Data Governance Act Article 5 sets the conditions under which public sector bodies may allow third parties to re-use protected data they hold. It binds three actors: Member States (resourcing duties), public sector bodies (the operational duties at point of re-use), and re-users (controls they may be required to accept). The article does not record a calendar deadline at the obligation-row level — the Regulation's general application date controls.
Who Article 5 obligates
The primary obligated entity in the rows is Member State, but the most operationally consequential duties fall on public sector bodies — the holders of the data. Re-users do not have stand-alone Article 5 duties; they encounter Article 5 indirectly, through conditions a public sector body imposes.
Obligation breakdown
Publish conditions for re-use
"Public sector bodies shall make publicly available the conditions for allowing re-use and the procedure to request re-use via the single information point." The action verb is publish, and the channel is fixed: the single information point established under the Regulation, not an arbitrary corner of the body's own website.
Resource public sector bodies
"Member States shall ensure that public sector bodies are equipped with the necessary resources to comply with this Article." This is the resourcing duty: the practical Article 5 work — vetting requests, applying access controls, maintaining a secure processing environment — has to be funded.
Non-discriminatory, transparent, proportionate conditions
"Conditions for re-use shall be non-discriminatory, transparent, proportionate and objectively justified, and shall not be used to restrict competition." The four adjectives are cumulative: a condition that is transparent but discriminatory still fails. The competition clause closes the obvious loophole — a public sector body cannot use Article 5 conditions to favour a national champion.
Preserve protected nature of data
"Public sector bodies shall ensure that the protected nature of data is preserved in accordance with Union and national law." This is the umbrella obligation that brings GDPR, statistical confidentiality, intellectual property and commercial confidentiality into the Article 5 chain. Re-use does not strip the protection; it has to survive transit to the re-user.
Anonymisation of personal data
"Public sector bodies may require that personal data has been anonymised before granting access for re-use." This is permissive, not mandatory: the body may require anonymisation. Where the body does not, the underlying data protection law continues to apply on its own terms.
Modification of commercially confidential information
"Public sector bodies may require that commercially confidential information has been modified, aggregated or treated by any other method of disclosure control before granting access for re-use." Three methods are named: modification, aggregation, "any other method of disclosure control." The body picks the proportionate one.
Secure processing environment
"Public sector bodies may require re-users to access and re-use data remotely within a secure processing environment provided or controlled by the public sector body." This is the strongest Article 5 control: rather than transferring data out, the re-user comes into the body's environment. It is permissive, not default.
What this means in practice
For organisations seeking to re-use public sector data — from research consortia to private analytics firms — Article 5 means the access path can vary by body: anonymisation, modification, secure environment access, or any combination. Conditions must be public and routed through the single information point, so the first reconnaissance step is not the body's own page but the national gateway. Member States that under-resource their public sector bodies create a soft form of refusal: requests sit while the body lacks the staff to vet them. None of the Article 5 obligation rows record a fine ceiling — the Data Governance Act's penalty regime sits elsewhere in the Regulation.
Related Fontvera pages
- AI Act vs GDPR on automated decisions — Article 5's "preserve the protected nature of data" obligation interacts directly with GDPR where personal data is involved.