Acm.nl uses cookies to analyze how the website is used, and to improve the user experience. Read more about cookies

Vetted researchers

Researchers sometimes need non-public data from very large online platforms and search engines. In order to gain access to such data, researchers can apply for vetted status with ACM.

On this page:

Requirements for vetted researchers

Vetted researchers have the right to access non-public data that they need for their research. Very large online platforms and search engines are required to give researchers access to that data.

In order to be granted the vetted status, researchers must meet all of the following requirements:

Research organizations conduct scientific research or carry out educational activities that also involve scientific research. Both of these activities are carried out on a non-profit basis or pursuant to a public-interest mission recognized by a Member State.

You can apply for the vetted status in the data access portal. In that portal, you will also find a list of research organizations that meet the above requirements. If your organization is not on that list, you must demonstrate that your organization meets the requirements. Documents that may support this are, for example:

  • statutes containing a public-interest mission
  • a general description of duties
  • annual reports or financial statements that show that all profits are reinvested in scientific research
  • information that shows that your organization is not-for-profit

The affiliation to a research organization can be demonstrated, for example, by

  • a contract of employment
  • a formal declaration signed by the research organization

Researchers and their work are unbiased and independent from commercial interests. In that context, think of a direct commercial interest, such as shares. However, it may also concern an indirect commercial interest, such as a family connection or a social relationship with a director, senior employee, or advisor of the very large online platform or search engine that you wish to study.

You can demonstrate your independence by endorsing the standard statement in the data access portal or by, for example, a written statement, signed by you.

The application for the vetted status must contain documents regarding:

  • the source, nature, and amount of the research funding
  • the length of the funding period

The researcher treats the data confidentially, and is able to secure it. In addition, the researcher protects any personal data. The technical and organizational measures that the researcher has put in place to that end has been included in the application.

The data that you need may contain personal data from users or information on internal processes of a very large online platform or search engine. You must handle such data in a secure and confidential manner. You must demonstrate this in your application.

To that end, you must:

  • identify any data-security risks and confidentiality risks associated with the request, including the protection of personal data
  • describe the technical, legal and organizational measures for mitigating the above risks, and for protecting personal data
  • give further details on the proposed data access modality and the thereto-associated technical security measures

You can substantiate the above points as much as possible with documents such as contracts, certificates (ISO or otherwise), or any other supporting documentation.

For a definition of personal data, please consult the website of the Dutch Data Protection Authority (AP).

If your application contains any personal data, you must do the following, among other things:

  • indicate whether the personal data is pseudonymized or identifiable, and describe what anonymization or pseudonymization techniques you use
  • clearly describe which legal basis under the GDPR you use for the processing of personal data
  • conduct a Data Protection Impact Assessment if required by the GDPR
  • indicate whether any personal data will be transferred outside of the European Union (EU) or the European Economic Area (EEA)

We advise you to involve the DPO (Data Protection Officer) of your organization in the processing and protection of personal data.

Access to the data as well as the requested timeframes are necessary for and proportionate to the research objective. The expected results will contribute to the research objective.

Demonstrate this in your application with a detailed description of the requested data, as well as with information about:

  • how the data was selected
  • why this data is necessary, e.g. in relation to publicly available data and to the research question and/or research hypothesis
  • the level of data granularity (e.g. aggregated or individual-level data)
  • data minimization
  • the justification of the requested timeframe

The objective of the research is to contribute to the detection, identification, and understanding of systemic risks, or to the assessment of the effectiveness, efficiency, and the effects of the measures taken by very large online platforms and search engines.

Systemic risks are risks that can inflict serious harm to society or the economy at large, for example the widespread dissemination of illegal content or the disruption of the democratic process.

Demonstrate in your application that your research contributes to the abovementioned objective by providing information about:

  • your research activities and research methodology
  • how the research activities are connected to the detection, identification, and understanding of systemic risks or the assessment of the effectiveness, efficiency, and the effects of the measures taken by very large online platforms and search engines
  • how the systemic risk is related to the design or functioning of the very large online platform or search engine and its related systems

The researcher will make the research results publicly available, free of charge, within a reasonable period.

You can demonstrate that you meet this requirement by drawing up a written statement.

Are you a researcher, and do you have a question? If so, send your questions to dsa-vettedresearchers [at] acm [punt] nl

Filing an application for vetted status

Researchers can apply for vetted status in the data access portal of the European Commission.

We will only assess applications if at least one of following is located in the Netherlands:

  • the European headquarters of the very large platform or search engine that the researchers are requesting data from
  • the legal representative of the very large platform or search engine that the researcher is requesting data from
  • the research organization of the researcher

If none of these apply, the application must be submitted in a different member state.

An up-to-date overview of all very large online platforms and search engines can be found on the European Commission’s website. This overview also shows in which Member State the platform or search engine has its legal representative.

We will assess whether an application meets the requirements, and then decide whether the researcher is granted the vetted status. The Dutch Data Protection Authority (AP) advises us about the protection of personal data. We aim to issue a final decision within 80 working days.

If the research organization is located in the Netherlands, but the platform or search engine is located in a different member state, we will only carry out a preliminary assessment of the application: a so-called initial assessment. We will subsequently forward our advice and the application to the regulator in the member state in which the very large online platform or search engine is located. That regulator will issue the final decision.

All applications filed with us must be submitted either in Dutch or in English. This also applies to any supporting documents.

Data access request

If you are granted the vetted status, we will send the very large online platform or search engine a request for access to the requested data. The very large online platform or search engine must either comply with the request or ask for an amendment to the request. It must do so within 15 days, and only if:

  • the very large online platform or search engine has no access to the requested data, or
  • providing access may lead to significant vulnerabilities in the security or confidentiality of their service.

After receiving a request for an amendment, we will assess it, and decide on it within 15 days.

Revoking the data access

We monitor whether the researchers that have been granted vetted status by us continue to meet the requirements. If a vetted researcher no longer meets the requirements, we may revoke their access to the data.

If you have any indications that a vetted researcher no longer meets the requirements, please report this to us.

Access to public data

If you, for your research, need access to data from very large online platforms or search engines that is publicly available, you do not need the vetted status.

Very large online platforms and search engines must grant all researchers access to data if:

  • that data is publicly available
  • the researcher is affiliated with a scientific research organization
  • the researcher is independent from commercial interests
  • the funding of the research project has been disclosed
  • the researcher handles data security and confidentiality, and is able to secure and protect personal data
  • the researcher demonstrates that the access to publicly available information is necessary for detecting, identifying and understanding systemic risks

The European Commission monitors whether the platforms and search engines comply with these rules.

Sources

Back to top