Securiti announces a $75M Series C Funding Round


EU Data Governance Act: What do you need to know?


As part of the European Digital Strategy, the European Commission proposed the Data Governance Act (DGA) which is now published in the Official Journal of the European Union. It will enter into effect on 23 June 2022 and apply in full form from 24 September 2023.

The DGA aims to create a secure environment for the processing and re-use of public sector data for purposes other than the ones for which the data was originally collected. It applies to both personal and non-personal data and imposes obligations on data sharing service providers (data intermediation services) and data altruism organizations. The DGA also ensures safer and wider re-use of protected public-sector data, this includes trade secrets, personal data and data protected by intellectual property rights.

Let’s look into a quick overview of the Data Governance Act, especially the data privacy obligations it has come up with and see how well it aligns with the existing EU privacy legal framework.

Key provisions of the DGA:

  • Broad Definition of Data

    Data means any digital representation of acts, facts or information and any compilation of such acts, facts or information, including in the form of sound, visual or audiovisual recording. Data includes both personal and non-personal data.
  • Data Intermediation Services Providers

    The DGA creates a legal framework for data intermediation services providers for easier sharing and re-use of data in the public sector. Data intermediation services providers are those entities that aim to establish commercial relationships for the purposes of data sharing between an undetermined number of data subjects and data holders on the one hand and data users on the other hand.Data holder means any natural or legal person who is not a data subject with respect to the specific data in question but has the right to grant access to or to share certain personal or non-personal data. Data user, on the other hand, is a natural or legal person who has lawful access to certain personal or non-personal data, to use that data for commercial or noncommercial purposes.

    Data intermediation services providers can be established in the EU and can also be located outside the EU, in that case, they must designate a representative in the EU.

  • Notification requirement for data intermediation services providers

    Any data intermediation services provider that intends to provide the data intermediation services must submit a notification of such intention to the designated competent public authority of the relevant EU member state. Such notification will grant data intermediation services providers the right to start offering their services within the EU.The following kinds of data intermediation services are subject to the notification procedure:

    • Intermediation services between data holders and potential data users. This includes bilateral or multilateral exchanges of data or the creation of platforms or databases enabling the exchange or joint use of data as well as the establishment of other specific infrastructure for the interconnection of data holders with data users.
    • Intermediation services between data subjects that seek to make their personal data available or non-personal data available and potential data users.
    • Services of data cooperatives. These include data cooperatives that support individual or small and medium-sized enterprises to negotiate terms and conditions for data processing.
  • Neutrality of data intermediaries

    Data intermediation services providers are required to remain neutral such that they must not use data for their own purposes. To achieve neutrality, data intermediaries must distinguish their data sharing services from their other commercial operations and are prohibited from using the data exchanged for any other purposes.The data intermediation service should be provided through a legal person that is separate from other activities of the intermediary. Moreover, data intermediation services providers are required to ensure fair price of their services. Also, certain services that have been excluded from becoming new data intermediaries include cloud service providers and data advertising brokers, data consultancies, or providers of data products.

  • Data subjects rights fulfillment under the GDPR

    Under the DGA, data intermediation services providers have a fiduciary duty towards individuals to always act in the best interests of the data subjects. In furtherance of this, they are required to assist individuals in exercising their rights under the GDPR.This includes their rights to grant and withdraw consent, the right of access to their data, the right to rectification or erasure of data, the right to restrict the processing of data, and the right to data portability.

  • Prohibition of certain exclusive agreements

    The DGA prohibits any agreements or arrangements that grant exclusive rights to parties or limit the availability of data to those parties pertaining to the re-use of certain categories of data held by public sector bodies.Protected public-sector data refers to the data in the possession of public sector bodies and are protected on the grounds of commercial or statistical confidentiality, protection of intellectual property rights, or protection of personal data.

  • Data altruism

    Data altruism refers to the voluntary sharing of data for wider societal benefits on the basis of data subjects’ consent for making data available for general interests such as healthcare, combating climate change, improving mobility, facilitating the development, production and dissemination of official statistics, improving the provision of public services, public policy making or scientific research purposes or interest provided for in the relevant national law.In order to qualify as a recognised data altruism organization in the public national register, the entities must meet certain criteria under the DGA. For example, they must operate on a not-for-profit basis and be legally independent from any entity that operates on a for-profit basis and carry out data altruism activities through a structure that is functionally separate from its other activities.

  • Data altruism consent form

    In order to facilitate data altruism and the collection of consent across member states in a uniform format, the DGA empowers the European Commission to develop a common European data altruism consent form. The consent form will ensure that data subjects are able to consent and withdraw permissions to specific data processing operations in compliance with the requirements of the GDPR.
  • Transparency requirements for data altruism organizations

    Recognized data altruism organizations are required to inform data subjects or data holders of the general interest for which the data is intended to be available, the specified, explicit and legitimate purposes of the processing of the data, as well as the location where the processing is to be carried out.Data altruism organizations are also required to maintain accurate and complete records of all natural or legal persons that were given the possibility to process the data held by them, the date or duration of the processing of personal data or use of non-personal data as well as the purpose of the processing as declared by the natural or legal person. In addition, they must inform data subjects where they intend to facilitate data use in third countries.
  • Data security for non-personal data

    Recognized data altruism organizations must take measures to ensure an appropriate level of security for the storage and processing of non-personal data that they have collected on the basis of data altruism.Data sharing service providers are also required to ensure the protection of sensitive and confidential data. They must put in place adequate technical, organizational, and legal safeguards to prevent any data abusive practices and ensure reasonable continuity of data intermediation services.
  • Cross-border transfer of non-personal data

    The DGA puts conditions for the cross-border transfer of non-personal data similar to the requirements of Article 45 of the GDPR. Data intermediaries and recognized data altruism providers are allowed to transfer data to a third country only if the third country ensures appropriate safeguards for the use of data. Appropriate safeguards refer to equivalent level of data protection in the third country as in the EU and include, for example, a requirement that a public sector body transmits protected data to a re-user only if that re-user makes contractual commitments in the interests of the protection of the data.Moreover, where a re-user intends to transfer non-personal data to a third country, it must inform the public sector body of its intention and the purposes of such transfer at the time of requesting the re-use of such data. Such transfer is allowed only when the legal person permits it. Legal persons whose rights and interests may be affected by the cross-border transfer of data must be informed of such intention and purpose as well as appropriate safeguards.
  • Conditions for re-use of data by public sector bodies

    to grant access for the re-use of data only where the public sector body or the competent body, following the request for re-use has ensured that data has been anonymised, in the case of personal data and modified, aggregated, or treated by any other method of disclosure control, in the case of commercially confidential information, including trade secrets or content protected by intellectual property access and re-use the data remotely within a secure processing environment that is provided or controlled by the public sector body

    to access and re-use the data within the physical premises in which the secure processing environment is located in accordance with high security standards, provided that remote access cannot be allowed without jeopardizing the rights and interests of third parties

    This indicates that any re-use of data must take place in compliance with any responsibilities arising from competition and intellectual property laws. The responsibilities imposed by the DGA are without any prejudice to the application of competition law or any sector-specific EU or member state law that requires public sector bodies, data intermediation services providers or recognised data altruism organizations to comply with specific additional technical, administrative or organizational requirements.

  • European Data Innovation Board

    The DGA also provides for the establishment of the European Data Innovation Board for ensuring consistent practices regarding the notification framework for data sharing services providers and data altruism as well as facilitating best practices by member states’ authorities regarding the re-use of data.The Board will oversee the data sharing service providers and provide advice on best practices for data sharing.

In light of the above, it appears that the DGA has added several layers to the regulation of data protection. It not just regulates personal data but also non-personal data. From a privacy standpoint, it aims to protect the digital fundamental rights and safeguards of data holders and data subjects as well as allow data intermediary service providers to ensure data subjects rights fulfillment in line with the provisions of the GDPR. It must be read together with the GDPR.

Securiti offers Data Intelligence and a whole host of automated solutions that will enable you to discover, analyze and protect large datasets. Our solutions are purposefully designed and fully automated for handling large volumes of data and ensuring compliance with applicable legal requirements.

Ask for a DEMO.

At Securiti, our mission is to enable enterprises to safely harness the incredible power of data and the cloud by controlling the complex security, privacy and compliance risks.


Users love Securiti on G2 G2 leader spring 2022 G2 leader summer 2022 G2 leader easiest business 2022 RSAC Leader Forrester Badge IAPP Innovation award 2020 Gartner Cool Vendor Award Sinet Innovator Award