Diff — Comparado Legislativo | Diff by Parlamento.ai

CHAPTER I – GENERAL PROVISIONS

Article 1 Subject matter and scope

Article 1 Subject matter and scope 1. This Regulation lays down harmonised rules on making on: (a) the design of connected products to allow access to data generated by the use of a connected product or generated during the provision of related service available services to the user of that product; (b) data holders making available data they accessed from a connected product or service, on generated during the making data available by provision of a related service to data holders subjects, users or to data recipients, and on at the making request of the user or data subject; (c) fair contractual terms for data sharing agreements; (d) the making available by of data holders to public sector bodies or Union institutions, agencies or bodies, where there is an exceptional need, need in the public interest; (e) facilitating switching between data processing services; (f) introducing safeguards against unlawful international governmental access to non-personal data; and (g) providing for the performance development of a task carried out interoperability standards and common specifications for data to be transferred and used. 1a. This Regulation covers personal and non-personal data, including the following types of data or in the public interest: 2 following contexts: (a) Chapter II applies to accessible data obtained, collected or otherwise generated by connected products or generated during the provision of related services; (b) Chapter III applies to any private sector data subject to statutory data sharing obligations; (c) Chapter IV applies to any private sector data accessed and used on the basis of contractual agreements between businesses; (d) Chapter V applies to any private sector non-personal data; (e) Chapter VI applies to any data and services processed by data processing services; (f) Chapter VII applies to any non-personal data held in the Union by providers of data processing services. 2. This Regulation applies to: (a) manufacturers of connected products and suppliers providers of related services placed on the market in the Union irrespective of their place of establishment and the users of such connected products or services; related services or in the case of personal data, identified or identifiable natural persons the data obtained, collected, or generated by the use, relates to ; (b) users of connected products or related services in the Union and data holders , irrespective of their place of establishment, that make data available to data recipients in the Union; Union or in the case of personal data, identified or identifiable natural persons the data obtained, collected, or generated by the use, relates to ; (c) data recipients in the Union to whom data are made available; (d) public sector bodies of a Member State and Union institutions, agencies or bodies that request data holders to make data available where there is an exceptional need to that data for the performance of a specific task carried out in the public interest and the data holders that provide those data in response to such request; (e) providers of data processing services , irrespective of their place of establishment, offering such services to customers in the Union. 3 3. Union law on the protection of personal data, privacy and confidentiality of communications and integrity of terminal equipment shall apply to any personal data processed in connection with the rights and obligations laid down in this Regulation. The obtaining, collection, or generation of personal data through the use of a product or related service shall require a legal basis pursuant to applicable data protection law. This Regulation shall does not affect constitute a legal basis for the applicability processing of personal data. This Regulation is without prejudice to Union law on the protection of personal data, data and privacy , in particular Regulation (EU) 2016/679 , Regulation (EU) 2018/1725, and Directive 2002/58/EC, including the rules concerning the powers and competences of supervisory authorities. In the event of a conflict between this Regulation and Union law on the protection of personal data or privacy or national law adopted in accordance with such Union law, the relevant Union or national law on the protection of personal data or privacy shall prevail. Insofar as the rights laid down in Chapter II of this Regulation are concerned, and where users are the data subjects of personal data data, subject to the rights and obligations under that Chapter, the provisions of this Regulation shall complement and particularise the right of data portability under Article 20 of Regulation (EU) 2016/679. 4 No provision of this Regulation shall be applied or interpreted in such a way as to diminish or limit the right to the protection of personal data or the right to privacy and confidentiality of communications. 4. This Regulation shall not affect Union and national legal acts providing for the sharing, access and use of data for the purpose of the prevention, investigation, detection or prosecution of criminal or administrative offences or the execution of criminal or administrative penalties, including Regulation (EU) 2021/784 of the European Parliament and of the Council (29) and the [e-evidence proposals [COM(2018) 225 and 226] once adopted, and international cooperation in that area. This Regulation shall not affect the collection, sharing, access to and use of data under Directive (EU) 2015/849 of the European Parliament and of the Council on the prevention of the use of the financial system for the purposes of money laundering and terrorist financing and Regulation (EU) 2015/847 of the European Parliament and of the Council on information accompanying the transfer of funds. This Regulation shall not affect the competences of the Member States regarding activities concerning public security, defence, national security, customs and tax administration and the public health and the safety of citizens in accordance with Union law. This Regulation shall not apply to data collected or generated in the context of defence-related activities or by defence products or services or by products or services deployed and used for defence purposes. 4a. This Regulation complements and does not affect the applicability of Union law aiming to promote the interests of consumers and to ensure a high level of consumer protection, to protect their health, safety and economic interests, including Directives 2005/29/EC, 2011/83/EU and 93/13/EEC. 4b. Data holders shall not be obliged to provide access to data to any natural or legal person, entity or body outside the Union, unless requested by the user or otherwise provided by the Union law or national law implementing the Union law. 4c. The obligations set out in the Regulation shall not preclude voluntary lawful reciprocal non personal data sharing between users, data holders and data recipients, agreed in contracts.

Article 2 Definitions

Article 2 Definitions For the purposes of this Regulation, the following definitions apply: (1) ‘data’ means any digital representation of acts, facts or information and any compilation of such acts, facts or information, including in the form of sound, visual or audio-visual recording; (2) ‘product’ content, or data obtained, generated or collected by the connected product or transmitted to it on behalf of others for the purpose of storage or processing, shall not be covered by this Regulation. (1a) ‘personal data’ means a tangible, movable item, including where incorporated personal data as defined in Article 4, point (1), of Regulation (EU) 2016/679; (1b) ‘non-personal data’ means data other than personal data; (1c) ‘consent’ means consent as defined in Article 4, point (11), of Regulation (EU) 2016/679; (1d) ‘data subject’ means data subject as defined in Article 4, point (1), of Regulation (EU) 2016/679; (1e) ‘data user’ means a natural or legal person who has lawful access to certain personal or non-personal data and has a right to use that data for commercial or non-commercial purposes; (2) ‘ connected product’ means an immovable ▌ item, that obtains, generates or collects, accessible data concerning its use or environment, and that is able to communicate data via a publicly available an electronic communications service service, a physical, connection or on-device access and whose primary function is not the storing and , processing or transmission of data; data on behalf of others ; (3) ‘related service’ means a digital service, including software, software , but excluding electronic communication services which is incorporated in or inter-connected with a product in such a way that its absence would prevent the product from performing one or more of its functions; functions , and which involves accessing data from the connected product by the provider or the service ; (4) ‘virtual assistants’ means software that can process demands, tasks or questions including those based on audio, written input, gestures or motions, and based on those demands, tasks or questions provides access their own and third party to other services or control their own and third party devices; the functions of products ; (4a) ‘consumer’ means any natural person who, is acting for purposes which are outside that person’s trade, business, craft or profession; (5) ‘user’ means a natural or legal person that owns, rents or leases owns a connected product or receives a services; related service or to whom the owner of a connected product has transferred, on the basis of a rental or leasing agreement, temporary rights to use a connected product or receive related services and, where the connected product or related service involves the processing of personal data, the data subject ; (6) ‘data holder’ means a legal or natural person person, who has accessed data from the right connected product or has generated data during the provision of a related service and who has the contractually agreed right to use such data, and the obligation, in accordance with this Regulation, applicable Union law or national legislation implementing Union law, or in the case of non-personal data and through control of the technical design of the product and related services, the ability, law to make available certain data; data to the user or a data recipient ; (7) ‘data recipient’ means a legal or natural person, acting for purposes which are related to that person’s trade, business, craft or profession, person ▌ other than the user of a connected product or related service, to whom the a data holder makes available data available, including accessed from a third party following connected product or generated during the provision of a related service following an explicit request by the user to the data holder ▌ or in accordance with a legal obligation under Union law or national legislation implementing Union law; (8) ‘enterprise’ means a natural or legal person which in relation to contracts and practices covered by this Regulation is acting for purposes which are related to that person’s trade, business, craft or profession; (9) ‘public sector body’ means national, regional or local authorities of the Member States and bodies governed by public law of the Member States, or associations formed by one or more such authorities or one or more such bodies; (10) ‘public emergency’ means an exceptional situation , limited in time such as public health emergencies, emergencies resulting from natural disasters, as well as human-induced major disasters, including major cybersecurity incidents, negatively affecting the population of the Union, a Member State or part of it, with a risk of serious and lasting repercussions on living conditions or economic stability, financial stability, or the substantial and immediate degradation of economic assets in the Union or the relevant Member State(s); State(s) and which is determined and officially declared according to the relevant procedures under Union or national law ; (10a) ‘official statistics’ means ‘European statistics’ within the meaning of Regulation (EC) No 223/2009 (30); (11) ‘processing’ means any operation or set of operations which is performed on data or on sets of data in electronic format, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction; (12) ‘data processing service’ means a digital service other than an online content service as defined in Article 2(5) of Regulation (EU) 2017/1128, provided to a customer, which enables on-demand administration and broad remote access to a scalable and elastic pool of shareable computing resources of a centralised, distributed or highly distributed nature; (13) ‘service type’ means a set of data processing services that share the same primary objective and basic data processing service model; (14) ‘functional equivalence’ means the maintenance of a minimum level of functionality in the environment of a new data processing service after the switching process, to such an extent that, in response to an input action by the user on core elements of the service, the destination service will deliver the same output at the same performance and with the same level of security, operational resilience and quality of service as the originating service at the time of termination of the contract; (15) ‘open interoperability specifications’ standards’, mean ICT technical specifications, as defined in Regulation (EU) No 1025/2012, ▌ which are performance oriented towards achieving interoperability between data processing services; (16) ‘smart contract’ means a computer program stored in an electronic ledger system wherein the outcome of the execution of the program is recorded on the electronic ledger; (17) ‘electronic ledger’ means services and which are adopted through an electronic ledger within the meaning of Article 3, point (53), of Regulation (EU) No 910/2014; inclusive, collaborative, consensus-based and transparent process from which materially affected and interested parties cannot be excluded ; ▌ (18) ‘common specifications’ means a document, other than a standard, containing technical solutions providing a means to comply with certain requirements and obligations established under this Regulation; (19) ‘interoperability’ means the ability of two or more data-based serviced, including data spaces or communication networks, systems, products, applications or components to process, exchange and use data in order to perform their functions; functions in an accurate, effective and consistent manner ; (19a) ‘portability’ means the ability of a customer to move imported or directly generated data that can be clearly assigned to the customer between their own system and cloud services, and between cloud services of different cloud service providers; (20) ‘harmonised standard’ means a harmonised standard as defined in Article 2, point (1)(c), of Regulation (EU) No 1025/2012. 1025/2012; (20a) ‘common European data spaces’ means purpose- or sector-specific or cross-sectoral interoperable frameworks of common standards and practices to share or jointly process data for, inter alia, development of new products and services, scientific research or civil society initiatives; (20b) ‘metadata’ means a structured description of the contents of the use of data facilitating the discovery or use of that data; (20c) ‘data intermediation service’ means data intermediation service as referred to in Article 2, point (8), of Regulation (EU) 2022/868; (20d) ‘data altruism’ means the voluntary sharing of data as defined in Article 2(16)of Regulation (EU) 2022/868; (20e) ‘trade secret’ means information which meets all the requirements of Article 2, point (1) of Directive (EU) 2016/943; (20f) ‘trade secret holder’ should be understood as per Article 2, point (2) of Directive (EU) 2016/943.

CHAPTER II – BUSINESS TO CONSUMER AND BUSINESS TO BUSINESS DATA SHARING

Article 3 Obligation to make data generated by the use of products or related services accessible

1 Products shall be designed and manufactured, and Article 3 Obligation to make data accessed from connected products or generated during the provision of related services accessible to the user. 1. Connected products shall be provided, designed and manufactured in such a manner that data generated by their use they collect, generate or otherwise obtain, which are accessible to data holders or data recipients are, by default, default free of charge to the user, and easily, securely and, where relevant and appropriate, technically feasible , directly accessible to it, in a comprehensive, structured, commonly used and machine-readable format. Data shall be available in the user. 2 form in which they have been collected, obtained or generated by the connected product, along with only the minimal adaptations necessary to make them useable by a third party, including related metadata necessary to interpret and use the data. Information derived or inferred from this data by means of complex proprietary algorithms, in particular where it combines the output of multiple sensors in the connected product, shall not be considered within the scope of a data holder’s obligation to share data with users or data recipients unless agreed differently between the user and the data holder. In case that user is a data subject, connected products shall offer possibilities to directly exercise the data subjects’ rights, where technically feasible. Connected products shall be designed and manufactured in such a way that a data subject, irrespective of their legal title over the connected product, is offered the possibility to use the products covered by this Regulation in the least privacy-invasive way possible. The requirements set out in the first subparagraph shall be met without inhibiting the functionality of the connected product and related services and in accordance with data security requirements as laid down by Union law . 1a. Data holders may reject a request for data if access to the data is prohibited by Union or national law. 2. Before concluding a contract for the purchase, rent or lease purchase of a product connected product, the manufacturer, or a related service, where relevant the vendor, shall provide at least the following information shall be provided ▌ to the user, in a simple manner and in a clear and comprehensible format: (a) the nature and volume type of data, format, sampling frequency, the data likely to be generated by in-device storage capacity, and the use estimated volume of accessible data which the connected product is capable of collecting, generating or related service; otherwise obtaining ; (b) whether the data connected product is likely to be generated capable of generating data continuously and in real-time; (ba) whether data will be stored on-device or on a remote server, including the period during which it shall be stored; (c) how the user may access free of charge, and, where relevant, retrieve and request the deletion of those data; (d) whether (ca) The technical means to access the manufacturer supplying data, such as Software Development Kits or application programming interfaces, and their terms of use and quality of service shall be sufficiently described to enable the development of such means of access; (cb) Whether a data holder is the holder of trade secrets or other intellectual property rights contained in the data likely to be accessed from the connected product or generated during the provision of related service, and, if not, the identity of the trade secret holder, such as its trading name and the geographical address at which it is established. ▌ 2a. Related services shall be provided in such a manner that data generated during their provision, which represent the digitalisation of user actions or events, are free of charge to the user and, by default, easily, securely and, where relevant and technically feasible, directly accessible to the user in a structured, commonly used and machine-readable format, along with the relevant metadata necessary to interpret and use it. 2b. Before the user concludes an agreement with a provider of related services, which involves the provider’s access to data from the connected product during the provision of such services, in line with Article 4(6) of this Regulation, the agreement shall address: (a) the nature, volume, collection frequency and format of data accessed by the provider of related services from the connected product and, where relevant, the modalities for the user to access or retrieve such data, including the period during which it shall be stored; (b) the nature and estimated volume of data generated during the provision of the related service, as well as modalities for the user to access or retrieve such data; (c) granular, meaningful consent options for data processing, within the meaning of Article 4(11) of Regulation (EU) 2016/679; (d) whether the service provider providing the related service service, in its role as data holder, intends to use the data accessed from the connected product itself or allow a one or more third party parties to use the data and, if so, the purposes for which those data will be used; (e) whether purposes agreed upon with the seller, renter or lessor is user; (e) the data holder and, if not, trading name of the identity provider of the data holder, such as related service, its trading name legal entity identifier, contact details and the geographical address at which it is established; and where applicable, other data processing parties; (f) where relevant, the means of communication which enable the user to contact the data holder provider quickly and communicate with that data holder its staff efficiently; (g) how the user may request that the data are shared with a third-party; data recipient, and, where relevant, withdraw the consent for data sharing; (h) Whether a data holder is the holder of trade secrets or other intellectual property rights contained in the data likely to be accessed from the connected product or generated during the provision of related service, and, if not, the identity of the trade secret holder, such as its trading name, legal identity identifier and the geographical address at which it is established; (i) how the user is able to manage permissions to allow the use of data, where possible with granular permission options, and including the option to withdraw permissions to a data holder for the use of the user’s data, to the third parties nominated by a data holder, or to exclude geographical addresses; (j) the duration of the agreement between the user and the provider of the related service, as well as the modalities to terminate such an agreement prematurely; as well as the minimal period for which the related service is guaranteed to receive security and functionality updates; (k) the user’s right to lodge a complaint alleging a violation of the provisions of this Chapter with the competent authority data coordinator referred to in Article 31.

Article 4 The right of users to access and use data generated by the use of products or related services

1 Article 4 The rights and obligations of users and data holders to access , use and make available data accessed from connected products or generated during the provision of related services 1. Where data cannot be directly accessed by the user from the product, the data holder holders shall make available to the user the any data generated accessed by its use of them from a connected product or generated during the provision of a related service without undue delay, easily, securely, in a comprehensive, structured, commonly used and machine-readable format, free of charge and, where applicable, relevant and technically feasible , continuously and in real-time. This real-time , including making any personal data derived from such data available to a data subject pursuant to Article 15 of Regulation (EU) 2016/679, accompanied with relevant metadata. Data shall be provided in the form in which they have been accessed from the connected product or generated by the related service, with only the minimal adaptations necessary to make them useable by a third party, including related metadata necessary to interpret and use the data. Information derived or inferred from this data by means of complex proprietary algorithms, in particular where it combines the output of multiple sensors in the connected product, shall not be considered within the scope of a data holder’s obligation to share data with users or data recipients, unless agreed differently between the user and the data holder. Any data access request to a data holder should be done on the basis of a simple request through electronic means where technically feasible. 2 The feasible and, where appropriate, indicate the type, nature or scope of data requested . 1a. Data holders may reject a request for data if access to the data is prohibited by Union or national law; 1b. Users and data holders may agree contractually on restricting or prohibiting the access, use of or further sharing of data, which could undermine security of the product as laid down by law. Each party may refer the case to the data coordinator, to assess whether such restriction is justified, in particular in light of serious adverse effect on the health, safety or security of human beings. Sectoral competent authorities will be given the possibility to provide technical expertise in this context. 1c. Where in compliance with all the provisions established within this Regulation, and the terms and conditions agreed in the contractual agreement between the parties, a data holder shall not be liable towards the user for any damage arising from data made available, provided that the data holder has processed the data lawfully in accordance with Union and national law and has complied with relevant cybersecurity requirements and where applicable, with the technical and organisational measures to preserve the confidentiality of the shared data. When complying with this Regulation, a user, who lawfully makes available data accessed from the connected product or received following a request under Article 4 paragraph 1 to a third party, or a data recipient, who is lawfully sharing data made available to it by a data holder, to a third party, shall not be liable for damage arising from sharing such data, provided that the user or data recipient have processed the data in accordance with Union and national laws and have complied with relevant cybersecurity requirement and where applicable, with the technical and organisational measures to preserve the confidentiality of the shared data. 1d. Data holders shall not make the exercise of the rights or choices of users unduly difficult, including by offering choices to the users in a non-neutral manner or by subverting or impair the autonomy, decision-making or free choices of the user via the structure, design, function or manner of operation of a user interface or a part thereof. 2. Data holders shall not require the user to provide any information beyond what is necessary to verify the quality as a user pursuant to paragraph 1. The data holder Data holders shall not keep any information on the user’s access to the data requested beyond what is necessary for the sound execution of the user’s access request and for the security and the maintenance of the data infrastructure. 3 Where identification is legally requires, data holders shall enable the possibility for users to identify and authenticate through the European Digital Identity Wallets, pursuant to Regulation (EU) No 910/2014. 3. Trade secrets shall be preserved and shall only be disclosed provided that all specific necessary measures pursuant to Directive (EU) 2016/943 are taken in advance to preserve the confidentiality of trade secrets their confidentiality, in particular with respect to third parties. The data holder and or the user trade secret holder if it is not simultaneously the data holder, shall identify the data which are protected as trade secrets and can agree with the user any technical and organisational measures to preserve the confidentiality of the shared data, in particular in relation to third parties. 4 parties , as well as on liability provisions. Such technical and organisational measures include, as appropriate, model contractual terms, confidential agreements, strict access protocols, technical standards and the application of codes of conduct. In cases where the user fails to implement those measures or undermines the confidentiality of trade secrets, the data holder shall be able to suspend the sharing of data identified as trade secrets. In such cases, the data holder must immediately notify the data coordinator of the Member State in which the data holder is established, pursuant to Article 31 of this Regulation, that it has suspended the sharing of data and identify which measures have not been implemented or which trade secrets have had their confidentiality undermined. Where the user wishes to challenge the data holder’s decision to suspend the sharing of data, the data coordinator shall decide, within a reasonable period of time, whether the data sharing shall be resumed or not and if yes, indicate under which conditions . 4. The user shall not use the ▌ data obtained pursuant to a request referred to in paragraph 1 to develop a product that directly competes with the product product, from which the data originate. 5 originate and shall not use such data to derive insights about the economic situation, assets and production methods of the manufacturer . 4a. The user shall not deploy coercive means or abuse gaps in the technical infrastructure of a data holder designed to protect the data in order to obtain access to data. 4b. Users have the right to either directly share, through a data holder or through providers of data intermediation services as set in the Regulation (EU) 2022/868, non-personal data accessed from the connected product or obtained pursuant to a request referred in paragraph 1 to any data recipient for commercial or non-commercial purposes. The data sharing between a user and a data recipient shall be carried out by means of contractual agreements; the provisions of Chapter IV on fair, reasonable and non-discriminatory terms shall apply mutatis mutandis to the contractual agreements between users and data recipients. 5. Where the user is not a data subject, any personal data generated by the use of a product or related service shall only be made available by the data holder to the user where all conditions and rules provided by the applicable data protection law are complied with, in particular where there is a valid legal basis under Article 6(1) 6 of Regulation (EU) 2016/679 and, where relevant, the conditions of Article 9 of Regulation (EU) 2016/679 and Article 5(3) of Directive 2002/58/EC are fulfilled. 6 The data holder 6. Data holders shall only use any non-personal data accessed from a connected product or generated by during the use provision of a product or related service on the basis of a contractual agreement with the user. The data holder shall not make the use of the product or related service dependent on the user allowing it to process data not required for the functionality of the product or provision of the related service. The data holder shall delete the data when they are no longer necessary for the purpose contractually agreed. Data holders and the users shall not use such data obtained, collected or generated by the use of the product or related service to derive insights about the economic situation, assets and production methods of or the use of the product or related service by the user other party that could undermine the commercial position of the user other party in the markets in which the user is active. 6a. Data holders shall not make available non-personal data accessed by them from the connected product, referred to in point (a) of Article 3(2), to third parties for commercial or non-commercial purposes other than the fulfilment of their contractual obligations to the user. Where relevant, data holders shall contractually bind third parties not to further share data received from them. 6b. Where the contractual agreement between the user and a data holder allows for the use of non personal data accessed by them from the connected product, referred to in point (a) of Article 3(2a), the data holder shall be able to use that data for any of the following purposes: (a) improving the functioning of the connected product or related services; (b) developing new products or services; (c) enriching or manipulating it or aggregating it with other data, including with the aim of making available the resulting data set to third parties, as long as such derived data set does not allow the identification of the specific data items transmitted to the data holder from the connected product, or allow a third party to derive those data items from the data set. 6c. Users, in business-to- business relations, have the right to make data available to data recipients or data holders under any lawful contractual condition, including by agreeing to limit or restrict further sharing of such data, and to be compensated proportionately in exchange for foregoing their right to use or share such data lawfully. Data recipients or data holders shall not make the offer of a related service, or its commercial terms, including pricing, contingent on such agreement by the user, or coerce, deceive or manipulate in any other way the user to make available data under such contractual conditions.

Article 5 Right to share data with third parties

1 Article 5 Right of the user to share data with third parties 1. Upon request by a user, or by a party acting on behalf of a user, such as an authorised data intermediation service in the meaning of the Regulation (EU) 2022/868, data holder holders shall make available the data generated accessed by the use of them from a connected product or generated during the provision of a related service to a third party, without undue delay, easily, securely, in a comprehensive, structured, commonly used and machine-readable format, free of charge to the user, of the same quality as is available to the data holder and, where applicable, relevant and technically feasible continuously and in real-time. 2 Where the user is a data subject, personal data shall be processed for purposes specified by the data subject, such as the following: (a) the provision of after-market services, such as the maintenance and repair of the product, including after-market services in competition with a connected product or service provided by a data holder; (b) enabling the user to update the software of the connected product or related services in particular to fix security and usability problems; (c) specific data intermediation services recognised in the Union or specific services provided by data altruism organisations recognised in the Union under the conditions and requirements of Chapters III and IV of Regulation (EU) 2022/868. Data shall be provided in the form in which they have accessed from the product, with only the minimal adaptations necessary to make them useable by a third party, including related metadata necessary to interpret and use the data. Information derived or inferred from this data by means of complex proprietary algorithms, in particular where it combines the output of multiple sensors in the connected product, shall not be considered within the scope of a data holder’s obligation to share data with users or data recipients, unless agreed differently between the user and the data holder. 1a. The right under paragraph 1 shall not apply to data resulting from the use of a product or related service in the context of testing of other new products, substances or processes that are not yet placed on the market unless use by a third party is permitted by the agreement with the enterprise with whom the user agreed to use one of its products for testing of other new products, substances or processes. 2. Any undertaking providing core platform services for which one or more of such services have been designated as a gatekeeper, pursuant to Article […] of [Regulation XXX on contestable and fair markets in the digital sector (Digital Markets Act) ], ▌ Regulation (EU) 2022/1925 , shall not be an eligible third party data recipient under this Article and therefore shall not: (a) solicit or commercially incentivise a user in any manner, including by providing monetary or any other compensation, to make data available to one of its services that the user has obtained pursuant to a request under Article 4(1); (b) solicit or commercially incentivise a user to request the data holder to make data available to one of its services pursuant to paragraph 1 of this Article; (c) receive data from a user that the user has obtained pursuant to a request under Article 4(1). 3 3. The user or third party the data recipient shall not be required to provide any information beyond what is necessary to verify the quality as user or as third party data recipient pursuant to paragraph 1. The data holder Data holders shall not keep any information on the third party’s data recipient ’s access to the data requested beyond what is necessary for the sound execution of the third party’s data recipient ’s access request and for the security and the maintenance of the data infrastructure. 4 4. The third party data recipient shall not deploy coercive means or abuse evident ▌ gaps in the technical infrastructure of the a data holder designed to protect the data in order to obtain access to data. 5 5. The data holder shall not use any non-personal data obtained, collected or generated by the use of the product or related service to derive insights about the economic situation, assets and production methods of or use by the third party that could undermine the commercial position of the third party on the markets in which the third party is active, unless the third party has expressly consented to such use and has the technical possibility to easily withdraw that consent at any time. 6 Where 6. In the user is not case of a data subject, subject who is not the user requesting access , any personal data obtained, collected, or generated by the their use of a product or related service , and data derived and inferred from that use, shall only be made available by the data holder to the third party where there is a valid legal basis under Article 6(1) 6 of Regulation (EU) 2016/679 and where relevant, the conditions of Article 9 of Regulation (EU) 2016/679 and Article 5(3) of Directive 2002/58/EC are fulfilled. 7 7. Any failure on the part of the data holder and the third party to agree on arrangements for transmitting the data shall not hinder, prevent or interfere with the exercise of the rights of the data subject under Regulation (EU) 2016/679 and, in particular, with the right to data portability under Article 20 of that Regulation. 8 8. Trade secrets shall only be disclosed to third parties to the extent that they are strictly necessary to fulfil the purpose of the request agreed between the user and the third party and all specific necessary measures agreed between the data holder , or between the trade secrets holder if it is not simultaneously the data holder, and the third party are taken prior to the disclosure by the third party to preserve the confidentiality of the trade secret. In such a case, the nature of data holder or the trade secret holder, shall identify the data which are protected as trade secrets and the technical and organisational measures for preserving the their confidentiality , as well as on liability provisions. Such technical and organisational measures shall be specified in the agreement between the data or trade secret holder and the third party. 9 party , including, as appropriate through model contractual terms, strict access protocols, confidential agreements, technical standards and the application of codes of conduct. In cases where the third party fails to implement those measures or undermines the confidentiality of trade secrets, the data holder shall be able to suspend the sharing of data identified as trade secrets. In such cases, the data holder must immediately notify the data coordinator of the Member State in which the data holder is established, pursuant to Article 31, that it has suspended the sharing of data and identify which measures have not been implemented or which trade secrets have had their confidentiality undermined. Where the third party wishes to challenge the data holder’s decision to suspend the sharing of data, the data coordinator shall decide, within a reasonable period of time, whether the data sharing shall be resumed or not and if yes, indicate under which conditions . 9. The right referred to in paragraph 1 shall not adversely affect data protection the rights of others. data subjects of others pursuant to the applicable data protection law .

Article 6 Obligations of third parties receiving data at the request of the user

1 Article 6 Obligations of data recipients receiving data at the request of the user 1. A third party data recipient shall process the ▌ data made available to it pursuant to Article 5 only for the purposes and under the conditions agreed with the user, and where all conditions and rules provided by the applicable data protection law are complied with, notably where there is a valid legal basis under Article 6(1) of Regulation (EU) 2016/679 and, where relevant, the conditions of Article 9 of Regulation (EU) 2016/679 and Article 5(3) of Directive 2002/58/EC are fulfilled, and subject to the rights of the data subject insofar as personal data are concerned, and concerned . The data recipient shall delete the data when they are no longer necessary for the agreed purpose. 2 purpose , unless otherwise agreed with the user . 2. The third party data recipient shall not: (a) make the exercise of the rights or choices of users unduly difficult including by offering choices to the users in a non-neutral manner, or coerce, deceive or manipulate the user in any way, or by subverting or impairing the autonomy, decision-making or choices of the user, including by means of a digital interface with the user; user or a part thereof, including its structure, design, function or manner of operation ; (b) use the data it receives for the profiling of natural persons within the meaning of Article 4(4) 4, point (4), of Regulation (EU) 2016/679, unless it is necessary to provide the service requested by the user; other than in accordance with that Regulation ; (c) make the data available ▌ it receives available to another third party, party without making the user aware in raw, aggregated or derived form, unless this is necessary to provide a clear and easily accessible way and seeking its the service requested explicit contractual permission by the user; (d) make the data available it receives to an undertaking providing core platform services for which one or more of such services have been designated as a gatekeeper pursuant to Article […] 3 of [Regulation on contestable and fair markets in the digital sector (EU) 2022/1925 (Digital Markets Act)]; (e) use the data it receives to develop a product that competes with the product from which the accessed data originate or share the data with another third party for that purpose; (f) prevent data recipients shall also not use any non-personal data generated by the user, including through contractual commitments, from making use of the product or related service to derive insights about the economic situation, assets and production methods of or use by the data holder that could undermine the commercial position of the data holder on the markets in which the data holder is active; (ea) use the data it receives available in a manner that adversely impacts the security of the product or related service(s); (eb) where relevant, disregard the specific measures agreed with a data holder or with the trade secrets holder pursuant to other parties. article 5 (8) of this Regulation and break the confidentiality of trade secrets; (ec) use the data to disrupt sensitive critical infrastructure protection information within the meaning of Article 2(d) of Directive 2008/114/EC. ▌ 2a. The third party shall bear the responsibility to ensure the security and protection of the data it receives from a data holder.

Article 7 Scope of business to consumer and business to business data sharing obligations

1 Article 7 Scope of business to consumer and business to business data sharing obligations 1. The obligations of this Chapter shall not apply to data generated by the use of products manufactured or related services provided by ▌ enterprises that qualify as micro or small enterprises, as defined in Article 2 of the Annex to Recommendation 2003/361/EC, provided those enterprises do not have partner enterprises or linked enterprises as defined in Article 3 of the Annex to Recommendation 2003/361/EC which do not qualify as a micro or small enterprise. 2 enterprise and where the micro and small enterprise is not subcontracted to manufacture or design a product or provide a related service . 2. Where this Regulation refers to products or related services, such reference shall also be understood to include virtual assistants, insofar as they are used to access or control a product or related service.

CHAPTER III – OBLIGATIONS FOR DATA HOLDERS LEGALLY OBLIGED TO MAKE DATA AVAILABLE

Article 8 Conditions under which data holders make data available to data recipients

1 Article 8 Conditions under which data holders make data available to data recipients ▌ 1. Where a data holder is obliged to make data available to a data recipient under Article 5 or under other Union law or national legislation implementing Union law, it shall agree, with a data recipient the modalities for making the data available and shall do so under fair, reasonable and non-discriminatory terms and in a transparent manner in accordance with the provisions of this Chapter and Chapter IV. 2 A data holder shall agree with a data recipient the terms for making the data available. 2. ▌ A contractual term concerning the access to and use of the data or the liability and remedies for the breach or the termination of data related obligations shall not be binding if it fulfils the conditions of Article 13 or if it excludes the application of, derogates from or varies the effect of the user’s rights under Chapter II. 3 3. A data holder shall not discriminate with respect to the modalities of data sharing between comparable categories of data recipients, including partner enterprises or linked enterprises, as defined in Article 3 of the Annex to Recommendation 2003/361/EC, of the data holder, when making data available. Where a data recipient considers holds reasonable doubt that the conditions under which data has been made available to it to be discriminatory, it shall be for the data holder to demonstrate shall , without undue delay, provide the data recipient with the evidence demonstrating that there has been no discrimination. 4 A data holder shall not make data available to a data recipient on an exclusive basis unless requested by the user under Chapter II. 5 ▌ 5. Data holders and data recipients shall not be required to provide any information beyond what is necessary to verify compliance with the contractual terms agreed for making data available or their obligations under this Regulation or other applicable Union law or national legislation implementing Union law. 6 5a. Data holders and data recipients shall take all necessary legal, organisational and technical measures to ensure the security and integrity of the data transfers. 6. Unless otherwise provided by Union law, including Article Articles 4(3), 5(8) and 6 of this Regulation, or by national legislation implementing Union law, an obligation to make data available to a data recipient shall not oblige the disclosure of trade secrets within the meaning of Directive (EU) 2016/943.

Article 9 Compensation for making data available

1 Article 9 Compensation for making data available 1. Any compensation agreed between a data holder and a data recipient for making data available in business- to- business relations shall be non — discriminatory and reasonable. 2 A data holder, a data recipient or a third party shall not directly or indirectly charge consumers or data subjects a fee, compensation or costs for sharing data or accessing it. 2. Where the data recipient is a micro, small non- profit research organisation or medium enterprise, a SME , as defined in Article 2 of the Annex to Recommendation 2003/361/EC, provided those enterprises do not have partner enterprises or linked enterprises as defined in Article 3 of the Annex to Recommendation 2003/361/EC and do not qualify as an SME, any compensation agreed shall not exceed the costs directly related to making the data available to the data recipient and which are attributable to the request. Article 8(3) shall apply accordingly. 3 In case of an SME, the data holder shall actively inform of the obligation to provide the data preferably on the basis of a cost-based model. 2a. The Commission shall develop guidelines to determine criteria for categories of costs related to making data available, which shall be the basis for awarding compensation pursuant to paragraph 1. 3. This Article shall not preclude other Union law or national legislation implementing Union law from excluding compensation for making data available or providing for lower compensation. 4 4. The data holder shall provide the data recipient with information setting out the basis for the calculation of the compensation in sufficient detail so that the data recipient can verify that the requirements of paragraph 1 and, where applicable, paragraph 2 are met.

Article 10 Dispute settlement

1 Data Article 10 Dispute settlement 1. Users, data holders and data recipients shall have access to dispute settlement bodies, certified in accordance with paragraph 2 of this Article, to settle disputes in relation to fulfilment of the data holder’s obligation to make data available to the data recipient, upon the request of the user, the determination of fair, reasonable and non-discriminatory terms for and the transparent manner of making data available in accordance with Articles 8 , 9 and 9. 2 13 . 2. The Member State where the dispute settlement body is established shall, at the request of that body, certify the body, where the body has demonstrated that it meets all of the following conditions: (a) it is impartial and independent, and it will issue its decisions in accordance with clear and fair rules of procedure; (b) it has the necessary expertise in relation to the determination of fair, reasonable and non-discriminatory terms for and the transparent manner of making data available, allowing the body to effectively determine those terms; (c) it is easily accessible through electronic communication technology; (d) it is capable of issuing its decisions in a swift, efficient and cost-effective manner and in at least one official language of the Union. Member State where the body is established. If no dispute settlement body is certified in a Member State by [date of application of the Regulation], that Member State shall establish and certify a dispute settlement body that fulfils the conditions set out in points (a) to (d) of this paragraph. 3 3. Member States shall notify to the Commission the dispute settlement bodies certified in accordance with paragraph 2. The Commission shall publish a list of those bodies on a dedicated website and keep it updated. 4 4. Dispute settlement bodies shall make the fees, or the mechanisms used to determine the fees, known to the parties concerned before those parties request a decision. 5 5. Dispute settlement bodies shall refuse to deal with a request to resolve a dispute that has already been brought before another dispute settlement body or before a court or a tribunal of a Member State. 6 6. Dispute settlement bodies shall grant the parties the possibility, within a reasonable period of time, to express their point of view on matters those parties have brought before those bodies. In that context, dispute settlement bodies shall provide those parties with the submissions of the other party and any statements made by experts. Those bodies shall grant the parties the possibility to comment on those submissions and statements. 7 7. Dispute settlement bodies shall issue their decision on matters referred to them no later than 90 days after the request for a decision has been made. Those decisions shall be in writing or on a durable medium and shall be supported by a statement of reasons supporting the decision. 8 7a. Dispute settlement bodies shall make annual activity reports publicly available. Each annual report shall include in particular the following information: (a) the number of disputes received; (b) an aggregation of the outcomes of those disputes; (c) the average time taken to resolve the disputes; (d) the most common reasons that lead to disputes between the parties. 7b. In order to facilitate the exchange of information and best practices, the public dispute settlement body may decide to include recommendations as to how such problems can be avoided or resolved. 8. The decision of the dispute settlement body shall only be binding on the parties if the parties have explicitly consented to its binding nature prior to the start of the dispute settlement proceedings. 9 9. This Article does not affect the right of the parties to seek an effective remedy before a court or tribunal of a Member State.

Article 11 Technical protection measures and provisions on unauthorised use or disclosure of data

1 Article 11 Technical protection measures and provisions on unauthorised use or disclosure of data 1. The data holder may apply appropriate technical protection measures, including smart contracts, contracts and encryption , to prevent unauthorised disclosure of and access to the data , including metadata, and to ensure compliance with Articles 4, 5, 6, 8, 9 and 10, as well as with the agreed contractual terms for making data available. Such technical protection measures shall not be used as a means to hinder neither discriminate between data recipients nor hinder, the user’s right to effectively obtain a copy, retrieve, use or access data or provide data to third parties pursuant to Article 5 or any right of a third party under Union law or national legislation implementing Union law as referred to in Article 8(1). 2 A Where a user or data holder provides tangible relevant evidence for unlawful use or unauthorised disclosure to a third party by the data recipient, the data recipient shall, upon request of the user or data holder, provide information on how the data has been used, or with whom it has been shared. 2. Where a data recipient that has, for the purposes of obtaining data, provided inaccurate or ▌ false information to the data holder, deployed deceptive or coercive means or abused evident gaps in the technical infrastructure of the data holder designed to protect the data, has used the data made available for unauthorised purposes , including the development of a competing product within the meaning of Article 6 (2) (e) or has unlawfully disclosed those ▌ data to another party, the data recipient shall be liable for the damages to the party without suffering from the misuse or disclosure of such data holder’s authorisation, and shall comply without undue delay, unless delay with the requests of the data holder or the user instruct otherwise: trade secret holder when they are not the same legal person to : (a) destroy erase the data made available by the data holder ▌ and any copies thereof; (b) end the production, offering, placing on the market or use of goods, derivative data or services produced on the basis of knowledge obtained through such data, or the importation, export or storage of infringing goods for those purposes, and destroy any infringing goods. 3 Paragraph 2, point (b), shall not apply in either (ba) inform the user of the following cases: (a) unauthorised use or disclosure of the data has not caused significant harm and measures taken to put an end to the data holder; (b) it would be disproportionate in light unauthorised use or disclosure of the interests data. (bb) notify the data holder about the disclosure of such data. 2a. The user shall enjoy the same prerogatives as the data holder. holder, and the data recipient, the same obligation as those stated in paragraph 2 when the data recipient has infringed Article 6 (2) (a) and (b). ▌

Article 12 Scope of obligations for data holders legally obliged to make data available

1 Article 12 Scope of obligations for data holders legally obliged to make data available 1. This Chapter shall apply where a data holder is obliged under Article 5, or under Union law or national legislation implementing Union law, to make data available to a data recipient. 2 2. Any contractual term in a data sharing agreement which, to the detriment of one party, or, where applicable, to the detriment of the user, excludes the application of this Chapter, derogates from it, or varies its effect, shall not be binding on that party. 3 void. 2a. Any contractual term in a data sharing agreement between data holders and data recipients which, to the detriment of the data subjects, undermines the application of their rights to privacy and data protection, derogates from it, or varies its effect, shall be void. 3. This Chapter shall only apply in relation to obligations to make data available under Union law or national legislation implementing Union law, which enter into force after [date of application of the Regulation].

CHAPTER IV – UNFAIR TERMS RELATED TO DATA ACCESS AND USE BETWEEN ENTERPRISES

Article 13 Unfair contractual terms unilaterally imposed on a micro, small or medium-sized enterprise

1 Article 13 Unfair contractual terms unilaterally imposed on a ▌ enterprise 1. A contractual term, concerning the access to and use of data or the liability and remedies for the breach or the termination of data related obligations which has been unilaterally imposed by an enterprise on a micro, small or medium-sized another enterprise as defined in Article 2 of the Annex to Recommendation 2003/361/EC ▌ shall not be binding on the latter enterprise , the data recipient or user respectively, if it is unfair. 2 1a. A contractual term is not to be considered unfair where it arises from applicable Union law. 2. A contractual term is unfair if it is of such a nature that objectively impairs the ability of the party upon whom the term has been unilaterally imposed to protect its legitimate commercial interest in the data in question or its use grossly deviates from good commercial practice in data access and use, contrary to good faith and fair dealing. 3 or creates a significant imbalance between the rights and the obligations of the parties in the contract. 3. A contractual term is unfair for the purposes of this Article if its object or effect is to: (a) exclude or limit the liability of the party that unilaterally imposed the term for intentional acts or gross negligence; (b) exclude the remedies available to the party upon whom the term has been unilaterally imposed in the case of non-performance of contractual obligations or the liability of the party that unilaterally imposed the term in the case of a breach of those obligations; (c) give the party that unilaterally imposed the term the exclusive right to determine whether the data supplied are in conformity with the contract or to interpret any term of the contract. 4 4. A contractual term is presumed unfair for the purposes of this Article if its object or effect is to: (a) inappropriately limit the remedies in the case of non-performance of contractual obligations or the liability in the case of a breach of those obligations; (b) allow the party that unilaterally imposed the term to access and use data of the other contracting party in a manner that is significantly detrimental to the legitimate interests of the other contracting party; party , including when such data contains commercially sensitive data or are protected by trade secrets or by intellectual property rights, without the prior consent of the relevant parties ; (c) prevent the party upon whom the term has been unilaterally imposed from using the data contributed or generated by that party during the period of the contract, or to limit the use of such data to the extent that that party is not entitled to use, capture, access or control such data or exploit the value of such data in a proportionate manner; (ca) impose the unilateral choice of the competent jurisdiction or the payment of the cost related to the procedure; (cb) prevent the party upon whom the term has been unilaterally imposed for terminating the agreement within a reasonable time period; (d) prevent the party upon whom the term has been unilaterally imposed from obtaining a copy of the data contributed or generated by that party during the period of the contract or within a reasonable period after the termination thereof; (e) enable the party that unilaterally imposed the term to substantially vary the upfront price payable under the contract, or any other substantial condition on the data to be shared, without the right of the other party to terminate the contract, or enable the party that unilaterally imposed the term to terminate the contract with an unreasonably short notice, taking into consideration the reasonable possibilities of the other contracting party to switch to an alternative and comparable service and the financial detriment caused by such termination, except where there are serious grounds for doing so. 5 5. A contractual term shall be considered to be unilaterally imposed within the meaning of this Article if it has been supplied by one contracting party and the other contracting party has not been able to influence its content despite an attempt to negotiate it. The contracting party that supplied a contractual term bears the burden of proving that that term has not been unilaterally imposed. 6 6. Where the unfair contractual term is severable from the remaining terms of the contract, those remaining terms shall remain binding. 7 6a. The party that supplied the contested term may not argue that the term is an unfair term. 7. This Article does not apply to contractual terms defining the main subject matter of the contract or and shall not affect the parties' ability to contractual terms determining negotiate the price to be paid. 8 8. The parties to a contract covered by paragraph 1 may shall not exclude the application of this Article, derogate from it, or vary its effects. 8a. This Article shall apply to all new contracts entered into after … [date of entry into force of this Regulation. Businesses shall be given three-years following that date to review existing contractual obligations that are subject to this Regulation. 8b. Given the rapidity in which innovations occur in the markets, the list of unfair contractual terms within Article 13 shall be reviewed regularly by the Commission and be updated to new business practices if necessary.

CHAPTER V – MAKING DATA AVAILABLE TO PUBLIC SECTOR BODIES AND UNION INSTITUTIONS, AGENCIES OR BODIES BASED ON EXCEPTIONAL NEED

Article 14 Obligation to make data available based on exceptional need

1 Article 14 Obligation to make data available based on exceptional need 1. Upon request, a specified duly justified request limited in time and scope , a data holder that is a legal person shall make non-personal data which are available at the time of the request, including metadata available to a public sector body or to a Union institution, agency or body demonstrating an exceptional need to use the data requested. 2 2. This Chapter shall not apply to small and micro enterprises as defined in Article 2 of the Annex to Recommendation 2003/361/EC. 2a. This Chapter shall not preclude voluntary arrangements between businesses and public sector bodies and union institutions, agencies or bodies for the sharing of data for purpose of delivering public services, including for exceptional needs if stipulated in their contracts.

Article 15 Exceptional need to use data

Article 15 Exceptional need to use data ▌ An exceptional need to use non-personal data within the meaning of this Chapter shall be limited in time and scope and shall be deemed to exist in any of ▌ the following circumstances: (a) where the data requested is necessary to respond to a ▌ public emergency; (b) where the data request is limited in time and scope and necessary to prevent a public emergency or to assist the recovery from a public emergency; (c) non-emergency situations, where the lack of available data prevents the public sector body or Union institution, agency or body from fulfilling is acting on the basis of Union or national law and has identified specific data, which is unavailable to it and which is necessary to fulfil, a specific task in the public interest that has been explicitly provided by law; law such as the prevention or recovery from a public emergency and (1) which the public sector body or Union institution, agency or body has been unable to obtain such data by alternative means, including any of the following means: voluntary agreement ; by purchasing the data on the market at market rates or by relying on existing obligations to make data available, and the adoption of new legislative measures cannot ensure the timely availability of the data; or (2) obtaining the data in line with the procedure laid down in this Chapter would substantively reduce the administrative burden for data holders or other enterprises. available. ▌

Article 16 Relationship with other obligations to make data available to public sector bodies and Union institutions, agencies and bodies

1 Article 16 Relationship with other obligations to make data available to public sector bodies and Union institutions, agencies and bodies ▌ 1. This Chapter shall not affect obligations laid down in Union or national law for the purposes of reporting, complying with information requests or demonstrating or verifying compliance with legal obligations. 2 The rights from this 2. ▌This Chapter shall not be exercised by apply to public sector bodies and Union institutions, agencies and bodies in order to that carry out activities for the prevention, investigation, detection or prosecution of criminal or administrative offences or the execution of criminal penalties, or for to customs or taxation administration. This Chapter does not affect the applicable Union and national law on the prevention, investigation, detection or prosecution of criminal or administrative offences or the execution of criminal or administrative penalties, or for customs or taxation administration. 2a. Enterprises that fall within the scope of this Chapter shall inform their users of the possibility that data may be shared in the case of exceptional circumstances.

Article 17 Requests for data to be made available

1 Where requesting Article 17 Requests for data to be made available 1. In a request for data pursuant to Article 14(1), a public sector body or a Union institution, agency or body shall: (a) request data within their remit and specify what data datasets are required; (b) demonstrate the exceptional need for which the data are requested; requested and compliance with the conditions mentioned in Article 15 ; (c) explain the purpose of the request, the intended use of the data requested, and the duration of that use; (ca) specify, if possible, when the data is expected to be deleted by all parties that have access to it; (cb) justify the choice of data holder to which the request is addressed; (cc) specify any other public sector bodies, Union institutions, agencies or bodies and the third parties with which the data requested is expected to be shared with; (cd) disclose the identity of the third party referred to in paragraph 4 of this Article, and in Article 21 of this Regulation; (ce) apply all relevant ICT security measures concerning the transfer and storage of data; (d) state the legal basis for requesting the data; (da) specify the geographical limits that apply to the request for data; (e) specify the deadline by which the data are to be made available or and within which the data holder may request the public sector body, Union institution, agency or body to modify or withdraw the request. 2 request; (ea) submit a declaration on the lawful and secure handling of the data requested, including the confidentiality of trade secrets; (eb) ensure that making the data available does not put the data holder in a situation that violates Union or national law or confer liability on the data holder for any infringement or damage resulting from the data access that a public sector body or a Union institution, agency or body has requested. 2. A request for data made pursuant to paragraph 1 of this Article shall: (a) be made in writing and be expressed in clear, concise and plain language understandable to the data holder; (aa) be submitted through the competent authority; (ab) be specific with regards to the type of data is requested and correspond to data which the data holder has available at the time of the request; (b) be justified and proportionate to the exceptional need, in terms of the granularity and volume of the data requested and frequency of access of the data requested; (c) respect the legitimate aims of the data holder, taking into account the protection of trade secrets and the cost and effort required to make the data available; (d) concern, insofar available . Where applicable, specify the measures to be taken pursuant to Article 19(2) to preserve the confidentiality of trade secrets, including, as possible, appropriate, through the use of model contractual terms, technical standards and codes of conduct ; (d) concern only non-personal data; (e) inform the data holder of the penalties that shall be imposed pursuant to Article 33 by a competent authority data coordinator referred to in Article 31 in the event of non-compliance with the request; (f) be made transmitted to the data coordinator referred to in Article 31, who shall make the request publicly available online without undue delay. 3 delay; the data coordinator may inform the public sector body or Union institution, agency or body if the data holder already provided the requested data in response to previously submitted request for the same purpose by another public sector body or Union institution agency or body. 3. A public sector body or a Union institution, agency or body shall not make data obtained pursuant to this Chapter available for reuse within the meaning of Directive (EU) 2019/1024. 2019/1024 and Regulation (EU) 2022/868 . Directive (EU) 2019/1024 and Regulation (EU) 2022/868 shall not apply to the data held by public sector bodies obtained pursuant to this Chapter. 4 4. Paragraph 3 does not preclude a public sector body or a Union institution, agency or body to exchange data obtained pursuant to this Chapter with another public sector body, Union institution, agency or body, in view for the purpose of completing the tasks in Article 15 which was included the request in accordance with paragraph 1(cc), or to make the data available to a third party in cases where it has outsourced, by means of a publicly available agreement, technical inspections or other functions to this third party. The obligations on public sector bodies, Union institutions, agencies or bodies pursuant It shall bind the third party contractually not to Article 19 apply. use the data for any other purposes and not to share is with any other third parties, Where a public sector body or a Union institution, agency or body transmits or makes data available under this paragraph, it shall notify the data holder from whom the data was received. received without undue delay. Within five working days of that notification, the data holder shall have the right to submit a reasoned objection to such transmission or making available of data. In the case of a rejection of the reasoned objection by the public sector body or a Union institution, agency or body, the data holder may bring the matter to the data coordinator referred to in Article 31. The receiving public sector bodies, Union institutions, agencies or bodies and third parties shall be bound by the obligations laid down in Article 19 ▌ . Data obtained pursuant this chapter shall be used only for the purpose specified in the request. Public sector bodies, Union institutions, agencies or bodies shall bind contractually third parties with whom they agreed to share data pursuant paragraph 4 not to use the data for any other purpose and not to share it with other parties.

Article 18 Compliance with requests for data

1 Article 18 Compliance with requests for data 1. A data holder receiving a request for access to data under this Chapter shall make the data available to the requesting public sector body or a Union institution, agency or body without undue delay. 2 delay , taking into account provision of time and necessary technical, organisational and legal measures . 2. Without prejudice to specific needs regarding the availability of data defined in sectoral legislation, the data holder may decline or seek the modification of the request within 5 five working days following the receipt of a request for the data necessary to respond to a public emergency and within 15 30 working days in other cases of exceptional need, on either of the following grounds: (a) the data is unavailable; (b) the request does not meet the conditions laid down in Article 17(1) and (2). 3 In case of a request for data necessary to respond available to a public emergency, the data holder may also decline or seek modification at the time of the request if the data holder already ; (aa) provided the requested data in response to previously submitted security measures concerning transfer, storing and maintaining confidentiality are insufficient; (ab) a similar request for the same purpose has been previously submitted by another public sector body or Union institution institution, agency or body and the data holder has not been notified of the destruction of the data pursuant to Article 19(1), 19(1) point (c). 4 (c); (b) the request does not meet the conditions laid down in Article 17(1) and (2). ▌ 4. If the data holder decides to decline the request or to seek its modification in accordance with paragraph 3, it shall indicate the identity of the public sector body or Union institution agency or body that previously submitted a request for the same purpose. 5 5. Where compliance with the request to make data available to a public sector body or a Union institution, agency or body requires the disclosure of personal data, the data holder shall take reasonable efforts to ▌ pseudonymise the data, insofar as the request can personal data to be fulfilled with pseudonymised data. 6 made available . 6. Where the public sector body or the Union institution, agency or body wishes to challenge a data holder’s refusal to provide the data requested, or to seek modification of the request, or where the data holder wishes to challenge the request, the matter shall be brought to the competent authority data coordinator referred to in Article 31. 31 , without prejudice to the right to submit a dispute to a civil or administrative court, in accordance with Union or national law .

Article 19 Obligations of public sector bodies and Union institutions, agencies and bodies

1 Article 19 Obligations of public sector bodies and Union institutions, agencies and bodies 1. A public sector body or a Union institution, agency or body having received data pursuant to a request made under Article 14 shall: (a) not use the and statistical or research organisations receiving data in pursuant to a manner incompatible with the purpose for which they were requested; request made under Article 21(1) shall: ▌ (b) implement, insofar as the processing of personal data is necessary, technical and organisational measures that safeguard the rights and freedoms of data subjects; subjects and guarantee a high level of security and prevent the unauthorised disclosure of data ; (ba) implement the necessary technical and organisational measures to manage cyber risk that could affect the confidentiality, integrity or availability of the requested data; (bb) notify the data holder from whom has received the data of any cybersecurity incident affecting the confidentiality, integrity, or availability of the received data as soon as possible but not later than 72 hours after having determined that the incident has occurred without prejudice to the reporting obligations under Regulation(EU) XXX/XXXX (EUIBAL) and Directive (EU) 2022/2555. Those entities shall be liable by damages due to a cybersecurity breach if they have not had the measures in place pursuant to paragraph 1, point (ba); (c) destroy erase the data as soon as they are no longer necessary for the stated purpose and inform without undue delay the data holder that the data have been destroyed. 2 Disclosure erased . 1a. A public sector body, Union institution, agency, body, or a third party receiving data under this Chapter shall not: (a) use the data to develop a product or a service that competes with the product or service or enhance an existing product or service from which the accessed data originates; (b) derive insights about the economic situation, assets and production or operation methods of trade secrets the data holder, or alleged share the data with another third party for that purpose; or (c) share the data with another third party for any of those purposes. 2. Disclosure of trade secrets ▌ to a public sector body or to a Union institution, agency or body shall only be required to the extent that it is strictly necessary to achieve the purpose of the request. a request under Article 15 . In such a case, the data holder shall identify the data which are protected as trade secrets. The public sector body or the Union institution, agency or body shall take in advance all the necessary and appropriate technical and organisational measures agreed with the data holder or with the trade secrets holder if it is not simultaneously the same legal person, to preserve the confidentiality of those trade secrets including as appropriate through the use of model contractual terms, technical standards and the application of codes of conduct . 2a. Where a public sector body or a Union institution, agency or body transmits or makes data available to third parties to perform the tasks that have been outsourced to it as a result of the outsourcing of technical inspections or other functions pursuant to Article 17(4), trade secrets as identified by the data holder, shall only be disclosed to the extent that they are strictly necessary for the third party to perform the tasks that have been outsourced and provided that all specific necessary measures agreed between the data holder and the third party are taken in advance, including technical and organisational measures to preserve the confidentiality of those trade secrets, including as appropriate through the use of model contractual terms, technical standards and the application of codes of conduct. 2b. In cases where the public sector body or a Union institution, agency or body that submitted the request for data or the third party to which data were made available pursuant to Article 17(4) fails to implement those measures or undermines the confidentiality of trade secrets, the data holder shall be able to suspend the sharing of data identified as trade secrets. In such cases, the data holder shall immediately notify the data coordinator of the Member State in which the data holder is established, pursuant to Article 31, that it has suspended the sharing of data and identify which measures have not been implemented or which trade secrets have had their confidentiality undermined. Where the public sector body or Union institution, agency or body or the third party wishes to challenge the data holder’s decision to suspend the sharing of data, the data coordinator shall decide within a reasonable period of time, whether the data sharing shall be resumed or not and if yes, indicate under which conditions. 2c. A public sector body or a Union institution, agency or body shall be responsible for the security of the data that they receive. 2d. A public sector body or a Union institution, agency or body shall notify the data holder in the event of a security breach as soon as possible, but within 48 hours at the latest.

Article 20 Compensation in cases of exceptional need

1 Data Article 20 Compensation in cases of exceptional need 1. Unless specified otherwise in Union or national law, data made available to respond to a public emergency pursuant to Article 15, point (a), shall be provided free of charge. 2 Where The public sector body or the Union institution, agency or body that has received data shall provide public recognition to the data holder claims compensation if requested by the data holder. 2. ▌The data holder shall be entitled to fair remuneration for making data available in compliance with a request made pursuant to Article 15, points point (b) or (c), , such compensation shall not exceed at least cover the technical and organisational costs incurred to comply with the request including, where necessary, applicable , the costs of anonymisation and of technical adaptation, plus a reasonable margin. Upon request of the public sector body or the Union institution, agency or body requesting the data, the data holder shall provide information on the basis for the calculation of the costs and the reasonable margin. 2a. Where the public-sector body or the Union institution, agency or body wishes to challenge the level of remuneration requested by the data holder, the matter shall be brought to the attention of the data coordinator referred to in Article 31 of the Member State where the data holder is established.

Article 21 Contribution of research organisations or statistical bodies in the context of exceptional needs

1 Article 21 Contribution of research organisations or statistical bodies in the context of exceptional needs 1. A public sector body or a Union institution, agency or body shall be entitled to share data received under this Chapter with individuals or organisations in view of carrying out scientific research or analytics compatible with necessary to fulfil the purpose for which the data was requested, or to national statistical institutes , the members of the European System of Central Banks and Eurostat for the compilation of official statistics. 2 2. Individuals or organisations receiving the data pursuant to paragraph 1 shall act exclusively on a not-for-profit basis or in the context of a public-interest mission recognised in Union or Member State law. They shall not include organisations upon which commercial undertakings have a decisive influence or significant influence, which could result in preferential access to the results of the research. 3 3. Individuals or organisations receiving the data pursuant to paragraph 1 shall comply with the provisions of Article 17(3) and Article 19. 4 4. Where a public sector body or a Union institution, agency or body transmits intends to transmit or makes make data available under paragraph 1, it shall notify the data holder from whom the data was received. That notification shall include the identity and the contact details of individuals or organisations receiving the data, the purpose of the transmission or making available of the data and the period for which the data will be used by the receiving entity. Within five working days of the notification referred to in the first subparagraph of this paragraph, the data holder shall have the right to submit a reasoned objection to such transmission or making available of data. In the case of a rejection of the objection by the public sector body, Union institution, agency or body, the data holder may bring the reasoned objection to the data coordinator referred to in Article 31.

Article 22 Mutual assistance and cross-border cooperation

1 Article 22 Mutual assistance and cross-border cooperation 1. Public sector bodies and Union institutions, agencies and bodies shall cooperate and assist one another, to implement this Chapter in a consistent manner. 2 2. Any data exchanged in the context of assistance requested and provided pursuant to paragraph 1 shall not be used in a manner incompatible with the purpose for which they were requested. 3 3. Where a public sector body intends to request data from a data holder established in another Member State, it shall first notify the competent authority data coordinator of that Member State as referred to in Article 31, of that intention. This requirement shall also apply to requests by Union institutions, agencies and bodies. 4 The request shall be evaluated by the competent authority of the Member State where the data holder is established. 4. After having been notified in accordance with paragraph 3, the relevant competent authority data coordinator shall advise the requesting public sector body of the need, if any, to cooperate with public sector bodies of the Member State in which the data holder is established, with the aim of reducing the administrative burden on the data holder in complying with the request. The requesting public sector body shall take the advice of the relevant competent authority data coordinator into account.

CHAPTER VI – SWITCHING BETWEEN DATA PROCESSING SERVICES

Article 23 Removing obstacles to effective switching between providers of data processing services

1 Article 23 Removing obstacles to effective switching between providers of data processing services 1. Providers of a data processing service shall , within their capacity, take the measures provided for in Articles 24, 24a, 24b, 25 and 26 to ensure that enable customers of their service can to switch to another data processing service, covering the same equivalent service type, ▌ , which is provided by a different service provider. provider of data processing services or, where relevant, to use several providers of data processing services at the same time . In particular, providers of a data processing service shall not impose and shall remove commercial, technical, contractual and organisational obstacles, which inhibit customers from: (a) terminating, after a maximum notice period of 30 60 calendar days, the contractual agreement of the service; service , unless an alternative notice period is mutually and explicitly agreed between the customer and the provider where both parties are able equally to influence the content of the contractual agreement ; (b) concluding new contractual agreements with a different provider of data processing services covering the same equivalent service type; ▌; (c) porting its the customer’s exportable data, applications and other digital assets to another provider of data processing services; services or to an on-premise ICT infrastracture, including after having benefited from a free-tier offering ; (d) maintaining achieving functional equivalence in the use of the new service in the IT-environment of the different provider or providers of data processing services covering the same equivalent service type, ▌ , in accordance with Article 26. 2 2. Paragraph 1 shall only apply to obstacles that are related to the services, contractual agreements or commercial practices provided by the original provider. source provider of data processing services .

Article 24 Contractual terms concerning switching between providers of data processing services

1 Article 24 Contractual terms concerning switching between providers of data processing services 1. The rights of the customer and the obligations of the provider of a data processing service in relation to switching between providers of such services or, where applicable, to an on-premise ICT infrastructure shall be clearly set out in a written contract. contract which is made available to the customer in a user-friendly manner prior to signing the contract . Without prejudice to Directive (EU) 2019/770, the provider of a data processing service shall ensure that that contract shall include includes at least the following: (a) clauses allowing the customer, upon request, to switch to a data processing service offered by another provider of data processing service services or to port all data, exportable data ▌ applications and digital assets generated directly or indirectly by the customer to an on-premise system, ICT infrastructure, without undue delay and in particular the establishment of a any event no longer than mandatory maximum transition period of 30 90 calendar days, during which the provider of data processing service provider services shall: (1) (i) reasonably assist and, where technically feasible, complete through and facilitate the switching process; (2) (ii) act with due care to maintain business continuity and a high level of security of the service and, taking into account the advancement in the switching process, ensure full , to the greatest extent possible, continuity in the provision of the relevant functions or services within the capacity of the source provider of data processing services and in accordance with contractual obligations . (iia) provide clear information concerning known risks to continuity in the provision of the respective functions or services on the part of the provider of source data processing services. (b) (aa) a list of additional services that customers can obtain facilitating the switching process, such as the test of the switching process; (ab) an exhaustive obligation on the provider of data processing services to support the development of the customer’s exit strategy relevant to the contracted services, including through providing all relevant information; (b) a detailed specification of all data and application categories exportable that can be ported during the switching process, including, at a minimum, all data imported by the customer at the inception of the service agreement and all exportable data and metadata created by the customer and by the use of the service during the period the service was provided, including, but not limited to, configuration parameters, security settings, access rights and access logs to the service; ; (c) a minimum period for data retrieval of at least 30 calendar days, starting after the termination of the transition period that was agreed between the customer and the service provider, provider of data processing services , in accordance with paragraph 1, point (a) and paragraph 2; (ca) an obligation on the provider of data processing services to delete all of the former customer’s exportable data after the expiration of the period set out in paragraph 1, point (c), of this Article; 2. 2 Where the mandatory transition period as defined in paragraph 1, points (a) and (c) of this Article is technically unfeasible, the provider of data processing services shall notify the customer within 7 14 working days after the switching request has been made, and shall duly motivating motivate the technical unfeasibility with a detailed report and indicating indicate an alternative transition period, which may not exceed 6 9 months. In accordance with paragraph 1 of this Article, full ▌ service continuity shall be ensured throughout the alternative transition period against reduced charges, referred to in Article 25(2). The customer shall retain the right to extend that period, if needed, prior to or during the switching process.

Article 25 Gradual withdrawal of switching charges

1 Article 25 Gradual withdrawal of switching charges 1. From [date X+3yrs] [ the date of entry into force of this Regulation ] onwards, providers of data processing services shall not impose any charges on the customer customers who are consumers for the switching process. 2 2. From [date X, the date of entry into force of the Data Act] this Regulation ] until [date X+3yrs], providers of data processing services may impose reduced charges on customers in the customer context of business-to-business relations for the switching process , with particular reference to egress fees . 2a. From [3 years after the date of entry into force of this Regulation] onwards, providers of data processing services shall not impose any charges for the switching process. 3 3. The charges referred to in paragraph 2 shall not exceed the costs incurred by the provider of data processing services that are directly linked to the switching process concerned. 4 concerned and shall be linked to the mandatory operations that providers of data processing services must perform as part of the switching process . 3a. Standard subscription or service fees and charges for professional transition services work undertaken by the provider of data processing services at the customer’s request for support in the switching process shall not be considered switching charges for the purposes of this Article. 3b. Before entering into a contractual agreement with a customer, the provider of data processing services shall provide the customer with clear information describing the charges imposed on the customer for the switching process in accordance with paragraph 2, as well as the fees and charges referred to in paragraph 3a, and, where relevant, shall provide information on services that involve highly complex or costly switching or for which it is impossible to switch without significant interference in the data, application or service architecture. Where applicable, the provider of data processing services shall make this information publicly available to customers via a dedicated section of their website or in any other easily accessible way. 4. The Commission is empowered to adopt delegated acts in accordance with Article 38 to supplement this Regulation in order to introduce a monitoring mechanism for the Commission to monitor switching charges imposed by providers of data processing service providers services on the market to ensure that the withdrawal and reduction of switching charges as described in paragraph paragraphs 1 and 2 of this Article will be attained in accordance with the deadline provided in the same paragraph. those paragraphs .

Article 26 Technical aspects of switching

1 Article 26 Technical aspects of switching 1. Providers of data processing services that concern scalable and elastic computing resources limited to infrastructural elements such as servers, networks and the virtual resources necessary for operating the infrastructure, but that do not provide access to the operating services, software and applications that are stored, otherwise processed, or deployed on those infrastructural elements, shall ensure take reasonable measures within their power to facilitate that the customer, after switching to a service covering the same service type offered by a different provider of data processing services, enjoys achieves functional equivalence in the use of the new service. 2 For service , provided that the functional equivalence is established by the destination provider of data processing services. The source provider of data processing services other than those covered by paragraph 1, providers shall facilitate the process through providing capabilities, adequate information, documentation, technical support and, where appropriate, the necessary tools . 2. Providers of data processing services ▌ , including providers of destination data processing services, shall make open interfaces publicly available and free of charge. 3 For data processing services other than charge in order to facilitate switching between those covered by services and data portability and interoperability. In accordance with paragraph 1, providers 1 of this Article, those services shall also make it possible that a specific service, where there are no major obstacles, can be unbundled from the contract and made available for switching in an interoperable manner . 3. ▌Providers of data processing services shall ensure compatibility with open interoperability and portability specifications or European standards for interoperability that are identified in accordance with Article 29(5) ▌. 3a. Providers of data processing services for which a new open interoperability and portability specification or European standard was published in the repository referred to in Article 29(5) shall have the right to a one-year transition for compliance with the obligation referred to in paragraph 3 of this Regulation. 4 Article. 4. Where the open interoperability and portability specifications or European standards referred to in paragraph 3 of this Article do not exist for the equivalent service type ▌ concerned, the provider of data processing services shall, at the request of the customer, where technically feasible, export all data generated or co-generated, including the relevant data formats and exportable data structures, in a structured, commonly used and machine-readable format. format as indicated to the customer in accordance with the exit strategy referred to in Article 24(1), point (ab), unless another format is accepted by the customer . 4a. Providers of data processing services shall not be required to develop new technologies or services, disclose or transfer proprietary or confidential data or technology to a customer or to another provider of data processing services or compromise the customer’s or provider’s security and integrity of service;

CHAPTER VII – INTERNATIONAL CONTEXTS NON-PERSONAL DATA SAFEGUARDS

Article 27 International access and transfer

1 Article 27 International access and transfer 1. Providers of data processing services shall take all reasonable ▌ technical, legal and organisational measures, including contractual arrangements, in order to prevent international transfer or and third-country governmental access to such non-personal data held in the Union where such transfer or access would create a conflict with be in contravention of Union law or the national law of the relevant Member State, without prejudice to paragraph 2 or 3. 2 2. Any decision or judgment of a court or tribunal and any decision of an administrative authority of a third country requiring a provider of data processing services to transfer from or give access to non-personal data falling within the scope of this Regulation held in the Union may shall only be recognised or enforceable in any manner if based on an international agreement, such as a mutual legal assistance treaty, in force between the requesting third country and the Union or any such agreement between the requesting third country and a Member State. 3 3. In the absence of such an international agreement, where a provider of data processing services is the addressee of a decision of a court or a tribunal or a decision of an administrative authority of a third country to transfer from or give access to non-personal data falling within the scope of this Regulation held in the Union and compliance with such a decision would risk putting the addressee in conflict with Union law or with the national law of the relevant Member State, transfer to or access to such data by that third-country authority shall take place only: only following a review by the relevant competent bodies or authorities, pursuant to this Regulation to assess if, in addition to complying with the provisions of any relevant Union or national o law, the following conditions have been met : (a) where the third-country system requires the reasons and proportionality of the decision or judgement to be set out, and it requires such decision or judgement, as the case may be, to be specific in character, for instance by establishing a sufficient link to certain suspected persons, or infringements; (b) the reasoned objection of the addressee is subject to a review by a competent court or tribunal in the third-country; and (c) the competent court or tribunal issuing the decision or judgement or reviewing the decision of an administrative authority is empowered under the law of that country to take duly into account the relevant legal interests of the provider of the data protected by Union law or national law of the relevant Member State. The addressee of the decision may ask the opinion of the Commission, the data coordinator pursuant to this Regulation or relevant competent bodies or authorities, pursuant to this Regulation, authorities , in order to determine whether these conditions are met, notably when it considers that the decision may relate to trade secrets and other commercially sensitive data, data as well as to content protected by intellectual property rights , or may impinge on national security or defence interests of the Union or its Member States. If the addressee has not received a reply within a month, or if the opinion of the competent authorities concludes that the conditions are not met, the addressee shall deny the request for transfer or access on those grounds. The European Data Innovation Board established under Regulation [xxx – DGA] (EU) 2022/868 and referred to in Article 31a of this Regulation shall advise and assist the Commission in developing guidelines on the assessment of whether these conditions are met. 4 4. If the conditions in paragraph 2 or 3 are met, the provider of data processing services shall provide the minimum amount of data permissible in response to a request, based on a reasonable interpretation thereof. 5 thereof by the relevant competent body or authority . 4a. Where the provider of data processing services has reason to believe that the transfer of or access to non-personal data may lead to the risk of re-identification of non-personal, or anonymised data, the provider shall request the relevant bodies or authorities competent pursuant to applicable data protection legislation for authorisation before transferring or giving access to data. 5. The provider of data processing services shall inform the data holder about the existence of a request of an administrative authority in a third-country to access its data before complying with its request, except in cases where the request serves law enforcement purposes and for as long as this is necessary to preserve the effectiveness of the law enforcement activity.

CHAPTER VIII – INTEROPERABILITY

Article 28 Essential requirements regarding interoperability

1 Operators Article 28 Essential requirements regarding interoperability of data spaces 1. Participants of data spaces that offer data or data services to other participants, shall comply with, the following essential requirements to facilitate interoperability of data, data sharing mechanisms and services: (a) the dataset content, use restrictions, licences, data collection methodology, data quality and uncertainty shall be sufficiently described in a machine-readable format to allow the recipient to find, access and use the data; (b) the data structures, data formats, vocabularies, classification schemes, taxonomies and code lists shall be described in a publicly available and consistent manner; (c) the technical means to access the data, such as application programming interfaces, and their terms of use and quality of service shall be sufficiently described to enable automatic access and transmission of data between parties, including continuously or in real-time ▌ in a machine-readable format; format where that is technically feasible and does not hamper the good functioning of the product ; (d) the means to enable the interoperability of smart ▌ contracts for data sharing within their services and activities shall be provided. These requirements can have a generic nature or concern specific sectors, while taking fully into account the interrelation with requirements coming from other Union or national sectoral legislation. 2 2. The Commission is empowered to adopt delegated acts, after consulting the European Data Innovation Board pursuant to Article 29 and Article 30, points (f) and (h), of Regulation (EU) 2022/868 and in accordance with Article 38 of this Regulation, to supplement this Regulation by further specifying the essential requirements referred to in paragraph 1. 3 Operators 1 of this Article . 3. The participants of data spaces that offer data or data services to other participants of data spaces that meet the harmonised standards or parts thereof published by reference in the Official Journal of the European Union shall be presumed to be in conformity with the essential requirements referred to in paragraph 1 of this Article, ▌, to the extent those standards cover those requirements. 4 3a. Participants within a particular data space shall agree on the rules by which the accountabilities regarding those requirements are defined between the participants. 4. The Commission may, in accordance with Article 10 of Regulation (EU) No 1025/2012, request one or more European standardisation organisations to draft harmonised standards that satisfy the essential requirements under paragraph 1 of this Article 5 ,developed in an open, transparent, technology-neutral, industry-led and inclusive manner, in accordance with Chapter II of Regulation (EU) No 1025/2012, taking into account, where relevant, existing international standards, good practices, norms, technical specifications and relevant open source norms as well as the needs of SMEs. 5. The Commission shall, may , by way of implementing acts, adopt common specifications, where harmonised standards referred to in paragraph 4 of this Article do not exist or in case if it considers that the relevant harmonised standards are insufficient to ensure conformity with the essential requirements in paragraph 1 of this Article, where necessary, with respect necessary . Prior to any or all of the requirements laid down in paragraph 1 of this Article. Those adopting those implementing acts the Commission shall seek advice from and take into account relevant positions adopted by the European Data Innovation Board, as referred to in Article 30, point (f), of Regulation (EU) 2022/868 and be adopted in accordance with the examination procedure referred to in Article 39(2). 6 6. The Commission may adopt guidelines proposed by the European Data Innovation Board in accordance with Article 30, point (h), of Regulation (EU) 2022/868 laying down interoperability specifications for the functioning of common European data spaces, such as architectural models and technical standards implementing legal rules and arrangements between parties that foster data sharing, such as regarding rights to access and technical translation of consent or permission.

Article 29 Interoperability for data processing services

1 Article 29 Interoperability and portability for data processing services 1. Open interoperability and portability specifications and European standards for the interoperability and portability of data processing services shall: (a) where technically feasible, be performance oriented towards achieving interoperability and portability between different data processing services that cover the same service type; equivalent services ; (b) enhance portability of digital assets between different data processing services that cover the same service type; equivalent services ; (c) guarantee, facilitate , where technically feasible, functional equivalence between different data processing services referred to in paragraph 1 of Article 26 that cover equivalent services; (ca) shall not adversely impact the same service type. 2 security and integrity of services and data; (cb) be designed in a way to allow for technical advances and inclusion of new functions and innovation in data processing services. 2. Open interoperability and portability specifications and European standards for the interoperability and portability of data processing services shall address: 3 (a) the cloud interoperability aspects of transport interoperability, syntactic interoperability, semantic data interoperability, behavioural interoperability and policy interoperability; (b) the cloud data portability aspects of data syntactic portability, data semantic portability and data policy portability; (c) the cloud application aspects of application syntactic portability, application instruction portability, application metadata portability, application behaviour portability and application policy portability. 3. Open interoperability and portability specifications shall comply with paragraph 3 and 4 of Annex II of to Regulation (EU) No 1025/2012. 4 The 3a. Open interoperability and portability specifications and European standards shall not distort the data processing services market or limit the development of any new competing and innovative technologies or solutions or any technologies or solutions that are based on them. 4. After taking into account relevant international and European standards and self-regulating initiatives, the Commission may, in accordance with Article 10 of Regulation (EU) No 1025/2012, request one or more European standardisation organisations to draft European standards applicable to specific service types equivalent services of data processing services. 5 The standardisation shall take into account the needs of SMEs. 5. For the purposes of Article 26(3) of this Regulation, the Commission , after consulting the European Data Innovation Board pursuant to Article 29 and Article 30, points (f) and (h), of Regulation (EU) 2022/868, shall be empowered to adopt delegated acts, supplementing this Regulation, in accordance with Article 38, 38 of this Regulation , to publish the reference of open interoperability specifications and European ▌ standards for the interoperability and portability of data processing services in central Union standards repository for the interoperability and portability of data processing services, services developed by relevant standardisation organisations or organisations referred to in paragraph 3 of Annex II to Regulation (EU) No 1025/2012, , where these satisfy the criteria specified in paragraph 1 and 2 of this Article.

Article 30 Essential requirements regarding smart contracts for data sharing

1 The vendor of an application using Article 30 Essential requirements regarding smart contracts or, in the absence thereof, the person whose trade, business or profession involves the deployment of for data sharing ▌The party offering smart contracts for others ▌ in the context of an agreement to make data available shall comply with the following essential requirements: (a) robustness: robustness and access control : ensure that the smart contract has been designed to offer rigorous access control mechanisms and a very high degree of robustness to avoid functional errors and to withstand manipulation by third parties; (b) safe termination and interruption: ensure that a mechanism exists to terminate the continued execution of transactions: the smart contract shall include internal functions which can reset or instruct the contract to stop or interrupt the operation to avoid future (accidental) executions; (c) data archiving and continuity: foresee, if a smart contract must be terminated or deactivated, a possibility to archive transactional data, the smart contract logic and code to keep the record of the operations performed on the data in this regard, the past (auditability); and (d) access control: conditions under which a smart contract shall could be protected through rigorous access control mechanisms at the governance and smart contract layers. 2 The vendor of a smart contract or, in the absence thereof, the person whose trade, business reset or profession involves the deployment of smart contracts for others in the context of an agreement to make data available shall perform a conformity assessment with a view instructed to fulfilling the essential requirements under paragraph 1 and, on the fulfilment of the requirements, issue an EU declaration of conformity. 3 By drawing up the EU declaration of conformity, the vendor of an application using smart contracts or, in the absence thereof, the person whose trade, business stop or profession involves the deployment of smart contracts for others in the context of an agreement to make data available shall interrupted, should be responsible for compliance with the requirements clearly and transparently defined. Especially, it should be assessed under paragraph 1. 4 A which conditions non-consensual termination or interruption should be permissible; (ba) equivalence;: a smart contract that meets the harmonised standards or the relevant parts thereof drawn up and published in the Official Journal of the European Union shall be presumed to be in conformity with the essential requirements under paragraph 1 of this Article to afford the extent those standards cover those requirements. 5 The Commission may, in accordance with Article 10 same level of Regulation (EU) No 1025/2012, request one or more European standardisation organisations to draft harmonised standards that satisfy the essential the requirements under paragraph 1 protection and legal certainty as any other contracts generated through different means. (bb) protection of this Article. 6 Where harmonised standards referred to in paragraph 4 confidentiality of this Article do not exist or where the Commission considers trade secrets: ensure that the relevant harmonised standards are insufficient a smart contract has been designed to ensure conformity with the essential requirements in paragraph 1 of this Article in a cross-border context, the Commission may, by way of implementing acts, adopt common specifications in respect of the essential requirements set out in paragraph 1 confidentiality of this Article. Those implementing acts shall be adopted trade secrets, in accordance with the examination procedure referred to in Article 39(2). this Regulation. ▌

CHAPTER IX – IMPLEMENTATION AND ENFORCEMENT

Article 31 Competent authorities

1 Article 31 Data coordinator 1. Each Member State shall designate one or more an independent competent authorities coordinating authority (‘data coordinator’) as responsible for the application and enforcement of this Regulation. Regulation , for coordinating the activities entrusted to that Member States may establish one or more new authorities or rely on existing authorities. 2 Without prejudice State, for acting as the single contact point towards the Commission, with regard to paragraph 1 the implementation of this Article: (a) Regulation and for representing the Member State at the European Data Innovation Board, as referred to in Article 31a . 1a. The independent supervisory authorities responsible for monitoring the application of Regulation (EU) 2016/679 shall be responsible for monitoring the application of this Regulation insofar as the protection of personal data is concerned. Chapters VI and VII of Regulation (EU) 2016/679 shall apply mutatis mutandis. The European Data Protection Supervisor shall be responsible for monitoring the application of this Regulation insofar as it concerns the Union institutions, bodies, offices and agencies. Where relevant, Article 62 of Regulation (EU) 2018/1725 shall apply mutatis mutandis. The tasks and powers of the supervisory authorities shall be exercised with regard to the processing of personal data; data. 2. Without prejudice to paragraph 1 of this Article , the data coordinator shall ensure cooperation among the national competent authorities that are responsible for the monitoring of other Union or national legal acts in the field of data and electronic communication services, namely : ▌ (b) for specific sectoral data exchange access issues related to the implementation of this Regulation, the competence of sectoral authorities shall be respected; respected without prejudice to the rules on conflicts of competences; (c) the national competent authority responsible for the application and enforcement of Chapter VI of this Regulation shall have experience in the field of data and electronic communications services. 3 3. Member States shall ensure that the respective tasks and powers of the competent authorities designated pursuant to paragraph 1 of this Article data coordinator are clearly defined and include: (a) promoting awareness among users and entities falling within the scope of this Regulation of the rights and obligations under this Regulation; (b) handling and deciding on complaints arising from alleged violations of this Regulation, and investigating, to the extent appropriate, the subject matter of the complaint and regularly informing the complainant of the progress and the outcome of the investigation within a reasonable period, in particular if further investigation or coordination with another competent authority is necessary; (c) conducting investigations into matters that concern the application of this Regulation, including on the basis of information received from another competent authority or other public authority; (d) imposing, through administrative procedures, imposing effective, proportionate and dissuasive financial penalties which may include periodic penalties and penalties with retroactive effect, or initiating legal proceedings for the imposition of fines; (e) monitoring technological and commercial developments of relevance for the making available and use of data; data with a view of better enforcing this Regulation ; (f) cooperating with competent authorities the data coordinators of other Member States to ensure the consistent , swift and effective application of this Regulation, including the exchange of all relevant information by electronic means, without undue delay; (fa) cooperating with all relevant competent authorities pursuant to other Union law, and with the European Data Protection Board and the European Data Innovation Board to ensure that the obligations of this Regulation are enforced coherently with other Union law; (g) ensuring the online public availability of requests for access to data made by public sector bodies in the case of public emergencies under Chapter V; (h) cooperating with all relevant competent authorities to ensure that the obligations of Chapter VI are enforced consistently with other Union legislation and self-regulation applicable to providers of data processing service; (i) ensuring that charges for the switching between providers of data processing services are withdrawn in accordance with Article 25. 4 4. Where a Member State designates more than one competent authority, the competent authorities data coordinator shall, in the exercise of the tasks and powers assigned to them under paragraph 3 of this Article, cooperate with each other, other and with the European Data Innovation Board , including, as appropriate, with the supervisory authority responsible for monitoring the application of Regulation (EU) 2016/679, 2016/679 and with the European Data Protection Supervisor , to ensure the consistent application of this Regulation. In such cases, relevant Member States shall designate a coordinating competent authority. 5 5. Member States shall communicate the name of the designated competent authorities data coordinators and their respective tasks and powers and, where applicable, the name of the coordinating competent authority to the Commission. Commission and Data Innovation Board . The Commission shall maintain a public register of those authorities. 6 6. When carrying out their tasks and exercising their powers in accordance with this Regulation, the competent authorities data coordinators shall in an independent and impartial manner and remain free from any external influence, whether direct or indirect, and shall neither seek nor take instructions from any other public authority or any private party. 7 7. Member States shall ensure that the designated competent authorities are data coordinator is provided with the necessary sufficient human and technical resources , expertise, premises and infrastructure necessary for the effective performance to adequately carry out their tasks in accordance with this Regulation. 7a. Entities falling within the scope of this Regulation shall be subject to the jurisdiction of the Member State where the entity is established. 7b. A user, data holder or data recipient that is a legal person and is not established in the Union, but which is subject to obligations under this Regulation, shall designate a legal representative in one of the Member States in which its relevant counterparties are established. 7c. The competent authorities under this Regulation shall have the power to request from users, data holders or data recipients, that are legal persons, or their legal representatives all the information that is necessary to verify compliance with the requirements of this Regulation. Any request for information shall be proportionate to the performance of the task and shall be reasoned. 7d. Where a user, data holder or data recipient, that is a legal person and not established in the Union fails to designate a legal representative or the legal representative fails, upon request of the competent authority, to provide the necessary information that comprehensively demonstrates compliance with this Regulation, the competent authority shall have the power to postpone the commencement of or to suspend the provision of related services by data holders or requests for data access from data holders by users or data recipients, that are legal persons, until the legal representative is designated or the necessary information is provided.

Article 32 Right to lodge a complaint with a competent authority

1 Article 32 Right to lodge a complaint with a data coordinator 1. Without prejudice to any other administrative or judicial remedy, natural and legal persons shall have the right to lodge a complaint, individually or, where relevant, or ▌ collectively, with the relevant competent authority data coordinator in the Member State of their habitual residence, place of work or establishment if they consider that their rights under this Regulation have been infringed. 2 Such complaint may arise from the suspension of sharing of data identified as trade secrets, after receiving the notification by the data holder pursuant to Articles 4(3), 5(8) or 19 (2b). 2. The competent authority data coordinator with which the complaint has been lodged shall inform the complainant , in accordance with national law, of the progress of the proceedings and of the decision taken. 3 3. Competent authorities shall cooperate from the beginning of the process to handle and resolve complaints, complaints effectively and in a timely manner , including by setting reasonable deadlines for adopting formal decisions, ensuring equality of the parties, ensuring the right to be heard from complainants and access to the file throughout the process, and by exchanging all relevant information by electronic means, without undue delay. This cooperation shall not affect the specific cooperation mechanism provided for by Chapters VI and VII of Regulation (EU) 2016/679.

Article 33 Penalties

1 Article 33 Penalties 1. Member States shall lay down the rules on penalties applicable to infringements of this Regulation and shall take all measures necessary to ensure that they are implemented. The penalties provided for shall be effective, proportionate and dissuasive. 2 1a. Member States shall take into account the following non-exhaustive criteria for the imposition of penalties for infringements of this Regulation; (a) the nature, gravity, scale and duration of the infringement; (b) any action taken by the infringing party to mitigate or remedy the damage caused by the infringement; (c) any previous infringements by the infringing party; (d) the financial benefits gained or losses avoided by the infringing party due to the infringement, insofar as such benefits or losses can be reliably established; (e) any other aggravating or mitigating factors applicable to the circumstances of the case. 2. Member States shall by [date of application of the Regulation] notify the Commission , the European Data Protection Board and the European Data Innovation Board of those rules and measures and shall notify it them without delay of any subsequent amendment affecting them. 3 The Commission shall regularly update and maintain an easily accessible public register of those measures. 3. For infringements of the obligations laid down in Chapter II, III and V of this Regulation, the supervisory authorities referred to in Article 51 of the Regulation (EU) 2016/679 may within their scope of competence impose administrative fines in line with Article 83 of Regulation (EU) 2016/679 and up to the amount referred to in Article 83(5) of that Regulation. 4 4. For infringements of the obligations laid down in Chapter V of this Regulation, the supervisory authority referred to in Article 52 of Regulation (EU) 2018/1725 may impose within its scope of competence administrative fines in accordance with Article 66 of Regulation (EU) 2018/1725 up to the amount referred to in Article 66(3) of that Regulation.

Article 34 Model contractual terms

Article 34 Model contractual terms The Commission shall develop and recommend non-binding model contractual terms on data access and use and standard contractual clauses for cloud computing contracts, based on Fair, Reasonable and Non-Discriminatory (FRAND) principles, to assist parties in drafting and negotiating contracts with balanced contractual rights and obligations. Such model contractual terms shall address at least the following elements: (a) right to early termination of the contract and conditions for compensation in the case of early termination; (b) data retention and storage policies; (c) readability of the data for the user, including information on metadata and decryption; (d) the protection and preservation of the confidentiality of trade secrets, in accordance with this Regulation. The model contractual terms referred to in the first subparagraph shall be published and shall be available free of charge in easily usable electronic format.

CHAPTER X – SUI GENERIS RIGHT UNDER DIRECTIVE 1996/9/EC

Article 35 Databases containing certain data

In order not to hinder the exercise of the right of users to access and use such data in accordance with Article 4 of this Regulation or of the right to share such 35 Databases containing certain data with third parties in accordance with Article 5 of this Regulation, the ▌The sui generis right provided for in Article 7 of Directive 96/9/EC does not apply to databases containing data obtained from or generated by the use of a product or a related service. service falling within the scope of this Regulation .

CHAPTER XI – FINAL PROVISIONS

Article 36 Amendment to Regulation (EU) No 2017/2394

In the Annex to Regulation (EU) No 2017/2394 the following point is added: ‘29. [Regulation (EU) XXX of the European Parliament and of the Council [Data Act]].’

Article 37 Amendment to Directive (EU) 2020/1828

In the Annex to Directive (EU) 2020/1828 the following point is added: ‘67. [Regulation (EU) XXX of the European Parliament and of the Council [Data Act]]’

Article 38 Exercise of the delegation

1 Article 38 Exercise of the delegation 1. The power to adopt delegated acts is conferred on the Commission subject to the conditions laid down in this Article. 2 2. The power to adopt delegated acts referred to in Articles 25(4), 28(2) and 29(5) shall be conferred on the Commission for an indeterminate period of time from […]. 3 3. The delegation of power referred to in Articles 25(4), 28(2) and 29(5) may be revoked at any time by the European Parliament or by the Council. A decision to revoke shall put an end to the delegation of the power specified in that decision. It shall take effect the day following the publication of the decision in the Official Journal of the European Union or at a later date specified therein. It shall not affect the validity of any delegated acts already in force. 4 4. Before adopting a delegated act, the Commission shall consult experts designated by each Member State in accordance with the principles laid down in the Interinstitutional Agreement on Better Law-Making of 13 April 2016. 5 5. As soon as it adopts a delegated act, the Commission shall notify it simultaneously to the European Parliament and to the Council. 6 6. A delegated act adopted pursuant to Articles 25(4), 28(2) and 29(5) shall enter into force only if no objection has been expressed either by the European Parliament or by the Council within a period of three months of notification of that act to the European Parliament and to the Council or if, before the expiry of that period, the European Parliament and the Council have both informed the Commission that they will not object. That period shall be extended by three months at the initiative of the European Parliament or of the Council.

Article 39 Committee procedure

1 Article 39 Committee procedure 1. The Commission shall be assisted by a committee. That committee shall be a committee within the meaning of Regulation (EU) No 182/2011. 2 2. Where reference is made to this paragraph, Article 5 of Regulation (EU) No 182/2011 shall apply.

Article 40 Other Union legal acts governing rights and obligations on data access and use

1 Article 40 Other Union legal acts governing rights and obligations on data access and use 1. The specific obligations for the making available of data between businesses, between businesses and consumers, and on exceptional basis between businesses and public bodies, in Union legal acts that entered into force on or before [xx XXX xxx], and delegated or implementing acts based thereupon, shall remain unaffected. 2 2. This Regulation is without prejudice to Union legislation specifying, in light of the needs of a sector, a common European data space, or an area of public interest, further requirements, in particular in relation to: (a) technical aspects of data access; (b) limits on the rights of data holders to access or use certain data provided by users; (c) aspects going beyond data access and use.

Article 41 Evaluation and review

Article 41 Evaluation and review 1. By [two years after the date of application of this Regulation], the Commission shall carry out an evaluation of this Regulation and submit a report on its main findings to the European Parliament and to the Council as well as to the European Economic and Social Committee. That evaluation shall assess, in particular: (-a) the use of data by users, data holders, data recipients and third parties, the development of monetisation practices in the European data economy as well as the development of the arrangements for data sharing, including competitive dynamics in data spaces and data intermediation services; (-aa) the effects of technical and administrative obligations to comply with this Regulation, in particular with Chapter II thereof on industry participants, also in view of the SME exemptions; (a) other categories or types of data to be made accessible; (b) the exclusion of certain categories of enterprises as beneficiaries under Article 5; (ba) whether the provisions of this Regulation related to trade secrets ensure respect for trade secrets while not hampering the access to and sharing of data; in particular, the evaluation shall assess whether and how the confidentiality of trade secrets is ensured in practice despite their disclosure both in the context of data sharing with third parties and in the business-to-government context. This assessment shall be carried out in close relationship with the evaluation report on Directive (EU) 2016/943 expected by 9 June 2026 pursuant to Article 18(3) of the directive thereof; (c) other situations to be deemed as exceptional needs for the purpose of Article 15; (d) changes in contractual practices of data processing service providers and whether this results in sufficient compliance with Article 24; (e) diminution of charges imposed by data processing service providers for the switching process, in line with the gradual withdrawal of switching charges pursuant to Article 25. 25; (ea) the interaction between the this Regulation and other relevant Union law to assess possible conflicting regulation, overregulation or legislative gaps; (eb) the contribution of this Regulation to ensuring the economic attractiveness of the collection and use of high quality data sets by Union companies; (ec) the contribution of this Regulation to innovation and to promoting the development of high-tech start-ups and SMEs, as well as to enabling access for European users to state-of-the-art computing services; (ed) the application and functioning of Article 27 on the international access and transfer of data. 1a On the basis of that report, the Commission shall, where appropriate, submit a legislative proposal to the Parliament and the Council to amend this Regulation.

Article 42 Entry into force and application

Article 42 Entry into force and application This Regulation shall enter into force on the twentieth day following that of its publication in the Official Journal of the European Union. It shall apply from [12 18 months after the date of entry into force of this Regulation]. (1) Ursula von der Leyen, A Union that strives for more - My agenda for Europe, Political guidelines for the next European Commission 2019-2024 , 16 July 2019 (2) European Commission, Annexes to the Commission Work Programme 2020 - A Union that strives for more , COM(2020) 37, 29 January 2020 (3) COM/2020/66 final (4) European Council, European Council meeting (21-22 October 2021) - Conclusion EUCO 17/21, 2021 , p. 2. (5) European Council, Statement of the members of the European Council meeting (25 March 2021) – Statement SN 18/21 , p. 4. (6) European Council, European Council meeting (1-2 October 2020) - Conclusion EUCO 13/20, 2020 , p. 5. (7) European Commission (2020). Commission welcomes Member States' declaration on EU cloud federation , Press Release. (8) European Parliament resolution of 25 March 2021 on a European strategy for data ( 2020/2217(INI) ) (9) OJ L 77, 27.3.1996, p. 20–28 (10) OJ L 119, 4.5.2016, p. 1–88 . (11) OJ L 201, 31.7.2002, p. 37–47 (12) OJ L 303, 28.11.2018, p. 59–68 ; SWIPO (2021), see website . (13) OJ L 95, 21.4.1993, p. 29–34 . (14) OJ L 335, 18.12.2010, p. 36–42 . (15) OJ L 77, 27.3.1996, p. 20–28 . (16) OJ L 186, 11.7.2019, p. 57–79 . (17) OJ L 172, 26.6.2019, p. 56–83 . (18) OJ L 318, 4.12.2015, p. 1-16 . (19) COM/2020/767 final . (20) OJ L 186, 11.7.2019, p. 57–79 . (21) COM/2020/98 final. (22) GreenData4All initiative (REFIT) | Legislative train schedule | European Parliament (europa.eu) (23) OJ L 108, 25.4.2007, p. 1–14 (24) OJ L 158, 14.6.2019, p. 54–124 . (25) OJ L 158, 14.6.2019, p. 125–199 . (26) OJ L 337, 23.12.2015, p. 35–127 OJ L 337, 23.12.2015, p. 35–127 . (27) OJ L 151, 14.6.2018, p. 1–218 ; OJ L 60, 2.3.2013, p. 1–51 . (28) OJ L 207, 06.08.2010, p. 1-13 . (29) OJ L 96, 31.3.2004, p. 1–9 ; OJ L 96, 31.3.2004, p. 10–19 ; OJ L 96, 31.3.2004, p. 20–25 . (30) OJ L 308, 29.10.2014, p. 82–87 . (31) OJ L 96, 12.4.2016, p. 46–49 . (32) COM/2021/559 final (33) COM/2020/67 final . (34) OJ L 57, 18.2.2021, p. 17 . (35) COM(2021) 400 final (36) COM/2019/640 final (37) Digitalisation for the Benefit of the Environment, 11 December 2020 , Council conclusions on the new circular economy action plan, 11 December 2020 , Council conclusions on the biodiversity strategy for 2030, 16 October 2020 , Conclusions on the improvement of air quality, 5 March 2020 (38) Climate and environmental emergency - Thursday, 28 November 2019 (europa.eu) (39) COM/2021/350 final . (40) COM/2020/66 final . (41) COM/2020/760 final . (42) COM/2021/102 final . (43) OJ L 151, 7.6.2019 (44) COM/2017/09 final ; SWD(2018) 146 final, section 5.4.2; Study to Support an Impact Assessment for the Review of the Database Directive. (45) COM/2017/09 final ; COM/2020/66 final ; COM/2020/760 final . (46) Fixtures Marketing Ltd v. Oy Veikkaus Ab (C-46/02, 9/11/2004), Fixtures Marketing Ltd v. Svenska Spel Ab (C-338/02, 9/11/2004) British Horseracing Board Ltd v. William Hill (C-203/02, 9/11/2004) Fixtures Marketing Ltd v. OPAP (C-444/02, 9/11/2004). (47) COM/2017/09 final . (48) European Commission (2020). Outcome of the online consultation on the European strategy for data . (49) European Commission webpage : Have your Say - Data Act & amended rules on the legal protection of databases. (50) European Commission (2021). Public consultation on the Data Act: summary report . (51) COM(2018)232 final ; SWD(2018)125 final of 25.4.2018. (52) EDPS Opinion 3/2020 on the European Strategy for Data Regulation ▌ . (53) [Links to final document and to the summary sheet The obligations resulting from Article 4(1) shall apply to be added.] (54) SWD(2021) 305 final . (55) For more explanations on the unfairness test and the principle of contractual freedom see Impact Assessment, Annex 11. (56) For more explanations on the unfairness test, including related services placed on the functioning in practice, see Annex 11 of the Impact Assessment. (57) OJ C , , p. . (58) OJ C , , p. . (59) Directive 2005/29/EC of the European Parliament and of the Council of 11 May 2005 concerning unfair business-to-consumer commercial practices in the internal market and amending Council Directive 84/450/EEC, Directives 97/7/EC, 98/27/EC and 2002/65/EC of within five years prior to the European Parliament and entry into force of the Council and this Regulation (EC) No 2006/2004 of the European Parliament and of the Council (‘Unfair Commercial Practices Directive’) (OJ L 149, 11.6.2005, p. 22). (60) Directive 2011/83/EU of the European Parliament and of the Council of 25 October 2011 on consumer rights, amending Council Directive 93/13/EEC and Directive 1999/44/EC of the European Parliament and of the Council and repealing Council Directive 85/577/EEC and Directive 97/7/EC of the European Parliament and of the Council. (61) Council Directive 93/13/EEC of 5 April 1993 on unfair terms in consumer contracts. Directive (EU) 2019/2161 of the European Parliament and of the Council of 27 November 2019 amending Council Directive 93/13/EEC and Directives 98/6/EC, 2005/29/EC and 2011/83/EU of the European Parliament and of the Council as regards the better enforcement and modernisation of Union consumer protection rules. (62) Directive (EU) 2019/882 of only where the European Parliament and provider of a related service is able to remotely deploy mechanisms to ensure the Council fulfilment of 17 April 2019 on the accessibility requirements for products and services OJ L 151, 7.6.2019 (63) Commission Recommendation 2003/361/EC of 6 May 2003 concerning the definition of micro, small and medium-sized enterprises (64) OJ L 303, 28.11.2018, p. 59–68 . (65) Directive (EU) 2019/1024 of the European Parliament and of the Council of 20 June 2019 on open data and the re-use of public sector information (OJ L 172, 26.6.2019, p. 56). (66) Directive 96/9/EC of the European Parliament and of the Council of 11 March 1996 on the legal protection of databases (OJ L 77, 27.3.1996, p. 20). (67) Directive (EU) 2019/770 of the European Parliament and of the Council of 20 May 2019 on certain aspects concerning contracts for the supply of digital content and digital services (OJ L 136, 22.5.2019, p. 1). (68) Regulation (EU) 2017/2394 of the European Parliament and of the Council of 12 December 2017 on cooperation between national authorities responsible for the enforcement of consumer protection laws and repealing Regulation (EC) No 2006/2004 (OJ L 345, 27.12.2017, p. 1). (69) Directive (EU) 2020/1828 of the European Parliament and of the Council of 25 November 2020 on representative actions for the protection of the collective interests of consumers and repealing Directive 2009/22/EC (OJ L 409, 4.12.2020, p. 1). (70) OJ L 123, 12.5.2016, p. 1 . (71) Regulation (EU) No 182/2011 of the European Parliament pursuant to Article 4(1) and of where the Council deployment of 16 February 2011 laying down the rules and general principles concerning such mechanisms for control by the Member States of the Commission's exercise of implementing powers (OJ L 55, 28.2.2011, p.13). (72) Regulation (EU) 2021/784 of the European Parliament and of the Council of 29 April 2021 would not place a disproportionate burden on addressing the dissemination manufacturer or provider of terrorist content online (OJ L 172, 17.5.2021, p. 79). (73) OJ […]. related services. Done at, ELI: http://data.europa.eu/eli/C/2023/419/oj ISSN 1977-091X (electronic edition)