Logo
StreamLex Home
Logo
StreamLex Home
Laws
Laws
Recitals
Recitals
Contact
About UsNewsRecitalsTrackersNewsletterTerms of UsePrivacy NoticeLinkedIn
EHDS
  • Data & Privacy

    • Data Act
    • Data Governance Act
    • EHDS
    • ePrivacy Directive
    • GDPR
  • AI & Trust

    • Artificial Intelligence Act
    • Product Liability Directive
  • Cybersecurity

    • Cyber Resilience Act
    • Cybersecurity Act
    • DORA
    • NIS2
  • Digital Services & Media

    • Digital Markets Act
    • Digital Services Act
    • European Media Freedom Act
EHDS

EHDS Article 63. Enforcement by health data access bodies

  • 1.
    When carrying out their monitoring and supervisory tasks, as referred to in Article 57(1), point (a)(ii), health data access bodies shall have the right to request and receive all the necessary information from health data users and health data holders to verify compliance with this Chapter.
  • 2.
    Where health data access bodies find that a health data user or health data holder does not comply with the requirements of this Chapter, they shall immediately notify the health data user or health data holder of those findings and take appropriate measures. The health data access body concerned shall give the health data user or health data holder concerned the opportunity to state their views within a reasonable period that shall not exceed four weeks. Where the finding of non-compliance concerns a possible breach of Regulation (EU) 2016/679, the health data access body concerned shall immediately inform the supervisory authorities under that Regulation and provide them with all relevant information concerning that finding.
  • 3.
    With regard to non-compliance by health data users, health data access bodies shall have the power to revoke the data permit issued pursuant to Article 68 and stop without undue delay the affected electronic health data processing operation carried out by the health data user, and shall take appropriate and proportionate measures aimed at ensuring compliant processing by the health data user. As part of such enforcement measures, the health data access bodies may also, where appropriate, exclude, or initiate proceedings to exclude, in accordance with national law, the health data user concerned from any access to electronic health data within the EHDS in the context of secondary use for a period of up to five years.
  • 4.
    With regard to non-compliance by health data holders, where a health data holder withholds the electronic health data from health data access bodies with the manifest intention of obstructing the use of electronic health data, or does not respect the deadlines set out in Article 60(2), the health data access body shall have the power to fine the health data holder for each day of delay with a periodic penalty payment, which shall be transparent and proportionate. The amount of the fines shall be established by the health data access body in accordance with national law. In the event of repeated breaches by the health data holder of the obligation of cooperation with the health data access body, that body may exclude or initiate proceedings to exclude, in accordance with national law, the health data holder concerned from submitting health data access applications pursuant to this Chapter for a period of up to five years. During the period of that exclusion, the health data holder shall remain obliged to make data accessible under this Chapter, where applicable.
  • 5.
    The health data access body shall communicate the enforcement measures taken pursuant to paragraphs 3 and 4, and the reasons on which they are based, to the health data user or health data holder concerned, without delay, and shall lay down a reasonable period for the health data user or health data holder to comply with those measures.
  • 6.
    Any enforcement measures taken by the health data access body pursuant to paragraph 3 shall be notified to other health data access bodies through the IT tool referred to in paragraph 7. Health data access bodies may make that information publicly available on their websites.
  • 7.
    The Commission shall, by means of implementing acts, set out the architecture of an IT tool, as part of the infrastructure of HealthData@EU referred to in Article 75, aimed at supporting and making transparent to other health data access bodies the enforcement measures referred to in this Article, especially periodic penalty payments, the revoking of data permits and exclusions. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 98(2).
  • 8.
    The Commission shall issue guidelines, by 26 March 2032, in close cooperation with the EHDS Board, on enforcement measures including periodic penalty payments and other measures to be taken by the health data access bodies.

Relevant Recitals for this Article

© 2025 StreamLex

NewsletterAbout UsTerms of UsePrivacy NoticeManage cookies

© 2025 StreamLex