Data requests must meet the conditions laid down in Chapter V of the Data Act. If a request meets the conditions, the data holder is required to make the data available without undue delay. This aims to ensure that public sector bodies have access to the necessary data in a timely and reliable manner. There are two scenarios in which an exceptional need to use data may exist: in the event of a public emergency, and for the purposes of fulfilling a task that has been provided for by law. The conditions for data access differ, depending on the scenario.
- Response to a public emergency
Access to non-personal data and, under certain conditions, to personal data can be requested when the data is necessary to respond to a public emergency (Article 15(1) point (a) of the Data Act). A public emergency means a situation declared as such under national or Union law. A public emergency can be a public health emergency resulting from a natural disaster or a human-induced disaster such as a cybersecurity incident. The data must generally be made available free of charge, but microenterprises and small enterprises are entitled to fair compensation for making data available.
- Fulfilment of another task provided for by law
If there is no public emergency, access only to non-personal data can be requested when the data is necessary to fulfil a task that has been provided for by law (Article 15(1) point (b) of the Data Act). The governmental bodies and Union bodies must first have exhausted all other means at their disposal to obtain such data. Microenterprises and small enterprises are not required to make data available. Data holders are generally entitled to fair compensation for making data available.
Comparison between the two scenarios for data requests under Chapter V of the Data Act| Response to a public emergency | Fulfilment of another task provided for by law |
|---|
| Non-personal data and personal data | Non-personal data |
| Data holders | Data holders except for microenterprises and small enterprises |
| No compensation except for microenterprises and small enterprises | Reasonable compensation |
Under the Data Act, public sector bodies may not request data necessary for criminal prosecution, customs administration or taxation administration.
To avoid unnecessary bureaucratic work, the same data cannot be requested more than once by more than one public sector body or Union body (once-only principle). For this reason, all data requests from public sector bodies must be published by the relevant data coordinator or the authority responsible for the application of the Data Act in the country where the requesting public sector body is established. Data requests from the European Commission, the European Central Bank and other Union bodies will be published in due course.
Data requests from public sector bodies established in Germany will be published here in due course, subject to responsibility for the application and implementation of the Data Act being transferred to the Bundesnetzagentur.
Which data have to be made available?
Generally speaking, only the data that are necessary to respond to a public emergency or to fulfil a task provided for by law must be made available. This includes the metadata necessary to interpret and use the data.
The requirement to make data available primarily concerns non-personal data. Personal data can only be requested when the data are necessary to respond to a public emergency. In this case, stricter requirements apply. Personal data can only be requested, and can only be requested in pseudonymised form, when it is not possible to anonymise the data and non-personal data are insufficient to respond to the public emergency. In addition, technical and organisational measures must be taken to safeguard the data. If personal data are requested, the public sector body or Union body must notify the competent data protection authority without undue delay. In the case of data requests from federal authorities, the Federal Commissioner for Data Protection and Freedom of Information (BfDI) must be notified. In the case of data requests from municipal bodies or federal state authorities, the data protection authority responsible under federal state law must be notified.
Who is required to make data available?
The data holders typically required to make data available under Chapter V of the Data Act are private entities. Governmental bodies are generally not required to make data available. Other rules may apply to public undertakings. Research-performing organisations may be organised as public sector bodies or bodies governed by public law. Microenterprises and small enterprises are only required to make data available that are necessary to respond to a public emergency.
Who can make a request for data?
Public sector bodies, the European Commission, the European Central Bank and Union bodies can request data to carry out their statutory duties in the public interest. These bodies can share the data with not-for-profit research organisations and statistical institutes.
Which requirements do requests for data have to meet?
A request for data must meet very specific criteria and conditions that aim to protect data holders. First, the public sector body or Union body must demonstrate the existence of an exceptional need to use the data requested (see Article 15 of the Data Act). A request must be made in writing and must be precise, understandable, proportionate and clearly justified. A request must specify exactly which data are requested for which purposes and period of time and why the request is addressed to the data holder. Trade and business secrets must be preserved. If personal data are requested to respond to a public emergency and the data cannot be anonymised, safeguards such as pseudonymisation and technical and organisational measures must also be implemented.
What can I do if I think that a data request is unjustified or the rules on using and safeguarding data have not been followed?
In the event of a dispute about a request for data, an enterprise requested to make data available can lodge a complaint with the competent authority in the Member State where the enterprise is established. The Bundesnetzagentur is to be the competent authority for the application and implementation of the Data Act for enterprises whose main establishment is in Germany, subject to a relevant decision by the legislature.
If a public sector body wants to challenge a data holder’s refusal to provide data or if a data holder wants to challenge a request for data, the matter must be referred to the competent authority in the Member State where the data holder is established. The Bundesnetzagentur is to be the competent authority for data holders whose main establishment is in Germany, subject to a relevant decision by the legislature.
Can a request for data be declined?
A data holder can decline a request for data or can ask for a request to be modified for various reasons, including:
- The data holder has no control over the data requested.
- A similar request for the same purpose has already been submitted by another public sector body or Union body. Data requests from the European Commission, the European Central Bank and other Union bodies will be published in due course. Data requests from public sector bodies established in Germany will be published here in due course, subject to responsibility for the application and implementation of the Data Act being transferred to the Bundesnetzagentur.
In this case, the data holder must specify which body – a public sector body, the European Commission, the European Central Bank or a Union body – has already requested data for the same purpose.
- The request for data does not meet the specific conditions laid down in Article 17(1) and (2) of the Data Act.
A data holder has a specified period of time to decline a request for data. If a request is for data necessary to respond to a public emergency, the data holder must decline the request without undue delay, but no later than five working days after receipt of the request. In other cases of an exceptional need, the data holder must decline the request for data without undue delay, but no later than 30 working days after receipt of the request.
If a public sector body wants to challenge a data holder’s refusal to provide data requested or if a data holder wants to challenge a request for data, the matter must be referred to the competent authority in the Member State where the data holder is established. The Bundesnetzagentur is to be the competent authority for data holders whose main establishment is in Germany, subject to a relevant decision by the legislature.
Are the costs for making data available reimbursed?
Data necessary to respond to a public emergency must generally be made available free of charge, but microenterprises and small enterprises are entitled to fair compensation for making data available.
If data are made available for the fulfilment of a task carried out in the public interest that has been provided for by law, data holders are generally entitled to fair compensation, unless the specific task carried out in the public interest is the production of official statistics and the purchase of data is not allowed by national law.
The compensation must cover the technical and organisational costs incurred to make the data available, including any costs for measures such as anonymisation and a reasonable margin calculated in each individual case.
Can the data be shared with third parties?
Public sector bodies, the European Commission, the European Central Bank and Union bodies can share the data received with not-for-profit research organisations and statistical institutes for research or analysis purposes and for the production of official statistics. Certain conditions must be met when data are shared. For example, sharing must be compatible with the purpose for which the data were requested, and the data holder must be notified of the identity and contact details of the third party receiving the data and of the purpose and period for which the data will be used. Third parties receiving data must comply with the same obligations that are applicable to public sector bodies, the European Commission, the European Central Bank and Union bodies (see Article 17(3) and Article 19 of the Data Act).
Can data holders challenge the decision to share data with third parties?
If a data holder disagrees with data being transmitted, the data holder may lodge a complaint with the competent authority in the Member State where the data holder is established. The Bundesnetzagentur is to be the competent authority for enterprises whose main establishment is in Germany, subject to a relevant decision by the legislature.
