§ Data Act · Article 32

Data Act Article 32: Obligations, Deadlines & Penalties

Regulation (EU) 2023/2854, Article 32 · All obligations · Data Act
At a glance
Article 32 of the Data Act imposes 8 obligations on provider of data processing services. At least one obligation carries an explicit compliance deadline.
§ Obligations

All obligations under Article 32

Obligation 1
Providers of data processing services shall take all adequate technical, organisational and legal measures, including contracts, to prevent international and third-country governmental access and transfer of non-personal data held in the Union where such transfer or access would create a conflict with Union law or national law. Regulation (EU) 2023/2854, Article 32, Article 32
Obligated entity
provider of data processing services
Action required
take measures
Deadline
Penalty
Obligation 2
Any decision or judgment of a third-country court or tribunal and any decision of a third-country administrative authority requiring a provider of data processing services to transfer or give access to non-personal data shall be recognised or enforceable only if based on an international agreement in force between the requesting third country and the Union or a Member State. Regulation (EU) 2023/2854, Article 32, Article 32
Obligated entity
provider of data processing services
Action required
recognise or enforce
Deadline
Penalty
Obligation 3
In the absence of an international agreement, if compliance with a third-country decision risks conflict with Union or national law, transfer or access shall take place only where the third-country system requires reasons and proportionality, allows for review by a competent court, and empowers the court to take into account relevant legal interests of the data provider. Regulation (EU) 2023/2854, Article 32, Article 32
Obligated entity
provider of data processing services
Action required
assess conditions
Deadline
Penalty
Obligation 4
The addressee of a third-country decision may ask the opinion of the relevant national body or authority competent for international cooperation in legal matters to determine whether the conditions for transfer are met, particularly regarding trade secrets, commercially sensitive data, or intellectual property rights. Regulation (EU) 2023/2854, Article 32, Article 32
Obligated entity
provider of data processing services
Action required
ask opinion
Deadline
Penalty
Obligation 5
If the addressee considers that the third-country decision may impinge on the national security or defence interests of the Union or its Member States, it shall ask the opinion of the relevant national body or authority to determine whether the data requested concerns such interests. Regulation (EU) 2023/2854, Article 32, Article 32
Obligated entity
provider of data processing services
Action required
ask opinion
Deadline
Penalty
Obligation 6
If the addressee has not received a reply from the relevant national body or authority within one month, or if the opinion concludes that the conditions for transfer are not met, the addressee may reject the request for transfer or access to non-personal data on those grounds. Regulation (EU) 2023/2854, Article 32, Article 32
Obligated entity
provider of data processing services
Action required
reject request
Deadline
one month
Penalty
Obligation 7
If the conditions laid down in paragraph 2 or 3 are met, the provider of data processing services shall provide the minimum amount of data permissible in response to a request, based on a reasonable interpretation of that request. Regulation (EU) 2023/2854, Article 32, Article 32
Obligated entity
provider of data processing services
Action required
provide data
Deadline
Penalty
Obligation 8
The provider of data processing services shall inform the customer about the existence of a request of a third-country authority to access its data before complying with that request. Regulation (EU) 2023/2854, Article 32, Article 32
Obligated entity
provider of data processing services
Action required
inform
Deadline
before complying
Penalty
Exemptions
where the request serves law enforcement purposes and for as long as this is necessary to preserve the effectiveness of the law enforcement activity
§ Frequently asked

Questions about Article 32

Who must comply with Article 32 of the Data Act? +
provider of data processing services.
What does Article 32 of the Data Act require? +
take measures recognise or enforce assess conditions
What is the compliance deadline for Data Act Article 32? +
before complying; one month
Need a cross-border briefing on Data Act Article 32?
Search Fontvera ↵
All EU obligation pages  ·  All Data Act articles