Preamble 41 to 50
(41) The main establishment of a data intermediation services provider in the Union should be the place of its central administration in the Union. The main establishment of a data intermediation services provider in the Union should be determined in accordance with objective criteria and should imply the effective and real exercise of management activities. Activities of a data intermediation services provider should comply with the national law of the Member State in which it has its main establishment.
(42) In order to ensure the compliance of data intermediation services providers with this Regulation, they should have their main establishment in the Union. Where a data intermediation services provider not established in the Union offers services within the Union, it should designate a legal representative.
The designation of a legal representative in such cases is necessary, given that such data intermediation services providers handle personal data as well as commercially confidential data, which necessitates the close monitoring of the compliance of data intermediation services providers with this Regulation. In order to determine whether such a data intermediation services provider is offering services within the Union, it should be ascertained whether it is apparent that the data intermediation services provider is planning to offer services to persons in one or more Member States.
The mere accessibility in the Union of the website or of an email address and other contact details of the data intermediation services provider, or the use of a language generally used in the third country where the data intermediation services provider is established, should be considered to be insufficient to ascertain such an intention. However, factors such as the use of a language or a currency generally used in one or more Member States with the possibility of ordering services in that language, or the mentioning of users who are in the Union, could make it apparent that the data intermediation services provider is planning to offer services within the Union.
A designated legal representative should act on behalf of the data intermediation services provider and it should be possible for competent authorities for data intermediation services to address the legal representative in addition to or instead of a data intermediation services provider, including in the case of an infringement, for the purpose of initiating enforcement proceedings against a non-compliant data intermediation services provider not established in the Union. The legal representative should be designated by a written mandate of the data intermediation services provider to act on the latter’s behalf with regard to the latter’s obligations under this Regulation.
(43) In order to assist data subjects and data holders to easily identify, and thereby increase their trust in, data intermediation services providers recognised in the Union, a common logo recognisable throughout the Union should be established, in addition to the label ‘data intermediation services provider recognised in the Union’.
(44) The competent authorities for data intermediation services designated to monitor compliance of data intermediation services providers with the requirements of this Regulation should be chosen on the basis of their capacity and expertise regarding horizontal or sectoral data sharing They should be independent of any data intermediation services provider as well as transparent and impartial in the exercise of their tasks.
Member States should notify the Commission of the identity of those competent authorities for data intermediation services. The powers and competences of the competent authorities for data intermediation services should be without prejudice to the powers of the data protection authorities. In particular, for any question requiring an assessment of compliance with Regulation (EU) 2016/679, the competent authority for data intermediation services should seek, where relevant, an opinion or decision of the competent supervisory authority established pursuant to that Regulation.
(45) There is a strong potential for objectives of general interest in the use of data made available voluntarily by data subjects on the basis of their informed consent or, where it concerns non-personal data, made available by data holders. Such objectives would include healthcare, combating climate change, improving mobility, facilitating the development, production and dissemination of official statistics, improving the provision of public services, or public policy making. Support to scientific research should also be considered to be an objective of general interest.
This Regulation should aim to contribute to the emergence of sufficiently-sized data pools made available on the basis of data altruism in order to enable data analytics and machine learning, including across the Union. In order to achieve that objective, Member States should be able to have in place organisational or technical arrangements, or both, which would facilitate data altruism.
Such arrangements could include the availability of easily useable tools for data subjects or data holders for giving consent or permission for the altruistic use of their data, the organisation of awareness campaigns, or a structured exchange between competent authorities on how public policies, such as improving traffic, public health and combating climate change, benefit from data altruism. To that end, Member States should be able to establish national policies for data altruism. Data subjects should be able to receive compensation related only to the costs they incur when making their data available for objectives of general interest.
(46) The registration of recognised data altruism organisations and use of the label ‘data altruism organisation recognised in the Union’ is expected to lead to the establishment of data repositories. Registration in a Member State would be valid across the Union and is expected to facilitate cross-border data use within the Union and the emergence of data pools covering several Member States.
Data holders could give permission to the processing of their non-personal data for a range of purposes not established at the moment of giving the permission. The compliance of such recognised data altruism organisations with a set of requirements as laid down in this Regulation should bring trust that the data made available for altruistic purposes is serving an objective of general interest.
Such trust should result in particular from having a place of establishment or a legal representative within the Union, as well as from the requirement that recognised data altruism organisations are not-for-profit organisations, from transparency requirements and from specific safeguards in place to protect rights and interests of data subjects and undertakings.
Further safeguards should include making it possible to process relevant data within a secure processing environment operated by the recognised data altruism organisations, oversight mechanisms such as ethics councils or boards, including representatives from civil society to ensure that the data controller maintains high standards of scientific ethics and protection of fundamental rights, effective and clearly communicated technical means to withdraw or modify consent at any moment, on the basis of the information obligations of data processors under Regulation (EU) 2016/679, as well as means for data subjects to stay informed about the use of data they made available.
Registration as a recognised data altruism organisation should not be a precondition for exercising data altruism activities. The Commission should, by means of delegated acts, prepare a rulebook in close cooperation with data altruism organisations and relevant stakeholders. Compliance with that rulebook should be a requirement for registration as a recognised data altruism organisation.
(47) In order to assist data subjects and data holders to easily identify, and thereby to increase their trust in, recognised data altruism organisations, a common logo that is recognisable throughout the Union should be established. The common logo should be accompanied by a QR code with a link to the public Union register of recognised data altruism organisations.
(48) This Regulation should be without prejudice to the establishment, organisation and functioning of entities that seek to engage in data altruism pursuant to national law and build on national law requirements to operate lawfully in a Member State as a not-for-profit organisation.
(49) This Regulation should be without prejudice to the establishment, organisation and functioning of entities other than public sector bodies that engage in the sharing of data and content on the basis of open licenses, thereby contributing to the creation of common resources available to all. This should include open collaborative knowledge sharing platforms, open access scientific and academic repositories, open source software development platforms and open access content aggregation platforms.
(50) Recognised data altruism organisations should be able to collect relevant data directly from natural and legal persons or to process data collected by others. Processing of collected data could be done by data altruism organisations for purposes which they establish themselves or, where relevant, they could allow the processing by third parties for those purposes. Where recognised data altruism organisations are data controllers or processors as defined in Regulation (EU) 2016/679, they should comply with that Regulation.
Typically, data altruism would rely on consent of data subjects within the meaning of Article 6(1), point (a), and Article 9(2), point (a), of Regulation (EU) 2016/679 that should be in compliance with requirements for lawful consent in accordance with Articles 7 and 8 of that Regulation. In accordance with Regulation (EU) 2016/679, scientific research purposes could be supported by consent to certain areas of scientific research where in keeping with recognised ethical standards for scientific research or only to certain areas of research or parts of research projects.
Article 5(1), point (b), of Regulation (EU) 2016/679 specifies that further processing for scientific or historical research purposes or statistical purposes should, in accordance with Article 89(1) of Regulation (EU) 2016/679, not be considered to be incompatible with the initial purposes. For non-personal data the usage limitations should be found in the permission given by the data holder.
Understanding Cybersecurity in the European Union.