Requirements pursuant to the Digital Services Act

1. What is the Digital Services Act (DSA)?

The Digital Services Act, in effect as of February 2024, aims to regulate the Internet more strongly and consistently, thereby creating a safe, predictable and trustworthy online environment. This is primarily about protecting the fundamental rights of Internet users and preventing illegal content. Binding EU-wide obligations have been introduced for all digital service providers that provide goods, services or content to consumers in the EU.

2. Does the DSA and its requirements apply to my service/website/app?

The Digital Services Act distinguishes between three different types of “intermediary services”:

a) Mere conduit. With a mere conduit or pass-through service, information provided by the user is simply transmitted or access to a communication network is provided. Examples include VPN and WLAN providers, top-level domains or email services.

b) Caching Service: A caching service, on the other hand, is an automatic, time-limited temporary storage of information that only serves to transmit information more efficiently. Examples of this are web or DNS caching.

c) Hosting Service. A hosting service stores information provided by the     user on their behalf. Classic examples include cloud computing services as well as web, email and server hosting. A special form of a hosting service is the Online Platform, a hosting service that not only stores information or content on behalf of a user, but also distributes such information publicly, i.e. outside of Bayer.

The most relevant type for Bayer is the “hosting service”. The very broad definition could be interpreted like this:

Whenever we store customer/patients/healthcare professional/etc. information on our systems, with the knowledge/consent of the users and on their behalf, and such information is used by us to provide a service within a commercial context which can be consumed electronically at individual request of the user (excluding editorially managed information or pushed news by us), this may classify as a hosting service in the sense of the DSA.

Some examples from the Bayer World:

a) Communication or intermediary platforms to facilitate information exchange between patients/farmers:

Even though a detailed information exchange between the respective patients/farmers, etc. may only happen later and directly between them via private communication tools (without Bayer as intermediary), at least some patient/farmer information will be hosted on our systems in order to facilitate the “match”. Insofar, the offering of an intermediary platform is within the scope of the DSA.

b) Collaborations with external platforms: 

We would differentiate according to a “generalized” view of the respective user: does the typical user perceive the Service received as a Bayer Service or as the service of the external third party? (branding, look and feel of website, etc.). In the latter case and as a general rule, we would see the obligations of the DSA primarily imposed on the direct user-facing external partner and not on us (rendering a Service in the background to our partner).

c) Web Shops

If the user information is stored in our own interest and for the specific service provision only (delivery of product), we would not see this storage as being “on behalf of the user”. However, if we also offered e.g. a rating and comment function and such information would be published on behalf of the user so that other users could read them, this would make the web shop an Online Platform within the meaning of the DSA.

From a regional perspective, the obligations imposed by the DSA apply to all intermediary services offered to recipients of the service that have their place of establishment or are located in the EU, irrespective of where the providers of those intermediary services have their place of establishment.

3) What are the obligations imposed by the DSA?

a) Central points of contact for users and authorities

• Prior to the go-live of the intermediary services, please designate: 
  • A single point of contact within Bayer to enable Member States’ authorities to communicate with us directly by electronic means. Please also add a second language (next to English) that is used in the country where the legal entity that is offering the intermediary service has its main establishment (for example: German in case the service is offered by Bayer AG);
  • A single point of contact to enable the recipients of the service to communicate with us directly by electronic means.
  • In case you provide an intermediary service to recipients located in the EU but you do not have an establishment in the EU yourself: Designate, in writing, a legal or natural person to act as your legal representative in one of the Member States where you offer your intermediary services.
• Please fill out the respective notice in the imprint template and publish this information on your service accordingly.

b) Moderation of content

• Include in your terms of use, using clear, plain, intelligible, user-friendly and unambiguous language, information on any restrictions that you impose in relation to the use of your service. That information has to include information on any policies, procedures, measures and tools used for the purpose of content moderation, including algorithmic decision-making and human review, as well as the rules of procedure of your internal complaint handling system.
• Please note that this obligation is only relevant to the extent that users are able to generate content that is “moderated” by the provider, i.e. primarily for Online Platforms. This is not the case where Bayer has set-up the electronic communication between patients/farmers to be private (e.g. via private email) and not on the Bayer platform itself.

c) Transparency Reporting obligation

You need to make publicly available, in a machine-readable format and in an easily accessible manner, at least once a year (earliest in 2025), clear, easily comprehensible reports on any content moderation (if any, cf. above) that you engaged in during the relevant period. We will provide a template for this, once there is a common “best” practice established.

d) Notice and action mechanism (only applicable for Hosting Services and Online Platforms):

• Establish a notice and action mechanism to allow individuals or entities to report specific information that the individual or entity considers to be illegal content. This mechanism must be easily accessible and user-friendly and allow reports to be submitted exclusively by electronic means.
  To implement this, please use the preformulated respective text line in our imprint template and create an input mask on your website, which allows the input of the information as listed in the bullet below (example).
• The notice and action mechanism should prompt the reporting individual to provide the following information (you can use this template): 
  a) A sufficiently substantiated explanation of the reasons why the individual or entity alleges the information in question to be illegal content;
  b) A clear indication of the exact electronic location of that information (such as the exact URL or URLs)
  c) The name and email address of the individual or entity submitting the notice
  d)  A statement confirming the bona fide belief of the individual or entity submitting the notice that the information and allegations contained therein are accurate and complete.
• Immediately send to the notifying individual or entity a confirmation of receipt (if you received the electronic contact details of the notifying individual or entity)
• Promptly inform the individual or entity from whom the concerned information originates of your decision.
• All reports submitted must be processed and decided promptly, carefully, free from arbitrariness and objectively.

e) Additional Obligations for Online Platforms
In case you intend to set up an Online Platform as defined above, several additional obligations pursuant to the Digital Service Act may apply. Please contact your local LPC Business Partner.