Data & Privacy
AI & Trust
Cybersecurity
Digital Services & Media
CHAPTER I
GENERAL PROVISIONSArticles 1 — 2
CHAPTER II
PRIMARY USEArticles 3 — 24
CHAPTER III
EHR SYSTEMS AND WELLNESS APPLICATIONSArticles 25 — 49
CHAPTER IV
SECONDARY USEArticles 50 — 81
CHAPTER V
ADDITIONAL ACTIONSArticles 82 — 91
CHAPTER VI
EUROPEAN GOVERNANCE AND COORDINATIONArticles 92 — 96
CHAPTER VII
DELEGATION OF POWERS AND COMMITTEE PROCEDUREArticles 97 — 98
CHAPTER VIII
MISCELLANEOUSArticles 99 — 104
CHAPTER IX
DEFERRED APPLICATION, TRANSITIONAL AND FINAL PROVISIONSArticles 105 — 105
ANNEXES
Without hindering or replacing contractual arrangements or other mechanisms in place, this Regulation is aimed at establishing a common mechanism to access electronic health data for secondary use across the Union. Under that mechanism, health data holders should make the data they hold available on the basis of a data permit or a health data request. For the purpose of processing electronic health data for secondary use, one of the legal bases referred to in Article 6(1), points (a), (c), (e) or (f), of Regulation (EU) 2016/679 in conjunction with Article 9(2) thereof is required. Accordingly, this Regulation provides for a legal basis for the secondary use of personal electronic health data, including the safeguards required under Article 9(2), points (g) to (j), of Regulation (EU) 2016/679 to allow the processing of special categories of data, in terms of lawful purposes, trusted governance for providing access to health data through the involvement of health data access bodies, and processing in a secure processing environment, as well as arrangements for data processing, set out in the data permit. Consequently, Member States should no longer be able to maintain or introduce under Article 9(4) of Regulation (EU) 2016/679 further conditions, including limitations and specific provisions requesting the consent of natural persons, with regard to the processing for secondary use of personal electronic health data under this Regulation, with the exception of the introduction of stricter measures and additional safeguards at national level aimed at safeguarding the sensitivity and value of certain data as laid down in this Regulation. Health data applicants should also demonstrate a legal basis referred to in Article 6 of Regulation (EU) 2016/679 that allows them to request access to electronic health data pursuant to this Regulation and should fulfil the conditions set out in Chapter IV thereof. In addition, the health data access body should assess the information provided by the health data applicant, based on which it should be able to issue a data permit for the processing of personal electronic health data pursuant to this Regulation that should fulfil the requirements and conditions set out in Chapter IV of this Regulation. For processing of electronic health data held by the health data holders, this Regulation creates the legal obligation within the meaning of Article 6(1), point (c), of Regulation (EU) 2016/679, in accordance with Article 9(2), points (i) and (j), of that Regulation, for the health data holder to make available the personal electronic health data to health data access bodies, while the legal basis for the purpose of the initial processing, for example the delivery of healthcare, is unaffected. This Regulation also assigns tasks in the public interest within the meaning of Article 6(1), point (e), of Regulation (EU) 2016/679 to the health data access bodies, and meets the requirements of Article 9(2), points (g) to (j), as applicable, of that Regulation. If the health data user relies upon a legal basis set out in Article 6(1), point (e) or (f), of Regulation (EU) 2016/679, this Regulation should provide for the safeguards required under Article 9(2) of Regulation (EU) 2016/679.
Health data users who benefit from access to datasets provided for under this Regulation could enrich the data in those datasets with various corrections, annotations and other improvements, for instance by supplementing missing or incomplete data, thus improving the accuracy, completeness or quality of the data in the datasets. Health data users should be encouraged to report critical errors in datasets to health data access bodies. To support the improvement of the initial database and further use of the enriched dataset, Member States should be able to establish rules for the processing and the use of electronic health data containing improvements related to the processing of those data. The improved dataset should be made available free of charge to the original health data holder together with a description of the improvements. The health data holder should make the new dataset available, unless it provides a justified notification to the health data access body for not doing so, for instance in cases in which the enrichment by the health data user is of low quality. It should be ensured that non-personal electronic health data are available for secondary use. In particular, pathogen genomic data hold significant value for human health, as shown during the COVID-19 pandemic during which timely access to and sharing of such data proved to be essential for the rapid development of detection tools, medical countermeasures and responses to public health threats. The greatest benefit from pathogen genomics efforts will be achieved when public health and research processes share datasets and cooperate to inform and improve each other.