法律人 LawPlayer logo

資料由法律人 LawPlayer整理提供·EU law / curated by LawPlayer from EUR-Lex

Regulation

Commission Delegated Regulation (EU) 2025/2050 of 1 July 2025 supplementing Regulation (EU) 2022/2065 of the European Parliament and of the Council by laying down the technical conditions and procedures under which providers of very large online platforms and of very large online search engines are to share data with vetted researchers

CELEX
Delegated Regulation (EU) 2025/2050
Date of document
Articles
17
Source
EUR-Lex
Article 1Subject matter

This Regulation lays down procedures and technical conditions for providing vetted researchers with access to data held by providers of very large online platforms and of very large online search engines, pursuant to Article 40(4) of Regulation (EU) 2022/2065, in particular:

(a)

the technical conditions for the development and functioning of a data access portal;

(b)

the procedures and technical conditions for the management of the data access process by Digital Services Coordinators and data providers;

(c)

the requirements for the formulation of reasoned requests and the assessment of amendment requests;

(d)

the technical conditions for the provision of access to data by the data providers.

Article 2Definitions

For the purposes of this Regulation, the definitions in Article 4 of Regulation (EU) 2016/679 and Article 3 of Regulation (EU) 2018/1725 shall apply. The following definitions shall also apply:

(1)

‘data access application’ means the information and relevant documentation submitted by applicant researchers to the Digital Services Coordinator of establishment or the Digital Services Coordinator of the Member State of the research organisation, to which the principal researcher is affiliated, to obtain the status of ‘vetted researcher’ as referred to in Article 40(8), first subparagraph, of Regulation (EU) 2022/2065, for a specific research project involving access to data from a data provider;

(2)

‘data access process’ means the steps and procedures that may lead to the provision of access to the data as referred to in Article 40(4) of Regulation (EU) 2022/2065;

(3)

‘applicant researcher’ means any natural person applying for access to data as referred to in Article 40(4) of Regulation (EU) 2022/2065, either individually, in a group or as part of an entity;

(4)

‘principal researcher’ means the applicant researcher who submits the data access application in their individual capacity or on behalf of an entity or a group of applicant researchers;

(5)

‘data provider’ means a provider of a very large online platform or of a very large online search engine designated as such in accordance with Article 33(4) of Regulation (EU) 2022/2065, to which a reasoned request might be addressed;

(6)

‘reasoned request’ means a reasoned request for data access pursuant to Article 40(4) of Regulation (EU) 2022/2065;

(7)

‘amendment request’ means a request for amendment pursuant to Article 40(5) of Regulation (EU) 2022/2065 submitted by the data provider to the Digital Services Coordinator of establishment following the receipt of a reasoned request;

(8)

‘secure processing environment’ means secure processing environment as defined in Article 2, point (20), of Regulation (EU) 2022/868 of the European Parliament and of the Council  ( 5 ) .

Article 3DSA data access portal

1.   The Commission shall establish and host a DSA data access portal.

2.   The DSA data access portal shall have the following functions:

(a)

support and streamline the management of the data access process for researchers, data providers and Digital Services Coordinators;

(b)

serve as the central digital point for information on the data access process and facilitate the information exchanges pursuant to this Regulation among applicant researchers, vetted researchers, data providers and Digital Services Coordinators.

3.   The DSA data access portal shall be interoperable with the information sharing system AGORA established by Implementing Regulation (EU) 2024/607. The Digital Services Coordinators shall have access in AGORA to the information submitted through the DSA data access portal.

4.   Data providers shall have an account on the DSA data access portal.

5.   To participate in the data access process, applicant researchers shall have an account on the DSA data access portal.

Article 4Roles and responsibilities for processing personal data in the DSA data access portal

1.   Digital Services Coordinators shall be separate controllers with respect to the processing of personal data they carry out to manage the data access process and for publication of relevant information.

2.   The Commission shall be a processor of personal data processed within the DSA data access portal.

3.   The responsibilities of the Commission as processor for data processing activities conducted in the DSA data access portal shall be as set out in the Annex.

Article 5Processing of personal data in the DSA data access portal

1.   Where personal data are registered in and exchanged via the DSA data access portal, the processing shall take place only in so far as it is proportionate and necessary for the purpose of the data access process and publication of relevant information.

2.   The processing of personal data shall take place in the DSA data access portal only in respect of the following categories of data subjects:

(a)

natural persons having an account on the DSA data access portal;

(b)

natural persons whose personal data is contained in the DSA data access portal or in any other exchange pursuant to this Regulation concerning the data access process.

3.   The processing of personal data shall take place in the DSA data access portal only in respect of the following categories of personal data:

(a)

identity data, such as name, user ID;

(b)

contact information such as address, email address, contact details;

(c)

personal data contained in the documentation demonstrating the affiliation to a research organisation, and any other personal information deemed necessary for the purpose of participating in the data access process.

4.   The processing of personal data referred to in paragraph 1 shall be performed using information technology infrastructure located in the European Economic Area.

Article 6Points of contact and public information on the data access process

1.   Each Digital Services Coordinator and each data provider shall establish a dedicated point of contact, whose task shall be to provide information and support on the data access process.

2.   The Digital Services Coordinators and data providers shall communicate their points of contact to the Commission, as soon as possible. The Commission shall publish the details of the points of contact referred to in paragraph 1 in the public interface of the DSA data access portal.

3.   Each Digital Services Coordinator shall make available and easily findable on its online interface, the details of the point of contact established pursuant to paragraph 1 together with a link to the DSA data access portal.

4.   Data providers shall make the following information available and easily findable on their online interfaces:

(a)

the details of the point of contact established by them pursuant to paragraph 1;

(b)

a link to the DSA data access portal;

(c)

a DSA data catalogue, which describes the data assets, that may be accessed for the purposes set out in Article 40(4) of Regulation EU 2022/2065, as well as their data structure and metadata;

(d)

suggested access modalities for the data in the catalogue pursuant to point (c), adequate to the level of sensitivity of the different data assets.

5.   The information referred to in paragraph 4, points (c) and (d), shall be regularly updated, in particular to reflect data related to the risk assessments carried out pursuant to Article 34 of Regulation (EU) 2022/2065 and the audits carried out pursuant to Article 37 of that Regulation.

Article 7Formulation of reasoned request

1.   Within 80 working days from the submission of a data access application, the Digital Services Coordinator of establishment, taking due account of the prerequisites set out in Article 8 and, where applicable, any other assessment relevant for these purposes, shall decide whether a reasoned request can be formulated and shall undertake one of the following actions:

(a)

formulate a reasoned request, submit it to the data provider and notify the principal researcher of the submission of the reasoned request;

(b)

inform the principal researcher of the reasons why the reasoned request could not be formulated.

2.   Where, in duly justified cases, the Digital Services Coordinator of establishment needs additional time to formulate a reasoned request, it shall notify the principal researcher as soon as possible and shall indicate the reasons for the delay as well as a new date for undertaking the actions referred to in paragraph 1.

Article 8Prerequisites for formulating a reasoned request

The Digital Services Coordinator of establishment shall decide whether a reasoned request can be formulated taking into account the following elements:

(a)

for each applicant researcher:

(i)

a confirmation of affiliation to a research organisation as defined in Article 2, point (1), of Directive (EU) 2019/790 of the European Parliament and of the Council  ( 6 ) ;

(ii)

a declaration of independence from commercial interests relevant to the specific project for which the data are requested;

(iii)

a commitment to making their research results publicly available free of charge;

(b)

information about funding supporting the research project for which the data are requested;

(c)

a description of the data requested, including format, scope and, where possible, the specific attributes, relevant metadata and data documentation, also considering the information made available pursuant to Article 6(4) of this Regulation;

(d)

information on the necessity and proportionality of the access to the data and the information on the time frames of the research for which the data are requested;

(e)

information on the identified risks in terms of confidentiality, data security and personal data protection related to the data that would be accessed, a description of the technical, legal and organisational measures that will be put in place, including, where possible, suggested access modalities, to mitigate such risks when processing the requested data;

(f)

a description of the research activities to be conducted with the requested data;

(g)

a summary of the data access application containing the following elements:

(i)

the research topic;

(ii)

the data provider from which data are requested;

(iii)

a description of the data requested, as referred to in point (c).

Article 9Access modalities

1.   The Digital Services Coordinator of establishment shall determine the modalities, including the technical, legal and organisational measures, that the data provider is to use for providing access to the data to the vetted researchers.

2.   The Digital Services Coordinators shall be allowed to consult the relevant supervisory authorities established pursuant to Article 51 of Regulation (EU) 2016/679.

3.   When determining the access modalities, the Digital Services Coordinator of establishment shall take into account the information provided in the data access application, in particular the information referred to in Article 8, point (e), considering also the rights and interests of the data providers and the recipients of the service concerned, including the protection of confidential information, trade secrets, and maintaining the security of their service and the information made available by the data providers pursuant to Article 6(4), point (d).

4.   In addition to the elements referred to in paragraph 3, the Digital Services Coordinator of establishment shall, when determining access modalities, take into account the following elements:

(a)

where the access involves the processing of personal data:

(i)

the assessment of the risks concerning processing of personal data as described in Article 8(e), including, where applicable, data protection impact assessments within the meaning of Article 35 of Regulation (EU) 2016/679;

(ii)

envisaged technical and organisational measures as submitted pursuant to Article 8(e);

(b)

relevant network security measures, encryption, access control mechanisms, backup policies, data integrity mechanisms, incident response plans;

(c)

where applicable, information on the intended storage period and the relevant data destruction plans;

(d)

any organisational measures such as internal review processes, restrictions of access rights and information sharing;

(e)

any proposed contractual clauses, such as non-disclosure agreements, data agreements and any other type of written statements, laying down possible conditions of access and processing between the principal researcher and the data provider;

(f)

existence of training on data security and protection of personal data received by the applicant researchers;

(g)

whether secure processing environments is necessary to process the data.

5.   Where the Digital Services Coordinator of establishment considers that a secure processing environment is to be used to provide access to the data requested, the Digital Services Coordinator of establishment shall require documentation attesting that the operator of that environment:

(a)

specifies access conditions to the secure processing environment in order to minimise the risk of the unauthorised reading, copying, modification or removal of the data hosted in the secure processing environment;

(b)

ensures that vetted researchers have access only to data covered by the reasoned request, by means of individual and unique user identities and confidential access modes;

(c)

keeps identifiable logs of access to the secure processing environment for the period necessary to verify and audit all processing operations in that environment;

(d)

ensures that the computing power at the disposal of the vetted researchers is appropriate and sufficient for the purposes of the research project;

(e)

monitors the effectiveness of the measures listed in points (a) to (d).

Article 10Content of a reasoned request

1.   A reasoned request shall contain at least the following elements:

(a)

the date by which the data provider shall give access to the data requested and the date on which such access shall be terminated;

(b)

the access modalities determined pursuant to Article 9;

(c)

the summary of the data access application referred to in Article 8 point (g).

2.   The Digital Services Coordinator of establishment may include in the reasoned request the names and contact details of all vetted researchers mentioned in the data access application where this is necessary to enable access to the requested data, in accordance with the access modalities specified in the reasoned request.

3.   If providing access involves a transfer of personal data to a third country or international organisation within the meaning of Chapter V of Regulation (EU) 2016/679, the reasoned request shall include information on the need to put in place or refer to an appropriate transfer mechanism to ensure compliance with Regulation (EU) 2016/679.

Article 11Publication of an overview of a reasoned request in the DSA data access portal

1.   Upon formulation of a reasoned request, the Digital Services Coordinator of establishment shall publish an overview of the reasoned request in the public interface of the DSA data access portal. The overview shall contain all the following:

(a)

the summary of the data access application referred to in Article 8 point (g);

(b)

the access modalities determined pursuant to Article 9.

2.   The overview referred to in paragraph 1 shall be updated to reflect any changes resulting from a modification of one or more elements following the examination of an amendment request or the outcome of a mediation in accordance with Article 13.

Article 12Procedures for examining amendment requests

1.   Upon the receipt of an amendment request pursuant to Article 40(5) of Regulation (EU) 2022/2065, the Digital Services Coordinator of establishment shall inform the principal researcher concerned.

2.   When deciding on an amendment request made pursuant to Article 40(5), point (a), of Regulation (EU) 2022/2065, the Digital Services Coordinator of establishment shall take into account the following:

(a)

whether the reasons for the alleged lack of access to data are duly substantiated;

(b)

whether that lack of access to data is permanent or temporary.

3.   When deciding on an amendment request made pursuant to Article 40(5), point (b), of Regulation (EU) 2022/2065, the Digital Services Coordinator of establishment shall take into account all the following:

(a)

whether the alleged vulnerabilities and their significance are duly substantiated;

(b)

the likelihood and severity of harm resulting from these alleged significant vulnerabilities;

(c)

the extent to which the access modalities set out in the reasoned request effectively mitigate the risk of such harm occurring.

4.   At any time during the assessment of an amendment request, the Digital Services Coordinator of establishment may ask the data provider or the principal researcher for any additional information that it considers necessary to complete its assessment.

5.   Such request for additional information shall be made as soon as possible to allow the data provider or the principal researcher sufficient time to respond and, in any event, shall not affect the deadline set in Article 40(6), second subparagraph of Regulation (EU) 2022/2065. Where the data provider or the principal researcher fails to provide the requested information at all or within a period specified by the Digital Services Coordinator of establishment or provides partial information, the Digital Services Coordinator of establishment shall make its decision within the timeframe laid down in Article 40(6) of Regulation (EU) 2022/2065, based on the information that was made available to it within a reasonable delay.

Article 13Mediation

1.   If the data provider disagrees with the decision of the Digital Services Coordinator of establishment on the amendment request, the data provider may, within a period of five working days from the communication by the Digital Services Coordinator of establishment pursuant to Article 40(6), second subparagraph of Regulation (EU) 2022/2065, request in writing the Digital Services Coordinator of establishment to participate in mediation.

2.   The Digital Services Coordinator of establishment shall not be obliged to participate in the mediation process.

3.   The written request referred to in paragraph 1, shall include a concise description of the specific elements of the decision, as communicated by the Digital Services Coordinator of establishment pursuant to Article 40(6), second subparagraph of Regulation (EU) 2022/2065, to which the data provider objects.

4.   The Digital Services Coordinator of establishment and the data provider shall agree on the appointment of a mediator and initiate the mediation within 20 working days from the submission of the mediation request pursuant to paragraph 3.

5.   Before agreeing to the appointment of a mediator, the Digital Services Coordinator of establishment shall verify that the mediator is impartial and independent and possesses the relevant expertise related to the subject matter as described in the written request referred to in paragraph 1.

6.   The data provider shall bear all costs of the mediation.

7.   The Digital Services Coordinator of establishment shall inform the principal researcher of the mediation request referred to in paragraph 1 without undue delay and may decide to invite the principal researcher to join the mediation as a party. Where the data access application has been submitted to the Digital Services Coordinator of the research organisation, the Digital Services Coordinator of establishment may invite the Digital Services Coordinator of the research organisation to participate in the mediation process. Any party invited to join the mediation by the Digital Services Coordinator of establishment shall not be obliged to participate in the mediation process.

8.   Participation in mediation shall not affect the right of the parties to initiate judicial proceedings at any time before, during or after the mediation.

9.   The Digital Services Coordinator of establishment shall set a time limit for the mediation, which shall not exceed 40 working days starting on the day of the initiation of the mediation pursuant to paragraph 4.

10.   The mediator may terminate the mediation earlier in one of the following cases:

(a)

one of the parties requests explicitly to terminate the mediation;

(b)

it becomes clear that the conduct of the parties during the mediation, including a failure to engage in good faith, makes it unlikely that an agreement will be reached.

11.   Where the mediation results in an agreement between the parties, the Digital Services Coordinator of establishment shall take such agreement into account and, where appropriate, modify the reasoned request and inform the principal researcher of the modification.

12.   Where the parties fail to reach an agreement, the Digital Services Coordinator of establishment shall notify the data provider that the decision of the Digital Services Coordinator of establishment on the amendment request, as last communicated pursuant to Article 40(6), second subparagraph of Regulation (EU) 2022/2065, shall be considered valid and shall serve as the relevant basis for further steps in the process and inform the principal researcher.

13.   The Digital Services Coordinator of establishment shall register in AGORA a summary record of the mediation, prepared by the mediator and signed by all parties. The record shall include the following information:

(a)

the date of the written request for mediation by the data provider;

(b)

the identities and contact details of the parties;

(c)

the start and end dates of the mediation;

(d)

the outcome of the mediation, including any agreement reached or the reason for termination of the mediation.

Article 14Independent expert consultation

1.   Before formulating a reasoned request, or taking a decision on an amendment request, the Digital Services Coordinator may decide to consult experts.

2.   The experts shall be independent and impartial and possess relevant expertise and proven skills and have the capacity and resources to perform the identified task, without incurring undue delay.

3.   To attest impartiality, the experts shall sign a declaration confirming that they:

(a)

have no financial or personal ties to the data provider or the applicant researchers;

(b)

have no interest in the outcome of the data access process;

(c)

are free from any conflicts of interest.

4.   The Digital Services Coordinator shall encode any consultation carried out pursuant to paragraph 1, along with the expert opinion received in response to the consultation, without undue delay in AGORA.

Article 15Data sharing and data documentation

1.   Data providers shall notify the Digital Services Coordinator of establishment within three working days of the fact:

(a)

that access to the requested data has been provided to vetted researchers, in accordance with the reasoned request;

(b)

that the access for the vetted researchers has been terminated.

2.   Data providers shall provide vetted researchers with any additional information needed to access and understand the requested data, such as codebooks, changelogs and architectural documentation. In cases where the provision of such information may result in a significant vulnerability of the data provider’s services, the data provider shall notify the Digital Services Coordinator of establishment of that risk and, where possible, propose alternative information.

3.   When providing access to data, data providers shall not impose on vetted researchers data management requirements such as archiving, storage, refresh and deletion requirements, or limitations to the use of standard analytical tools, that may hinder the performance of the relevant research, unless such requirements or limitations are explicitly mentioned in the reasoned request.

4.   Where personal data are processed, data providers shall not impose on vetted researchers any conditions in relation to the processing of the shared personal data other than those specified in the reasoned request.

Article 16Entry into force

This Regulation shall enter into force on the twentieth day following that of its publication in the Official Journal of the European Union .

Schedules & Appendices

ANNEXResponsibilities of the Commission as processor for data processing activities conducted in the context of the DSA data access portal

ANNEX

Responsibilities of the Commission as processor for data processing activities conducted in the context of the DSA data access portal

1.

The Commission shall set up and ensure a secure and reliable IT infrastructure, the DSA data access portal, on behalf of the Digital Services Coordinators, that supports and streamlines the management of the data access process for researchers, research organisations, data providers and Digital Services Coordinators.

2.

To fulfil its obligations as processor for the Digital Services Coordinators, the Commission may use third parties as sub-processors. If it is the case, the controllers shall authorise the Commission to use sub-processors or replace sub-processors where necessary. The Commission shall inform the controllers of said use or replacement of sub-processors, thereby giving the controllers the opportunity to object to any such changes. The Commission shall ensure that the same data protection obligations as set out in this Regulation apply to these sub-processors.

3.

The processing by the Commission shall process personal data only insofar as necessary for the:

(a)

authentication and access control with regard to all DSA data access portal users;

(b)

authorisation implementation of requests by DSA data access portal users to create, update and delete any information contained in the application within the DSA data access portal;

(c)

reception of the personal data referred to in Article 5(3) of this Regulation uploaded by DSA data access portal users;

(d)

storage of the personal data in the DSA data access portal;

(e)

deletion of the personal data at their expiration date or upon instruction of the controller;

(f)

after the end of the provision of services provided by the DSA data access portal, deletion of any remaining personal data unless Union or Member State laws require storage of such personal data.

4.

The Commission shall take all state of the art organisational, physical, and logical security measures to ensure the DSA data access portal functioning. To this end, the Commission shall:

(a)

designate a responsible entity for the security management of the DSA data access portal, communicate to the controllers its contact information and ensure its availability to react to security threats;

(b)

assume the responsibility for the security of the DSA data access portal, including regularly carrying out tests, evaluations and assessments of the security measures.

5.

The Commission shall take all necessary security measures to avoid compromising the smooth operational functioning of the DSA data access portal. This shall include:

(a)

risk assessment procedures to identify and estimate potential threats to the DSA data access portal;

(b)

audit and review procedure to:

(i)

check the correspondence between the implemented security measures and the applicable security policy;

(ii)

control on a regular basis the integrity of the DSA data access portal, security parameters and granted authorisations;

(iii)

detect security breaches and intrusions into the DSA data access portal;

(iv)

implement changes to mitigate existing security weaknesses in the DSA data access portal;

(v)

define the conditions under which to authorise, including at the request of controllers, and contribute to, the performance of independent audits, including inspections, and reviews on security measures subject to conditions that respect Protocol (No 7) to the Treaty on the Functioning of the European Union on the Privileges and Immunities of the European Union;

(c)

changing the control procedure to document, measure the impact of a change before its implementation, and keep the controllers informed of any changes that can affect the communication with and/or the security of the DSA data access portal;

(d)

laying down a maintenance and repair procedure to specify the rules and conditions to be respected when maintenance and/or repair of the DSA data access portal is to be performed;

(e)

laying down a security incident procedure to define the reporting and escalation scheme, inform without delay the controllers affected, inform without delay the controllers for them to notify the national data protection supervisory authorities of any personal data breach and define a disciplinary process to deal with security breaches in the DSA data access portal.

6.

The Commission shall take state of the art physical and logical security measures for the facilities hosting the DSA data access portal and for the controls of data and security access thereto. To this end, the Commission shall:

(a)

enforce physical security to establish distinct security perimeters and allowing detection of breaches in the DSA data access portal;

(b)

control access to the DSA data access portal facilities;

(c)

ensure that equipment cannot be added, replaced or removed without prior authorisation from the designated responsible bodies;

(d)

control access from and to the DSA data access portal;

(e)

ensure that the DSA data access portal users who access the DSA data access portal are authenticated;

(f)

review the authorisation rights related to the access to the DSA data access portal in case of a security breach affecting the DSA data access portal;

(g)

keep the integrity of the information transmitted through the DSA data access portal;

(h)

implement technical and organisational security measures to prevent unauthorised access to personal data in the DSA data access portal;

(i)

implement, whenever necessary, measures to block unauthorised access to the DSA data access portal (i.e. block a location/IP address).

7.

The Commission shall:

(a)

take steps to protect its domain, including the severing of connections, in the event of substantial deviation from the principles and concepts for quality and security;

(b)

maintain a risk management plan related to its area of responsibility;

(c)

monitor, in real time, the performance of all the service components of the DSA data access portal, produce regular statistics and keep records;

(d)

provide support for the DSA data access portal in English to the DSA data access portal users;

(e)

assist the controllers by appropriate technical and organisational measures for the fulfilment of the controller’s obligation to respond to requests for exercising the data subject’s rights laid down in Chapter III of Regulation (EU) 2016/679;

(f)

support the controllers by providing information concerning the DSA data access portal to implement the obligations pursuant to Articles 32, 33, 34, 35 and 36 of Regulation (EU) 2016/679;

(g)

ensure that data processed within the DSA data access portal is unintelligible to any person who is not authorised to access it;

(h)

take all relevant measures to prevent unauthorised access to transmitted personal data via the DSA data access portal;

(i)

take measures in order to facilitate communication between the controllers;

(j)

maintain a record of processing activities carried out on behalf of the controllers in accordance with Article 31(2) of Regulation (EU) 2018/1725.

17 articles

Cite this act

Commission Delegated Regulation (EU) 2025/2050 of 1 July 2025 supplementing Regulation (EU) 2022/2065 of the European Parliament and of the Council by laying down the technical conditions and procedures under which providers of very large online platforms and of very large online search engines are to share data with vetted researchers (EUR-Lex). Retrieved via LawPlayer, https://lawplayer.com/eu/act/32025R2050

© European Union, https://eur-lex.europa.eu, 1998-2026. Reuse authorised under Commission Decision 2011/833/EU, provided the source is acknowledged.

EU-EurLex-Reuse-2011-833

本頁資料來源:EUR-Lex·整理提供:法律人 LawPlayer· lawplayer.com