The recent Regulation (EU) 2023/2854 of the European Parliament and of the Council of 13 December 2023 on harmonised rules for fair access to and use of data (Data Act) introduces important new developments in European legislation to facilitate access to data generated by connected products and related services. In addition to establishing measures to boost interoperability in data spaces, data processing services and smart contracts, the new regulation also incorporates an important novelty by regulating data sharing with public entities in exceptional situations.
A new orientation in European regulation?
The main aim of the regulation on the re-use of public sector information was to facilitate access to data generated by public sector entities in order to foster the development of value-added services based on technological innovation. In fact, as expressly stated in the 2019 Directive, the reform it carried out was largely justified by the need to update the applicable regulatory framework to the new challenges posed by digital technology and, in particular, Artificial Intelligence or the Internet of Things.
Subsequently, under the European Data Strategy, a regulation on governance was approved, data spaces have been promoted and the Data Act was published only a few months ago. The latter implies an important shift from the point of view of the subjects concerned since, unlike the previous regulations focused on the obligations of public sector entities, on the one hand, it regulates relations between private parties and, on the other hand, it establishes an important measure aimed at private entities providing data to public bodies under certain singular conditions.
In which situations should data be provided?
First of all, it is necessary to emphasise that the Data Act is not intended to extend the cases in which private entities have to hand over data to public bodies in compliance with their supervisory and enforcement powers, such as in the case of prevention, investigation and imposition of criminal or administrative sanctions. Thus, it does not affect the obligations that private parties already have to fulfil in order that, on the basis of the data requested, public bodies may carry out their usual activities in the exercise of a public service mission such as those indicated.
On the other hand, it is a regulation intended to deal with exceptional, unforeseeable and time-limited situations that may be due:
- either to the need to obtain data to respond to a public emergency that are not available by alternative means under equivalent conditions, such as the provision of data in existing environments and platforms that have already been deployed for another purpose (e.g. provision of a service, implementation of a collaborative project...);
- or, as the case may be, the impossibility for the public body to dispose of specific data in order to fulfil a task assigned by law and performed in the public interest when all other means at its disposal have been exhausted, such as the purchase of non-personal data on the market by the public body, the consultation of a public database or their collection on the basis of previously existing obligations for private subjects.
In the latter case, i.e. when the need for the data is not justified by the requirement to respond to emergency situations, the subject of the request may not refer to personal data unless, by the very nature of the request, it is essential to be able to know at some point in time the identity of the data subject. In this case, pseudonymisation will be necessary. Consequently, given that the data would not be anonymised, the guarantees established by data protection regulations must be taken into account. Specifically:
- Data must be separated from the data subject so that the data subject cannot be identified by another unauthorised person
- Technical and organisational measures must be taken to prevent the re-identification of the data subject, except by those entitled to do so where necessary.
For which purposes may the data not be used?
Unless expressly authorised by the private entity providing the data, public bodies may not use the data for a purpose other than that for which they were made available. However, in the field of official statistics or when it is necessary to carry out scientific research or analytical activities which cannot be carried out by the public bodies requesting the data themselves, it is permitted that the data may be transferred to other bodies for the purpose of carrying out such activities. However, there are important limitations to this possibility, as such activities must be compatible with the purposes for which the data were obtained, which would prevent for example using the data to train algorithms that can then be used for the exercise of other functions or competences of the public body not related to research or analysis. Furthermore, the data may only be made available to non-profit or public interest entities such as universities and public research organisations.
Nor may the data be used to develop or improve products and services related to the entity providing the data, or shared with third parties for such purposes. This would prevent, for example, the use of the data to train Artificial Intelligence systems by the public entity or one of its contractors that would negatively affect the object of the normal business of the entity that provided the data.
Finally, the data obtained in application of this regulation cannot be made available to other subjects under the open data and public sector re-use regulation, so its application is expressly excluded.
What safeguards are provided for the data subject obliged to hand over the data?
The request for the data must be made by the public body by means of a formal request in which it is necessary to identify the data needed and to justify why it is addressed to the entity receiving the request. In addition, it will be essential to explain the exceptional reasons supporting the request and, in particular, why it is not possible to obtain the data by other means.
As a general rule, the data subject has the right to lodge a complaint against the request for the data, which must be addressed to the competent authority designated by each State to ensure the application of the Regulation and which will be included in the register to be set up by the European Commission.
Finally, in certain cases, the data subject has the right to request reasonable compensation for the costs and a reasonable margin necessary to make the data available to the public entity, although the latter may challenge the requested compensation before the authority referred to above. However, where the request for access to the data is justified by the need to respond to public emergencies or the safeguarding of a significant public interest, no compensation to data subjects is envisaged. This would be the case of an event of natural origin (earthquakes, floods, etc.) or unforeseen and serious situations affecting the normal functioning of society in essential areas such as health or public order.
In short, the obligation of private parties to provide data to public entities in these cases goes beyond the objective of promoting a single market for data at the level of the European Union, a goal that had largely underpinned the progress in data regulation in recent years. However, the seriousness of the situation generated as a result of COVID-19 has highlighted the need to establish a general regulatory framework to ensure that public entities can have the necessary data at their disposal to deal with exceptional situations in the public interest. In any case, the effectiveness of these measures can only be verified as of September 2025, when they are expected to be effectively implemented.
Content prepared by Julián Valero, Professor at the University of Murcia and Coordinator of the Research Group "Innovation, Law and Technology" (iDerTec). The contents and points of view reflected in this publication are the sole responsibility of its author.
The adoption of the Regulation (EU) of the European Parliament and of the Council of 13 December 2023 on harmonised rules for fair access to and use of data (Data Law) is an important step forward in the regulation of the European Union to facilitate data accessibility. This is an initiative already included in the European Data Strategy, the main aims of which are:
- Regulate the provision of data to public entities in exceptional situations.
- Promote the development of interoperability criteria for data spaces, data processing services and smart contracts.
- And, from the perspective that interests us now, to promote the provision of the data generated by connected products and services, either to those who use them or to the third parties they indicate.
In this respect, in view of users' difficulties in accessing data, the Regulation seeks to facilitate their free choice of providers of repair and other services, as it has been found that in many areas manufacturers try to reserve their use on an exclusive basis. Among other issues, it is intended to promote the user's right to decide for what purposes and by whom the data may be used, without prejudice to the existence of a series of limitations and conditions that are provided for in the Regulation itself.
A major shift in regulatory focus
While the Open Data and Re-use of Public Sector Information Directive and the Data Governance Regulation focus on establishing rules and safeguards to promote access to data held by public bodies, the new regulation pays special attention to relations between private parties. In other words, it allows public bodies to demand data from certain private subjects under exceptional conditions and for reasons of public interest.
One of the main objectives of the Data Regulation is to encourage not only "the development of new and innovative connected products or related services and to stimulate innovation in the aftermarkets, but also to stimulate the development of entirely new services using the data in question, including those based on data from a variety of connected products or related services".
To this end, it has been considered essential to establish clear and precise obligations for manufacturers of connected products, suppliers of connected products and related service providers to share the data generated with users.
What obligations are in place?
Prior to contracting the products and services, the owner of the data - i.e. the supplier of the product or service, which may also be the manufacturer - shall provide the user with information on:
- The amount and conditions of the data that can be generated
- How this data can be accessed
- How they can be suppressed
In this respect, the design of products and services is required to take appropriate measures to ensure that, by default, data are accessible, free of charge and directly, in particular in a structured, machine-readable format.
However, this right is subject to certain conditions and limitations in order to ensure that other rights and legal interests are not affected:
- The data subject may not make it difficult for the user to access his or her data, but may require the user to identify himself or herself, even if he or she is prohibited from keeping the information generated indefinitely.
- It may establish restrictions in the contract when, as a result of the user's access to the data, there is a risk to the functioning of the product that may affect the health or safety of persons.
- Under no circumstances may you use the data obtained during the use of the product or the provision of the service to make them available to a third party, unless it is strictly essential for the fulfilment of the contract.
- It is also expressly forbidden to use the data to make enquiries about the user's circumstances and activity, such as, for example, the user's financial situation.
For his part, the user is also subject to a number of obligations specifically aimed at ensuring the good faith of his legal relationship with the holder:
- You are not allowed to use the data to compete with the latter, either directly or through a third party to whom you may provide it.
- You may not use access to them to make enquiries about the activity of the manufacturer of the product or, where applicable, of the data subject.
- In addition to these obligations, you have the right to share the data with a third party, who may only use it for the purposes for which you authorise them to do so. In particular, it may not create profiles unless this is necessary to provide the service, make them available to another party or develop a product that competes with the one from which the data originally originated.
In any case, the regulation establishes an important limitation to be taken into account by users, as micro and small enterprises are excluded from this regime, with one exception: where they have been commissioned to develop the product or provide the service by a subject that falls within the scope of the Regulation.
What safeguards are in place to ensure the effectiveness of this regulation?
As is generally the case in any area, the user may bring the matter before a judicial body to enforce his or her rights. In addition, the new regulation establishes the possibility of approaching the designated authority at State level to ensure the application and enforcement of the provisions of the Regulation. If the problem concerns the processing of personal data, you may also exercise your rights before the competent authority in this area.
In this respect, the European Commission will have to make public a list of the relevant authorities on the basis of the information provided by the States. They may designate more than one authority, indicating which one has the coordinating role. These authorities shall have sufficient means: their members shall have the expertise required for the performance of their duties and their impartiality shall be guaranteed, so that they may not receive instructions from other entities.
Apart from this channel, the data subject and the user - or, where appropriate, the third party to whom the user permits the use of the data - may voluntarily agree to submit to a certified dispute resolution body, whose decision must be taken within a maximum of 90 days. Such a body shall be accredited to the State where it is established. To this end, it must justify its impartiality, capacity and independence. It must also demonstrate that it has adequate procedural rules and that it is easily accessible by electronic means.
In short, the new Data Law has not only established a regulatory framework that reinforces users' access to the data generated by the connected products they acquire and the related services they enjoy, but it has also enshrined a series of guarantees specifically aimed at ensuring effective compliance.
Content prepared by Julián Valero, Professor at the University of Murcia and Coordinator of the Research Group "Innovation, Law and Technology" (iDerTec). The contents and points of view reflected in this publication are the sole responsibility of its author.
Motivation
According to the European Data Proposal Law, data is a fundamental component of the digital economy and an essential resource for ensuring ecological and digital transitions. In recent years, the volume of data generated by humans and machines has experienced an exponential increase. It is essential to unlock the potential of this data by creating opportunities for its reuse, removing obstacles to the development of the data economy, and respecting European norms and values. In line with the mission of reducing the digital divide, measures must be promoted that allow everyone to benefit from these opportunities fairly and equitably.
However, a downside of the high availability of data is that as more data accumulates, chaos ensues when it is not managed properly. The increase in volume, velocity, and variety of data also implies a greater difficulty in ensuring its quality. And in situations where data quality levels are inadequate, as analytical techniques used to process datasets become more sophisticated, individuals and communities can be affected in new and unexpected ways.
In this changing scenario, it is necessary to establish common processes applicable to data assets throughout an organization's lifecycle, maximizing their value through data governance initiatives that ensure a structured, managed, coherent, and standardized approach to all activities, operations, and services related to data. Ultimately, it must be ensured that the definition, creation, storage, maintenance, access, and use of data (data management) are done following a data strategy aligned with organizational strategies (data governance), and that the data used is suitable for the intended use (data quality).
UNE Specifications for Data Governance, Management, and Quality
The Data Office, a unit responsible for promoting the sharing, management, and use of data across all productive sectors of the Spanish economy and society, in response to the need for a reference framework that supports both public and private organizations in their efforts to ensure adequate data governance, management, and quality, has sponsored, promoted, and participated in the development of national UNE specifications in this regard.
The UNE 0077:2023 Data Governance, UNE 0078:2023 Data Management, and UNE 0079:2023 Data Quality Management specifications are designed to be applied jointly, enabling the creation of a solid and harmonized reference framework that promotes the adoption of sustainable and effective data practices.
Coordination is driven by data governance, which establishes the necessary mechanisms to ensure the proper use and exploitation of data through the implementation and execution of data management processes and data quality management processes, all in accordance with the needs of the relevant business process and taking into account the limitations and possibilities of the organizations that use the data.
Each regulatory specification is presented with a process-oriented approach, and each of the presented processes is described in terms of its contribution to the seven components of a data governance and management system, as introduced in COBIT 2019:
- Process, detailing its purpose, outcome, tasks, and products according to ISO 8000-61.
- Principles, policies, and frameworks.
- Organizational structures, identifying the data governance bodies and decision-making structures.
- Information, required and generated in each process.
- Culture, ethics, and behavior, as a set of individual and collective behaviors of people and the organization.
- People, skills, and competencies needed to complete all activities and make decisions and corrective actions.
- Services, infrastructure, and applications that include technology-related aspects to support data management, data quality management, and data governance processes.
UNE 0077:2023 Specification: Data Governance
The UNE 0077:2023 specification covers aspects related to data governance. It describes the creation of a data governance framework to evaluate, direct, and monitor the use of an organization's data, so that it contributes to its overall performance by obtaining the maximum value from the data while mitigating risks associated with its use. Therefore, data governance has a strategic character, while data management has a more operational focus aimed at achieving the goals set in the strategy.
The implementation of proper data governance involves the correct execution of the following processes:
- Establishment of data strategy
- Establishment of data policies, best practices, and procedures
- Establishment of organizational structures
- Optimization of data risks
- Optimization of data value
UNE 0078:2023 Specification: Data Management
The UNE 0078:2023 specification covers the aspects related to data management. Data management is defined as the set of activities aimed at ensuring the successful delivery of relevant data with adequate levels of quality to the agents involved throughout the data life cycle, supporting the business processes established in the organizational strategy, following the guidelines of data governance, and in accordance with the principles of data quality management.
The implementation of adequate data management involves the development of thirteen processes:
- Data processing
- Management of the technological infrastructure
- Management of data requirements
- Management of data configuration
- Historical data management
- Data security management
- Metadata management
- Management of data architecture and design
- Data sharing, intermediation and integration
- Master data management
- Human resource management
- Data lifecycle management
- Data analysis
UNE 0079:2023 Specification: Data Quality Management
The UNE 0079:2023 specification covers the data quality management processes necessary to establish a framework for improving data quality. Data quality management is defined as the set of activities aimed at ensuring that data has adequate quality levels for use that allows an organization's strategy to be satisfied. Having quality data will allow an organization to achieve the maximum potential of data through its business processes.
According to Deming's continuous improvement PDCA cycle, data quality management involves four processes:
- Data quality planning,
- Data quality control and monitoring,
- Data quality assurance, and
- Data quality improvement.
The data quality management processes are intended to ensure that data meets the data quality requirements expressed in accordance with the ISO/IEC 25012 standard.
Maturity Model
As a joint application framework for the different specifications, a data maturity model is outlined that integrates the processes of governance, management, and data quality management, showing how the progressive implementation of processes and their capabilities can be carried out, defining a path of improvement and excellence across different levels to become a mature data organization.
The Data Office will promote the development of the UNE 0080 specification to provide a data maturity assessment model that complies with the content of the governance, management, and data quality management specifications and the aforementioned framework.
The content of this guide, as well as the rest of the UNE specifications mentioned, can be viewed freely and free of charge from the AENOR portal through the link below by accessing the purchase section and marking “read” in the dropdown where “pdf” is pre-selected. Access to this family of UNE data specifications is sponsored by the Secretary of State for Digitalization and Artificial Intelligence, Directorate General for Data. Although viewing requires prior registration, a 100% discount on the total price is applied at the time of finalizing the purchase. After finalizing the purchase, the selected standard or standards can be accessed from the customer area in the my products section.
The content of this guide can be downloaded freely and free of charge from the AENOR portal through the link below by accessing the purchase section. Access to this family of UNE data specifications is sponsored by the Secretary of State for Digitalization and Artificial Intelligence, Directorate General for Data. Although the download requires prior registration, a 100% discount on the total price is applied at the time of finalizing the purchase. After finalizing the purchase, the selected standard or standards can be accessed from the customer area in the my products section.
- UNE 0077:2023 SPECIFICATION: https://tienda.aenor.com/norma-une-especificacion-une-0077-2023-n0071116
- UNE 0078:2023 SPECIFICATION: https://tienda.aenor.com/norma-une-especificacion-une-0078-2023-n0071117
- UNE 0079:2023 SPECIFICATION: https://tienda.aenor.com/norma-une-especificacion-une-0079-2023-n0071118
- UNE 0080:2023 SPECIFICATION: https://tienda.aenor.com/norma-une-especificacion-une-0080-2023-n0071383