
5. Proposed Compliance for Data Exchange Services

In Gaia-X, Data is at the core of Data Exchange Services. Data are furnished by Data Producers (for instance data owners or data controllers in the GDPR sense, data holders in the sense of the EU data acts, etc.) to Data Product Providers, who compose these data into a Data Product to be used by Data Consumers.

All terms used in this section are defined in the section on Data Exchange Services of the Gaia-X Architecture Document and in the Data Exchange Services specifications. To keep definitions consistent across documents and versions, they are not duplicated here.

5.1 Conformity Criteria for Data Exchange Services


Criterion D1.1.1: The Data Product shall be a Gaia-X compliant Service Offering.

| Conformity | Label L1 | Label L2 | Label L3 |
|---|---|---|---|
| declaration | declaration | declaration | declaration |

Declaration: See P.1.2.9

Permissible Standards: N/A

Example Standards: N/A


Criterion D1.1.2a: The Data Product Provider offering the Data Product shall be a Gaia-X Participant.

| Conformity | Label L1 | Label L2 | Label L3 |
|---|---|---|---|
| declaration | declaration | declaration | declaration |

Declaration: N/A

Permissible Standards: N/A

Example Standards: N/A


Criterion D1.1.2b: The Data Product Provider shall deliver the Data Product only to Data Consumers with a Gaia-X compliant description.

| Conformity | Label L1 | Label L2 | Label L3 |
|---|---|---|---|
| declaration | declaration | certification | certification |

Declaration: N/A

Permissible Standards:

  • a conformity scheme which includes the verification of records in the Data Usage Logging Service

Example Standards: N/A

Note

This criterion is important to create trust at the data licensor/data producer level.


Criterion D1.1.3: For each Data Product, the Data Product Provider shall have the legal authorization from the Data Producer(s) to include the data in the Data Product.

| Conformity | Label L1 | Label L2 | Label L3 |
|---|---|---|---|
| declaration | declaration | certification | certification |

Declaration: The Data Product Description shall include links to authorization documents which are signed through a Gaia-X authorized Trust Service Provider.

Permissible Standards:

  • a conformity scheme which includes the verification that the authorization documents are legally valid.

Example Standards: N/A

Note

If the data product aggregates data from several data producers, then the data product provider shall have a legal authorization from each data producer.

Note

The legal authorization will often be subordinated to the data usage agreement from the data licensor(s). Indeed, the Data Product will usually be generic (e.g. customer banking transactions) and the real scope (e.g. Jane Doe’s transactions) will be defined during instantiation before data usage.


Criterion D1.1.4: For each Data Product, the Data Product Provider shall provide in the Data Product Description a Data License defining the usage policy in ODRL for all data in this Data Product.

| Conformity | Label L1 | Label L2 | Label L3 |
|---|---|---|---|
| declaration | declaration | declaration | declaration |

Declaration: The Data Product Description shall include a data license expressed as a valid ODRL document containing at least an indication of whether or not the data product contains licensed data and, in that case, the template of the Data Usage Agreement to be signed by the data licensor(s) before data usage. The Data License shall contain:

  1. the constraints specific to the Data Product Provider;
  2. an indication of whether or not the data product contains licensed data and, in that case,
  3. the template of the Data Usage Agreement to be signed by the data licensor(s) before data usage.

Permissible Standards: N/A

Example Standards: N/A


Criterion D1.1.5: The Data Product Provider shall deliver the Data Usage, instantiating the Data Product, only to Data Consumer(s) which have formally accepted the Data Product Usage Contract.

| Conformity | Label L1 | Label L2 | Label L3 |
|---|---|---|---|
| declaration | declaration | certification | certification |

Declaration: Yes/No

Permissible Standards:

  • a conformity scheme which includes performing correlation of the records in the Data Usage Logging Service with the Data Product Usage Contracts (either provided by the Data Product Provider or through a Data Product Usage Contract Store) and verifying that each contract is formally accepted by the Data Consumer.

Example Standards: N/A

Note

A Data Product Usage Contract is a Ricardian contract: a contract at law that is both human-readable and machine-readable, cryptographically signed and rendered tamper-proof.

Note

A Data Consumer can formally accept the Data Product Usage Contract either through a qualified digital signature or through a record from a Gaia-X Trusted Source (e.g. a trusted data intermediary).
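
The correlation named under Permissible Standards for D1.1.5, as an added Python example that is not part of the Gaia-X document: it joins usage-log records to contracts and flags every delivery without a formally accepted contract. The record fields, identifiers and evidence labels are assumptions, since the formats of the Data Usage Logging Service and the contract store are not defined here, and the acceptance evidence is assumed to have been cryptographically validated upstream.

```python
from dataclasses import dataclass
from typing import Optional

# Assumed labels for the two acceptance routes described in the note above
# (qualified digital signature, record from a Gaia-X Trusted Source).
ACCEPTED_EVIDENCE = {"qualified_signature", "trusted_source_record"}

@dataclass(frozen=True)
class UsageContract:            # hypothetical contract-store record
    contract_id: str
    data_product: str
    consumer: str
    acceptance_evidence: Optional[str]   # None: never accepted

@dataclass(frozen=True)
class UsageLogRecord:           # hypothetical Data Usage Logging Service record
    usage_id: str
    data_product: str
    consumer: str
    contract_id: Optional[str]

def audit_deliveries(log, contracts):
    """Return {usage_id: finding} for each delivery that fails the D1.1.5 check."""
    by_id = {c.contract_id: c for c in contracts}
    findings = {}
    for rec in log:
        contract = by_id.get(rec.contract_id)
        if contract is None:
            findings[rec.usage_id] = "no matching contract"
        elif (contract.consumer, contract.data_product) != (rec.consumer, rec.data_product):
            findings[rec.usage_id] = "contract is for another consumer or product"
        elif contract.acceptance_evidence not in ACCEPTED_EVIDENCE:
            findings[rec.usage_id] = "contract not formally accepted"
    return findings

# Constructed sample data, for illustration only.
CONTRACTS = [
    UsageContract("c-1", "dp:banking-tx", "did:example:consumer-a", "qualified_signature"),
    UsageContract("c-2", "dp:banking-tx", "did:example:consumer-b", None),
    UsageContract("c-3", "dp:banking-tx", "did:example:consumer-c", "trusted_source_record"),
]
LOG = [
    UsageLogRecord("u-1", "dp:banking-tx", "did:example:consumer-a", "c-1"),
    UsageLogRecord("u-2", "dp:banking-tx", "did:example:consumer-b", "c-2"),
    UsageLogRecord("u-3", "dp:banking-tx", "did:example:consumer-d", "c-3"),
    UsageLogRecord("u-4", "dp:banking-tx", "did:example:consumer-c", None),
    UsageLogRecord("u-5", "dp:banking-tx", "did:example:consumer-c", "c-3"),
]
```

Calling `audit_deliveries(LOG, CONTRACTS)` on the constructed data reports `u-2`, `u-3` and `u-4`; an empty result means every logged delivery is backed by an accepted contract for the same consumer and product.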


Criterion D1.1.6a: For each licensed data element included in the Data Product, the Data Product Provider shall ensure that each Data Product Usage Contract includes Data Usage Agreement(s) (DUA) provided by the Data Licensor(s) explicitly authorizing the Data Usage by the Data Consumer.

| Conformity | Label L1 | Label L2 | Label L3 |
|---|---|---|---|
| declaration | declaration | certification | certification |

Declaration: In case of data liable to EU regulations (GDPR, EU acts on data, …), the provided Data Usage Agreement must contain all information required by the regulation (e.g. consent as per GDPR, authorizations/permissions as per EU acts on data, permissions as per the EU Finance Data Access regulation, etc.).

Permissible Standards:

  • a conformity scheme which includes the verification that the Data Product Usage Contracts contain appropriate Data Usage Agreement(s)

Example Standards: N/A

Note

A Data Licensor is a natural or legal Participant who owns usage rights for some Data. It can be a data subject as per GDPR for personal data or a primary owner of non-personal data (i.e. not liable to GDPR).

Note

The Data Licensor(s) can provide the Data Usage Agreement(s) either through a qualified digital signature or through a record from a Gaia-X Trusted Source (e.g. a trusted data intermediary).

Note

The Data Usage Agreement(s) give the Data Product Provider the legal authorization for providing the data to the Data Consumer. The DUA contains usage terms and conditions associated with these data (permissions, prohibitions, duties, …).

Note

Controlling that the Data Licensor is legally authorized to give a Data Usage Agreement is often domain specific (for instance a farmer can give agreement to use data related to a parcel only if she/he owns or rents this parcel).


Criterion D1.1.6b: The Data Product Provider shall deliver the Data Usage instantiating the Data Product only to Data Consumer(s) which fulfill the constraints in the Data Usage Agreements.

| Conformity | Label L1 | Label L2 | Label L3 |
|---|---|---|---|
| declaration | declaration | certification | certification |

Declaration: Yes/No

Permissible Standards:

  • a conformity scheme which includes verifying that each Data Consumer of the Data Product has provided appropriate Verifiable Credentials for the constraints in the Data Usage Agreements

Example Standards: N/A

Note

Controlling that the Data Consumer fulfils the constraints expressed in the Data Usage Agreement(s) is often domain specific (for instance a patient might agree to share medical data with non-profit research laboratories from specific countries with defined cyber-security certificates). A generic way to implement this criterion is to request the Data Consumer to provide, in the Data Product Usage Contract, the appropriate Verifiable Credentials issued by Gaia-X Trusted Data Sources.
