GDPR

Data protection for everyone

Regulation on the free flow of non-personal data

13 May 2019, 08:00 - poklaszlo

Last November, Regulation 2018/1807/EU on a framework for the free flow of non-personal data in the European Union was adopted, and it shall be applicable from May 29, 2019 in all Member States.

Regulation no. 2018/1807 applies to any data that is not covered by the GDPR, i.e. any data that is not personal data.

The Regulation is based on the recognition of the following (see Paragraph 1 of the Preamble):

The digitisation of the economy is accelerating. Information and Communications Technology is no longer a specific sector, but the foundation of all modern innovative economic systems and societies. Electronic data are at the centre of those systems and can generate great value when analysed or combined with services and products. At the same time, the rapid development of the data economy and emerging technologies such as Artificial Intelligence, Internet of Things products and services, autonomous systems, and 5G are raising novel legal issues surrounding questions of access to and reuse of data, liability, ethics and solidarity. Work should be considered on the issue of liability, in particular through the implementation of self-regulatory codes and other best practices, taking into account recommendations, decisions and actions taken without human interaction along the entire value chain of data processing. Such work might also include appropriate mechanisms for determining liability, for transferring responsibility among cooperating services, for insurance and for auditing.

1. Scope and aims of the Regulation

The effective and efficient functioning of data processing, and the development of the data economy in the Union, are hampered, in particular, by two types of obstacles to data mobility and to the internal market:

  • data localisation requirements put in place by Member States' authorities and
  • vendor lock-in practices in the private sector.

This Regulation applies to the processing of electronic data other than personal data in the Union, which is:

  • provided as a service to users residing or having an establishment in the Union, regardless of whether the service provider is established or not in the Union; or
  • carried out by a natural or legal person residing or having an establishment in the Union for its own needs.

In line with the purposes defined in the Preamble of the Regulation, the Regulation aims to ensure the free flow of data other than personal data within the Union by laying down rules relating to

  • data localisation requirements,
  • the availability of data to competent authorities and
  • the porting of data for professional users.  

2. Definitions

Data localisation requirement means any obligation, prohibition, condition, limit or other requirement provided for in the laws, regulations or administrative provisions of a Member State or resulting from general and consistent administrative practices in a Member State and in bodies governed by public law, including in the field of public procurement, without prejudice to Directive 2014/24/EU, which imposes the processing of data in the territory of a specific Member State or hinders the processing of data in any other Member State.

Competent authority means an authority of a Member State or any other entity authorised by national law to perform a public function or to exercise official authority, that has the power to obtain access to data processed by a natural or legal person for the performance of its official duties, as provided for by Union or national law.

Processing has the same meaning as in the GDPR.

Regulation no. 2018/1807 also defines the notion of service provider (a natural or legal person who provides data processing services), user (a natural or legal person, including a public authority or a body governed by public law, using or requesting a data processing service) and professional user (a natural or legal person, including a public authority or a body governed by public law, using or requesting a data processing service for purposes related to its trade, business, craft, profession or task).

3. Free flow of data vs. data localisation

According to the general rule, data localisation requirements shall be prohibited, unless they are justified on grounds of public security in compliance with the principle of proportionality.

Member States shall immediately communicate to the Commission any draft act which introduces a new data localisation requirement or makes changes to an existing data localisation requirement.

By 30 May 2021, Member States shall ensure that any existing data localisation requirement that is laid down in a law, regulation or administrative provision of a general nature and that is not in compliance with the above (i.e. not justified on grounds of public security in compliance with the principle of proportionality) is repealed. If a Member State considers that an existing measure containing a data localisation requirement is in compliance with the above requirement and can therefore remain in force, it shall communicate that measure to the Commission, together with a justification for maintaining it in force.

Member States shall make the details of any data localisation requirements laid down in a law, regulation or administrative provision of a general nature and applicable in their territory publicly available via a national online single information point which they shall keep up-to-date, or provide up-to-date details of any such localisation requirements to a central information point established under another Union act.

4. Data availability for competent authorities

The Regulation shall not affect the powers of competent authorities to request, or obtain, access to data for the performance of their official duties in accordance with Union or national law. Access to data by competent authorities may not be refused on the basis that the data are processed in another Member State.

Where, after requesting access to a user's data, a competent authority does not obtain access and if no specific cooperation mechanism exists under Union law or international agreements to exchange data between competent authorities of different Member States, that competent authority may request assistance from a competent authority in another Member State.

Each Member State shall designate a single point of contact which shall liaise with the single points of contact of other Member States and the Commission regarding the application of the Regulation.

5. Porting of data

One of the main novelties of the GDPR was the so-called right to data portability, whereby the data subject shall have the right to receive the personal data concerning him or her, which he or she has provided to a controller, in a structured, commonly used and machine-readable format and have the right to transmit those data to another controller without hindrance from the controller to which the personal data have been provided, where: 

  • the processing is based on consent or on a contract, and
  • the processing is carried out by automated means. (See Article 20 of the GDPR.)

Similarly to the GDPR, the Commission shall encourage and facilitate the development of self-regulatory codes of conduct at Union level (‘codes of conduct’), in order to contribute to a competitive data economy, based on the principles of transparency and interoperability and taking due account of open standards, covering, inter alia, the following aspects:

  • best practices for facilitating the switching of service providers and the porting of data in a structured, commonly used and machine-readable format including open standard formats where required or requested by the service provider receiving the data;
  • minimum information requirements to ensure that professional users are provided, before a contract for data processing is concluded, with sufficiently detailed, clear and transparent information regarding the processes, technical requirements, timeframes and charges that apply in case a professional user wants to switch to another service provider or port data back to its own IT Systems;
  • approaches to certification schemes that facilitate the comparison of data processing products and services for professional users, taking into account established national or international norms, to facilitate the comparability of those products and services. Such approaches may include, inter alia, quality management, information security management, business continuity management and environmental management;
  • communication roadmaps taking a multi-disciplinary approach to raise awareness of the codes of conduct among relevant stakeholders.

The Commission shall also encourage service providers to complete the development of the codes of conduct by 29 November 2019 and to effectively implement them by 29 May 2020. 

Codes of conduct, certification mechanisms, standards and interoperable platforms to be developed for non-personal data can also have a significant impact on the processing of personal data and can encourage the operation of the data portability, certification mechanisms and codes of conduct that the GDPR regulates for the processing of personal data.

6. Next steps

By 29 May 2019, the Commission shall publish informative guidance on the interaction of Regulation no. 2018/1807 and the GDPR, especially as regards data sets composed of both personal and non-personal data. Update (31.05.2019): The Commission published its guidance (available here).
