EHDS
Data & Privacy
- Data Act
- Data Governance Act
- EHDS
- ePrivacy Directive
- GDPR
AI & Trust
- Artificial Intelligence Act
- Product Liability Directive
Cybersecurity
- Cyber Resilience Act
- Cybersecurity Act
- DORA
- NIS2
Digital Services & Media
- Digital Markets Act
- Digital Services Act
- European Media Freedom Act
European Health Data Space Regulation
- Recitals
CHAPTER I
GENERAL PROVISIONSArticles 1 — 2
CHAPTER II
PRIMARY USEArticles 3 — 24
CHAPTER III
EHR SYSTEMS AND WELLNESS APPLICATIONSArticles 25 — 49
CHAPTER IV
SECONDARY USEArticles 50 — 81
CHAPTER V
ADDITIONAL ACTIONSArticles 82 — 91
CHAPTER VI
EUROPEAN GOVERNANCE AND COORDINATIONArticles 92 — 96
CHAPTER VII
DELEGATION OF POWERS AND COMMITTEE PROCEDUREArticles 97 — 98
CHAPTER VIII
MISCELLANEOUSArticles 99 — 104
CHAPTER IX
DEFERRED APPLICATION, TRANSITIONAL AND FINAL PROVISIONSArticles 105 — 105
ANNEXES
EHDS
EHDS Article 63. Enforcement by health data access bodies
- 1.When carrying out their monitoring and supervisory tasks, as referred to in Article 57(1), point (a)(ii), health data access bodies shall have the right to request and receive all the necessary information from health data users and health data holders to verify compliance with this Chapter.
- 2.Where health data access bodies find that a health data user or health data holder does not comply with the requirements of this Chapter, they shall immediately notify the health data user or health data holder of those findings and take appropriate measures. The health data access body concerned shall give the health data user or health data holder concerned the opportunity to state their views within a reasonable period that shall not exceed four weeks. Where the finding of non-compliance concerns a possible breach of Regulation (EU) 2016/679, the health data access body concerned shall immediately inform the supervisory authorities under that Regulation and provide them with all relevant information concerning that finding.
- 3.With regard to non-compliance by health data users, health data access bodies shall have the power to revoke the data permit issued pursuant to Article 68 and stop without undue delay the affected electronic health data processing operation carried out by the health data user, and shall take appropriate and proportionate measures aimed at ensuring compliant processing by the health data user. As part of such enforcement measures, the health data access bodies may also, where appropriate, exclude, or initiate proceedings to exclude, in accordance with national law, the health data user concerned from any access to electronic health data within the EHDS in the context of secondary use for a period of up to five years.
- 4.With regard to non-compliance by health data holders, where a health data holder withholds the electronic health data from health data access bodies with the manifest intention of obstructing the use of electronic health data, or does not respect the deadlines set out in Article 60(2), the health data access body shall have the power to fine the health data holder for each day of delay with a periodic penalty payment, which shall be transparent and proportionate. The amount of the fines shall be established by the health data access body in accordance with national law. In the event of repeated breaches by the health data holder of the obligation of cooperation with the health data access body, that body may exclude or initiate proceedings to exclude, in accordance with national law, the health data holder concerned from submitting health data access applications pursuant to this Chapter for a period of up to five years. During the period of that exclusion, the health data holder shall remain obliged to make data accessible under this Chapter, where applicable.
- 5.The health data access body shall communicate the enforcement measures taken pursuant to paragraphs 3 and 4, and the reasons on which they are based, to the health data user or health data holder concerned, without delay, and shall lay down a reasonable period for the health data user or health data holder to comply with those measures.
- 6.Any enforcement measures taken by the health data access body pursuant to paragraph 3 shall be notified to other health data access bodies through the IT tool referred to in paragraph 7. Health data access bodies may make that information publicly available on their websites.
- 7.The Commission shall, by means of implementing acts, set out the architecture of an IT tool, as part of the infrastructure of HealthData@EU referred to in Article 75, aimed at supporting and making transparent to other health data access bodies the enforcement measures referred to in this Article, especially periodic penalty payments, the revoking of data permits and exclusions. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 98(2).
- 8.The Commission shall issue guidelines, by 26 March 2032, in close cooperation with the EHDS Board, on enforcement measures including periodic penalty payments and other measures to be taken by the health data access bodies.
Relevant Recitals for this Article
In order to strengthen the enforcement of the rules on secondary use, appropriate measures that can lead to administrative fines or enforcement measures by health data access bodies or temporary or definitive exclusions from the EHDS framework of health data users or health data holders that do not comply with their obligations should be envisaged. Health data access bodies should be empowered to verify compliance of health data users and health data holders and give them the opportunity to reply to any findings and to remedy any infringement. When deciding on the amount of the administrative fine or on an enforcement measure for each individual case, health data access bodies should take into account the cost margins and the criteria set out in this Regulation, ensuring that those fines or measures are proportionate.