Products
By Use Cases By Roles
Data Command Center
View
Learn more

AI Security & Governance

Discover, assess, and safeguard AI usage

Learn more

Asset and Data Discovery

Discover dark and native data assets

Learn more

Data Access Intelligence & Governance

Identify which users have access to sensitive data and prevent unauthorized access

Learn more

Data Privacy Automation

PrivacyCenter.Cloud | Data Mapping | DSR Automation | Assessment Automation | Vendor Assessment | Breach Management | Privacy Notice

Learn more

Sensitive Data Intelligence

Discover & Classify Structured and Unstructured Data | People Data Graph

Learn more

Data Flow Intelligence & Governance

Prevent sensitive data sprawl through real-time streaming platforms

Learn more

Data Consent Automation

First Party Consent | Third Party & Cookie Consent

Learn more

Data Security Posture Management

Secure sensitive data in hybrid multicloud and SaaS environments

Learn more

Data Breach Impact Analysis & Response

Analyze impact of a data breach and coordinate response per global regulatory obligations

Learn more

Data Catalog

Automatically catalog datasets and enable users to find, understand, trust and access data

Learn more

Data Lineage

Track changes and transformations of data throughout its lifecycle

Learn more

Compliance Management

Automate Compliance with Global AI and Data Frameworks using Common Controls and Tests
Data Controls Orchestrator
View
Data Command Center
View
Sensitive Data Intelligence
View

Asset Discovery
Data Discovery & Classification
Sensitive Data Catalog
People Data Graph
Learn more

Privacy

Automate compliance with global privacy regulations

Data Mapping Automation

View

AI Security & Governance

View

Data Subject Request Automation

View

People Data Graph

View

Assessment Automation

View

Cookie Consent

View

Universal Consent

View

Vendor Risk Assessment

View

Breach Management

View

Privacy Policy Management

View

Privacy Center

View

Learn more

Security

Identify data risk and enable protection & control

Data Security Posture Management

View

AI Security & Governance

View

Data Access Intelligence & Governance

View

Data Risk Management

View

Data Breach Analysis

View

Learn more

Governance

Optimize Data Governance with granular insights into your data

Data Catalog

View

Data Lineage

View

Data Quality

View

AI Security & Governance

View

Compliance Management

View
Data Controls Orchestrator
View
Solutions
Technologies

Covering you everywhere with 1000+ integrations across data systems.

Snowflake

View

AWS

View

Microsoft 365

View

Salesforce

View

Workday

View

GCP

View

Azure

View

Oracle

View

Databricks

View

Learn more

Regulations

Automate compliance with global privacy regulations.

US California CCPA

View

CPRA
California Privacy Rights Act

View

European Union GDPR

View

Thailand’s PDPA

View

China PIPL

View

Canada PIPEDA Compliance Solution

View

Brazil's LGPD

View

+ More

View

Learn more

Roles

Identify data risk and enable protection & control.

Privacy

View

Security

View

Governance

View

Marketing

View
Resources

Blog

Read through our articles written by industry experts

Collateral

Product brochures, white papers, infographics, analyst reports and more.

Knowledge Center

Learn about the data privacy, security and governance landscape.

Securiti Education

Courses and Certifications for data privacy, security and governance professionals.
Company

About Us

Learn all about Securiti, our mission and history

Partner Program

Join our Partner Program

Contact Us

Contact us to learn more or schedule a demo

News Coverage

Read about Securiti in the news

Press Releases

Find our latest press releases

Careers

Join the talented Securiti team

EU Data Governance Act: What do you need to know?

By Anas Baig | Reviewed By Maria Khan

Published August 16, 2023 / Updated December 13, 2023

As part of the European Digital Strategy, the European Commission proposed the Data Governance Act (DGA) which is now published in the Official Journal of the European Union. It will enter into effect on 23 June 2022 and apply in full form from 24 September 2023.

The DGA aims to create a secure environment for the processing and re-use of public sector data for purposes other than the ones for which the data was originally collected. It applies to both personal and non-personal data and imposes obligations on data sharing service providers (data intermediation services) and data altruism organizations. The DGA also ensures safer and wider re-use of protected public-sector data, this includes trade secrets, personal data and data protected by intellectual property rights.

Let’s look into a quick overview of the Data Governance Act, especially the data privacy obligations it has come up with and see how well it aligns with the existing EU privacy legal framework.

Key provisions of the DGA:

Broad Definition of Data

Data means any digital representation of acts, facts or information and any compilation of such acts, facts or information, including in the form of sound, visual or audiovisual recording. Data includes both personal and non-personal data.
Data Intermediation Services ProvidersThe DGA creates a legal framework for data intermediation services providers for easier sharing and re-use of data in the public sector. Data intermediation services providers are those entities that aim to establish commercial relationships for the purposes of data sharing between an undetermined number of data subjects and data holders on the one hand and data users on the other hand. Data holder means any natural or legal person who is not a data subject with respect to the specific data in question but has the right to grant access to or to share certain personal or non-personal data. Data user, on the other hand, is a natural or legal person who has lawful access to certain personal or non-personal data, to use that data for commercial or noncommercial purposes. Data intermediation services providers can be established in the EU and can also be located outside the EU, in that case, they must designate a representative in the EU.
Notification requirement for data intermediation services providersAny data intermediation services provider that intends to provide the data intermediation services must submit a notification of such intention to the designated competent public authority of the relevant EU member state. Such notification will grant data intermediation services providers the right to start offering their services within the EU.The following kinds of data intermediation services are subject to the notification procedure:
- Intermediation services between data holders and potential data users. This includes bilateral or multilateral exchanges of data or the creation of platforms or databases enabling the exchange or joint use of data as well as the establishment of other specific infrastructure for the interconnection of data holders with data users.
- Intermediation services between data subjects that seek to make their personal data available or non-personal data available and potential data users.
- Services of data cooperatives. These include data cooperatives that support individual or small and medium-sized enterprises to negotiate terms and conditions for data processing.
Neutrality of data intermediariesData intermediation services providers are required to remain neutral such that they must not use data for their own purposes. To achieve neutrality, data intermediaries must distinguish their data sharing services from their other commercial operations and are prohibited from using the data exchanged for any other purposes.The data intermediation service should be provided through a legal person that is separate from other activities of the intermediary. Moreover, data intermediation services providers are required to ensure fair price of their services. Also, certain services that have been excluded from becoming new data intermediaries include cloud service providers and data advertising brokers, data consultancies, or providers of data products.
Data subjects rights fulfillment under the GDPRUnder the DGA, data intermediation services providers have a fiduciary duty towards individuals to always act in the best interests of the data subjects. In furtherance of this, they are required to assist individuals in exercising their rights under the GDPR. This includes their rights to grant and withdraw consent, the right of access to their data, the right to rectification or erasure of data, the right to restrict the processing of data, and the right to data portability.
Prohibition of certain exclusive agreementsThe DGA prohibits any agreements or arrangements that grant exclusive rights to parties or limit the availability of data to those parties pertaining to the re-use of certain categories of data held by public sector bodies. Protected public-sector data refers to the data in the possession of public sector bodies and are protected on the grounds of commercial or statistical confidentiality, protection of intellectual property rights, or protection of personal data.
Data altruismData altruism refers to the voluntary sharing of data for wider societal benefits on the basis of data subjects’ consent for making data available for general interests such as healthcare, combating climate change, improving mobility, facilitating the development, production and dissemination of official statistics, improving the provision of public services, public policy making or scientific research purposes or interest provided for in the relevant national law.In order to qualify as a recognised data altruism organization in the public national register, the entities must meet certain criteria under the DGA. For example, they must operate on a not-for-profit basis and be legally independent from any entity that operates on a for-profit basis and carry out data altruism activities through a structure that is functionally separate from its other activities.
Data altruism consent form

In order to facilitate data altruism and the collection of consent across member states in a uniform format, the DGA empowers the European Commission to develop a common European data altruism consent form. The consent form will ensure that data subjects are able to consent and withdraw permissions to specific data processing operations in compliance with the requirements of the GDPR.
Transparency requirements for data altruism organizations

Recognized data altruism organizations are required to inform data subjects or data holders of the general interest for which the data is intended to be available, the specified, explicit and legitimate purposes of the processing of the data, as well as the location where the processing is to be carried out. Data altruism organizations are also required to maintain accurate and complete records of all natural or legal persons that were given the possibility to process the data held by them, the date or duration of the processing of personal data or use of non-personal data as well as the purpose of the processing as declared by the natural or legal person. In addition, they must inform data subjects where they intend to facilitate data use in third countries.
Data security for non-personal data

Recognized data altruism organizations must take measures to ensure an appropriate level of security for the storage and processing of non-personal data that they have collected on the basis of data altruism. Data sharing service providers are also required to ensure the protection of sensitive and confidential data. They must put in place adequate technical, organizational, and legal safeguards to prevent any data abusive practices and ensure reasonable continuity of data intermediation services.
Cross-border transfer of non-personal data

The DGA puts conditions for the cross-border transfer of non-personal data similar to the requirements of Article 45 of the GDPR. Data intermediaries and recognized data altruism providers are allowed to transfer data to a third country only if the third country ensures appropriate safeguards for the use of data. Appropriate safeguards refer to equivalent level of data protection in the third country as in the EU and include, for example, a requirement that a public sector body transmits protected data to a re-user only if that re-user makes contractual commitments in the interests of the protection of the data. Moreover, where a re-user intends to transfer non-personal data to a third country, it must inform the public sector body of its intention and the purposes of such transfer at the time of requesting the re-use of such data. Such transfer is allowed only when the legal person permits it. Legal persons whose rights and interests may be affected by the cross-border transfer of data must be informed of such intention and purpose as well as appropriate safeguards.
Conditions for re-use of data by public sector bodies

to grant access for the re-use of data only where the public sector body or the competent body, following the request for re-use has ensured that data has been anonymized, in the case of personal data and modified, aggregated, or treated by any other method of disclosure control, in the case of commercially confidential information, including trade secrets or content protected by intellectual property rights.to access and re-use the data remotely within a secure processing environment that is provided or controlled by the public sector body to access and re-use the data within the physical premises in which the secure processing environment is located in accordance with high security standards, provided that remote access cannot be allowed without jeopardizing the rights and interests of third partiesThis indicates that any re-use of data must take place in compliance with any responsibilities arising from competition and intellectual property laws. The responsibilities imposed by the DGA are without any prejudice to the application of competition law or any sector-specific EU or member state law that requires public sector bodies, data intermediation services providers or recognised data altruism organizations to comply with specific additional technical, administrative or organizational requirements.
European Data Innovation Board

The DGA also provides for the establishment of the European Data Innovation Board for ensuring consistent practices regarding the notification framework for data sharing services providers and data altruism as well as facilitating best practices by member states’ authorities regarding the re-use of data. The Board will oversee the data sharing service providers and provide advice on best practices for data sharing.

In light of the above, it appears that the DGA has added several layers to the regulation of data protection. It not just regulates personal data but also non-personal data. From a privacy standpoint, it aims to protect the digital fundamental rights and safeguards of data holders and data subjects as well as allow data intermediary service providers to ensure data subjects rights fulfillment in line with the provisions of the GDPR. It must be read together with the GDPR.

Securiti offers Data Intelligence and a whole host of automated solutions that will enable you to discover, analyze and protect large datasets. Our solutions are purposefully designed and fully automated for handling large volumes of data and ensuring compliance with applicable legal requirements.

Ask for a DEMO.

The European Data Governance Act enables data sharing across sectors and EU member states to maximize the value of data for EU citizens and businesses. It increases the sustainability and efficiency of various economic sectors, promotes transparent governance, and enhances the efficiency of public services.

GDPR (General Data Protection Regulation) is a comprehensive data protection regulation, while DGA (Data Governance Act) focuses on data sharing, access, and interoperability across sectors within the EU. The DGA seeks to establish a secure framework for utilizin public sector data beyond its original collection purposes. It encompasses both personal and non-personal data and places certain responsibilities on organizations.

On April 6, 2022, the European Parliament adopted the DGA. As a Regulation, EU Member States are not required to transpose it into national law. The DGA became effective on June 23, 2022, and will be applicable after a 15-month transitional period, starting from September 24, 2023.

EU Data Governance Act: What do you need to know?

Frequently Asked Questions (FAQs)

More Stories that May Interest You

Newsletter

Company

Resources

Terms

Get in touch

EU Data Governance Act: What do you need to know?

Frequently Asked Questions (FAQs)

Join Our Newsletter

Share

More Stories that May Interest You

China’s New Measures on the Administration of Internet Advertising: Basics To Know

China’s Renewed Cross-Border Data Transfer Regime

SOC 2 Compliance Checklist: Step by Step Guide for an Audit

Newsletter

Company

Resources

Terms

Get in touch

Follow