BELGIUM Law and Practice Contributed by: Benjamin Docquir and Margo Cornette, Osborne Clarke
• obligations for data holders obliged by law to make data available; • unfair contractual terms in data sharing con - tracts between businesses; • European data spaces; • switching between cloud service providers; • the prevention of unlawful access and trans - fer of cloud-based data; • the interoperability of data, data sharing mechanisms and cloud services; and • smart contracts for data sharing. The European Commission has published a comprehensive overview of the Data Act on its website , including its objectives and how it works in practice. In addition, it has published frequently asked questions about the Data Act. 3.2 Interaction of Data Regulation and Data Protection While the scope of the GDPR is limited to the processing of so-called personal data, the scope of the Data Act is much broader as it applies to any data. Given the overlap in the definitions of “data” and “personal data”, there is inevitably an overlap between the obligations under the GDPR and those under the Data Act. However, since the GDPR is considered a so-called lex specialis it will, with regard to personal data, prevail over the obligations under the Data Act. Consequently, the provisions of the Data Act are without prejudice to the GDPR regime, privacy rights and the right to confidentiality of commu - nications, all of which must be complied with when adhering to the requirements under the Data Act. As the GDPR and the Data Act both address the manner in which certain data is used, there are similarities and differences in the handling of such data between the two legal instruments.
Some of these differences and similarities are listed in the following. • With regard to connected devices, the Data Act enhances the right to data portability, and users may be able to access and port both personal and non-personal data generated by those objects. • Any processing of personal data should also comply with the GDPR, including the require - ment of a valid legal basis for processing under Articles 6 and 9 of the GDPR. The Data Act itself does not constitute a legal basis for the collection or generation of personal data by the data holder. • Where the user is not the data subject, the Data Act does not create a legal basis for pro - viding access to personal data, or for making personal data available to a third party, and should not be understood as conferring any new right on the data holder to use personal data generated by the use of a connected product or related service. In those cases, the data holder can comply with requests by anonymising personal data or transmit - ting only personal data relating to the user (in the case of data that includes personal data about multiple people). • Technical measures to comply with the prin - ciples of data minimisation and data protec - tion, by design and by default, may include pseudonymisation and encryption as well as the use of technology that permits algorithms to be brought to the data and allows valuable insights to be derived while only processing the necessary data. 3.3 Rights and Obligations Under Applicable Data Regulation There are no specific laws implementing the Data Act and the use of internet of things (IOT) services and data processing services in Bel -
21
CHAMBERS.COM
Powered by FlippingBook