Data Space Privacy Addendum
Effective date: Feb 10, 2026
Last update: Feb 25, 2026
1. Purpose of the Addendum
This Addendum governs the processing of personal data that may occur in the context of:
- the onboarding process to the Data Space;
- the management of participation;
- the publication and consumption of datasets;
- the governance, traceability, and security of the Data Space.
Where personal data is processed through other Sheetgo products or services outside the governance framework of the Data Space, Sheetgo’s General Privacy Policy shall apply.
2. Nature of the Sheetgo Data Space
The Sheetgo Data Space is a technological and governance environment that enables the controlled sharing of data between participants, governed by specific contractual and technical rules.
Participation is voluntary and subject to the corresponding Accession Agreement.
3. Roles in Data Protection
3.1 Participants
Each participant acts as:
- Controller with respect to the datasets it decides to publish;
- Independent Controller with respect to the personal data included in those datasets.
Sheetgo does not determine the content, purpose, or legal basis of the datasets designated by participants.
3.2 Sheetgo as Controller
Sheetgo acts as Controller with respect to:
- management of onboarding to the Data Space;
- administration of accounts and roles;
- issuance and validation of technical credentials;
- management of digital identities;
- logging and traceability records;
- supervision of Data Space security;
- contractual and governance management.
Legal basis:
- Article 6(1)(b) GDPR (performance of a contract);
- Article 6(1)(f) GDPR (legitimate interest in ensuring the security and governance of the Data Space).
3.3 Sheetgo as Processor (limited scope)
Where Sheetgo technically facilitates the exchange of datasets between participants, it may act as Processor exclusively in relation to:
- technical transmission of data;
- automated processing necessary to enable the exchange;
- application of technical rules defined by the participant.
In such cases:
- Sheetgo will act under documented instructions;
- it will implement appropriate technical and organizational measures;
- it will not use the data for its own purposes.
Where Sheetgo acts as Processor on behalf of a participant, such processing shall be governed by the corresponding Data Processing Agreement or by the contractual clauses incorporated into the Accession Agreement.
4. Processing Principles Applicable in the Data Space
Processing activities within the Sheetgo Data Space are governed by:
- data minimization;
- purpose limitation;
- security and confidentiality;
- access traceability;
- granular permission control;
- logical segregation of environments.
5. Technical and Organizational Measures
The Data Space incorporates measures such as:
- encryption in transit and at rest;
- strong authentication;
- role-based access control (RBAC);
- logging and auditing of operations;
- dataset segregation per participant;
- security monitoring.
These measures are periodically reviewed in accordance with industry standards.
6. Traceability and Logging
Within the Data Space, Sheetgo may generate technical records (logs) relating to:
- access to datasets;
- acceptance of terms of use;
- negotiation of data contracts;
- technical exchange of information.
These records are retained for purposes of:
- security;
- regulatory compliance;
- incident resolution;
- contractual auditing.
7. Responsibility of Participants
Participants are responsible for:
- determining the legal basis for the data they publish;
- ensuring that datasets comply with applicable regulations;
- applying anonymization or aggregation processes where appropriate;
- properly defining access conditions;
- responding to data subject rights requests.
Sheetgo does not automatically validate the lawfulness of published content, except for basic technical checks related to structural consistency or security.
8. International Transfers
Where infrastructure or certain services associated with the Data Space involve processing outside the European Economic Area, appropriate safeguards shall be applied in accordance with Chapter V of the GDPR, including, where applicable, the use of Standard Contractual Clauses or other transfer mechanisms recognized under European Union law.
9. Transparency and Auditability
In line with governance and auditability principles applicable to data spaces, Sheetgo provides information regarding its security and compliance framework through its Trust Center.
Evidence of relevant certifications and audits may be consulted upon request at: https://trust.sheetgo.com/
10. Data Subject Rights
Where Sheetgo acts as Controller, data subjects may exercise their rights in accordance with the General Privacy Policy.
Where Sheetgo acts as Processor, requests must be addressed to the corresponding participant acting as Controller.
11. Retention
Data processed in the context of the Data Space shall be retained:
- for the duration of participation;
- for applicable statutory limitation periods;
- for periods necessary to ensure traceability and contractual compliance.
12. Updates
This Addendum may be updated to reflect regulatory or technical changes in the Data Space.
The current version will be available on the Sheetgo website.