Logo
StreamLex Home
Logo
StreamLex Home
Laws
Laws
Recitals
Recitals
Contact
About UsNewsRecitalsTrackersNewsletterTerms of UsePrivacy NoticeLinkedIn
EHDS
  • Data & Privacy

    • Data Act
    • Data Governance Act
    • EHDS
    • ePrivacy Directive
    • GDPR
  • AI & Trust

    • Artificial Intelligence Act
    • Product Liability Directive
  • Cybersecurity

    • Cyber Resilience Act
    • Cybersecurity Act
    • DORA
    • NIS2
  • Digital Services & Media

    • Digital Markets Act
    • Digital Services Act
    • European Media Freedom Act
EHDS

EHDS Article 64. General conditions for the imposition of administrative fines by health data access bodies

  • 1.
    Each health data access body shall ensure that the imposition of administrative fines pursuant to this Article in respect of infringements referred to in paragraphs 4 and 5 is effective, proportionate and dissuasive in each individual case.
  • 2.
    Administrative fines shall, depending on the circumstances of each individual case, be imposed in addition to, or instead of, enforcement measures referred to in Article 63(3) and (4). Health data access bodies shall decide whether to impose an administrative fine and the amount of the administrative fine in each individual case by giving due regard to the following circumstances:
    • (a)
      the nature, gravity and duration of the infringement;
    • (b)
      whether any penalties or administrative fines have already been imposed by other competent authorities for the same infringement;
    • (c)
      the intentional or negligent character of the infringement;
    • (d)
      any action taken by the health data holder or health data user to mitigate the damage caused;
    • (e)
      the degree of responsibility of the health data user, taking into account technical and organisational measures implemented by that health data user pursuant to Article 67(2), point (g), and Article 67(4);
    • (f)
      any relevant previous infringements by the health data holder or health data user;
    • (g)
      the degree of cooperation of the health data holder or health data user with the health data access body as regards remedying the infringement and mitigating its possible adverse effects;
    • (h)
      the manner in which the health data access body became aware of the infringement, in particular whether, and to what extent, the health data user notified it of the infringement;
    • (i)
      compliance with any enforcement measures referred to in Article 63(3) and (4) which have been ordered previously against the controller or processor concerned with regard to the same subject matter;
    • (j)
      any other aggravating or mitigating factor applicable to the circumstances of the case, such as financial benefits gained or losses avoided, directly or indirectly, through the infringement.
  • 3.
    If a health data holder or a health data user intentionally or negligently infringes several provisions of this Regulation for the same or a linked data permit or health data request, the total amount of the administrative fine shall not exceed the amount specified for the most serious infringement.
  • 4.
    In accordance with paragraph 2 of this Article, infringements of the duties of the health data holder or health data user pursuant to Article 60 and Article 61(1), (5) and (6) shall be subject to administrative fines of a maximum of EUR 10 000 000 or, in the case of an undertaking, of a maximum of 2 % of its total worldwide annual turnover in the preceding financial year, whichever is higher.
  • 5.
    In accordance with paragraph 2, the following infringements shall be subject to administrative fines of a maximum of EUR 20 000 000 or, in the case of an undertaking, of a maximum of 4 % of its total worldwide annual turnover in the preceding financial year, whichever is higher:
    • (a)
      health data users processing electronic health data obtained via a data permit issued pursuant to Article 68 for the uses referred to in Article 54;
    • (b)
      health data users extracting personal electronic health data from secure processing environments;
    • (c)
      re-identifying or attempting to re-identify the natural persons to whom the electronic health data obtained by the health data users on the basis of a data permit or a health data request pursuant to Article 61(3) relate;
    • (d)
      non-compliance with enforcement measures taken by the health data access body pursuant to Article 63(3) and (4).
  • 6.
    Without prejudice to the powers of health data access bodies pursuant to Article 63, each Member State may lay down rules on whether and to what extent administrative fines may be imposed on public authorities and public sector bodies established in that Member State.
  • 7.
    The exercise by a health data access body of its powers under this Article shall be subject to appropriate procedural safeguards in accordance with Union and national law, including effective judicial remedies and due process.
  • 8.
    Where the legal system of a Member State does not provide for administrative fines, this Article may be applied in a manner that, in accordance with its national legal framework, ensures that those legal remedies are effective and have an equivalent effect to the administrative fines imposed by health data access bodies. In any event, the fines imposed shall be effective, proportionate and dissuasive. The Member State concerned shall notify the Commission of the provisions of the laws which it adopts pursuant to this paragraph by 26 March 2029 and, without delay, of any subsequent law amending such provisions or amendments affecting such provisions.

Relevant Recitals for this Article

© 2025 StreamLex

NewsletterAbout UsTerms of UsePrivacy NoticeManage cookies

© 2025 StreamLex