Data Governance Act Roles Explained: Who Does What Under the EU Data Sharing Framework

The EU Data Governance Act is often discussed as part of the broader European data strategy. But it should not be understood as a general right to access all data, or as a replacement for the GDPR. Its purpose is more specific: to create a framework that increases trust in data sharing, strengthens mechanisms for data availability and supports the development of common European data spaces.

Regulation (EU) 2022/868 applies since September 2023. The European Commission describes it as a key pillar of the European strategy for data, aimed at increasing trust in data sharing, strengthening mechanisms to increase data availability and overcoming technical obstacles to data reuse.

For businesses, public-sector bodies and data-sharing projects, the starting point is role classification. Different obligations apply depending on whether a party is a data holder, data user, data subject, data intermediation service provider, recognised data altruism organisation or legal representative.

The DGA is a governance framework, not a general data access right

The Data Governance Act supports data sharing, but it does not create a general entitlement for any business to demand access to any data. That distinction is important.

The DGA addresses several specific areas. It facilitates the reuse of certain categories of protected public-sector data, regulates data intermediation services, creates a voluntary framework for recognised data altruism organisations and supports data sharing across sectors and borders. The Commission summarises the framework as including mechanisms for reuse of certain public-sector data, trustworthy data intermediaries, ways for citizens and businesses to make data available for society, and measures to facilitate cross-sector and cross-border data sharing.

This means that the DGA should be read as part of the EU's data governance architecture. It creates trust mechanisms, procedural structures and regulated roles. It does not remove the need to assess whether a particular party is legally allowed to share or use a given dataset.

Data subject: the GDPR role remains central

Where personal data is involved, the data subject remains a GDPR concept. The DGA does not replace that status. It uses the data protection framework as a baseline.

This is a practical point. A person whose personal data is processed remains a data subject under the GDPR, with the rights and protections that follow from that regulation. The DGA does not create a separate or weaker category for personal data sharing.

As a result, any DGA analysis involving personal data should also include a parallel GDPR analysis. The relevant questions remain familiar: who is the controller, who is the processor, what is the lawful basis, what information must be provided, how can rights be exercised, and whether any international transfer issues arise.

Data holder: the party able to grant access or share data

A data holder is a party that has the right to grant access to, or share, certain personal or non-personal data under applicable law. In practice, this may include public-sector bodies, organisations holding datasets, or other actors that are legally able to make data available.

The important point is that "data holder" is not the same as owner in a property-law sense. The role is functional. It depends on whether the party has the legal ability to grant access to or share the data.

For personal data, this distinction is especially important. The DGA does not itself create a new lawful basis for processing personal data. A party cannot rely on the label "data holder" to bypass GDPR requirements. The ability to share personal data must still be assessed under data protection law.

Data user: lawful access and permitted use

A data user is a party that has lawful access to certain data and is entitled to use it for commercial or non-commercial purposes. The concept should not be read as a general claim to obtain data. It presupposes lawful access.

This matters for contract design and data-sharing projects. A business may want to use a dataset for analytics, product development, AI training, research, compliance, public-interest purposes or commercial services. But before it can be treated as a lawful data user, the route to access and the permitted purpose of use must be clear.

In practical terms, data-user analysis should ask:

• how access is obtained;
• who grants access;
• for what purpose the data may be used;
• whether the data is personal or non-personal;
• whether sector-specific rules restrict use;
• and whether contractual terms impose additional limits.

Data intermediation service providers: trusted organisers of data sharing

One of the most important DGA concepts is the data intermediation service provider. These providers are intended to act as trustworthy organisers of data sharing or data pooling. The Commission describes data intermediaries as part of the DGA's mechanism to boost trustworthy data-sharing systems across the EU.

The role is not meant to cover every software platform that touches data. The DGA focuses on specific services that intermediate between data holders and potential data users, between data subjects or individuals making non-personal data available and potential data users, or through data cooperatives.

The core idea is trust and neutrality. A data intermediation service provider should not simply exploit the data it intermediates for its own separate purposes. The DGA framework is designed to create confidence that the intermediary is not using its position to create conflicts of interest or secondary monetisation that undermines the trust of data holders, data subjects or data users.

For businesses considering such services, the legal assessment should therefore cover more than the platform's technical architecture. It should also examine whether the provider is notified, whether the service is structurally separated where required, how terms are drafted, how access is governed, how abuse is prevented, and how personal data protection is addressed.

Data altruism organisations: voluntary sharing for general interest purposes

The DGA also creates a framework for recognised data altruism organisations. Data altruism refers to voluntary data sharing for objectives of general interest, such as healthcare, combating climate change, improving mobility, public administration or scientific research.

The Commission explains that the DGA is intended to make it easier for citizens and businesses to make their data available for the benefit of society. The recognised data altruism organisation status is part of that framework.

This is a voluntary registration model, not a general label for any non-profit or socially beneficial data project. Recognition is linked to specific conditions, including general-interest objectives, not-for-profit orientation, independence from for-profit entities and compliance with applicable governance requirements.

For organisations considering this model, the main question is whether the activity is genuinely structured around data altruism and general-interest objectives, rather than ordinary commercial data sharing described in public-interest language.

Legal representatives for non-EU actors

The DGA also uses the concept of a legal representative for certain non-EU actors. This is relevant where a data intermediation service provider not established in the Union offers services in the Union, and where a non-EU entity seeks to operate as a recognised data altruism organisation in the Union.

The legal representative functions as an EU contact and compliance interface. It can be addressed by competent authorities and relevant persons in addition to or instead of the non-EU provider or entity. But the appointment of a legal representative does not mean that the non-EU actor itself disappears from the compliance analysis.

For non-EU businesses, this is a familiar pattern in EU digital regulation. Market access may require an EU-facing representative function, but that representative is not a substitute for understanding the underlying obligations of the service.

The DGA and GDPR must be analysed together

The most important caution for DGA projects is the relationship with data protection law. Where personal data is involved, the GDPR remains fully relevant.

The DGA should therefore not be presented internally as a shortcut for data sharing. It does not make personal data freely available. It does not remove the need for a lawful basis. It does not replace transparency obligations, data-subject rights, controller/processor analysis or international transfer rules.

The safer way to approach a DGA-related project is to treat it as two-layered:

• the DGA layer, which asks whether the data-sharing structure falls within the DGA and whether the relevant role-specific obligations are met;
• the GDPR layer, which asks whether the processing of personal data is lawful, transparent, secure and properly allocated between controllers and processors.

For non-personal data, the GDPR layer may not apply, but other legal constraints can still matter. These may include confidentiality, trade secrets, sector-specific rules, contractual restrictions and restrictions on unlawful third-country access or transfer.

Practical role mapping

A useful first step in any DGA project is to map the roles before drafting documents or building processes.

That mapping should identify:

• who holds the data and on what legal basis;
• who wants to use the data and for what purpose;
• whether personal data is involved;
• whether any party is acting as a data intermediation service provider;
• whether the activity is data altruism or ordinary data sharing;
• whether a non-EU actor needs a legal representative;
• and which GDPR, contractual or sector-specific constraints apply.

This mapping is not only a regulatory exercise. It affects contractual drafting, governance, data access rules, technical architecture, user communications, risk allocation and enforcement exposure.

Practical takeaway

The Data Governance Act creates a trust framework for data sharing in the EU. It does not create a universal data access right, and it does not replace the GDPR.

For businesses and data-sharing projects, the practical question is: which DGA role does each party perform, and what other legal framework applies at the same time?

The answer will often require a combined analysis of the DGA, GDPR, contract terms and sector-specific rules. Correct role mapping is therefore the first step before building a data-sharing model, appointing an intermediary, relying on data altruism, or involving non-EU actors in an EU-facing data project.

Legal references

• Regulation (EU) 2022/868, in particular Articles 1-2, 10-14, 18-25 and 34.
• GDPR, where personal data is involved.
• European Commission, "European Data Governance Act", including its explanation of the DGA as a framework to increase trust in data sharing, support trustworthy data intermediaries and facilitate cross-sector and cross-border data sharing.