Comparison of the Draft and Adopted Delegated Act on Data Access

1. CONTEXT OF THE DELEGATED ACT On 16 November 2022, Regulation (EU) 2022/2065 of the European Parliament and of the Council, the Digital Services Act (DSA) entered into force. That Regulation provides a harmonised legal framework applicable to all online intermediary services provided in the Union and seeks to create a safer digital space, in which the fundamental rights of all users of digital services are effectively protected. pProtected. Regulation (EU) 2022/2065 includes a special set of obligations for providers of very large online platforms (‘VLOPs’) and of very large online search engines engines, (‘VLOSEs’), proportionate to their particular role and societal impact in the Union. The It imposes several obligations imposed on such those providers seek to increase their public accountability, accountability and including include the obligation to maintain public repositories of advertisements, to draft publish reports at least once a year on the results of their assessment of any systemic risks stemming from the design design, functioning or functioning use of their service and its related systems systems, and to adopt on the risk mitigation measures, measures they put in place, as well as reports resulting from the obligation to subject themselves to independent compliance audits. Article 40 of Regulation (EU) 2022/2065 requires providers of very large online platforms and of very large online search engines to provide access to their the data they hold for the purposes of regulatory supervision supervision, and research and scrutiny that contributes to the detection, identification and understanding of systemic risks in the Union, and to the assessment of the adequacy, efficiency and impacts of risk mitigation measures that those providers have to take under that Regulation. The impact of this provision is twofold: researchers who fulfil the conditions set out in the provision will benefit from access to previously undisclosed or under-disclosed data, opening up new avenues for research and increasing the potential of generating knowledge for the benefit of all. At the same time, these insights will contribute to regulators’ the work on of competent authorities in carrying out their supervision and enforcement tasks, including the assessment of the measures implemented steps taken by those providers of very large online platforms and of very large online search engines to meet fulfil the their obligations under requirements laid down in Regulation (EU) 2022/2065. Pursuant to Article 40(13) of Regulation (EU) 2022/2065, the Commission shall is empowered to adopt delegated acts to supplement that Regulation by laying down the technical conditions under which providers of very large online platforms or of very large online search engines are to share data pursuant to Article 40, paragraphs 1 and 4, of Regulation (EU) 2022/2065 and the purposes for which the data may be used. In addition, the provision states that those delegated acts shall lay down the specific conditions under which such sharing of data with researchers can take place in compliance with Regulation (EU) 2016/679, as well as relevant objective indicators, procedures and, where necessary, independent advisory mechanisms in support of sharing of data, taking into account the rights and interests of the providers of very large online platforms or of very large online search engines and the recipients of the service concerned, including the protection of confidential information, in particular trade secrets, and maintaining the security of their service. This delegated act specifies the procedures and technical conditions enabling the provision of access to data pursuant to Article 40, paragraph 4 of Regulation (EU) 2022/2065. Given the important role that researchers can play for the detection, identification and understanding of systemic risks in the Union and for the assessment of the adequacy, efficiency and impacts impact of risk mitigation measures that providers of very large online platforms and of very large online search engines are required to take under that Regulation Regulation, (EU) 2022/2065, this delegated act specifies the procedures and technical conditions enabling the sharing of the data pursuant to Article 40, paragraph 4. To this end, this delegated act is intended to ensure an effective and harmonised application of the provision regulating access to data for vetted researchers pursuant to Regulation (EU) 2022/2065. The rules laid down in this delegated act build on existing practices for accessing data from providers of very large online platforms or of very large online search engines, which were set up on a voluntary basis. Considering the innovative nature of the mechanism set out in Article 40(4) of Regulation (EU) 2022/2065 involving different actors, namely researchers, Digital Services Coordinators and providers of very large online platforms or of very large online search engines, specific procedures are defined set out to develop solid, reliable, consistent and uniform practices, and to protect the rights and interests of all the actors involved. In particular, the delegated act sets out the procedures to be followed by Digital Services Coordinators for the formulation of reasoned requests for data access to data to providers of very large online platforms or of very large online search engines. In doing so, this delegated act also clarifies and harmonises the procedures for the management of the data access process, starting from the submission of the data access application and it establishes the Digital Services Act (DSA) data access portal, to underpin the different steps in the that process. Moreover, the delegated act sets out pays particular attention to the legal, organisational and technical safeguards conditions to be taken into account by the Digital Services Coordinator of establishment when determining the appropriate access modalities for the sharing provision of the access to data. To this end, the delegated act operationalises sets out rules for the interactions between the Digital Service Services Coordinator of establishment and the providers of very large online platforms or of very large online search engines in the processing of the reasoned request for data access access. to data. The delegated act therefore aims at designing establishing a practical consistent and clear uniform process for data access, access for vetted researchers, which will protect the rights and interests of those involved – while containing adequate safeguards against any form of abuse.

2. CONSULTATIONS PRIOR TO THE ADOPTION OF THE ACT Over the last two year, years preceding the adoption of this delegated act, the Commission has collected views from a wide range of different stakeholders, including providers of digital services, such as providers of very large online platforms or of very large search engines, providers of other online platforms and other intermediary service providers, other businesses, civil society organisations as well as an expert group of academics and researchers. In addition, the Commission conducted a public call for evidence from 25 April to 31 May 2023. 133 contributions were received, gathering feedback input on data access needs by from researchers, providers of online platforms, civil society organisations as well as other relevant interested stakeholders. The call also covered operational matters aspects of data access, such as procedural and technical requirements for data access applications. The Commission also conducted targeted consultations with specialised stakeholders in the field of research and access to data, including Member State experts, Digital Services Coordinators, in order to gather further technical views and identify areas that would benefit from further clarity through specification in this delegated act. Consultations took place with academics, civil society actors and intermediary service providers. Furthermore, the Commission published a draft of this delegated act for public feedback. feedback from 29 October 2024 to 10 December 2024. 109 contributions were received mainly from researchers, Digital Services Coordinators and businesses. This delegated act addresses the main points raised by stakeholders, stakeholders with a view to while preserving the level of rigor in ensuring that an efficient and harmonised process is in place, balancing the rights and interests of all actors involved for the provision of access to data for vetted researchers as required by Regulation (EU) 2022/2065.

3. LEGAL ELEMENTS OF THE DELEGATED ACT Section Chapter I sets out the general provisions, namely, namely the subject matter of the delegated act (Article 1) and the definitions of key terms (Article 2). Section Chapter II sets out the information and contact obligations in relation to the data access process. First, it establishes the DSA data access portal (Article 3), then it sets out the roles and responsibilities for the processing of personal data carried out in the DSA data access portal (Article 4) and the rules for the processing of personal data in the DSA data access portal (Article 5). Lastly, it sets out requirements regarding the points of contact and information to the public information on the data access process (Article 6). Section Chapter III lays down the requirements for the formulation and assessment processing of reasoned requests. requests for data access. It provides details on the formulation of a reasoned request for data access by the Digital Services Coordinator of establishment pursuant to Article 40(4) of Regulation (EU) 2022/2065 (Article 7), on the prerequisites for the formulation of a reasoned request for data access (Article 8), on the appropriateness of the access modalities to ensure compliance with the data security, confidentiality and personal data protection requirements corresponding to the data requested (Article 9) and on the content of the reasoned request for data access (Article 10). It then sets out the requirements for the publication of the an overview of the reasoned request for data access in the DSA data access portal (Article 11), the procedures for the handling of amendments amendment requests submitted by providers of very large online platforms or of very large online search engines pursuant to Article 40(5) of Regulation 2022/2065 (Article 12) and a mediation process the dispute settlement procedure (Article 13). Lastly, it lays down the conditions for the independent advisory mechanisms expert consultations (Article 14). Section Chapter IV contains a provisions provision on the conditions for providing access to the data requested to vetted researchers by providing details on the data format management and data documentation requirements data providers need to adhere to when providing access to data (Article 15). Finally, Section Chapter V contains the final provision of this delegated act concerning its entry into force (Article 16).

COMMISSION DELEGATED REGULATION (EU) …/... of XXX 1.7.2025 supplementing Regulation (EU) 2022/2065 of the European Parliament and of the Council by laying down the technical conditions and procedures under which providers of very large online platforms and of very large online search engines are to share data with vetted researchers pursuant to Article 40 of Regulation (EU) 2022/2065 (Text with EEA relevance)

THE EUROPEAN COMMISSION, Having regard to the Treaty on the Functioning of the European Union, Having regard to Regulation (EU) 2022/2065 of the European Parliament and of the Council of 19 October 2022 on a Single Market for Digital Services and amending Directive 2000/31/EC, and in particular Article 40(13) thereof, Whereas:

Article 40 of Regulation (EU) 2022/2065 lays down rules regarding access to data to be granted by providers of very large online platforms and of very large online search engines.

It In particular, it enables researchers who have demonstrated that they fulfil the relevant conditions laid down in Article 40(8) of that Regulation (‘vetted researchers’) to be provided with such access. The purpose of this This Regulation is to lay lays down technical conditions and harmonises the procedures necessary to enable such access.

Under Article 40(4) of Regulation (EU) 2022/2065, vetted researchers are to be provided with access to data to help them study systemic risks in the Union and assess the effectiveness of measures to reduce mitigate those risks. Their findings can constitute valuable input for the enforcement of Regulation (EU) 2022/2065. 2022/2065 and foster accountability of providers of very large online platforms and of very large online search engines.

To make The purpose of this Regulation is to lay down the data sharing according to Article 40(4) of Regulation (EU) 2022/2065 work, clear rules are needed for efficient sharing of data by providers of very large online platforms or of very large online search engines with vetted researchers. This includes setting out the steps and technical conditions needed and the procedures necessary to ensure enable such access, in a secure and efficient manner that is consistent across all Digital Services Coordinators, and in a way that ensures equality of treatment for researchers and data providers. is shared securely and efficiently.

To ensure that the data access process is transparent and consistent across all Digital Services Coordinators, Coordinators and to make this that process clear and easy-to-use, transparent for everyone, it is necessary to create a dedicated digital infrastructure (‘the DSA data access portal’). That The DSA data access portal should enable allow researchers, data providers, and Digital Services Coordinators to participate in the data access process, have access to and exchange disseminate relevant information, communications, such as the details of the dedicated points of contact, and updates communicate with on one ongoing processes. another. The DSA data access portal should not be considered as one of the access modalities to be used for the provision of access to the data pursuant to a reasoned request.

Data providers, and researchers wishing to participate in the data access process, should create an account on the DSA data access portal for that purpose. To ensure that Digital Services Coordinators can access information submitted via the DSA data access portal without needing to create a separate account in on the portal, the DSA data access portal should be interoperable with the information sharing system AGORA established by in Commission Implementing Regulation (EU) 2024/6073.

To ensure transparency of the data access process for all the parties involved and to monitor the effectiveness and efficiency of the data access process and compliance with Article 40(4) of Regulation (EU) 2022/2065 and this Regulation, the DSA data access portal should generate automatic notifications in relation to different steps and updates of the process.

In order to provide To make it easier for researchers to participate in with consistent information about the data access process, they should be given clear information about the procedures for applying for access to data. Digital Services Coordinators should therefore put in place dedicated make available and easily accessible on their online interfaces information pages, concerning the data access process, including links to the DSA data access portal, portal. allowing researchers to find information on To avoid creating unnecessary administrative burden, increase efficiency and facilitate communication among all parties involved in the data access process. process, Digital Services Coordinators are encouraged to facilitate the management of information related to the data access process, also from a linguistic perspective.

To help applicant In order to allow researchers to identify design effective research projects and to reduce the administrative burden relevant data for the purposes set out in Article 40(4) of Regulation (EU) 2022/2065, the data access process, data providers should make available DSA provide an overview of the data inventory of catalogues for their services services. Such catalogues should be easily findable and accessible online, including indications on the online interfaces of data providers, and should describe the available data assets, their data structures structure available, and metadata, where possible, indicate suggested modalities for accessing access to which may be requested pursuant to Article 40(4) of Regulation (EU) 2022/2065. When making available them. the DSA data catalogues, data providers should have regard to risks to confidentiality, data security or personal data protection potentially deriving from such information being made public.

To contribute to the development of relevant research projects for the purposes set out in Article 40(4) of Regulation (EU) 2022/2065, the DSA data catalogues should include in particular data related to the systemic risks in the Union that data providers have identified in their annual risk assessments pursuant to Article 34 of that Regulation, as well as data related to any risk mitigation measures referred to in Article 35 of that Regulation. To ensure the relevance and timeliness of the DSA data catalogues, those catalogues should be updated regularly with due consideration to newly identified systemic risks and the evolution of systemic risks. For example, they should reflect emerging risks identified following an ad hoc risk assessment pursuant to Article 34 of Regulation (EU) 2022/2065 or following an audit report pursuant to Article 37 of that Regulation. To minimise the procedural burden on the data providers, where appropriate, such catalogues may rely on existing data documentation resources used for other purposes and audiences, such as advertising, content creation, or third-party app development. The DSA data catalogues should not be required to be exhaustive and therefore should not bind or limit applicant researchers in their data access applications.

In order to facilitate the determination of the access modalities by the Digital Services Coordinator of establishment and reduce the overall burden of the data access process on all actors involved, data providers should publish their suggested access modalities for the data described in the DSA data catalogues. These suggested access modalities should be proportionate to the sensitivity of the data and include information on the possible technical, organisational and legal conditions considered by the data providers as appropriate to enable the provision of the data. The access modalities suggested by data providers should not bind Digital Services Coordinators of establishment, who should remain competent to determine the appropriate access modalities.

To ensure that data access application applications are treated equally, independently of the Member State Digital Services Coordinator to which the data access application is submitted or from which the reasoned request originates, the timeframe for the formulation of reasoned requests should be harmonised. In case specified to ensure consistency across all Digital Services Coordinators. If the formulation of the reasoned request requires additional time, the Digital Services Coordinator of establishment should notify the principal researcher, giving reasons for the delay. Such reasons may include the need for to carry out additional verifications, verifications by the Digital Services Coordinator of the research organisation or of establishment, for example where data access applications imply international data transfers, or where the Digital Services Coordinator of establishment has detected identified potential risks to the security of the Union if the data were to be shared. Making use With a view to aligning also the steps in the data access process preceding the formulation of reasoned requests, including any independent advisory mechanism should not be among the reasons causing assessment of data access applications and granting of vetted researcher status, Digital Services Coordinators are encouraged to develop a consistent and coordinated way of working, including common operational criteria, within the delay. framework of the European Board for Digital Services.

To ensure that In order to streamline the procedures for the formulation of reasoned requests, all Digital Services Coordinator Coordinators of establishment should be required has all the information necessary to formulate the reasoned request, the Digital Services Coordinator to which the data access application was submitted, should verify that certain common elements the data access application includes the relevant information and supporting documentation. Within 5 working days from the receipt of the data access process were duly covered in application, the principal researcher should receive a confirmation of completeness or be notified about the possibility to correct and resubmit the data access application applications. if information or supporting documentation are missing.

To that end, As a prerequisite for formulating a reasoned request, the Digital Services Coordinator Coordinators of establishment should verify whether that all applicant researchers who are mentioned in the data access application have provided the relevant documentation demonstrating demonstrated their affiliation to a research organisation, such as for example by providing documentary evidence of employment contracts or any other form of legal association. association with the research organisation.

The Digital Services Coordinator Coordinators of establishment should also verify that documentation the applicant researchers demonstrating demonstrated their independence from commercial interests interests, for example, by and their access to the available legal, organisational and technical means to meet the requirements of confidentiality, data security and protection of personal data has been provided, for example in the form of a declaration to that effect. commitment letter by the research organisation of affiliation of each applicant researcher.

The Digital Services Coordinator of establishment should verify that the funding of the research project for which the data are requested is disclosed. disclosed in the data access application. The information provided by the applicant researchers should include details of the financial and non-financial contributions, such as the funding entity, the amount, the nature and duration of the contribution contribution, and including whether the funding entity, has already been awarded or whether an application for funding is still under evaluation, as well as, where applicable, relevant references to EU Union funded projects. Where available, the data access application should also include the outcomes of evaluations conducted by the entity or entities providing the funding.

The Digital Services Coordinator of establishment should verify whether the data access application describes how the research project for which the data are requested is relevant for the purposes laid out in Article 40(4) of Regulation (EU) 2022/2065 and includes information on the research questions addressed and the planned methodology for conducting the research. Where available, the data access application should include the outcomes of evaluations concerning the scientific merits of the research projects conducted by the research organisation of affiliation or the entity providing the funding, including references to evaluation processes conducted in relation to EU funded projects.

The Digital Services Coordinator of establishment should verify that the data access application describes how the modalities by which the data were and data format are selected, with reference to the requirements of necessity for, and proportionality, proportionality entailing that to, the purpose of the envisaged research. Where the requested data can only are also available through other sources, the Digital Services Coordinator of establishment should assess whether the request for such data in the data access application is duly justified, having regard to the information in the data access application. Possible justifications may include evidence of poor quality or unreliability of such data deriving from other sources or the unsuitability of the format in which such data may be requested if retrieved from other sources for the purposes of the research cannot be achieved by project, which would hinder other the performance of existing means, such as data being available through other the research project. sources, including public data Data access modalities and tools. The data that can be applied for requested in order to study systemic risks or their mitigation in the Union may vary over time. evolve in the future.

Current examples of such data include data related to users of the services, such as profile information, relationship networks, individual-level content exposure and engagement histories; interaction data such as comments or other engagements; data related to content recommendations, including data used to personalise recommendations; data related to ad the targeting of advertisements and profiling, including cost per click data and other measures of advertising prices; data related to the testing of new features prior to their deployment, including the results of A/B tests; data related to content moderation and governance, such as data on algorithmic or other content moderation sytems systems and processes, including changelogs, archives or repositories documenting moderated content, including accounts as well as data related to prices, quantities and characteristics of goods or services provided or intermediated by the data provider.

The Digital Services Coordinator of establishment should verify whether the data access application describes provides for sufficient information that demonstrate that the researcher is capable of fulfilling the specific requirements of confidentiality, security and protection of personal data with respect to the data requested, requested data, identifies possible risks deriving from the access accessing and processing of such data for the purposes of the research, and illustrates documents any access modalities proposed, including the proposed legal, organisational and technical safeguards conditions that will be put in place to minimise the identified risks. risks, Such safeguards can take the form for instance by means of a any combination of relevant legal, organisational and technical means, including appropriate access modalities, and should be adapted to the specific research project. Possible examples include data access agreements, non-disclosure agreements, organisational measures, such as internal processes applied to monitor that measures that are intended as safeguards are correctly applied or internal verifications of the fulfilment of commitments commitment letter from a data access application by staff not linked to the research project as well as activity logging organisation confirming access to means that can constitute relevant safeguards, or other supporting Documents. authentication and access restriction measures and encrypted storage of the data.

Where personal data within the meaning of Article 4, point (1), of Regulation (EU) 2016/679 of the European Parliament and of the Council are requested, the Digital Services Coordinator of establishment should first verify that the data access application includes information on the legal basis justifying for the processing of personal data, including special categories, categories of personal data, where applicable, and whether such legal basis is in line with Article 6(1), points point (e) or (f), or and where applicable Article 9(2), points point (g) or (j), of Regulation (EU) 2016/679. In addition, the Digital Services Coordinator of establishment should also verify that the data access application contains relevant sufficient indication that the researchers have assessed risks to personal data protection protection. For example, this could be demonstrated by a documentation, such as the records of processing activities pursuant to Article 30 of Regulation (EU) 2016/679, the data protection impact assessments assessment within the meaning of Article 35 of that Regulation Regulation. (EU) 2016/679 and any other documentation ensuring the implementation of the principles of data protection by design and by default and the application of data security best practices, as relevant.

To facilitate the formulation of the reasoned request, request and preserve the integrity of the information included in the data access application the Digital Services Coordinator of establishment should verify whether the data access application includes a summary. The existence of such Such a summary should contain an overview contribute to preserving the integrity of the information included that will be part of the reasoned request, published in the DSA data access portal, in cases where the assessment of the data access application. application leads to the formulation of a reasoned request.

In order to determine ensure that the appropriate access modalities, modalities including appropriate interfaces as referred the Digital Services Coordinator of establishment determines are adequate to address the sensitivity of the specific data requested in a data access application, Article 40(7) of Regulation (EU) 2022/2065, the Digital Services Coordinator of establishment should assess whether perform a case-by-case assessment, based on the information provided access modalities proposed by the applicant researchers in the data access application application. are The access modalities established in the reasoned request should be appropriate to fulfil the requirements of data security, data confidentiality and protection of personal data and, at the same time, enable the attainment of the research objectives of the research project.

Such modalities Access to data may be, among others, a take place for example through data transmission to the vetted researchers via an appropriate interface and appropriate data storage; a transmission of the data to to, and storage in in, a secure processing environment operated by the data provider or by a certified third party provider to which vetted researchers have access but where no data transmission to the vetted researchers takes place, or other access modalities to be set up or facilitated by the data provider. When specifying the access modalities, the Digital Services Coordinator of establishment should also list any legal, technical or organisational conditions to which access is to be subject. In cases where providing access involves a transfer of personal data to third countries or international organisations within the meaning of Chapter V of Regulation (EU) 2016/679, the access modalities should also include information on the need to put in place an appropriate transfer mechanism, to ensure that the data provider takes the necessary action to comply with that Regulation.

To ensure that the personal data are shared can be accessed in compliance with Regulation (EU) 2016/679, Digital Services Coordinators may should be allowed to consult the relevant supervisory authorities established pursuant to Article 51 of that Regulation Regulation, (EU) 2016/679 which remain ultimately competent to assess the compliance with Regulation (EU) 2016/679. With a view to ensure that the level of protection of natural persons guaranteed by Regulation (EU) 2016/679 is not undermined where sharing the data with the vetted researchers will involve international data transfers, such consultation should be compulsory, unless the international transfer is covered by an implementing act adopted pursuant to Article 45(3) Regulation (EU) 2016/679, ensuring an adequate level of protection.

To ensure that the data access modalities are appropriate to address particular specific sensitivities in terms of data protection, of data security or of confidentiality, the Digital Services Coordinator of establishment, on the basis of the information received in the data access application, should be able to the Digital Services Coordinator of establishment may require require, in the reasoned request that access to data are shared be provided via secure processing environments. In such cases, the Digital Services Coordinator of establishment should ensure that the chosen environment is operates in line with the latest most appropriate technological technology developments and it allows should require the relevant documentation attesting that the necessary security and technical measures are in place and that controls are in place to monitor the effectiveness of such measures, with the purpose of ensuring that such environments are appropriate to process sensitive data, while at the same time allowing the vetted researchers to attain the objectives of their research.

In order to ensure consistency of with regard to the information transmitted by the Digital Services Coordinators of establishment to the data providers, it is necessary to specify the structure content of the reasoned requests requests. should be standardised.

In order to safeguard the interests of data providers and to reduce the frequency of amendment requests over time, time also reducing and facilitate the burden formulation of relevant analysing similar data access applications by researchers, for Digital Services Coordinators, an overview of each reasoned request, including any amendments and updates, updates to it, should be made publicly available in the DSA data access portal, portal by the Digital Services Coordinator of establishment. establishment who issued the respective reasoned requests.

In order to ensure that the Digital Services Coordinator of establishment has the relevant information to evaluate an amendment request and to facilitate a uniform approach in the evaluation of amendment request, requests, the data provider should explain be required to specify the reasons for such request, detailing as referred to in Article 40(5) of Regulation (EU) 2022/2065. More specifically, when assessing an amendment request submitted on the grounds to propose to modify the basis of a data provider’s lack of access to the specific data data, requested or to propose alternative data. In the context of amendment requests, the Digital Services Service Coordinator of establishment should be in a position to examine whether the alleged impossibility is duly justified, for example by the non-existence of the requested data, or by technical restrictions such as encryption and it should have regard the information necessary to consider whether the lack of access is permanent or temporary. It should be clear, in this respect, that commercial considerations should not be considered as a ground to automatically refuse access to requested data butrather as a ground to modify the means of providing access to the legitimate interests of data, which may result in imposing additional data security and providers, including the protection of their trade secrets, confidentiality requirements. and security.

In order to ensure an efficient resolution of disputes within and to encourage the framework laid down identification of a mutually acceptable solution, following an amendment request, data providers should be able to ask the Digital Services Coordinators of establishment to participate in mediation. Such participation should be voluntary throughout the entire mediation process and should not result in any binding outcome for sharing data to fulfil the purposes referred to in Article 40(4) of Regulation (EU) 2022/2065, in cases where a request for amendment is rejected by the Digital Services Coordinator of establishment, which remain competent to decide on the amendment data provider may suggest a mediation and identify a mediator to that end. Such mediator should support an agreement between the data provider and the Digital Services Coordinator of establishment on a specific reasoned request. requests.

To For the purposes of facilitating inform informed decisions related and effective decision-making in relation to the data access process, Digital Services Coordinators may decide should have the possibility to request expert opinions on specific elements of the data access process, such as the determination of the access modalities, including appropriate interfaces, the formulation of the reasoned request and any amendment requests by the data provider. The experts and bodies consulted should possess proven expertise in the matter on which the their subject matter opinion is sought and should be independent. In particular, they should not have any conflict of interests, deriving for example from any ties with the applicant researchers or with the data provider.

In order to prevent that mediation indefinitely prolong the data access process, the transmission of the written request for mediation, the selection of the mediator and the mediation process itself should take place within specified timeframes. The Digital Services Coordinators of establishment should set a time limit for the mediation process in relation to a given reasoned request and the mediator should have the authority to terminate the mediation process in specific circumstances.

In order to maintain mutual trust among the parties involved in the mediation, the Digital Services Coordinator of establishment should ensure that the proposed mediator meet the requirements of impartiality, independence and possess relevant expertise on the subject matter of the mediation.

To In order to increase transparency and allow Digital Services Coordinators to build on their expertise acquired over time, each expert consultation request and respective outcome the follow-up generated by it should be registered in AGORA.

In order to facilitate allow for the effective monitoring supervision of compliance with the conditions set out in the reasoned request, the data provider should notify the Digital Services Coordinator of establishment when within three working days of the date on which access has been provided to the vetted researchers get and of the date of the access to the data and when such access is its termination. terminated by the data provider.

In order to enable the navigation and usability of vetted researchers to use the accessed requested data for the purposes of the research and to provide relevant put them in the proper context, context information, data providers should provide vetted researchers with the relevant metadata and documentation describing the data made available, such as codebooks, changelogs and architectural documentation.

In order to facilitate allow for meaningful research to be conducted by the vetted researchers, also by enabling the combination of the data requested with data available through other sources, data providers should not impose any restrictions on the analytical tools employed by vetted researchers, including relevant software libraries, and should not impose archiving, storage, refresh and deletion requirements, unless they are explicitly mentioned in the access modalities, modalities identified in the reasoned request.

Where the data provided to the vetted researchers include personal data, data within the meaning of Article 4 of Regulation (EU) 2016/679, the data provider should observe make use of the possibilities offered by rules laid down in that Regulation Regulation. (EU) 2016/679. In particular, Article 40(4) of Regulation (EU) 2022/2065 creates a legal obligation in within the sense meaning of Article 6(1), point (c) of Regulation (EU) 2016/679 for any processing of personal data necessary for the data provider to provide access to the data specified in the reasoned request. Where special categories of personal data within the meaning of Article 9 of Regulation (EU) 2016/679 are to be processed, this Regulation the data provider should demonstrate that the processing meets the requirements requirement of Article 6(1), point (c) of Regulation (EU) 2016/679, as well as Article 9(2), point (g) of Regulation (EU) 2016/679.

The European Data Protection Supervisor was consulted in accordance with Article 42(1) of Regulation (EU) 2018/1725 of the European Parliament and of the Council and delivered an opinion on 4 December 2024.

After consulting the European Board for Digital Services in accordance with Article 40(13) of Regulation (EU) 2022/2065 and following its endorsement, HAS ADOPTED THIS REGULATION:

Subject Matter

This Regulation lays down procedures and technical conditions for providing vetted researchers with access to data held by providers of very large online platforms and of very large online search engines, pursuant to Article 40(4) of Regulation (EU) 2022/2065, in particular:

the technical conditions for the development and functioning of a data access portal portal; for the purposes of Regulation (EU) 2022/2065;

the procedures and technical conditions for the management of the data access process by Digital Services Coordinators and data providers;

the requirements for the formulation of reasoned requests and the assessment of amendment requests;

the technical conditions for the provision of access to data by the data providers.

Definitions

For the purposes of this Regulation, the definitions set out in Article 4 of Regulation (EU) 2016/679, 2016/679 and Article 3 of Regulation (EU) 2018/1725 of the European Parliament and Article 3 of the Council Regulation (EU) 2022/2065 shall apply. The following definitions shall also apply:

‘data access application’ means the information and relevant documentation submitted by applicant researchers to the Digital Services Coordinator of establishment or the Digital Services Coordinator of the Member State of the research organisation organisation, to which the principal researcher is affiliated affiliated, to obtain the vetted researcher status of ‘vetted researcher’ as referred to in Article 40(8), first subparagraph, of Regulation (EU) 2022/2065, for a specific research project involving access to data from a data provider;

‘data access process’ means the steps and procedures that may lead to the sharing provision of access to the data pursuant as referred to in Article 40(4) of Regulation (EU) 2022/2065;

‘applicant researcher’ means any natural person applying for access to data, data as referred to in Article 40(4) of Regulation (EU) 2022/2065, either individually, in a group or as part of an entity;

‘principal researcher researcher’ means the applicant researcher who submits the data access application and assumes the responsibility for the completeness and accuracy of the information in and the supporting documentation of a data access application in their individual capacity or on behalf of an entity or a group of applicant researchers researchers; and acts as a contact point for the data access application when the vetted status is granted;

‘data provider’ means a provider of a very large online platform or of a very large online search engine designated as such in accordance with Article 33(4) of Regulation (EU) 2022/2065, that controls the data to which access is a reasoned requested request might be addressed; pursuant to Article 40(4) of Regulation (EU) 2022/2065;

‘access modalities’ means any appropriate interface pursuant to Article 40(7) of Regulation (EU) 2022/2065, as well as any legal, organisational and technical conditions determining access to the data requested;

‘reasoned request’ means a reasoned request for data access pursuant to Article 40(4) of Regulation (EU) 2022/2065;

‘amendment request’ means a request for amendment pursuant to Article 40(5) of Regulation (EU) 2022/2065 submitted by the data provider to the Digital Services Coordinator of establishment following the receipt of a reasoned request;

‘DSA data access portal’ means the digital infrastructure hosted by the Commission that facilitates the management of the data access process, including the processing of relevant information;

‘secure processing environment’ means the secure processing environment provided by or on behalf of the data provider as defined in Article 2, point (20), of Regulation (EU) 2022/868. 2022/868 of the European Parliament and of the Council.

DSA data access portal

The Commission shall establish the and host a DSA data access portal, portal.

which The DSA data access portal shall: shall have the following functions:

support and streamline the management of the data access process for researchers, data providers and Digital Services Coordinators;

serve as the single central digital point for of exchange of information on the data access process and facilitate the information exchanges pursuant to this Regulation among applicant researchers, vetted researchers, data providers, providers and Digital Services Coordinators.

The DSA data access portal shall be hosted by the Commission

The DSA data access portal shall be interoperable with the information sharing system AGORA established by Implementing Regulation (EU) 2024/607. The Digital Services Coordinators shall have access in AGORA to the information submitted through the DSA data access portal.

Data providers shall register in have an account on the DSA data access portal.

To participate in the data access process, applicant researchers shall register in have an account on the DSA data access portal.

The DSA data access portal shall consist of a publicly accessible interface and non-public dashboards accessible to applicant and vetted researchers and data providers as users who have been identified and authenticated, following the registration.

Roles and responsibilities for processing personal data in the DSA data access portal

The Commission shall be a processor of personal data processed within the DSA data access portal. meaning of Article 3, point (12), of Regulation (EU) 2018/1725 in respect of:

personal data when registering applicant researchers and data providers in the DSA data access portal;

personal data necessary for the data access process and the related sharing of information, including with AGORA.

The responsibilities of the Commission as processor for data processing activities conducted in the DSA data access portal shall be as set out in the Annex Annex.

Digital Services Coordinators shall be separate controllers within the meaning of Article 4(7) of Regulation (EU) 2016/679 with respect to the processing of personal data they carry out to manage the data access process. process and for publication of relevant information.

Processing of personal data in the DSA data access portal

The transmission, storage and other processing of personal data in the DSA data access portal shall take place only as necessary and proportionate and only for the purpose of managing the data access process. The processing of personal data shall take place in the DSA data access portal only in respect of the following categories of data subjects:

natural persons registered in having an account on the DSA data access portal;

natural persons whose personal information data is contained in the data access application to the DSA data access portal or in any other exchange pursuant to this Regulation concerning the data access process.

Where personal data are registered in and exchanged via the DSA data access portal, the processing shall take place only in so far as it is proportionate and necessary for the purpose of the data access process and publication of relevant information.

The processing of personal data may shall take place in the DSA data access portal only in respect of the following categories of personal data:

identity data, such as name, address, contact information, contact number and user ID ID; of the natural persons for the purpose of the registration;

identification data, contact information such as address, email address, contact details, details;

personal data contained in the documentation demonstrating the affiliation to a research organisation, and any other personal information deemed necessary necessaryfor for the purpose of submitting participating in the data access application; process.

logs indicating the information about the flow and movements of the exchanged data in the DSA data access portal.

The DSA data access portal shall store the personal data listed under Article 5(2) of this Regulation.

The storage processing of personal data referred to in paragraph 5(3) 1 shall be performed using information technology infrastructure located in the European Economic Area.

The Commission shall ensure that data subjects can exercise their rights in accordance with Regulation (EU) 2018/1725, and shall be responsible for compliance with that Regulation for the personal data processing activities carried out on its behalf.

Points of contact and public information on the data access process

The Each Digital Services Coordinators Coordinator and each data provider shall establish a dedicated point of contact contact, for applicant and vetted researchers as well as data providers, whose task shall be to provide information and support on the data access process process. pursuant to Article 40(4) of Regulation (EU) 2022/2065. The Digital Services Coordinators shall communicate their points of contact to the Commission.

The Each Digital Services Coordinators Coordinator shall make available and easily accessible findable on their its online interfaces interface, the details of the points point of contact established pursuant to paragraph 1, 1 together with a link to the DSA data access portal portal. and an indication of the Union languages in which they accept data access applications.

Each The Digital Services Coordinators and data provider providers shall establish a communicate their point points of contact for the data access process and communicate the contact details to their Digital Services Coordinator of establishment and to the Commission. Commission, as soon as possible.

Data providers shall make the following information available and easily accessible findable on their online interfaces interfaces:

the details of the point of contact, contact established by them pursuant to paragraph 1;

a link to the DSA data access portal portal; as well as

an overview of a DSA data catalogue, which describes the data inventory assets, that may be accessed for the purposes set out in Article 40(4) of Regulation EU 2022/2065, as well as their data structure services, including examples of available datasets and metadata;

suggested access modalities for the data in the catalogue pursuant to access point (c), adequate to them the level of sensitivity of the different data assets.

The points of contact shall not contain any personal data within the meaning of Article 4, point (1), of Regulation (EU) 2016/679.

The Commission shall publish the details of the points of contact referred to in paragraphs paragraph 1 and 2 in the public interface of the DSA data access portal.

The information referred to in paragraph 4, points (c) and (d), shall be regularly updated, in particular to reflect data related to the risk assessments carried out pursuant to Article 34 of Regulation (EU) 2022/2065 and the audits carried out pursuant to Article 37 of that Regulation.

Formulation of reasoned request

Within 5 working days from the receipt of the data access application, the Digital Services Coordinator to which the data access application has been submitted shall either confirm to the principal researcher that the application contains the information and supporting documentation listed in Article 8, or indicate which elements of the data access application require correction or completion, allowing the principal researcher to resubmit.

Within 21 80 working days starting from the submission day after the confirmation of a completeness of the data access application application, to the principal researcher, the Digital Services Coordinator of establishment establishment, taking due account of the prerequisites set out in Article 8 and, where applicable, any other assessment relevant for these purposes, shall: shall decide whether a reasoned request can be formulated and shall undertake one of the following actions:

Where appropriate, formulate a reasoned request, transmit submit it to the data provider and inform notify the principal researcher of its transmission; the submission of the reasoned request;

or inform the principal researcher about of the reasons why the reasoned request could not be formulated.

Where, in duly justified cases, the Digital Services Coordinator of establishment needs additional time to formulate the a reasoned request, it may extend the deadline referred to in paragraph 2 for a reasonable period. The Digital Services Coordinator of establishment shall notify the principal researcher of the extension as soon as possible and shall indicate the reasons for the delay and as well as a new date for undertaking the actions referred transmission of the reasoned request to the data provider. in paragraph 1.

Prerequisites for formulating a reasoned request

The Digital Services Coordinator of establishment shall verify that the data access application includes decide whether a reasoned request can be formulated taking into account the following elements:

the consent from the principal researcher to be the point of contact for the data access application;

for each applicant researcher:

the identity and contact details of the applicant researcher;

documentary evidence a confirmation of affiliation to a research organisation as defined in Article 2, point (1), of Directive (EU) 2019/790 of the existence European Parliament and of a formal relationship between the Council; applicant researcher and the research organisation of affiliation;

confirmation a declaration of affiliation, independence from commercial interests relevant and access to the specific project for which technical means necessary to meet the data are requested; requirements set out in Article 40(8), point (d), of Regulation (EU) 2022/2065;

a commitment to making their research results publicly available free of charge.

information about funding, funding including both financial and non-financial contributions supporting the research project for which the data are requested;

a description of the research project, including activities to be conducted with the requested data; research question, the systemic risks or mitigation measures studied and the planned research activities;

a description information about the volume, scope, granularity and type of the data requested; requested, including format, scope and, where possible, the specific attributes, relevant metadata and data documentation, also considering the information made available pursuant to Article 6(4) of this Regulation;

an explanation as to why the research project cannot be carried out with alternative existing means such as using data available through other sources;

information on the identified proposed safeguards to mitigate possible risks in terms of confidentiality, data security and personal data protection corresponding related to the data that would be requested, including as regards the modalities of access accessed, a description to and processing of the technical, legal and organisational measures that will be put in place, including, where possible, suggested access modalities, to mitigate such risks when processing the requested data;

information on the necessity an and estimation proportionality of the required duration access to the data and the information on the time frames of the access, consistent with research for which the data are requested; described research activities and planned methodology;

a summary of the data access application containing insofar as it is relevant to the vetted status that has been granted, including the following elements:

an abstract of the research topic, topic; including the systemic risks studied;

the data provider from which data are requested requested; for the purposes of carrying out the research project;

a description of the data requested, as referred to in be shared, including format, scope and, where possible, specific data points. point (c).

Appropriate access Access modalities

The Digital Services Coordinator of establishment shall determine in the reasoned request modalities, including the modalities according technical, legal and organisational measures, that the data provider is to which use for providing access to the data is to be granted by the data provider. vetted researchers.

When determining the access modalities, the Digital Services Coordinator of establishment shall take into account the sensitivity of information provided in the data requested, access application, in particular the information referred to in Article 8, point (e), considering also the rights and interests of the data provider, providers and the recipients of the service concerned, including the protection of confidential information, in particular trade secrets, and maintaining the security of its their service. service and the information made available by the data providers pursuant to Article 6(4), point (d).

The Where providing access to data involves international data transfers, the Digital Services Coordinator Coordinators of establishment shall be allowed to consult the relevant supervisory authorities established pursuant to Article 51 of Regulation (EU) 2016/679, unless the international transfer in question is covered by an implementing act adopted pursuant to Article 45(3) Regulation (EU) 2016/679.

In addition to the elements referred to in paragraph 3, the Digital Services Coordinator of establishment shall, when determining access modalities, take into account the following elements: (a) where the access involves the processing of personal data: i. the assessment of the risks concerning processing of personal data as described in Article 8(e), including, where applicable, data protection impact assessments within the meaning of Article 35 of Regulation (EU) 2016/679; ii. envisaged technical and organisational measures as submitted pursuant to Article 8(e). (b) relevant network security measures, encryption, access control mechanisms, backup policies, data integrity mechanisms, incident response plans; (c) where applicable, information on the intended storage period and the relevant data destruction plans; (d) any organisational measures such as internal review processes, restrictions of access rights and information sharing; (e) any proposed contractual clauses, such as non-disclosure agreements, data agreements and any other type of written statements, laying down possible conditions of access and processing between the principal researcher and the data provider; (f) existence of training on data security and protection of personal data received by the applicant researchers; (g) Whether secure processing environments is necessary to process the data.

Where, Where in accordance with the access modalities, Digital Services Coordinator of establishment considers that a secure processing environment is to be used to grant provide access, access to the data requested, the Digital Services Coordinator of establishment shall require documentation attesting that the operator of that environment:

specifies access conditions to the secure processing environment in order to minimise the risk of the unauthorised reading, copying, modification or removal of the data hosted in the secure processing environment;

ensures that vetted researchers have access only to data covered by their the reasoned request, by means of individual and unique user identities and confidential access modes;

keeps identifiable logs of access to the secure processing environment for the period necessary to verify and audit all processing operations in that environment;

ensures that the computing power at the disposal of the vetted researchers is appropriate and sufficient for the purposes of the research project;

monitors the effectiveness of the measures listed in points (a) to (d).

Content of the a reasoned request

The A reasoned request shall contain at least the following elements:

the contact details of the principal researcher;

the date by which the data provider shall give access to the data requested and the date on which such access shall be terminated;

the access modalities determined pursuant to Article 9; for the sharing of the data with the vetted researchers;

the summary of the data access application referred to in Article 8, 8 point (i). (g);

The Digital Services Coordinator of establishment may include in the reasoned request the names and contact details of all vetted researchers mentioned in the data access application may be disclosed where this is necessary to enable access to the requested data, in accordance with the access modalities specified in the reasoned request.

If providing access involves a transfer of personal data to a third country or international organisation within the meaning of Chapter V of Regulation (EU) 2016/679, the reasoned request shall include information on the need to put in place or refer to an appropriate transfer mechanism to ensure compliance with Regulation (EU) 2016/679.

Publication of the an overview of the a reasoned request in the DSA data access portal

Upon formulation of the a reasoned request, the Digital Services Coordinator of establishment shall publish an overview of the reasoned request in the public interface of the DSA data access portal. The overview shall contain: contain all the following:

the summary of the data access application referred to in Article 8, 8 point (i); (g);

the access modalities determined pursuant for the sharing of the data to Article 9. the vetted researchers.

The Where necessary as a result of an amendment request or a dispute settlement procedure, the Digital Services Coordinator of establishment shall update the overview referred to in paragraph 1 accordingly. shall be updated to reflect any changes resulting from a modification of one or more elements following the examination of an amendment request or the outcome of a mediation in accordance with Article 13.

Procedures for examining the handling of amendment requests

Upon the receipt of an amendment request, request pursuant to Article 40(5) of Regulation (EU) 2022/2065, the Digital Services Coordinator of establishment shall inform the principal researcher concerned.

When deciding on an amendment request made pursuant to Article 40(5), point (a), of Regulation (EU) 2022/2065, the Digital Services Coordinator of establishment shall take into account whether: the following:

whether the reasons for the inaccessibility alleged lack of access to data are duly substantiated;

the whether that lack of access to data is permanent or temporary.

When deciding on an amendment request made pursuant to Article 40(5), point (b), of Regulation (EU) 2022/2065, the Digital Services Coordinator of establishment shall take into account: account all the following:

whether the alleged vulnerability vulnerabilities and its their significance are duly substantiated;

the likelihood and severity of harm resulting from the these alleged significant vulnerability; vulnerabilities;

the extent to which the access modalities set out in the reasoned request effectively mitigate the risk of such harm occurring.

At any time during the assessment of an amendment request, the Digital Services Coordinator of establishment may ask the data provider to provide or the principal researcher for any additional information needed that it considers necessary to complete its assessment.

Such request for additional information shall be made as soon as possible to allow the data provider or the principal researcher sufficient time to respond and, in any event, shall not affect the deadline set in Article 40(6), second subparagraph of Regulation (EU) 2022/2065. Where the data provider or the principal researcher fails to provide the requested information at all or within a period specified by the Digital Services Coordinator of establishment concludes that the amendment request is duly justified, it shall assess whether any proposals for alternative access modalities to the requested data or provides partial information, any proposals for alternative data pursuant to Article 40(6) of Regulation (EU) 2022/2065 strike an appropriate balance between the data access requested and the vulnerabilities invoked in support of the amendment request. In assessing such proposals, the Digital Services Coordinator of establishment may consult shall make its decision within the principal researcher timeframe laid down in Article 40(6) of Regulation (EU) 2022/2065, based on the information that was made available to it within a reasonable delay. enquire about the suitability of any alternative proposals submitted by the data provider for attaining the objectives of the research project proposed in the data access application.

If the assessment of the amendment request leads to a modification of one or more elements in the reasoned request, the Digital Services Coordinator shall modify the reasoned request accordingly, transmit it to the data provider and, in parallel, notify the principal researcher and update the overview of the reasoned request in the DSA data access portal.

Mediation Dispute settlement procedure

If the data provider disagrees with the decision of the Digital Services Coordinator of establishment following an on the amendment request, the data provider may may, ask within a period of five working days from the communication by the Digital Services Coordinator of establishment pursuant to Article 40(6), second subparagraph of Regulation (EU) 2022/2065, request in writing the Digital Services Coordinator of establishment to participate in a mediation. The request for mediation shall include the identity and contact details of the proposed mediator.

The Digital Services Coordinator of establishment shall not be obliged to participate in the mediation process.

The written request referred to in paragraph 1, shall include a concise description of the specific elements of the decision, as communicated by the Digital Services Coordinator of establishment pursuant to Article 40(6), second subparagraph of Regulation (EU) 2022/2065, to which the data provider objects.

The Digital Services Coordinator of establishment and the data provider shall agree on the appointment of a mediator and initiate the mediation within 20 working days from the submission of the mediation request pursuant to paragraph 3.

The mediator shall be impartial and independent. The objective of the mediator shall be to help parties reach an agreement that: (a) allows vetted researchers to access the data (b) protects the rights and interests of the data provider and the vetted researchers.

The Before agreeing to the appointment of a mediator, the Digital Services Coordinator of establishment shall verify that the mediator proposed meets is impartial and independent and possesses the requirements of impartiality and independence and has qualified and relevant expertise related experience in relation to the elements laid down subject matter as described in the written request referred Article 40(5) of Regulation (EU) 2022/2065 and is able to in paragraph 1. act without undue delay. If the Digital Services Coordinator of establishment determines that the proposed mediator does not meet those requirements, it may ask the data provider to propose another mediator. When the Digital Services Coordinator of establishment has verified that the proposed mediator meets those requirements, it shall confirm the suitability of the mediator.

The data provider shall bear all be solely responsible for covering the costs of the mediation.

The Where appropriate, the Digital Services Coordinator of establishment shall inform the principal researcher of the mediation request referred to in paragraph 1 without undue delay and may decide to invite the principal researcher to join the mediation as a party party. Where the data access application has been submitted to help reach an agreement that supports the objectives Digital Services Coordinator of the research project organisation, the Digital Services Coordinator of establishment may invite the Digital Services Coordinator of the research organisation to participate in relation the mediation process. Any party invited to which join the data was requested. mediation by the Digital Services Coordinator of establishment shall not be obliged to participate in the mediation process.

The data provider, All parties involved in the mediation process should engage Digital Services Coordinator of establishment and, where relevant, the principal researcher, shall act in good faith throughout the mediation. and strive to reach a fair and mutually acceptable agreement.

The participation Participation in mediation shall not affect the rights right of the parties to initiate judicial proceedings at any time before, during or after the mediation.

The Digital Services Coordinator of establishment may shall set a time limit for the mediation, which cannot shall not exceed two months from 40 working days starting on the day of date on which the initiation of meditation process was started in accordance with paragraph 1. If no agreement has been reached within that time limit, the mediator shall declare the mediation closed. pursuant to paragraph 4.

The mediator may end terminate the mediation earlier if in one of the following cases:

one of the parties requests it explicitly; explicitly to terminate the mediation;

it becomes clear that the parties’ conduct of the parties during the mediation mediation, including a failure to engage in good faith, makes it unlikely that an agreement will be reached. reached

The Digital Services Coordinator of establishment shall register in AGORA a summary record of the mediation, prepared by the mediator and signed by all parties. The record shall include the following information:

the date of the written request for mediation by the data provider;

the identities and contact details of the participants; parties;

the start and end dates of the mediation;

the outcome of the mediation, including any agreement reached or the reason for termination of the mediation.

Where the mediation leads to results in an agreement between resulting in granting access to the parties, data on terms that are different to those specified in the reasoned request, the Digital Services Coordinator of establishment shall amend take such agreement into account and, where appropriate, modify the reasoned request to reflect that agreement. and inform the principal researcher of the modification.

Where the parties fail to reach an agreement, the Digital Services Coordinator of establishment shall notify the data provider that the decision of the Digital Services Coordinator of establishment on the amendment request, as last communicated pursuant to Article 40(6), second subparagraph of Regulation (EU) 2022/2065, shall be considered valid and shall serve as the relevant basis for further steps in the process and inform the principal researcher.

Independent advisory mechanisms expert consultation

Before formulating a reasoned request, or taking a decision on an amendment request, the Digital Services Coordinator may decide to consult experts.

The experts shall: shall (a) be independent and impartial; impartial (b) and possess relevant expertise and proven skills and have the capacity and resources to perform the identified task, without incurring undue delay.

To attest impartiality, the experts shall sign a declaration confirming that they:

have no financial or personal ties to the data provider or the applicant researchers;

have no interest in the outcome of the data access process;

are free from any conflicts of interest.

The Digital Services Coordinator shall encode any consultation carried out pursuant to paragraph 1, along with the expert opinion received in response to the consultation, without undue delay in AGORA.

Prior to initiating new consultations, the Digital Services Coordinators are encouraged to refer to previous outcomes.

Data format sharing and data documentation

Data providers shall notify the Digital Services Coordinator of establishment within 24 hours: three working days of the fact:

that the vetted researchers have access to the requested data requested, has been provided to vetted researchers, in accordance with the access modalities specified in the reasoned request;

that the access for the vetted researchers is has been terminated.

Data providers shall provide vetted researchers with relevant documentation related any additional information needed to access and understand the data requested. requested data, such as codebooks, changelogs and architectural documentation. In cases where the provision of such documentation information may results result in a significant vulnerability, vulnerability of the data provider’s services, the data provider shall notify the Digital Services Coordinator of establishment of that risk and, where possible, propose alternative documentation. information.

When providing access to data, data providers shall not impose on vetted researchers data management requirements such as archiving, storage, refresh and deletion requirements requirements, that hinder the research referred to in the reasoned request in any way.

or limitations Data providers shall be allowed to the limit vetted researchers’ use of standard analytical tools, that may hinder including relevant software libraries, for the analysis performance of the data requested, only if it is specified relevant research, unless such requirements or limitations are explicitly mentioned in the reasoned request.

Where personal data are processed, data providers shall not impose on vetted researchers any conditions in relation to the processing of the shared personal data other than those specified in the reasoned request.

Entry into force

This Regulation shall enter into force on the twentieth day following that of its publication in the Official Journal of the European Union. This Regulation shall be binding in its entirety and directly applicable in all Member States.