9. Proposed Data Exchange Criteria

This section includes an initial set of policy rules and mandatory information for Data Exchange Services. This is work in progress, open for feedback. No Label levels are anticipated for this section at this stage, therefore only a Basic Conformity level is envisaged.

In Gaia-X, Data is at the core of Data Exchange Services. Data are furnished by Data Producers (for instance data owners or data controllers in the GDPR sense, data holder in EU data acts sense, etc.) to Data Product Providers who compose these data into a Data Product to be used by Data Consumers.

Further details of all the terms used in this section are defined in the Data Exchange chapter of the Gaia-X Architecture Document and to keep definitions consistent across documents and versions, those definitions will not be duplicated here.

9.1 Conformity Criteria for Data Exchange Services

Criterion D1.1.1: The Data Product Service Provider shall instantiate data exchange services using Gaia-X conformant service offerings.

Basic Conformity: mandatory declaration

Assessing Entity: Gaia-X Association or mandated entity

Assessment Process: self-assessment

Criterion D1.1.2: Data Product Providers and Data Consumers must be Participants with Gaia-X conformant descriptions.

Basic Conformity: mandatory declaration

Assessing Entity: Gaia-X Association or mandated entity

Assessment Process: self-assessment

Criterion D1.1.3: For each Data Product, the Data Product Provider shall have the legal authorization from the Data Producer to include the data in the `Data Product’.

Basic Conformity: mandatory declaration

Assessing Entity: Gaia-X Association or mandated entity

Assessment Process: Data Product Provider

Criterion D1.1.4: For each Data Product, the Data Product Provider shall provide in the Data Product Description a Data License defining the usage policy for all data in this Data Product.

Basic Conformity: mandatory declaration

Assessing Entity: Gaia-X Association or mandated entity

Assessment Process: self-assessment

Criterion D1.1.5: Before delivering a Data Usage (i.e. the instantiation of a Data Product), the Data Product Provider shall negotiate and co-sign a Data Product Usage Contract with the Data Consumer.

Note: A Data Product Usage Contract is a Ricardian contract: a contract at law that is both human-readable and machine-readable, cryptographically signed and rendered tamper-proof.

Basic Conformity: mandatory declaration

Assessing Entity: Gaia-X Association or mandated entity

Assessment Process: self-assessment

Criterion D1.1.6: For each licensed data element included in the Data Product, the Data Product Provider shall ensure that the Data Product Usage Contract includes an explicit Data Usage Agreement (DUA) signed by the Data Licensor.

In case of data liable to EU regulations (GDPR, EU acts on data …), the signed Data Usage Agreement must contain all information required by the regulation (e.g. consent as per GDPR, authorizations/permissions as per EU acts on data, permissions as per the EU Finance Data Access regulation, etc…).

Note: a Data Licensor is a natural or legal Participant who owns usage rights for some Data. It can be a data subject as per GDPR for personal data or a primary owner of non-personal data (i.e. not liable to GDPR).

Note: The Data Usage Agreement gives the Data Product Provider the legal authorization for providing the data to the Data Consumer. The DUA contains usage terms and conditions associated with these data (permissions, prohibitions, duties …).

Basic Conformity: mandatory declaration

Assessing Entity: Gaia-X Association or mandated entity

Assessment Process: self-assessment

9.2 Mandatory information to be provided for Data Exchange Services

The following defines the mandatory information to be included in the Gaia-X Credentials, in the context of the provision of Data Exchange Services. Other information to be provided optionally is listed in the Annex.

• For each Data Product, it shall be specified whether it contains Personal Identifiable Information (PII) or not.

• If a Data Product contains Personal Identifiable Information (PII), information on the Legitimate Processing of Information related to PII (legal basis, purpose of the processing, contact points of the Data Protection Officer to formulate a withdrawal consent request) shall be provided.

• If the data are about data subjects as one or more Natural Persons, or sensitive data, then information on the Data Producer or Data Licensor and the list of consents covering the processing activities from the data subjects as Natural Person when the dataset contains PII shall be provided. To avoid data re-identification, this rule applies independently if the data is raw, pseudo-anonymized or anonymized. (Note: This is on purpose beyond GDPR requirements.) Note: relevant source is GDPR article 9.

• If a Data Product contains Personal Identifiable Information (PII), the information on the legal basis, specifying one of the reasons for processing of PII as detailed in the identified Personal Data Regime, shall be provided.

• If a Data Product contains Personal Identifiable Information (PII), the information on the ContactPoint of the Data Protection Officer or Participant responsible for the management of personal or sensitive data shall be provided.

• If a Data Product contains Personal Identifiable Information (PII), the information on the purposes of the processing shall be provided. Note: it is recommended to use well know controlled vocabulary such as the Data Privacy Vocabulary:Purposes.

• If a Data Product contains Personal Identifiable Information (PII), the information on the Contact Point (https://schema.org/ContactPoint) of the Participant to whom formulate a withdrawal consent request shall be provided.

• For each Data Product, the information on the credential of the participant legally enabling the data usage shall be provided.

• For each Data Product, the information on the data exchange component that exposes the data resource shall be provided.

• The description of a Data Product can only be made by its Data Product Provider.

• For each Data Product, the information on the data exchange component that exposes the data resource shall be provided.

• For Data Exchange components, the description of the Service offering shall contain or point to an Instantiated Virtual Resource with at least one Service Access Point being a Contract Negotiation Endpoint.

• For Data Exchange components, the output of the Contract Negotiation Endpoint shall point to the result of the negotiation signed by all the Participants in direct link with the negotiation.

• If Data Producer or Data Licensor are specified, they can be the only participants describing the consent on a Data Product.

• For each Data Product, the information on the credential of the participant legally enabling the data usage shall be provided.

• For each Data Product, it shall be specified whether it contains licensed data (in particular, but not only, Personal Identifiable Information as per GDPR).

• If the Data Product contains licensed data, then the Data Product Usage Contract shall include an explicit Data Usage Agreement signed by the Data Licensor.