Logo
StreamLex Home
Logo
StreamLex Home
Laws
Laws
Recitals
Recitals
Contact
About UsNewsRecitalsTrackersNewsletterTerms of UsePrivacy NoticeLinkedIn
EHDS
  • Data & Privacy

    • Data Act
    • Data Governance Act
    • EHDS
    • ePrivacy Directive
    • GDPR
  • AI & Trust

    • Artificial Intelligence Act
    • Product Liability Directive
  • Cybersecurity

    • Cyber Resilience Act
    • Cybersecurity Act
    • DORA
    • NIS2
  • Digital Services & Media

    • Digital Markets Act
    • Digital Services Act
    • European Media Freedom Act
EHDS

EHDS Article 68. Data permit

  • 1.
    For the purposes of granting access to electronic health data, the health data access bodies shall assess whether all the following criteria are fulfilled:
    • (a)
      the purposes described in the health data access application correspond to one or more of the purposes listed in Article 53(1);
    • (b)
      the requested data are necessary, adequate and proportionate for the purposes described in the health data access application, taking into account data minimisation and purpose limitation requirements provided for in Article 66;
    • (c)
      the processing complies with Article 6(1) of Regulation (EU) 2016/679 and, in the case of pseudonymised data, there is sufficient justification that the purpose cannot be achieved with anonymised data;
    • (d)
      the health data applicant is qualified in relation to the intended purposes of data use and has appropriate expertise, including professional qualifications in the areas of healthcare, care, public health or research, consistent with ethical practice and applicable laws and regulations;
    • (e)
      the health data applicant demonstrates sufficient technical and organisational measures to prevent the misuse of the electronic health data and to protect the rights and interests of the health data holder and of the natural persons concerned;
    • (f)
      the information on the assessment of ethical aspects of the processing, referred to in Article 67(2), point (j), where applicable, complies with national law;
    • (g)
      where the health data applicant intends to make use of an exception under Article 71(4), the justification required by national law adopted pursuant to that Article has been provided;
    • (h)
      all other requirements in this Chapter are fulfilled by the health data applicant.
  • 2.
    The health data access body shall also take into account the following:
    • (a)
      risks for national defence, security, public security and public order;
    • (b)
      the risk of undermining the confidentiality of data in governmental databases of regulatory authorities.
  • 3.
    Where the health data access body concludes that the requirements in paragraph 1 are fulfilled and the risks referred to in paragraph 2 are sufficiently mitigated, the health data access body shall grant access to electronic health data by issuing a data permit. Health data access bodies shall refuse all health data access applications where the requirements in this Chapter are not fulfilled. Where the requirements for issuing a data permit are not met, but the requirements to provide a response in an anonymised statistical format under Article 69 are, the health data access body may decide to provide such response, on condition that providing that response would mitigate the risks and, if the purpose of the health data access application can be fulfilled in this manner, that the health data applicant agrees to receiving a response in an anonymised statistical format under Article 69.
  • 4.
    By way of derogation from Regulation (EU) 2022/868, the health data access body shall issue or refuse a data permit within three months of receiving a complete health data access application. If the health data access body finds that the health data access application is incomplete, it shall notify the health data applicant, which shall be given the possibility of completing that application. If the health data applicant does not complete the health data access application within four weeks, the data permit shall not be issued. The health data access body may extend the period for responding to a health data access application by three additional months where necessary, taking into account the urgency and complexity of the health data access application and the volume of health data access applications submitted for decision. In such cases, the health data access body shall notify the health data applicant as soon as possible that more time is needed for examining the health data access application, together with the reasons for the delay.
  • 5.
    When handling a health data access application for cross-border access to electronic health data referred to in Article 67(3), health data access bodies and relevant authorised participants in HealthData@EU referred to in Article 75 shall remain responsible for adopting decisions to grant or refuse access to electronic health data within their remit in accordance with this Chapter. The health data access bodies and authorised participants in HealthData@EU concerned shall inform each other of their decisions. They may take that information into consideration when deciding on granting or refusing access to electronic health data. A data permit issued by one health data access body may benefit from mutual recognition by the other health data access bodies.
  • 6.
    Member States shall provide for an accelerated health data access application procedure for public sector bodies and Union institutions, bodies, offices and agencies with a legal mandate in the field of public health if the processing of electronic health data is to be carried out for the purposes established in Article 53(1), points (a), (b) and (c). When such accelerated procedure applies, the health data access body shall issue or refuse a data permit within two months of receiving a complete health data access application. The health data access body may extend the period for responding to a health data access application by one additional month where necessary.
  • 7.
    Following the issuance of the data permit, the health data access body shall immediately request the electronic health data from the health data holder. The health data access body shall make available the electronic health data to the health data user within two months of receiving them from the health data holders, unless the health data access body specifies that the data are to be provided within a longer specified timeframe.
  • 8.
    In cases referred to in paragraph 5, first subparagraph, of this Article, the health data access bodies and authorised participants in HealthData@EU which issued a data permit or access approval, respectively, may decide to provide access to the electronic health data in the secure processing environment provided by the Commission as referred to in Article 75(9).
  • 9.
    Where the health data access body refuses to issue a data permit, it shall provide a justification for that refusal to the health data applicant.
  • 10.
    When issuing a data permit, the health data access body shall set out in that data permit the general conditions applicable to the health data user. The data permit shall contain the following:
    • (a)
      the categories, specification and format of the electronic health data to be accessed, which are covered by the data permit, including their sources and an indication of whether the electronic health data are to be accessed in a pseudonymised format in the secure processing environment;
    • (b)
      a detailed description of the purpose for which the electronic health data are made available;
    • (c)
      where a mechanism to implement an exception is provided for and applicable under Article 71(4), information on whether it has been applied and the reason for the related decision;
    • (d)
      the identity of authorised persons, in particular the identity of the principal investigator, with access rights to the electronic health data in the secure processing environment;
    • (e)
      the duration of the data permit;
    • (f)
      information about the technical characteristics and tools available to the health data user within the secure processing environment;
    • (g)
      the fees to be paid by the health data user;
    • (h)
      any specific conditions.
  • 11.
    Health data users shall have the right to access and process the electronic health data in a secure processing environment in accordance with the data permit issued to them on the basis of this Regulation.
  • 12.
    A data permit shall be issued for the duration necessary to fulfil the requested purposes and that duration shall not exceed 10 years. That duration may be extended once, for a period which does not exceed 10 years, at the request of the health data user, based on arguments and documents to justify that extension which shall be provided one month before the expiry of the data permit. The health data access body may charge fees which increase to reflect the costs and risks of storing electronic health data for a period exceeding the initial period. In order to reduce such costs and fees, the health data access body may also propose to the health data user to store the dataset in a storage system with reduced capabilities. Such reduced capabilities shall not affect the security of the processed dataset. The electronic health data within the secure processing environment shall be deleted within six months of the expiry of the data permit. At the request of the health data user, the formula for the creation of the requested dataset may be stored by the health data access body.
  • 13.
    If the data permit needs to be updated, the health data user shall submit a request for an amendment of the data permit.
  • 14.
    The Commission may, by means of an implementing act, develop a logo for acknowledging the contribution of the EHDS. That implementing act shall be adopted in accordance with the examination procedure referred to in Article 98(2).

Relevant Recitals for this Article

Resources for this Article

© 2025 StreamLex

NewsletterAbout UsTerms of UsePrivacy NoticeManage cookies

© 2025 StreamLex