A more inclusive Europe through personal data sovereignty in cross-border digital public services

Cross-border services require EU Member States to share data, and the uptake of these services requires users to share their data safely and securely. In addition to being technically assured and having cross-border digital services that are safely designed, people should also know what is done with their personal data, have the possibility to disable permissions, have only the minimal data necessary for a specific use requested, and, last but not least, have their data used only as originally intended. In other words, cross-border services must deliver data sovereignty to motivate EU citizens to use cross-border digital public services often. However, the EU needs to overcome many challenges, especially when it comes to technical interoperability between Member States, to reach the desired state of data sovereignty in cross-border services. The following research presents a technical approach to personal data in the context of cross-border services. This approach uses principles of decentralisation and data minimisation by design, as well as processes for data consent management, all of which aim to position people with greater agency and control over their own personal data and digital identity. This research presents a personal data governance framework, which is a minimum viable prototype for allowing users to achieve data sovereignty in cross-border services. To achieve this, an analysis of existing reference technologies was conducted alongside a study of the European context. Moreover, workshops in three European Union (EU) countries took place with relevant stakeholders as well as user interviews, and finally, usability tests on the prototype were organised. The research provides insights into the potential of a data governance framework for enhancing the quality of cross-border digital services and informs the development of practical and effective data governance policies and practices for cross-border digital public services in the EU.


INTRODUCTION
Cross-border digital public services refer to the ability of citizens, businesses, and organisations to access and use public services provided by a Member State other than their original state, such as applying to universities, paying taxes, or gaining access to healthcare services. These services promote mobility and cross-border cooperation within the EU and contribute to the digital single market. However, technical interoperability issues, such as local solutions that may not meet policy requirements, legacy systems, and different approaches to dealing with specific types of data, create barriers to the efficient flow of data and hinder data sovereignty. Interoperability in the EU context refers to the ability of different systems, services, and applications to work together seamlessly and efficiently, regardless of their technology or organisational boundaries. It enables the exchange and sharing of data, information, and services across different platforms, devices, and networks between different Member States [18]. Still, in the EU context, technical interoperability barriers are associated with some of the most challenging problems for cross-government information systems [29].
Trust is also crucial in digital government services, and privacy and security are important factors in building citizens' trust in digital public services and enhancing cross-border service uptake.
Ensuring privacy in online transactions is critical for instilling trust and promoting the adoption of innovative digital public services. If citizens can 'trust' that their data is secure, they will continue to share it with governments and adopt cross-border services [21,29,31-34].
To address interoperability and privacy challenges in cross-border environments, several policies have been initiated by the European Commission. Firstly, the European Commission plans to introduce a new digital identity framework for European citizens, residents, and businesses [12]. This initiative builds on the current eIDAS Regulation, which provides a cross-border legislative framework for trustworthy digital IDs, authentication, and website certification within the EU. 60% of the EU population in 14 Member States can use their national eID for cross-border purposes [14]. The European digital identity framework is critical for achieving the once-only principle (OOP) concept, which aims to ensure that citizens, institutions, and businesses only provide authorities and administrations with standard information once [24]. A Eurobarometer survey has shown that 85% of EU citizens desire a secure and trustworthy single digital ID for various public and private digital services, and the European digital identity wallet will serve as the foundation for such a system [22]. Secondly, the European Interoperability Framework (EIF) provides technical and organisational principles for interoperable digital solutions across the EU [10]. The EIF establishes a technical interoperability framework crucial for cross-border digital public services implementation while protecting data sovereignty. Along with the EIF, the Single Digital Gateway (SDG) policy is another EU initiative that provides easy and seamless access to public services and information for citizens and businesses across the EU. It involves the creation of a digital portal that allows users to access public services and information from anywhere, regardless of their location or the location of the service provider [10].
Lastly, the General Data Protection Regulation (GDPR) updated the EU's personal data protection framework, introducing a risk-based approach to data protection [16]. It aims to facilitate the free movement of personal data within the EU while ensuring the protection of data subjects' rights. Article 25 of the GDPR introduces a new requirement of data protection by design, which is linked to privacy by design, a principle advocating for privacy considerations embedded in the technology itself, from the design stage throughout the system's lifecycle. Although the eIDAS and the GDPR do not offer specific guidance on the means to achieve data protection by design, there is a need to assess its extent and means in the eIDAS interoperability framework, given the voluntary use of eIDAS by private-sector services. However, even with policies such as the eIDAS and regulations like the GDPR in place, the delivery of data sovereignty has much to advance, as 47% of Europeans do not utilise digital government services because of data privacy concerns [15]. Also, the use of cross-border services remains stagnant at 54%, compared to 81% at the national level [13]. This fact is concerning as a 1% decrease in the proportion of cross-border services would cost the EU economy roughly € 8 billion [17]. Citizens want to access and share their data in an interoperable way while ensuring they do it with privacy and security [23]. The achievement of data sovereignty in cross-border services entails that Member States also achieve technical interoperability. The EU still needs to deliver on these policies to allow data sharing and data migration more safely and transparently in cross-border settings. Thus, this research sets out to design a personal data governance framework that builds on the current body of research and aims to deliver on some of the capacities proposed by EU policies.
This article then presents the following research question: "How can a personal data governance framework be designed in a user-centric way to ensure data sovereignty in cross-border digital services in the EU?"
In order to answer this guiding question, the following research presents a technical approach to personal data in the context of cross-border services. This approach utilises principles of decentralisation and data minimisation by design, as well as processes for data consent management, all of which aim to position people with greater agency and control over their own personal data. The proposed personal data governance framework is a minimum viable prototype (MVP) that may help users to achieve data sovereignty in cross-border services. To design this framework, an analysis of existing reference technologies was conducted alongside a study of the European context. Moreover, workshops in three EU countries took place with relevant stakeholders and user interviews, and finally, usability tests on the prototype were organised. This research aims to provide insights into the potential of a personal data governance framework for practical and effective data governance policies and practices for cross-border digital public services in the EU.

RESEARCH BACKGROUND
The adoption and success of cross-border projects are reportedly influenced by various factors, not only those related to technology and regulations but also those related to the managerial, organisational, political, and institutional contexts [35]. In the digital government field, technical interoperability has long been identified as a cause that hinders cross-border collaboration between countries. Regarding technical and semantic issues, the main obstacle to the cross-border implementation of the OOP is the technological heterogeneity and maturity of e-Government systems [8,21,24]. Fragmentation of data exchange infrastructures in Member States has also been identified as a barrier to achieving EU-wide interoperability and OOP [28]. National solutions implemented within borders are not designed for cross-border data exchange and are often resistant to change [8]. Research has shown that Member States are reluctant to change legacy systems for cross-border reasons [21]. Technical interoperability is hindered by the heterogeneity of data exchange infrastructure systems, different approaches to handling data, and access to distributed data sources [24]. Achieving cross-border interconnection between local databases is challenging due to the heterogeneity of data exchange infrastructures in the EU, and solutions must ensure high compatibility with existing technological systems [6]. Also, mutual trust between public administrations is a significant challenge in implementing EU policies at the cross-border level [19].
Transmitting data and achieving digital sovereignty is also essential to make citizens trust cross-border systems. Citizens in Germany, Austria, and Switzerland also expressed concerns about seamless data exchange across borders, with two-thirds of respondents having a negative impression of cross-border OOP implementation [1]. As also shown in a survey that evaluated citizens' perspectives on cross-border data exchange, only a minority of the responders felt confident regarding their electronic data privacy [30]. Trust is a critical factor in the success of digital government initiatives as it helps to overcome citizens' concerns related to uncertainty and risk, which could otherwise inhibit their use of technology. Although trust has been discussed in the public administration field, empirical research on the subject is still limited [9]. However, the concept of trustworthiness has become central to digital government research, with the perception of conviction in the reliability and integrity of a trusted entity being a key element [26]. Trustworthiness is the perception of conviction in the trusted entity's reliability and integrity, with this perception usually involving concerns related to security and privacy [2]. Privacy and security are recurring issues in digital government, and the perceived privacy and security of information are critical to instilling citizens' confidence and improving digital public services uptake [7]. Perceived privacy and information security are critical to motivating users' confidence, especially for transactional services requiring citizens to disclose personal information before a process can be completed [3]. Therefore, confidence in online services is crucial in generating trust in cross-border digital public services [36].
Moreover, several solutions have been developed for cross-border data exchange. These solutions have been analysed by the academic community in the context of data interoperability [24]. The European Commission has primarily initiated these solutions. For instance, eDelivery was developed to enable secure communication and data exchange between public administration, businesses, and citizens [37]. BRIS is a platform that facilitates cross-border data exchange between Business Registers in European Economic Area countries [5]. EESSI enables the exchange of social security information across borders [11]. EUCARIS is a decentralised system that connects Member States and allows sharing of information related to vehicles and driving licences [39]. OpenPEPPOL provides a set of PEPPOL-based ICT products and services that enable cross-border interconnection of eProcurement systems [38]. Finally, the TOOP project developed the OOP solution, demonstrating the feasibility of achieving OOP in a cross-border setting [25].
While cross-border digital initiatives in the EU are a step in the right direction towards promoting technical interoperability and establishing data sovereignty, there are still issues with data protection, security, and legal and regulatory differences among Member States. To achieve data sovereignty in cross-border digital services, a wider approach is needed that considers policy frameworks and can be implemented in day-to-day services. The EU must establish a harmonised governance framework for data sovereignty across Member States and ensure that all cross-border services comply with current policies. Citizen consent and usage policies for data exchanges are also crucial. Academic research in this area is being applied in initiatives such as the International Data Spaces Association (IDSA) and GAIA-X. An appropriate personal data governance can assist in diminishing trust difficulties and delivering on the EIF's objectives.

RESEARCH METHODOLOGY
Implementing cross-border public services in the EU requires a robust data governance framework that balances the need for secure and efficient data sharing with protecting citizens' personal information. A well-designed data governance framework can address technical issues and increase data privacy and protection, making it possible to implement cross-border public services that meet the needs of EU citizens. The following steps were followed while designing, building, and validating the personal data governance framework. The steps for this research methodology and their relation can be seen in the following image:

Analysis of reference technologies
First, the selection criteria for the reference technologies analysed in this research method were based on their potential to address the challenges of data privacy and protection in cross-border services. Specifically, the technologies were selected based on their ability to enable individuals to control their personal data, ensure secure and transparent data sharing with service providers, and promote data sovereignty. For the personal wallet technology, attribute-based credential technology was considered essential for data minimisation and control of personal data transfer. At the same time, the IDSA's data sovereignty approach was chosen for its ability to enable specific data usage policies when transferring private data between multiple stakeholders. Finally, the MyData approach was selected due to its privacy-focused principles and potential to address data privacy and protection issues in cross-border services in the EU.

Cross-border service selection and desk research
Due to the rising trend of cross-border mobility in the EU, working or studying abroad was chosen as a case study to develop a personal data governance framework for cross-border services. Mobile tertiary students have increased by 22% since 2013, indicating an increasing popularity of studying abroad in the EU [40]. Additionally, the employment rate for individuals with citizenship from another Member State than the one they were living in was 76% in 2019, compared to 74% for nationals and 60% for non-EU citizens, which highlights the growing trend of working abroad [41]. However, this raises concerns about the protection and governance of personal data, as individuals may need to share their private information with various service providers in different countries. To design the personal data governance framework, it is necessary to test it in a narrower environment and analyse if it can be scaled to an EU setting after testing. As such, the framework is verified in specific services and with different Member States. First, the current situation of data sovereignty in cross-border services in three Member States was analysed: Germany, Greece and Latvia. The three countries, all committed to digital service transformation, have been chosen to cover different geographical scopes, eGovernment maturity levels and spatial challenges. Desk research was then conducted to identify and catalogue cross-border services offered in these countries. In other words, a list of all services necessary to complete the process of working or studying from country to country was identified. Then, these existing services were categorised in terms of their readiness and capacity to be integrated into a personal data governance framework.

Definition of personas and their user journeys
The user journey is a well-known and widely used tool in service design to achieve high customer orientation and satisfaction in public services [27]. Two draft user journeys have been produced collaboratively based on the initial inventory of existing cross-border services, one for studying abroad and one for working abroad. These journeys have then been utilised to inform the creation of 'personas', which are based on common use cases of individuals interested in pursuing education or employment in a Member State other than the one of which they are nationals. These two common user journeys (studying or working) were then used to generate six process flows, or six distinct user journeys. In other words, the process of studying or working was developed back and forth for each pair of piloted countries. For example, the process of studying from country A to country B is different from country B to country A. This distinction arises because the services required to complete the cross-border process differ. As a result, the user journey for a citizen travelling from Greece to Latvia to study differs from that of a person moving from Latvia to Greece.

Workshops with relevant stakeholders in the three pilot countries
An online workshop was organised to define and understand the gaps cross-border digital services face, particularly regarding privacy and personal data management. During this co-creation session, a visual representation of the EU digital identity landscape was created with external experts. In total, 17 external experts participated in the workshop, of which one migration expert, five public service providers from Latvia, one public service provider from Germany, three public service providers from Greece, four senior researchers from the digital government field, one person who works closely with eIDAS, and two technicians who deliver digital ID wallet solutions. The workshop consisted of a series of interactive sessions, including presentations, group discussions, and brainstorming exercises. The complete session lasted for 2 hours. Their expertise and experience in the field generated insights and perspectives on the challenges and opportunities cross-border services face. The workshop also included a series of case studies and practical examples to help participants better understand the issues at hand. The workshop's outcome was summarised in a comprehensive report detailing the key findings and recommendations for addressing the identified gaps in cross-border services.

Interviews with potential end-users
Following the analysis of existing service inventories, pilot partners turned to interviews with prospective end-users for input and validation on existing gaps in cross-border services and to evaluate if the 'personas' accurately reflect end-user experiences. The interviews aimed to get an overview of which processes are officially required and, most importantly, when moving to another EU country. This process involved conducting interviews with end-users to gather their requirements for a data governance framework concerning consent management and citizens' rights under the GDPR. The sample was selected from a diverse end-user group, including individuals from different age groups, education levels, and industries, to ensure diversity of opinions and requirements. The interviews were semi-structured, open-ended, and conducted face-to-face or via videoconference. All people had minimum digital skills, and they had recently moved to another EU country (in the past five years). A total of 35 interviews were conducted (13 in Greece, 12 in Latvia and 10 in Germany). This process also helped set user requirements for the personal data governance framework.

Usability tests
The two general services were incorporated into an MVP of the data governance framework by constructing API mockups. This alpha version was evaluated in pilot countries with the 35 potential end-users, adding more precise user needs for future platform releases.
During the usability testing, each pilot country had group chats with the end-users and one-on-one chats. Users needed to complete short activities on the MVP, and end-users were encouraged to complete surveys and discuss the functionalities and their personal experience with the alpha version of the framework. Users had to concentrate on their capacity to freely grant/deny permissions to access their data, construct a mobility scenario, and use some of the services provided. Each group session lasted about one hour, while individual chats lasted about 30 minutes. This strategy allowed for a more exact mapping of user requirements on a technically organised and displayed user journey that utilises the personal data governance framework.

Synthesis from Research Methodology
The methodology's initial results indicate fragmentation and a lack of technological preparedness and interoperability maturity as fundamental deficiencies in national cross-border services. Certain services exist and may be integrated into the MVP; others exist but are not ready or unsuitable for interaction. The initial results of the cross-border services gap analysis in three countries show that each country has unique challenges in developing a personal data governance framework for cross-border services. Germany faces challenges with the slow implementation of online services due to bureaucratic silos, a lack of coordinated communication infrastructure, and a language gap. Greece has a high pace of digitalising services but lacks a central point of contact for necessary services, has a critical language gap, and has low interconnection capabilities. Latvia has a centralised approach to delivering public services. Still, it faces challenges in cross-border scenarios due to separate platforms and the integration of eIDAS, as well as a partly decentralised organisation of services. These initial results demonstrate that developing a personal data governance framework for cross-border services must consider each country's unique challenges and gaps. Following the usability tests, a set of recommendations for the future development of a personal data governance framework was identified, such as features of the user journey services engine and modelling tool, improvements to the UI/UX of the platform and its modules, and transparent communication on data security and trustworthiness, that primarily focus on optimising already implemented features and making previous requirements more user-centred. End-users also recognised the value of the MVP for receiving information and handling services. In addition, they saw its potential as a valuable tool for those who want to move temporarily or permanently within the EU for any other reason.
End-users shared their experience with difficulties obtaining various private and public services in pilot countries, especially when there is no residence permit or locally issued eID card. Often, information is not available in English or other preferred languages. Overall, end-users validated previously identified gaps from other methodological steps. The primary outcome of the usability tests was the evaluation of initial technical components and functionalities for the MVP, as well as additional user requirements gathering. The information obtained during the event was aggregated and utilised to improve the presented MVP in this research.

Personal data governance framework (MVP)
The personal data governance framework should allow users to monitor what data is available and how it is used or accessed. It should give citizens control by allowing them to add, delete or modify data, facilitating or blocking access to public bodies (where permitted or required by law), companies or data intermediaries, giving individuals the power to determine how their data can be used. Based on the results obtained from the research methodology, an MVP of a personal data governance framework has been developed. This prototype is fully functional and has been made available to beta testers with a selection of potential users in pilot countries. The personal data governance framework aims to allow citizens to control the use of their data. Citizens will be able to govern access to their data, benefiting from a set of usage policies that apply levels of access, and to be the sovereign owner of that data. Usage policies relate to the rules that will be used when sharing data. For example, the user can consent to share the data with one specific service provider only three times.
The main objective is to maximise the feeling of control over personal data. Using a personal data governance framework allows citizens to control what personal data is available and how it is used or accessed. Complete control is always available: adding, deleting or modifying data, providing or blocking access to public bodies (where permitted or imposed by law), companies or data intermediaries, giving individuals the power to determine how their data can be used. From a technical point of view, the personal data governance MVP includes: a "private/personal data" governance platform or data portal, including a personal data management site, which provides a user interface to define, manage, and control the use of personal data, and a set of APIs/libraries to interact with the cross-border services platform. The implementation of the personal data governance framework consists of four main modules: the transparency dashboard, citizen data ownership, usage control and the personal data usage enforcement. The following subsections describe the characteristics of each of these modules:

The transparency dashboard
This module is a web application that uses a human-centric approach to liberate personal data's potential and facilitate its controlled flow from multiple data sources to applications and services. Citizens must be able to opt-in or out of their personal data usage, in line with the requirements of the GDPR. The main objective is to give the individual control of their data. Its use provides the following advantages: it monitors what data is available and how it can be accessed; provides individual-linked services and policies and consents related to the use of data; notifies users about data processing performed in the services; gives users control over their data, allowing them to decide which data can be shared with which service provider. In addition, it allows all consents to be revoked ) an upper frame with some context information (registered user, language, and notifications icon) and the login and logout function, c) a central frame providing the interface for each functionality and d) the dashboard page, which provides a summary view of the services the user is using along with the consents the user has defined for those services.

The citizen data ownership
This module allows citizens to manage personal data and allows organisations to fulfil the requirements in line with the GDPR. It will expose several interfaces for the transparency dashboard, so that individuals can grant and withdraw their consents and receive notifications about how their data is being used. On the other hand, it will expose several interfaces for the services, so that they can be informed about the citizens' consents and data usage policies, and they can send notifications about the data being used. The citizen front-end includes a consent manager that allows one to decide which of the services involved in cross-border services will be allowed the use of certain personal data. Each service declares the personal data it will require: some data is mandatory (without this data, the service will fail during its invocation) and there is also optional data. Mandatory data will be shown in a way that the user understands that the service will fail during its invocation if consent is not given to them.
By default, all personal data consents are disabled (even the mandatory ones). Therefore, the citizen must consent to the use of his or her personal data and must decide how much or how little he or she is willing to disclose. The citizen front-end prompts the user, through notifications, to visit the transparency dashboard and update the personal data consents in case they are disabled when he or she makes an application or inputs data for a service. After managing this data, the user will be able to proceed with the relevant application/service, given that all required consents are granted. Personal data for which the citizen has not given consent is not sent to service providers. The service access to personal data is disabled by default to comply with the European GDPR and in line with the EU's digital strategy [4].

Usage control
This module provides the enforcement mechanism to apply the agreed upon data usage policies. The available formats of data usage policies include GDPR consents and international data spaces (IDS) data policies enforcement. The MVP personal data governance framework strategy is to minimise the adaptation needed from service providers to use the framework, as it is not realistic to ask public and private services to use IDS connectors for data transfer. Therefore, the MVP Personal Data Governance Framework assumes the responsibility of performing data usage policies management and enforcement.

Personal data usage enforcement
The personal data usage enforcement module is the main component that interacts with the data governance framework through citizen data ownership. The enforcement module will call the framework before transferring personal data to the service to enforce both personal data consents and data usage policies. Data usage regulations are solely enforced on the data provider's side because no IDS connectors are utilised for data transfer. As a result, no true "data usage control" can be implemented, only a limited set of IDS policies that provide data access rules. Furthermore, the contract negotiation stage is optional.
For use in the data governance framework, the process of negotiating the contract between the citizen and the service provider is slightly modified. As a result of the definition of the data use policy, a contractual agreement is obtained, but whereas in IDS a contract represents an agreement between companies exchanging data and is defined for specific 'artefacts' or data sets, in this context, the contract represents agreements between end-users and public/private services for the use of personal data [9].
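The provider-side gate described in the modules above can be sketched as follows. This is an added example, not code from the MVP: the class names, attribute names and sample wallet are hypothetical, and it models only the behaviours the text states (consents disabled by default, mandatory versus optional data, a use-count policy such as "only three times", revoking all consents, and withholding any data without consent).

```python
from dataclasses import dataclass, field
from typing import Optional


class ConsentRequired(Exception):
    """A mandatory attribute has no usable consent, so nothing is released."""


@dataclass
class Consent:
    granted: bool = False            # default-deny: consents start disabled
    max_uses: Optional[int] = None   # usage policy; None means no count limit
    uses: int = 0

    def usable(self) -> bool:
        return self.granted and (self.max_uses is None or self.uses < self.max_uses)


@dataclass(frozen=True)
class ServiceDeclaration:
    """What a service declares it needs (hypothetical structure)."""
    name: str
    mandatory: frozenset
    optional: frozenset = frozenset()


@dataclass
class ConsentRegistry:
    consents: dict = field(default_factory=dict)  # (service, attribute) -> Consent
    audit: list = field(default_factory=list)     # would feed user notifications

    def grant(self, service, attribute, max_uses=None):
        self.consents[(service, attribute)] = Consent(True, max_uses)

    def revoke_all(self):
        """Revoke every consent at once: back to default-deny."""
        self.consents.clear()

    def release(self, decl, wallet):
        """Return only the attributes that may be sent to decl.name right now."""
        def ok(attr):
            consent = self.consents.get((decl.name, attr))
            return attr in wallet and consent is not None and consent.usable()

        allowed = {a for a in decl.mandatory | decl.optional if ok(a)}
        missing = decl.mandatory - allowed
        if missing:
            # Decide before counting: a denied call must not consume any uses.
            self.audit.append((decl.name, "denied", sorted(missing)))
            raise ConsentRequired(f"{decl.name}: no consent for {sorted(missing)}")
        for attr in allowed:
            self.consents[(decl.name, attr)].uses += 1
        self.audit.append((decl.name, "released", sorted(allowed)))
        return {a: wallet[a] for a in sorted(allowed)}


def demo():
    """Run a constructed scenario; returns the outcome of each transfer attempt."""
    wallet = {"name": "A. Example", "diploma": "BSc", "phone": "+00 000", "tax_id": "X1"}
    svc = ServiceDeclaration("university-enrolment",
                             frozenset({"name", "diploma"}), frozenset({"phone"}))
    reg = ConsentRegistry()
    outcomes = []

    def attempt():
        try:
            outcomes.append(sorted(reg.release(svc, wallet)))
        except ConsentRequired:
            outcomes.append("denied")

    attempt()                               # nothing granted yet
    reg.grant(svc.name, "name", max_uses=3)
    reg.grant(svc.name, "diploma")          # phone (optional) stays disabled
    for _ in range(4):                      # fourth call exceeds the policy
        attempt()
    reg.revoke_all()
    attempt()
    return outcomes, reg


if __name__ == "__main__":
    for line in demo()[0]:
        print(line)
```

Because the check runs only where the data leaves the wallet, it limits what is released and how often, which matches the text's point that this is access control rather than true usage control after transfer.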

DISCUSSION
It is essential that the user of cross-border services has a sense of control over the use of his/her personal data by the services one may need to access in order to complete all the formalities that may be required of them.In order to give the citizen control, a data governance framework is presented that is a centralised integrated platform, in which the user is allowed to give consent and set usage policies for personal data to be used by the different services.On the one hand, there is an overview of the services selected by the user and the personal data needed by each service, and on the other hand, given a certain personal data, the user can know which services make use of that data.
With a personal data governance framework such as the one presented in this research, citizens are safer from having their personal data used without their consent. There is also a "panic button" that allows the user to revoke all permissions in one go. Thanks to the use of a digital wallet, the user will be able to have control of their data and be safe from any kind of data breach. Providing a personal data governance framework can also help citizens regain confidence in the proper use of their data. As there is no intermediate storage of data beyond the wallet itself, the risk of data leakage can be kept to a minimum. This combination of a secure storage mechanism for personal data together with a consent-based data governance system increases the reliability of services offered in member states. At the same time, it allows public service providers to rely on data provided by citizens from other member states. It is estimated that through the use of these governance frameworks, the use of cross-border services will increase. In the daily use of the tool, there may be some limitations, which are presented below.

LIMITATIONS AND FUTURE WORK
The results of the usability tests, carried out in three different member states with different cultural perceptions of privacy, showed a high level of acceptance by users in terms of control of their personal data, this being the main reasoning behind the framework. Nevertheless, they still find the tool somewhat complex to use and with room for improvement in the look and feel. Based on the feedback received, an updated version is being produced that will make it even easier for users to assign consent. For the framework to work efficiently, service registration is required. Public and private services that are closely linked to consents have to be accessible from a repository or a catalogue of services. For each service, in addition to its purpose, its description, the service provider and the set of personal data that the service requires must be described and must be included in the consent.
Another interesting limitation is that the number of people over 65 has increased, with the percentage doubling in the last six decades. Considering this progression, it is considered that a citizen may encounter a usability problem. To overcome this limitation, the framework is going through many revisions from the accessibility and usability point of view, and in addition, it will offer a complete user manual and other support aids to provide guidance to citizens. Adapting the framework to other countries may present some challenges. As mentioned previously, there are unique legal, technical and political issues related to the implementation of the framework, and this will happen with each new country. Moreover, the framework is configured and adapted for use in European environments. For its adaptation to other countries, a deep study of the laws of the countries involved is required. Finally, the methodology allows control over the exchange of data with service providers but does not allow for direct communication between the user and the provider, and therefore cannot control that the provider applies the most restrictive usage policies (e.g. if the user wants the provider to delete his personal data from its database, he will have to request it directly, by email or similar).
In relation to future work, technological evolution and the increasingly pervasive presence of Artificial Intelligence (AI) will pose new challenges for adaptation by all services and sectors. These challenges will first concern security, privacy, ethics and transparency in the use of data, and global harmonisation and sharing of AI governance principles will be necessary to respect public trust. The European Union, together with other countries, has already expressed its views on this issue by proposing the EU AI Act to regulate the use of AI systems within EU countries, and therefore the framework can be adapted to be compliant with the guidelines and integrate service providers that will use AI to deliver their services [20].

CONCLUSIONS
The research paper focuses on developing a personal data governance framework to support cross-border services in the EU. The solution proposed in the paper combines control, policies, and enforcement while ensuring easy usability for citizens. The motivation behind the study was to protect individuals' privacy rights while promoting the free flow of data between EU member states. The main distinguishing feature of the framework is that it is designed for citizens as end-users: it is citizens who must have full control over the use of their sensitive data, through means that allow them to monitor what data is available, how it is used and the right to delete it at any time. The proposed framework was based on a review of policies and best practices in personal data protection and outlines the key elements that organisations should consider when implementing cross-border services.
The framework is expected to increase the use of cross-border services hosted in EU member states, as it can contribute to increasing the perception of integrity and security among citizens, who will have a trusted and accessible environment where they can control the use of their personal data. The framework is flexible and can be adapted to the specific needs of different organisations and sectors. Through the framework, service providers can ensure the protection of personal data and documents as well as compliance with GDPR and other regulations. The findings of the study show that a well-designed personal data governance framework is helpful for the effective implementation of cross-border services. The framework provides organisations with the necessary guidance and tools to ensure compliance with privacy regulations and protect the rights of individuals.