The House of Data Imperiali bulletins are extracts from the articles of the Legal Information Service (SIG) edited by Mr. Rosario Imperiali d’Afflitto.


Data Governance Act - 2

We resume our analysis of the EU Regulation known as the Data Governance Act (DGA), examining the re-use of data held by public sector bodies and its implications for data protection rules.
The first part of this analysis was published in the bulletin of June 23, 2022.

To determine which GDPR provisions apply to data governance, a distinction must be made between:

  1. Re-use of data held by public sector bodies
  2. Data intermediation services
  3. Data altruism services

 

1. Re-use of data held by public sector bodies

Chapter II of the DGA addresses the issue of making protected public sector data available for re-use within the Union. The regulation defines “re-use” as “the use by natural or legal persons of data held by public sector bodies, for commercial or non-commercial purposes other than the initial purpose within the public task for which the data were produced (…)” [Article 2(2)].

Re-use (i.e., granting access to data for re-use by third parties) is an option granted to public sector bodies by national law; where it is recognized, they shall make the conditions and the application procedure publicly available through a single information point and may be assisted by competent assistance bodies.

The re-use of “personal data” held by public bodies raises the issue of reconciling the two regimes. Article 1(3) of the DGA specifies that the GDPR applies to any use of personal data that falls within the scope of the Data Governance Regulation and adds that in case of conflict between the two provisions, the GDPR together with the relevant national implementing laws prevail.

Prior anonymization of data

To address this issue, the DGA makes the granting of access for re-use conditional on the prior anonymization of personal data by the public sector body or the competent body [Article 5(3)(a)(i) DGA]; in this way, subsequent operations performed by the data re-user do not fall within the scope of the GDPR and the national compliance laws. The data re-user, for its part, is prohibited from making any attempt to re-identify the anonymized data [Article 5(5) DGA].

The legal basis for the processing operation consisting of the anonymization is not specifically identified, but it is arguable that this secondary purpose – that is, to transform personal data into non-personal data for re-use – could be regarded as a compatible purpose under Article 5(1)(b) GDPR, thus not requiring a new legal basis.

Re-use of personal data

If anonymization is not feasible, re-use will involve information that retains its nature as personal data. This scenario triggers the full application of the GDPR and does not seem to be addressed comprehensively in the DGA.

Processing operations of personal data

The re-use of personal data held by public sector bodies theoretically involves two types of processing:

  • the communication of data from the public body to third parties (data users) for purposes other than the initial purpose;
  • the processing carried out by the data user for its own commercial or non-commercial purposes.

In both cases, the processing of personal data must always be based on one of the legal bases of Article 6 GDPR and, when it involves special categories of personal data, on the exemptions of Article 9.