Data intermediation services providers

The DGA encourages voluntary data sharing between different entities, inter alia, by creating a legal regime for so-called data intermediation services providers, i.e. entities that intermediate the sharing of personal and non-personal data between data subjects and data holders on the one hand and potential data users on the other. It is therefore an intermediary that steps in between data subjects/holders and their users to facilitate the exchange of data and to guarantee that the exchange takes place in a neutral and secure manner. The aim of the business model is to restructure the data market in the EU by redistributing data away from entities with excessive data concentration and facilitating the data sharing process. This means in practice that the data of the entities that hold the data (the data holder) can be, thanks to the DGA, more easily sold to users who will process it for objectives such as research, innovation or dealing with societal crises.

 

The European register of data intermediation services providers is available here.

The DGA distinguishes between three types of data intermediation:

  • Intermediation services between data holders and potential data users (B2B),
  • Intermediation services between individuals who wish to disclose their personal or non-personal data and potential data users (C2B),
  • Data cooperatives.

The key obligations of data intermediation services providers:

  • They must not use the data obtained for any purpose other than data intermediation,
  • The services must be provided on the basis of a business relationship,
  • They must allow the provision of the service to an unspecified number of data subjects/holders and users,
  • They must be legally separated from any other services provided,
  • They must take the necessary measures to ensure the security of data storage, processing and transmission.

Obligations of data intermediation service providers towards CTU:

  • Submit a notification of the provision of data intermediation services pursuant to Article 11(1) of the DGA. The notification must include:
  1. name of the data intermediation services provider;
  2. data intermediation services provider’s legal status, form, ownership structure, relevant subsidiaries and, where the data intermediation services provider is registered in a trade or other similar public national register, registration number;
  3. address of the data intermediation services provider’s main establishment in the Union, if any, and, where applicable, of any secondary branch in another Member State or that of the legal representative;
  4. a public website where complete and up-to-date information on the data intermediation services provider and the activities can be found, including as a minimum the information referred to in points (a), (b), (c) and (f);
  5. data intermediation services provider’s contact persons and contact details;
  6. description of the data intermediation service the data intermediation services provider intends to provide, and an indication of the categories listed in Article 10 under which such data intermediation service falls;
  7. estimated date for starting the activity, if different from the date of the notification.
  • Notify within 14 days any changes to the information provided pursuant to Article 11(6) of the DGA.
  • Notify within 15 days any termination of the data intermediation activity.

Currently, CTU cannot accept notifications of the provision of data intermediation services.

Top