To determine which GDPR regulations apply to data governance, a distinction must be made between:
- Re-use of data held by public sector bodies
- Data intermediation services
- Data altruism services
1. Re-use of data held by public sector bodies
Chapter II of the DGA addresses the issue of making available protected public sector data for their re-use within the Union. The regulation defines “re-use” as “the use by natural or legal persons of data held by public sector bodies, for commercial or non- commercial purposes other than the initial purpose within the public task for which the data were produced (…)” [Article 2(2)].
Re-use (i.e., granting access to data for re-use by third parties) is an option granted by the national law to public sector bodies; when it is recognized, they shall make publicly available the conditions and the application procedure through a single information point and may be assisted by competent assistance bodies.
The re-use of “personal data” held by public bodies raises the issue of reconciling the two regimes. Article 1(3) of the DGA specifies that the GDPR applies to any use of personal data that falls within the scope of the Data Governance Regulation and adds that in case of conflict between the two provisions, the GDPR together with the relevant national implementing laws prevail.
Prior anonymization of data
To address this issue, the DGA makes the granting of access for re-use conditional on the prior anonymization of personal data by the public sector body or the competent body (Article 5(3)(a)(i) of the DGA); in this way, subsequent operations performed by the data re-user do not fall under the scope of the GDPR and the national compliance laws. The data re-user, on its part, is prohibited to make any attempt to re-identify the anonymized data [Art. 5(5) DGA].
Re-use of personal data
Processing operations of personal data
The re-use of personal data held by public sector bodies theoretically involves two types of processing:
- the communication of data from the public body to third parties (data users) for purposes other than the initial purpose
- the processing carried out by the data user for its own commercial or non-commercial purposes.
In both cases, the processing of personal data must always be based on one of the legal basis of Article 6 GDPR and the exemptions of Article 9 when it involves special categories of personal data.