Data & Privacy
- Data Act
- Data Governance Act
- EHDS
- ePrivacy Directive
- GDPR
AI & Trust
- Artificial Intelligence Act
- Product Liability Directive
Cybersecurity
- Cyber Resilience Act
- Cybersecurity Act
- DORA
- NIS2
Digital Services & Media
- Digital Markets Act
- Digital Services Act
- European Media Freedom Act
European Health Data Space Regulation
- Recitals
CHAPTER I
GENERAL PROVISIONSArticles 1 — 2
CHAPTER II
PRIMARY USEArticles 3 — 24
CHAPTER III
EHR SYSTEMS AND WELLNESS APPLICATIONSArticles 25 — 49
CHAPTER IV
SECONDARY USEArticles 50 — 81
CHAPTER V
ADDITIONAL ACTIONSArticles 82 — 91
CHAPTER VI
EUROPEAN GOVERNANCE AND COORDINATIONArticles 92 — 96
CHAPTER VII
DELEGATION OF POWERS AND COMMITTEE PROCEDUREArticles 97 — 98
CHAPTER VIII
MISCELLANEOUSArticles 99 — 104
CHAPTER IX
DEFERRED APPLICATION, TRANSITIONAL AND FINAL PROVISIONSArticles 105 — 105
ANNEXES
EHDS Article 66. Data minimisation and purpose limitation
- 1.Where health data access bodies receive a health data access application, they shall ensure that access is only provided to electronic health data that are adequate, relevant and limited to what is necessary in relation to the purpose of processing indicated in the health data access application by the health data user and in line with the data permit issued pursuant to Article 68.
- 2.Health data access bodies shall provide electronic health data in an anonymised format, where the purpose of processing by the health data user can be achieved with such data, taking into account the information provided by the health data user.
- 3.Where the health data user has sufficiently demonstrated that the purpose of processing cannot be achieved with anonymised data in accordance with Article 68(1), point (c), health data access bodies shall provide access to electronic health data in pseudonymised format. The information necessary to reverse the pseudonymisation shall be available only to the health data access body or an entity that acts as a trusted third party in accordance with national law.
Relevant Recitals for this Article
Given the sensitivity of electronic health data, it is necessary to reduce risks for the privacy of natural persons by applying the data minimisation principle. Therefore, non-personal electronic health data should be made available in all cases where the provision of such data is sufficient. If the health data user needs to use personal electronic health data, it should clearly indicate in its request the justification for the use of that type of data and the health data access body should assess whether that justification is valid. The personal electronic health data should only be made available in pseudonymised format. Taking into account the specific purposes of the processing, personal electronic health data should be pseudonymised or anonymised as early as possible in the process of making data available for secondary use. It should be possible for pseudonymisation and anonymisation to be carried out by health data access bodies or by health data holders. As controllers, health data access bodies and health data holders should be allowed to delegate those tasks to processors. When providing access to a pseudonymised or anonymised dataset, a health data access body should use state-of-the-art pseudonymisation or anonymisation technology and standards, ensuring to the maximum extent possible that natural persons cannot be re-identified by health data users. Such technology and standards for data pseudonymisation or anonymisation should be further developed. Health data users should not attempt to re-identify natural persons from the dataset provided under this Regulation, and where they do so they should be subject to administrative fines and enforcement measures laid down in this Regulation or possible criminal penalties, where national law so provides. Moreover, a health data applicant should be able to request a response to a health data request in an anonymised statistical format. In such cases, the health data user will only process non-personal data, and the health data access body will remain sole controller for any personal data necessary to provide the response to the health data request.