EHDS
Data & Privacy
- Data Act
- Data Governance Act
- EHDS
- ePrivacy Directive
- GDPR
AI & Trust
- Artificial Intelligence Act
- Product Liability Directive
Cybersecurity
- Cyber Resilience Act
- Cybersecurity Act
- DORA
- NIS2
Digital Services & Media
- Digital Markets Act
- Digital Services Act
- European Media Freedom Act
European Health Data Space Regulation
- Recitals
CHAPTER I
GENERAL PROVISIONSArticles 1 — 2
CHAPTER II
PRIMARY USEArticles 3 — 24
CHAPTER III
EHR SYSTEMS AND WELLNESS APPLICATIONSArticles 25 — 49
CHAPTER IV
SECONDARY USEArticles 50 — 81
CHAPTER V
ADDITIONAL ACTIONSArticles 82 — 91
CHAPTER VI
EUROPEAN GOVERNANCE AND COORDINATIONArticles 92 — 96
CHAPTER VII
DELEGATION OF POWERS AND COMMITTEE PROCEDUREArticles 97 — 98
CHAPTER VIII
MISCELLANEOUSArticles 99 — 104
CHAPTER IX
DEFERRED APPLICATION, TRANSITIONAL AND FINAL PROVISIONSArticles 105 — 105
ANNEXES
EHDS
EHDS Article 64. General conditions for the imposition of administrative fines by health data access bodies
- 1.Each health data access body shall ensure that the imposition of administrative fines pursuant to this Article in respect of infringements referred to in paragraphs 4 and 5 is effective, proportionate and dissuasive in each individual case.
- 2.Administrative fines shall, depending on the circumstances of each individual case, be imposed in addition to, or instead of, enforcement measures referred to in Article 63(3) and (4). Health data access bodies shall decide whether to impose an administrative fine and the amount of the administrative fine in each individual case by giving due regard to the following circumstances:
- (a)the nature, gravity and duration of the infringement;
- (b)whether any penalties or administrative fines have already been imposed by other competent authorities for the same infringement;
- (c)the intentional or negligent character of the infringement;
- (d)any action taken by the health data holder or health data user to mitigate the damage caused;
- (e)the degree of responsibility of the health data user, taking into account technical and organisational measures implemented by that health data user pursuant to Article 67(2), point (g), and Article 67(4);
- (f)any relevant previous infringements by the health data holder or health data user;
- (g)the degree of cooperation of the health data holder or health data user with the health data access body as regards remedying the infringement and mitigating its possible adverse effects;
- (h)the manner in which the health data access body became aware of the infringement, in particular whether, and to what extent, the health data user notified it of the infringement;
- (i)compliance with any enforcement measures referred to in Article 63(3) and (4) which have been ordered previously against the controller or processor concerned with regard to the same subject matter;
- (j)any other aggravating or mitigating factor applicable to the circumstances of the case, such as financial benefits gained or losses avoided, directly or indirectly, through the infringement.
- 3.If a health data holder or a health data user intentionally or negligently infringes several provisions of this Regulation for the same or a linked data permit or health data request, the total amount of the administrative fine shall not exceed the amount specified for the most serious infringement.
- 4.In accordance with paragraph 2 of this Article, infringements of the duties of the health data holder or health data user pursuant to Article 60 and Article 61(1), (5) and (6) shall be subject to administrative fines of a maximum of EUR 10 000 000 or, in the case of an undertaking, of a maximum of 2 % of its total worldwide annual turnover in the preceding financial year, whichever is higher.
- 5.In accordance with paragraph 2, the following infringements shall be subject to administrative fines of a maximum of EUR 20 000 000 or, in the case of an undertaking, of a maximum of 4 % of its total worldwide annual turnover in the preceding financial year, whichever is higher:
- (a)health data users processing electronic health data obtained via a data permit issued pursuant to Article 68 for the uses referred to in Article 54;
- (b)health data users extracting personal electronic health data from secure processing environments;
- (c)re-identifying or attempting to re-identify the natural persons to whom the electronic health data obtained by the health data users on the basis of a data permit or a health data request pursuant to Article 61(3) relate;
- (d)non-compliance with enforcement measures taken by the health data access body pursuant to Article 63(3) and (4).
- 6.Without prejudice to the powers of health data access bodies pursuant to Article 63, each Member State may lay down rules on whether and to what extent administrative fines may be imposed on public authorities and public sector bodies established in that Member State.
- 7.The exercise by a health data access body of its powers under this Article shall be subject to appropriate procedural safeguards in accordance with Union and national law, including effective judicial remedies and due process.
- 8.Where the legal system of a Member State does not provide for administrative fines, this Article may be applied in a manner that, in accordance with its national legal framework, ensures that those legal remedies are effective and have an equivalent effect to the administrative fines imposed by health data access bodies. In any event, the fines imposed shall be effective, proportionate and dissuasive. The Member State concerned shall notify the Commission of the provisions of the laws which it adopts pursuant to this paragraph by 26 March 2029 and, without delay, of any subsequent law amending such provisions or amendments affecting such provisions.
Relevant Recitals for this Article
In order to strengthen the enforcement of the rules on secondary use, appropriate measures that can lead to administrative fines or enforcement measures by health data access bodies or temporary or definitive exclusions from the EHDS framework of health data users or health data holders that do not comply with their obligations should be envisaged. Health data access bodies should be empowered to verify compliance of health data users and health data holders and give them the opportunity to reply to any findings and to remedy any infringement. When deciding on the amount of the administrative fine or on an enforcement measure for each individual case, health data access bodies should take into account the cost margins and the criteria set out in this Regulation, ensuring that those fines or measures are proportionate.