Vetted Researcher Data Access

There are two ways that researchers that are studying systemic risk in the EU can get access to data under Article 40 of the DSA. 

• Public data under Article 40(12).  This is a process where a researcher who meets the relevant criteria can apply for data access directly from a VLOP/VLOSE, for example, access to a content library or API of public posts.
• Non-public data, known as “vetted researcher data access”, under Article 40(4)-(11). This is a process where a researcher, who has been vetted or assessed by a Digital Services Coordinator to have met the criteria as set out in DSA Article 40(8), can request access to non-public data held by a VLOP/VLOSE. The data must be limited in scope and deemed necessary and proportionate to the purpose of the research.

How can I access public data under the DSA (Article 40(12))?

Before applying for vetted researcher status, researchers must first assess whether public data access may be satisfactory to meet their research needs. 

To request access to public data you should apply directly to the VLOP/VLOSE you wish to obtain data from. Information on how to do this should be available on the VLOP/VLOSE’s own website. We cannot make a public data access request, relating to Article 40 (12), on a researcher’s behalf. However, if you have faced difficulties with obtaining data under Article 40 (12), you can contact our Contact Centre.

How can I access non-public data under DSA (Article 40(4)-(11))?

What is a vetted researcher?

A vetted researcher is a researcher who:

• applies to a Digital Service Coordinator (DSC) for vetted researcher status;
• is formally awarded vetted researcher status by a DSC, having met the relevant criteria that are set out in Article 40(8); and 
• is granted permission to access the non-public data they have requested for the purposes of completing the research outlined in their application. 

What are the requirements for submitting a Vetted Researcher Data Access application?

To be granted access to non-public data held by a VLOP / VLOSE you must submit a detailed application to a Digital Services Coordinator which demonstrates that you meet the criteria as set out in Article 40(8) of the DSA. For your information we have summarised these criteria below. However, please look at the detailed requirements set out in Article 40(8). You will need to demonstrate:

1. You are affiliated to a research organisation.
2. You are independent from commercial interests of providers.
3. You have disclosed the funding of the research.
4. You can fulfil the specific data security, data protection and confidentiality requirements for the requested data and have described the appropriate technical and organisational measures that they have put in place.
5. Your access to the data and the time frames requested are necessary for, and proportionate to, the purpose of your research.
6. The planned research will be carried out for the purposes of contributing to an understanding of systemic risk or the assessment of risk mitigation measures in the EU.
7. You are committed to making your research results publicly available free of charge, within a reasonable period after the completion of the research.

How can I submit a Vetted Researcher Data Access application?

Coimisiún na Meán is responsible for awarding vetted researcher status and making a reasoned request for data on behalf of a vetted researcher for all applications made regarding VLOP/VLOSEs that are established in Ireland.

DCSs are currently waiting for the publication of a Delegated Act from the European Commission, expected in 2025. Applications will be submitted through the dedicated EC Data Access Application Portal when this becomes available.

In the interim, we can provide the following broad guidance: 

A researcher who wishes to access data from a VLOP/VLOSE established in Ireland can follow two possible routes to achieving Vetted Researcher status:

• Route 1: A researcher may submit their application to the Digital Services Coordinator of the Member State of the research organisation to which they are affiliated. If successful, this initial assessment will then be forwarded to Coimisiún na Meán, for final assessment.
• Route 2: A researcher can apply directly to Coimisiún na Meán (DSC of establishment)

Due to the high volume of applications expected for VLOP/VLOSEs established in Ireland, once the Delegated Act is enacted we would encourage EU based researchers to follow Route 1 as outlined above. 

How can I prepare for submitting a Vetted Researcher Data Access application?

It is important to understand that your application will be assessed as a data access request and so you will need to show compliance with GDPR (General Data Protection Regulation) if requesting any personal data, as well as any other applicable legislation. Under the GDPR, a Data Protection Impact Assessment (DPIA) is mandatory where data processing “is likely to result in a high risk to the rights and freedoms of natural persons”. In cases where it is not clear whether a DPIA is strictly mandatory, carrying out a DPIA is still good practice and a useful tool to help data controllers comply with data protection law. You can find guidelines on this topic which have been endorsed by the European Data Protection Board.

We would encourage prospective applicants to consult with their research organisation’s Data Protection Officer (DPO) in advance of preparing an application. You can keep up to date with the development of the Delegated Act on data access provided for in the Digital Services Act by clicking on the button below.