European Data Act, Final Text



Preamble 71 to 80.


(71) Data holders should have the possibility to either decline a request made by a public sector body, the Commission, the European Central Bank or a Union body or seek its modification without undue delay and, in any event, no later than within a period of five or 30 working days, depending on the nature of the exceptional need invoked in the request. Where relevant, the data holder should have this possibility where it does not have control over the data requested, namely where it does not have immediate access to the data and cannot determine its availability.

A valid reason not to make the data available should exist if it can be shown that the request is similar to a previously submitted request for the same purpose by another public sector body or the Commission, the European Central Bank or a Union body and the data holder has not been notified of the erasure of the data pursuant to this Regulation.

A data holder declining the request or seeking its modification should communicate the underlying justification to the public sector body, the Commission, the European Central Bank or a Union body requesting the data. Where the sui generis database rights under Directive 96/9/EC of the European Parliament and of the Council apply in relation to the requested datasets, data holders should exercise their rights in such a way that does not prevent the public sector body, the Commission, the European Central Bank or Union body from obtaining the data, or from sharing it, in accordance with this Regulation.


(72) In the case of an exceptional need related to a public emergency response, public sector bodies should use non-personal data wherever possible. In the case of requests on the basis of an exceptional need not related to a public emergency, personal data cannot be requested. Where personal data fall within the scope of the request, the data holder should anonymise the data.

Where it is strictly necessary to include personal data in the data to be made available to a public sector body, the Commission, the European Central Bank or a Union body or where anonymisation proves impossible, the entity requesting the data should demonstrate the strict necessity and the specific and limited purposes for processing. The applicable rules on personal data protection should be complied with. The making available of the data and their subsequent use should be accompanied by safeguards for the rights and interests of individuals concerned by those data.


(73) Data made available to public sector bodies, the Commission, the European Central Bank or Union bodies on the basis of an exceptional need should be used only for the purposes for which they were requested, unless the data holder that made the data available has expressly agreed for the data to be used for other purposes.

The data should be erased once it is no longer necessary for the purposes stated in the request, unless agreed otherwise, and the data holder should be informed thereof. This Regulation builds on the existing access regimes in the Union and the Member States and does not change the national law on public access to documents in the context of transparency obligations. Data should be erased once it is no longer needed to comply with such transparency obligations.


(74) When reusing data provided by data holders, public sector bodies, the Commission, the European Central Bank or Union bodies should respect both existing applicable Union or national law and contractual obligations to which the data holder is subject. They should refrain from developing or enhancing a connected product or related service that compete with the connected product or related service of the data holder as well as from sharing the data with a third party for those purposes.

They should likewise provide public acknowledgement to the data holders upon their request and should be responsible for maintaining the security of the data received. Where the disclosure of trade secrets of the data holder to public sector bodies, the Commission, the European Central Bank or Union bodies is strictly necessary to fulfil the purpose for which the data has been requested, confidentiality of such disclosure should be guaranteed prior to the disclosure of data.


(75) When the safeguarding of a significant public good is at stake, such as responding to public emergencies, the public sector body, the Commission, the European Central Bank or the Union body concerned should not be expected to compensate enterprises for the data obtained. Public emergencies are rare events and not all such emergencies require the use of data held by enterprises. At the same time, the obligation to provide data might constitute a considerable burden on microenterprises and small enterprises.

They should therefore be allowed to claim compensation even in the context of a public emergency response. The business activities of the data holders are therefore not likely to be negatively affected as a consequence of the public sector bodies, the Commission, the European Central Bank or Union bodies having recourse to this Regulation. However, as cases of an exceptional need, other than cases of responding to public emergencies, might be more frequent, data holders should in such cases be entitled to a reasonable compensation which should not exceed the technical and organisational costs incurred in complying with the request and the reasonable margin required for making the data available to the public sector body, the Commission, the European Central Bank or the Union body.

The compensation should not be understood as constituting payment for the data itself or as being compulsory. Data holders should not be able to claim compensation where national law prevents national statistical institutes or other national authorities responsible for the production of statistics from compensating data holders for making data available. The public sector body, the Commission, the European Central Bank or the Union body concerned should be able to challenge the level of compensation requested by the data holder by bringing the matter to the competent authority of the Member State where the data holder is established.


(76) A public sector body, the Commission, the European Central Bank or a Union body should be entitled to share the data it has obtained pursuant to the request with other entities or persons when this is necessary to carry out scientific research activities or analytical activities it cannot perform itself, provided that those activities are compatible with the purpose for which the data was requested. It should inform the data holder of such sharing in a timely manner.

Such data may also be shared under the same circumstances with the national statistical institutes and Eurostat for the development, production and dissemination of official statistics. Such research activities should, however, be compatible with the purpose for which the data was requested and the data holder should be informed about the further sharing of the data it has provided.

Individuals conducting research or research organisations with whom those data may be shared should act either on a not-for-profit basis or in the context of a public-interest mission recognised by the State. Organisations upon which commercial undertakings have a significant influence, allowing such undertakings to exercise control due to structural situations which could result in preferential access to the results of the research, should not be considered to be research organisations for the purposes of this Regulation.


(77) In order to handle a cross-border public emergency or another exceptional need, data requests may be addressed to data holders in Member States other than that of the requesting public sector body. In such a case, the requesting public sector body should notify the competent authority of the Member State where the data holder is established in order to allow it to examine the request against the criteria established in this Regulation.

The same should apply to requests made by the Commission, the European Central Bank or a Union body. Where personal data are requested, the public sector body should notify the supervisory authority responsible for monitoring the application of Regulation (EU) 2016/679 in the Member State where the public sector body is established.

The competent authority concerned should be entitled to advise the public sector body, the Commission, the European Central Bank or the Union body to cooperate with the public sector bodies of the Member State in which the data holder is established on the need to ensure a minimised administrative burden on the data holder.

When the competent authority has substantiated objections as regards the compliance of the request with this Regulation, it should reject the request of the public sector body, the Commission, the European Central Bank or the Union body, which should take those objections into account before taking any further action, including resubmitting the request.


(78) The ability of customers of data processing services, including cloud and edge services, to switch from one data processing service to another while maintaining a minimum functionality of service and without downtime of services, or to use the services of several providers simultaneously without undue obstacles and data transfer costs, is a key condition for a more competitive market with lower entry barriers for new providers of data processing services, and for ensuring further resilience for the users of those services. Customers benefiting from free-tier offerings should also benefit from the provisions for switching that are laid down in this Regulation, so that those offerings do not result in a lock-in situation for customers.


(79) Regulation (EU) 2018/1807 of the European Parliament and of the Council (30) encourages providers of data processing services to develop and effectively implement self-regulatory codes of conduct covering best practices for, inter alia, facilitating the switching of providers of data processing services and the porting of data.

Given the limited uptake of the self-regulatory frameworks developed in response, and the general unavailability of open standards and interfaces, it is necessary to adopt a set of minimum regulatory obligations for providers of data processing services to eliminate pre-commercial, commercial, technical, contractual and organisational obstacles, which are not limited to reduced speed of data transfer at the customer’s exit, which hamper effective switching between data processing services.


(80) Data processing services should cover services that allow ubiquitous and on-demand network access to a configurable, scalable and elastic shared pool of distributed computing resources. Those computing resources include resources such as networks, servers or other virtual or physical infrastructure, software, including software development tools, storage, applications and services. The capability of the customer of the data processing service to unilaterally self-provision computing capabilities, such as server time or network storage, without any human interaction by the provider of data processing services could be described as requiring minimal management effort and as entailing minimal interaction between provider and customer.

The term ‘ubiquitous’ is used to describe the computing capabilities provided over the network and accessed through mechanisms promoting the use of heterogeneous thin or thick client platforms (from web browsers to mobile devices and workstations). The term ‘scalable’ refers to computing resources that are flexibly allocated by the provider of data processing services, irrespective of the geographical location of the resources, in order to handle fluctuations in demand. The term ‘elastic’ is used to describe those computing resources that are provisioned and released according to demand in order to rapidly increase or decrease resources available depending on workload.

The term ‘shared pool’ is used to describe those computing resources that are provided to multiple users who share a common access to the service, but where the processing is carried out separately for each user, although the service is provided from the same electronic equipment. The term ‘distributed’ is used to describe those computing resources that are located on different networked computers or devices and which communicate and coordinate among themselves by message passing.

The term ‘highly distributed’ is used to describe data processing services that involve data processing closer to where data are being generated or collected, for instance in a connected data processing device. Edge computing, which is a form of such highly distributed data processing, is expected to generate new business models and cloud service delivery models, which should be open and interoperable from the outset.