This Regulation should lay down conditions for re-use of protected data that apply to public sector bodies designated as competent under national law to grant or refuse access for re-use, and which are without prejudice to rights or obligations concerning access to such data. Those conditions should be non-discriminatory, transparent, proportionate and objectively justified, while not restricting competition, with a specific focus on promoting access to such data by SMEs and start-ups. The conditions for re-use should be designed in a manner promoting scientific research so that, for example, privileging scientific research should, as a rule, be considered to be non-discriminatory. Public sector bodies allowing re-use should have in place the technical means necessary to ensure the protection of rights and interests of third parties and should be empowered to request the necessary information from the re-user. Conditions attached to the re-use of data should be limited to what is necessary to preserve the rights and interests of third parties in the data and the integrity of the information technology and communication systems of the public sector bodies. Public sector bodies should apply conditions which best serve the interests of the re-user without leading to a disproportionate burden on the public sector bodies. Conditions attached to the re-use of data should be designed to ensure effective safeguards with regard to the protection of personal data. Before transmission, personal data should be anonymised, in order not to allow the identification of the data subjects, and data containing commercially confidential information should be modified in such a way that no confidential information is disclosed. Where the provision of anonymised or modified data would not respond to the needs of the re-user, subject to fulfilling any requirements to carry out a data protection impact assessment and consult the supervisory authority pursuant to Articles 35 and 36 of Regulation (EU) 2016/679 and where the risks to the rights and interests of data subjects have been found to be minimal, on-premise or remote re-use of the data within a secure processing environment could be allowed.
This could be a suitable arrangement for the re-use of pseudonymised data. Data analyses in such secure processing environments should be supervised by the public sector body, so as to protect the rights and interests of third parties. In particular, personal data should be transmitted to a third party for re-use only where a legal basis under data protection law allows such transmission. Non-personal data should be transmitted only where there is no reason to believe that the combination of non-personal data sets would lead to the identification of data subjects. This should also apply to pseudonymised data which retain their status as personal data. In the event of the reidentification of data subjects, an obligation to notify such a data breach to the public sector body should apply in addition to an obligation to notify such a data breach to a supervisory authority and to the data subject in accordance with Regulation (EU) 2016/679. Where relevant, the public sector bodies should facilitate the re-use of data on the basis of the consent of data subjects or the permission of data holders on the re-use of data pertaining to them through adequate technical means. In that respect, the public sector body should make best efforts to provide assistance to potential re-users in seeking such consent or permission by establishing technical mechanisms that permit transmitting requests for consent or permission from re-users, where practically feasible. No contact information should be given that allows re-users to contact data subjects or data holders directly. Where the public sector body transmits a request for consent or permission, it should ensure that the data subject or data holder is clearly informed of the possibility to refuse consent or permission.