Data Strategy — EU regulation
EU Data Altruism organization registration and audit requirements are now enforceable. If you are operating as a recognized data altruism organization, you need independent audits and transparent governance. This is part of the EU's push for trusted data sharing ecosystems.
By , Member State authorities will start reviewing registered data altruism teams to verify adoption of Commission Implementing Regulation (EU) 2024/1860 consent templates. Controllers must show compliant consent capture, withdrawal processes, and data minimization controls aligned with the Data Governance Act. This audit cycle marks the first systematic enforcement of the EU's new data altruism framework, which enables individuals and teams to voluntarily share data for purposes of general interest.
Data Altruism Framework Overview
The Data Governance Act introduced a novel legal framework for data altruism, recognizing that data sharing for societal benefit requires trust mechanisms beyond commercial data intermediation. Data altruism enables individuals and legal entities to consent to their data being used for general interest purposes such as scientific research, public health improvement, climate change mitigation, and public service improvement.
Registered data altruism teams serve as trusted intermediaries between data subjects and data users. Registration provides a trust mark indicating compliance with DGA requirements. National competent authorities maintain registers of approved teams and oversee ongoing compliance. The registration framework aims to build public confidence in data sharing by ensuring strong governance and data protection.
The consent template harmonization addresses a key implementation challenge for cross-border data altruism. Prior to the implementing regulation, teams operating in multiple Member States faced divergent consent requirements. The harmonized templates enable consistent consent collection while preserving national language requirements and specific protections.
Implementing Regulation Requirements
Commission Implementing Regulation (EU) 2024/1860 specifies standardized consent form templates that registered teams must adopt. The templates include mandatory elements ensuring data subjects receive consistent information about data use purposes, processing activities, data recipients, and their rights. Teams may not deviate from mandatory template elements, though supplementary information may be added.
Consent forms must clearly identify the registered organization, its registration status, and the competent authority overseeing compliance. Purpose descriptions must be specific enough for data subjects to understand how their data will benefit general interest objectives. Generic or overly broad purpose statements do not satisfy template requirements.
Withdrawal mechanisms must be prominently disclosed and easily accessible. Data subjects retain the right to withdraw consent at any time without detriment. Teams must implement technical and organizational measures ensuring withdrawal requests are honored promptly across all data processing activities and downstream data recipients.
Audit Preparation and Evidence Requirements
National authority audits will examine consent collection processes, evidence retention, and how withdrawal is implemented. Teams should prepare documentation demonstrating template adoption across all consent channels. Website forms, mobile applications, paper consent collection, and telephone consent scripts should all conform to template requirements.
Consent records must show valid consent under both the DGA framework and GDPR requirements. Timestamped records should capture the template version presented, the data subject's affirmative action indicating consent, and the purposes to which consent was given. Consent management platforms should be configured to generate audit-ready evidence extracts.
Withdrawal records require similar documentation rigor. Systems should log withdrawal requests including receipt timestamp, processing completion timestamp, and confirmation of data deletion or anonymization. Cascading withdrawal to downstream data recipients should be documented with recipient acknowledgments.
Cross-Border Considerations
Data altruism teams operating across Member States must handle multiple competent authority relationships. Registration is typically with the authority of the Member State of establishment, but data collection in other Member States may trigger additional obligations. Cross-border cooperation mechanisms enable authorities to share audit findings and coordinate enforcement.
Language requirements present practical challenges for harmonized templates. The implementing regulation establishes template content, but teams must provide translations appropriate for data subjects in each collection jurisdiction. Translation accuracy should be verified, and version control should ensure all language versions reflect current template requirements.
Data transfers outside the EU by data altruism teams require appropriate safeguards under GDPR Chapter V. International research collaborations may involve data recipients in third countries. Teams should document transfer mechanisms and ensure consent materials disclose international data flows.
Purpose Governance and Scope Control
Data altruism consent is limited to purposes approved by competent authorities during registration or subsequent amendments. Teams must maintain registers of approved purposes and ensure processing activities remain within scope. New research projects or data use purposes may require registration amendments before data processing can start.
Purpose creep represents a significant compliance risk. As data altruism programs mature, pressure may emerge to expand data use beyond original consent scope. Governance frameworks should include purpose review processes ensuring new uses are evaluated against consent scope and registration terms before implementation.
Downstream data recipient agreements should restrict processing to consented purposes. Data sharing agreements should incorporate purpose limitation clauses and audit rights. Teams remain accountable for recipient compliance and should implement monitoring mechanisms proportionate to data sensitivity and recipient risk profiles.
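The evidence checks described above for consent records, withdrawal records and purpose scope can be run as one pre-audit pass over exported logs. The following is an added example, not code from the regulation or from any consent management product; the record layout, field names and sample values are assumptions made for illustration.

```python
from datetime import datetime

# Field names and values are assumptions of this example, not regulation terms.
CONSENT_FIELDS = ("template_version", "affirmative_action", "purposes", "consented_at")
WITHDRAWAL_FIELDS = ("received_at", "completed_at", "disposition")

def audit_gaps(consents, withdrawals, events, shared_with):
    """Return sorted (subject_id, finding) pairs for evidence gaps.
    consents/withdrawals are keyed by subject_id; events are processing log
    entries; shared_with maps subject_id to downstream recipient names."""
    ts = datetime.fromisoformat
    gaps = set()
    for sid, c in consents.items():
        gaps |= {(sid, f"consent record missing {f}") for f in CONSENT_FIELDS if not c.get(f)}
    for sid, w in withdrawals.items():
        gaps |= {(sid, f"withdrawal record missing {f}") for f in WITHDRAWAL_FIELDS if not w.get(f)}
        if w.get("disposition") and w["disposition"] not in ("deleted", "anonymized"):
            gaps.add((sid, "withdrawal closed without deletion or anonymization"))
        # Cascading withdrawal: every recipient that got the data must acknowledge.
        for r in shared_with.get(sid, set()) - set(w.get("recipient_acks", [])):
            gaps.add((sid, f"no withdrawal acknowledgment from {r}"))
    for e in events:
        sid, at, purpose = e["subject_id"], ts(e["at"]), e["purpose"]
        c, w = consents.get(sid, {}), withdrawals.get(sid, {})
        if not c.get("consented_at") or at < ts(c["consented_at"]):
            gaps.add((sid, f"processing for {purpose} without prior consent"))
        elif purpose not in (c.get("purposes") or []):
            gaps.add((sid, f"processing for {purpose} outside consented purposes"))
        if w.get("received_at") and at > ts(w["received_at"]):
            gaps.add((sid, f"processing for {purpose} after withdrawal"))
    return sorted(gaps)

# Constructed sample data (not real records).
CONSENTS = {
    "s1": {"template_version": "v1", "affirmative_action": "checkbox_ticked",
           "purposes": ["public_health_research"], "consented_at": "2025-01-10T09:00:00+00:00"},
    "s2": {"template_version": "", "affirmative_action": "signed_paper_form",
           "purposes": ["climate_research"], "consented_at": "2025-01-12T14:30:00+00:00"},
}
WITHDRAWALS = {
    "s1": {"received_at": "2025-02-01T08:00:00+00:00", "completed_at": "2025-02-02T08:00:00+00:00",
           "disposition": "deleted", "recipient_acks": ["university_lab"]},
}
EVENTS = [
    {"subject_id": "s1", "purpose": "public_health_research", "at": "2025-02-05T11:00:00+00:00"},
    {"subject_id": "s2", "purpose": "marketing_analytics", "at": "2025-01-20T10:00:00+00:00"},
]
SHARED_WITH = {"s1": {"university_lab", "statistics_office"}}

if __name__ == "__main__":
    for sid, finding in audit_gaps(CONSENTS, WITHDRAWALS, EVENTS, SHARED_WITH):
        print(sid, finding)
```

An empty result means every sampled record carries the fields an auditor would ask for and no processing event falls outside consent; each returned pair names the subject and the specific gap to remediate.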
Technical Implementation Considerations
Consent management systems require configuration to support DGA template requirements alongside GDPR consent management. Systems should capture granular consent choices enabling data subjects to consent to some purposes while declining others. Preference centers should display current consent status and enable modification.
Data minimization controls should limit data collection to what is necessary for consented purposes. Teams should document data minimization decisions and implement technical measures preventing collection of unnecessary data elements. Regular reviews should assess whether collected data remains proportionate to current purposes.
Deletion and anonymization capabilities support the implementation of withdrawal. Systems should enable reliable identification and deletion of individual data subject records across all storage locations. Where deletion is impractical for analytical datasets, anonymization techniques should render re-identification infeasible.
Organizational Governance Requirements
Board or management body oversight of data altruism activities shows governance commitment. Reporting lines should ensure senior leadership visibility into consent compliance, withdrawal volumes, and audit findings. Risk reporting should incorporate data altruism compliance risks alongside other organizational risks.
Data protection officer involvement improves compliance assurance. DPOs should review consent templates, assess processing activities against consent scope, and participate in audit preparation. Coordination with DGA competent authorities complements existing DPO relationships with data protection supervisory authorities.
Staff training ensures operational teams understand template requirements and consent handling procedures. Training should cover consent collection, withdrawal processing, and audit response. Regular refresher training addresses template updates and lessons learned from compliance incidents.
Audit Response and Remediation
Early engagement with competent authorities can smooth audit processes. Teams should understand authority expectations, preferred documentation formats, and communication channels. Pre-audit meetings may clarify audit scope and enable preparation of requested materials.
Audit findings requiring remediation should be addressed promptly. Remediation plans should include root cause analysis, corrective actions, and timeline commitments. Follow-up verification shows remediation effectiveness. Persistent non-compliance could affect registration status and the organization's ability to continue data altruism activities.
Lessons learned from audits should inform continuous improvement. Consent management processes, template implementations, and governance frameworks should be refined based on audit feedback. Industry peer networks may provide benchmarking opportunities and best practice sharing.
Documentation
- Commission Implementing Regulation (EU) 2024/1860 — Official Journal of the European Union
- Data altruism under the Data Governance Act — European Commission
- ISO 8000-2:2022 — Data Quality Management — International Organization for Standardization