminterface shall ensure that data subjects are able to give consent to and withdraw consent from a specific data processing operation in compliance with the requirements of Regulation (EU) 2016/679. The interface shall provide up to date information concerning what types of data have been used, with what frequency and for what purposes by users of the data altruism organisation.
Amendment 363 #
Proposal for a regulation
Article 22 – paragraph 4
Article 22 – paragraph 4
(4) The forminterface shall include a consent form which shall be available in a manner that can be printed on paper and read by humans as well as in an electronic, machine-readable form.
Amendment 372 #
Proposal for a regulation
Article 26 – paragraph 2
Article 26 – paragraph 2
(2) Stakeholders and relevant third parties, in particular, groups representing citizens' rights, may be invited to attend meetings of the Board and to participate in its work.