The Data Sharing obligations under Article 16 of this Regulation apply only in relation to User Data.
Subject to provision of the User’s consent in accordance with Article 22 of this Regulation, where a User uses Data Sharing provided by a Data Service Provider to consolidate information relating to the User Data of that User, the Data Holder must:
2.1
communicate the information relating to the User Data in accordance with the request received;
2.2
treat a request for information relating to the User Data in the same way as a request solely received directly from the User; and
2.3
communicate securely with the Data Sharing Provider in accordance with this Regulation and other applicable Regulations and requirements of the Open Finance Framework.
A Data Sharing Provider must:
3.1
only provide Data Sharing in accordance with the User's explicit consent and instructions;
3.2
not Process any User Data that is Sensitive Data for the provision of Data Sharing, even with the explicit consent of the User;
3.3
ensure that the User's personalised security credentials, such as Personal Identification Numbers (PIN) and/or passwords, are:
3.3.1
not accessible to other parties, with the exception of the issuer of the credentials; and
3.3.2
transmitted through secure and efficient channels.
The Data Sharing Provider must identify itself to and communicate securely with the Data Holder and the User.
The Data Sharing Provider must not use, access or store any information for any purpose except for the provision of the Data Sharing services explicitly requested by the User, except where necessary to comply with any applicable law of the State.