The Member States will discuss, on Thursday 15 September at a meeting of the EU Council’ Working Party on Telecommunications, the Czech Presidency’s compromise proposal for chapters six to eleven of the future Data Act (see EUROPE 13014/14).
In addition to tweaking several definitions and adding ‘customer’, ‘digital assets’ and ’operators within data spaces’ the text now also includes virtual assistants in the scope of the future regulation.
Furthermore, it also addresses the issue of contractual conditions for changing data processing service providers. In this respect, several references to ensure a high level of security throughout the data porting process have been added.
Customers should also be able to request full deletion of all their data “within prescribed or agreed deadlines”.
In addition, the changes introduce an obligation for data processing service providers to provide an open interface for the retrieval of the data for the customer. This, the document states, should be available “only to customers and their providers, but not publicly available”.
The text further clarifies that the obligations of data processing service providers to remove obstacles that could prevent customers from having functional equivalence when moving to a new provider should be the sole responsibility of the original provider.
However, the text adds, the original data processing service providers should cooperate with the data processing service providers of the receiving service with a view to facilitating functional equivalence, but “without the obligation to guarantee it”.
The document also specifies the deadlines and allows one year - from the publication of the open interoperability specifications and/or European standards - for data processing service providers to ensure compatibility with the interoperability specifications.
On the side of the Member States, the list of criteria to be taken into account in order to impose a sanction for a data breach has also been completed.
In particular, Member States should take into account the nature, seriousness, extent and duration of the infringement as well as the actions taken by the offender to mitigate or repair the damage caused by the breach. In addition, the offending entity’s liabilities and any previous offences should also be included in the criteria, as should the financial benefits obtained or losses avoided by the offender as a result of the offence.
See the document: https://aeur.eu/f/32s (Original version in French by Thomas Mangin)