5.1 Stakeholders
There can be many stakeholders involved when two or more organisations agree to share data. In International Data Spaces terminology, the Data Owner is the organisation that owns the right to define Usage Contracts, Usage Policies and Payment Models (incl. third party usage). In other contexts, such as the Gaia-X Data Exchange Services specification (Gaia-X, 2022), this role is referred to as Data Licensor. A Data Creator creates data, e.g., from one or many sensors in a vehicle. The Data Provider makes data technically available for data exchange. In many cases the Data Creator, Provider and Owner are the very same organisation. The Data User is the organization that has the legal right to use the data as by the Usage Policies defined by a Data Owner. The Data Consumer receives data from, or access data at, the Data Provider.
In the terminology there is also a pre-defined role of a Service Provider. The Service Provider receives data from one (or many) Data Provider(s) (or other Service Provider(s)) and distributes the result to a Data Consumer.
It is important to state that a single organisation can act in one, many, or even all, of the roles. A participant in a study is defined as a Data Subject per GDPR, the person who generates or is monitored while the data being collected. This person is protected by legal rights concerning the usage of the data.
Data Licensor/Data Owner
A natural or legal participant who own usage rights for data (personal or non-personal). In the context of IDSA, the Data Owner may attach usage restriction information to their data before it is transferred to a Data Consumer. To use the data, the Data Consumer must fully accept the Data Owner’s usage policy. This ensures that the Data Owner maintains data sovereignty and control over their data.
Data Provider
The Data Provider must implement appropriate data-protection means to ensure responsibility and liability, as stated in Usage Policies with Data Owner and the Data Subject. Since an organization can obtain many roles, this can lead to chains where organizations are acting as Data Consumers and Data Providers. It is important for all parties in the chain to have a clear picture of the data flow, comply with the data-protection requirements and thoroughly understand the rights and Data Usage Policies and privacy laws in the country where the data are being managed.
Data Consumer
A data consumer might be allowed to download data from, or operate within, a data provider. An organization can establish a physical or logical Site where the requirements stated by the Data Provider are implemented. The data consumer within this Site must accept and follow the data-protection principles. In many cases an organisation acting as a Data Provider also acts as a (internal) Data Consumer, although it might be practical to keep the distinction between the two, especially in large organisations when managing personal and/or confidential data.