Data & Privacy
AI & Trust
Cybersecurity
Digital Services & Media
CHAPTER I
GENERAL PROVISIONSArticles 1 — 2
CHAPTER II
PRIMARY USEArticles 3 — 24
CHAPTER III
EHR SYSTEMS AND WELLNESS APPLICATIONSArticles 25 — 49
CHAPTER IV
SECONDARY USEArticles 50 — 81
CHAPTER V
ADDITIONAL ACTIONSArticles 82 — 91
CHAPTER VI
EUROPEAN GOVERNANCE AND COORDINATIONArticles 92 — 96
CHAPTER VII
DELEGATION OF POWERS AND COMMITTEE PROCEDUREArticles 97 — 98
CHAPTER VIII
MISCELLANEOUSArticles 99 — 104
CHAPTER IX
DEFERRED APPLICATION, TRANSITIONAL AND FINAL PROVISIONSArticles 105 — 105
ANNEXES
Regulation (EU) 2016/679 sets out specific provisions concerning the rights of natural persons in relation to the processing of their personal data. The EHDS builds upon those rights and complements some of them as applied to personal electronic health data. Those rights apply regardless of the Member State in which the personal electronic health data are processed, type of healthcare provider, sources of those data or Member State of affiliation of the natural person. The rights and rules related to the primary use of personal electronic health data under this Regulation concern all categories of those data, irrespective of how they have been collected or who has provided them, the legal ground for the processing under Regulation (EU) 2016/679 or the status of the controller as a public or private organisation. The additional rights of access and portability of personal electronic health data provided for in this Regulation should be without prejudice to the rights of access and portability as established under Regulation (EU) 2016/679. Natural persons continue to have those rights under the conditions set out in that Regulation.
In addition, due to the different sensitivities in the Member States on the degree of patients’ control over their health data, Member States should be able to provide for an absolute right to opt out from access to their personal electronic health data by anyone other than the original controller, without any possibility to override that opt-out in emergency situations. In such a case, Member States should establish the rules and specific safeguards regarding such opt-out mechanisms. Those rules and specific safeguards could also relate to specific categories of personal electronic health data, for example genetic data. The right to opt out means that personal electronic health data relating to the natural person who exercises that right would not be made available through the services set up under the EHDS other than to the healthcare provider that provided the treatment. Member States should be able to require the registration and storage of personal electronic health data in an EHR system used by the healthcare provider who provided the health services and accessible only to that healthcare provider. If a natural person has exercised the right to opt out, healthcare providers will still document the treatment provided in accordance with applicable rules, and will be able to access the data registered by them. Natural persons who exercise the right to opt out should be able to reverse their decision. In such cases, personal electronic health data generated during the period of the opt-out might not be available via the access services and MyHealth@EU.