Main Categories | Law | Data Act

DA.132 GDPR: Holder needs legal basis for transfer

 

 

Art. 5 (6) Data Act - Trialogue Agreement

 

Where the user is not the data subject whose personal data is requested, any personal data generated by the use of a product or related service, including data derived and inferred from that use, shall only be made available where there is a valid legal basis under Article 6 of Regulation (EU) 2016/679 and where relevant, the conditions of Article 9 of Regulation (EU) 2016/679 and Article 5(3) of  Directive (EU) 2002/58 are fulfilled.

 

 

Recital 7 Data Act - Trialogue Agreement

 

The fundamental right to the protection of personal data is safeguarded in particular under Regulation (EU) 2016/679 and Regulation (EU) 2018/1725. Directive 2002/58/EC additionally protects private life and the confidentiality of communications, including providing conditions to any personal and non-personal data storing in and access from terminal equipment. These instruments provide the basis for sustainable and responsible data processing, including where datasets include a mix of personal and non-personal data. This Regulation complements and is without prejudice to Union law on data protection and privacy, in particular Regulation (EU) 2016/679 and Directive 2002/58/EC. No provision of this Regulation should be applied or interpreted in such a way as to diminish or limit the right to the protection of personal data or the right to privacy and confidentiality of communications. Any processing of personal data in accordance with this Regulation should comply with all conditions and rules provided by data protection legislation, including but not limited to the need for a valid legal basis under Article 6 of Regulation (EU) 2016/679, where relevant the conditions of Article 9 of Regulation (EU) 2016/679 and Article 5(3) of Directive 2002/58/EC. This Regulation does not constitute a legal basis for the collection or generation of personal data by the data holder. However, in certain circumstances this Regulation imposes the obligation on data holders to make data available by providing that, where users are data subjects, data holders should be obliged to provide them access to their data and to make the data available to third parties of the user’s choice. The access should be provided to personal data that are processed by the data holder based on any of the legal bases mentioned in Article 6 of Regulation (EU) 2016/679. Where the user is not the data subject, this Regulation does not create a legal basis to provide access to personal data or make it available to a third party and should not be understood as conferring any new right on the data holder to use personal data generated by the use of a product or related service. In these cases, it could be in the interest of the user to facilitate meeting the requirements of Article 6 of Regulation (EU) 2016/679. As this Regulation should not adversely affect the data protection rights of others, including the data subject, the data holder can comply with requests inter alia by anonymising personal data or transferring only personal data relating to the user.

 

 

Recital 30 Data Act - Trialogue Agreement

 

The use of a product or related service may, in particular when the user is a natural person, generate data that relates to an identified or identifiable natural person (the data subject). Processing of such data is subject to the rules established under Regulation (EU) 2016/679, including where personal and non-personal data in a data set are inextricably linked. The data subject may be the user or another natural person. Personal data may only be requested by a controller or a data subject. A user who is the data subject is under certain circumstances entitled under Regulation (EU) 2016/679 to access personal data concerning them, and such rights are unaffected by this Regulation. Under this Regulation, the user who is a natural person is further entitled to access all data generated by the product, personal and non-personal. Where the user is not the data subject but an enterprise, including a sole trader, and not in cases of shared household use of the product, the user will be a controller within the meaning of Regulation (EU) 2016/679. Accordingly, such a user as controller intending to request personal data generated by the use of a product or related service is required to have a legal basis for processing the data under Article 6(1) of Regulation (EU) 2016/679, such as the consent of the data subject or the performance of a contract to which the data subject is a party. This user should ensure that the data subject is appropriately informed of the specified, explicit and legitimate purposes for processing those data, and how the data subject may effectively exercise their rights. Where the data holder and the user are joint controllers within the meaning of Article 26 of Regulation (EU) 2016/679, they are required to determine, in a transparent manner by means of an arrangement between them, their respective responsibilities for compliance with that Regulation. It should be understood that such a user, once data has been made available, may in turn become a data holder, if they meet the criteria under this Regulation and thus become subject to the obligations to make data available under this Regulation.

Authors
Winfried Veil
Related Tiles (0)
Social Media
Last update: 2023-08-06 20:07:04
By: Winfried Veil
Created at: 2022-03-02 12:06:42