Complying with the GDPR and securing personal data is top of mind for most companies today. It’s an exciting time as there is a new kid on the block: the EU Data Governance Act (“DGA”), which applies to data (not just personal data). 

Timeframe 

The DGA was published in the Official Journal of the European Union on 3 June 2022, it is effective 23 June 2022, and it will apply to companies on 24 September 2023. 

Context 

In February 2020, the European Commission presented its data and artificial intelligence strategy. The DGA is the first legislative initiative adopted under the European Strategy for Data and AI for 2020-2025, with the goal of creating a single data market for Europe’s global competitiveness. 

Top Five Considerations 

  • DGA and GDPR - The DGA applies to ‘data,’  defined as ‘any digital representation of acts, facts or information…’ The DGA covers the processing of personal data (as defined in the GDPR) and non-personal data. Often, companies handle sets of data containing both personal and non-personal data. In case of a conflict between the DGA and the EU GDPR/national law, the EU GDPR/national law should prevail. 
  • Reuse of Public Sector Data - The DGA encourages the reuse of certain categories of protected data held by public sector bodies. Protected data means ‘data which are protected on the ground of: 
    • commercial confidentiality, including business, professional, and company secrets; 
    • statistical confidentiality; 
    • the protection of intellectual property rights of third parties; or 
    • the protection of personal data, insofar as such data fall outside the scope of Directive (EU) 2019/1024.’  (See Article 3 of the DGA)
  • Data Intermediation Services (DIS) and Data Altruism - DIS are described in Article 10 of the DGA. Data intermediaries are organisations setting up commercial arrangements between data holders and data users. The DGA also encourages data altruism, where individuals and organisations make data voluntarily available for the common good. Data intermediaries (such as Ad-tech companies) and recognised data altruism providers should carefully consider requirements under the new DGA. 
  • European Data Innovation Board (EDIB) - The EDIB is the new supervisory authority overseeing the implementation of the DGA’s data governance framework. 
  • Data Transfer and Penalties - The DGA contains restrictions on transfers of non-personal data. It will be for the Member States to establish and enforce the rules on penalties applicable to infringements of the obligations regarding transfers of non-personal data to third countries (for further information, please see DGA Article 31 and Article 34). 

Please contact us to discuss how Elevate can support you in complying with the DGA.