Preamble 51 to 63
(51) The competent authorities for the registration of data altruism organisations designated to monitor compliance of recognised data altruism organisations with the requirements of this Regulation should be chosen on the basis of their capacity and expertise. They should be independent of any data altruism organisation as well as transparent and impartial in the exercise of their tasks.
Member States should notify the Commission of the identity of those competent authorities for the registration of data altruism organisations. The powers and competences of the competent authorities for the registration of data altruism organisations should be without prejudice to the powers of the data protection authorities. In particular, for any question requiring an assessment of compliance with Regulation (EU) 2016/679, the competent authority for the registration of data altruism organisations should seek, where relevant, an opinion or decision of the competent supervisory authority established pursuant to that Regulation.
(52) To promote trust and bring additional legal certainty and user-friendliness to the process of granting and withdrawing consent, in particular in the context of scientific research and statistical use of data made available on an altruistic basis, a European data altruism consent form should be developed and used in the context of altruistic data sharing.
Such a form should contribute to additional transparency for data subjects that their data will be accessed and used in accordance with their consent and also in full compliance with the data protection rules. It should also facilitate the granting and withdrawing of consent and be used to streamline data altruism carried out by undertakings and provide a mechanism allowing such undertakings to withdraw their permission to use the data.
In order to take into account the specificities of individual sectors, including from a data protection perspective, the European data altruism consent form should use a modular approach allowing customisation for specific sectors and for different purposes.
(53) In order to successfully implement the data governance framework, a European Data Innovation Board should be established, in the form of an expert group. The European Data Innovation Board should consist of representatives of the competent authorities for data intermediation services and the competent authorities for the registration of data altruism organisations of all Member States, the European Data Protection Board, the European Data Protection Supervisor, the European Union Agency for Cybersecurity (ENISA), the Commission, the EU SME Envoy or a representative appointed by the network of SME envoys, and other representatives of relevant bodies in specific sectors as well as bodies with specific expertise.
The European Data Innovation Board should consist of a number of subgroups, including a subgroup for stakeholder involvement composed of relevant representatives of industry, such as health, environment, agriculture, transport, energy, industrial manufacturing, media, cultural and creative sectors, and statistics, as well as of research, academia, civil society, standardisation organisations, relevant common European data spaces and other relevant stakeholders and third parties, inter alia bodies with specific expertise such as national statistical offices.
(54) The European Data Innovation Board should assist the Commission in coordinating national practices and policies on the topics covered by this Regulation, and in supporting cross-sector data use by adhering to the European Interoperability Framework principles and through the use of European and international standards and specifications, including through the EU Multi-Stakeholder Platform for ICT Standardisation, the Core Vocabularies and the CEF Building Blocks, and should take into account standardisation work taking place in specific sectors or domains.
Work on technical standardisation could include the identification of priorities for the development of standards and establishing and maintaining a set of technical and legal standards for transmitting data between two processing environments that allows data spaces to be organised, in particular clarifying and distinguishing which standards and practices are cross-sectoral and which are sectoral.
The European Data Innovation Board should cooperate with sectoral bodies, networks or expert groups, or other cross-sectoral organisations dealing with the re-use of data. Regarding data altruism, the European Data Innovation Board should assist the Commission in the development of the data altruism consent form, after consulting the European Data Protection Board. By proposing guidelines on common European data spaces, the European Data Innovation Board should support the development of a functioning European data economy on the basis of those data spaces, as set out in the European strategy for data.
(55) Member States should lay down rules on penalties applicable to infringements of this Regulation and should take all measures necessary to ensure that they are implemented. The penalties provided for should be effective, proportionate and dissuasive. Large discrepancies between rules on penalties could lead to distortion of competition in the digital single market. The harmonisation of such rules could be of benefit in that regard.
(56) In order to provide for an efficient enforcement of this Regulation and to ensure that data intermediation services providers and entities that wish to register as recognised data altruism organisations are able to access and complete the procedures of notification and registration fully online and in a cross-border manner, such procedures should be offered through the single digital gateway established pursuant to Regulation (EU) 2018/1724 of the European Parliament and of the Council (29). Those procedures should be added to the list of procedures included in Annex II to Regulation (EU) 2018/1724.
(57) Regulation (EU) 2018/1724 should therefore be amended accordingly.
(58) In order to ensure the effectiveness of this Regulation, the power to adopt acts in accordance with Article 290 TFEU should be delegated to the Commission for the purpose of supplementing this Regulation by laying down special conditions applicable to transfers to third countries of certain non-personal data categories deemed to be highly sensitive in specific Union legislative acts and by establishing a rulebook for recognised data altruism organisations, with which those organisations are to comply, that provides for information, technical and security requirements as well as communication roadmaps and interoperability standards.
It is of particular importance that the Commission carry out appropriate consultations during its preparatory work, including at expert level, and that those consultations be conducted in accordance with the principles laid down in the Interinstitutional Agreement of 13 April 2016 on Better Law-Making (30). In particular, to ensure equal participation in the preparation of delegated acts, the European Parliament and the Council receive all documents at the same time as Member States’ experts, and their experts systematically have access to meetings of Commission expert groups dealing with the preparation of delegated acts.
(59) In order to ensure uniform conditions for the implementation of this Regulation, implementing powers should be conferred on the Commission to assist public sector bodies and re-users in their compliance with conditions for re-use set out in this Regulation by establishing model contractual clauses for the transfer by re-users of non-personal data to a third country, to declare that the legal, supervisory and enforcement arrangements of a third country are equivalent to the protection ensured under Union law, to develop the design of the common logo for data intermediation services providers and of the common logo for recognised data altruism organisations, and to establish and develop the European data altruism consent form. Those powers should be exercised in accordance with Regulation (EU) No 182/2011 of the European Parliament and of the Council.
(60) This Regulation should not affect the application of the rules on competition, and in particular Articles 101 and 102 TFEU. The measures provided for in this Regulation should not be used to restrict competition in a manner contrary to the TFEU. This concerns in particular the rules on the exchange of competitively sensitive information between actual or potential competitors through data intermediation services.
(61) The European Data Protection Supervisor and the European Data Protection Board were consulted in accordance with Article 42(1) of Regulation (EU) 2018/1725 and delivered their opinion on 10 March 2021.
(62) This Regulation uses as its guiding principles the respect for the fundamental rights and principles recognised in particular by the Charter of Fundamental Rights of the European Union, including the right to privacy, the protection of personal data, the freedom to conduct a business, the right to property and the integration of persons with disabilities. In the context of the latter, the public service bodies and services under this Regulation should, where relevant, comply with Directives (EU) 2016/2102 and (EU) 2019/882 of the European Parliament and of the Council.
Furthermore, Design for All in the context of information and communications technology, which is the conscious and systematic effort to proactively apply principles, methods and tools to promote universal design in computer-related technologies, including internet-based technologies, thus avoiding the need for a posteriori adaptations or specialised design, should be taken into account.
(63) Since the objectives of this Regulation, namely the re-use, within the Union, of certain categories of data held by public sector bodies as well as the establishment of a notification and supervisory framework for the provision of data intermediation services, a framework for voluntary registration of entities which make data available for altruistic purposes and a framework for the establishment of a European Data Innovation Board, cannot be sufficiently achieved by the Member States, but can rather, by reason of its scale and effects, be better achieved at Union level, the Union may adopt measures, in accordance with the principle of subsidiarity as set out in Article 5 of the Treaty on European Union. In accordance with the principle of proportionality as set out in that Article, this Regulation does not go beyond what is necessary in order to achieve those objectives,
HAVE ADOPTED THIS REGULATION: