Data & Privacy
- Data Act
- Data Governance Act
- EHDS
- ePrivacy Directive
- GDPR
AI & Trust
- Artificial Intelligence Act
- Product Liability Directive
Cybersecurity
- Cyber Resilience Act
- Cybersecurity Act
- DORA
- NIS2
Digital Services & Media
- Digital Markets Act
- Digital Services Act
- European Media Freedom Act
European Health Data Space Regulation
- Recitals
CHAPTER I
GENERAL PROVISIONSArticles 1 — 2
CHAPTER II
PRIMARY USEArticles 3 — 24
CHAPTER III
EHR SYSTEMS AND WELLNESS APPLICATIONSArticles 25 — 49
CHAPTER IV
SECONDARY USEArticles 50 — 81
CHAPTER V
ADDITIONAL ACTIONSArticles 82 — 91
CHAPTER VI
EUROPEAN GOVERNANCE AND COORDINATIONArticles 92 — 96
CHAPTER VII
DELEGATION OF POWERS AND COMMITTEE PROCEDUREArticles 97 — 98
CHAPTER VIII
MISCELLANEOUSArticles 99 — 104
CHAPTER IX
DEFERRED APPLICATION, TRANSITIONAL AND FINAL PROVISIONSArticles 105 — 105
ANNEXES
EHDS Article 75. HealthData@EU
- 1.Each Member State shall designate one national contact point for secondary use. That national contact point for secondary use shall be an organisational and technical gateway, enabling and responsible for the making available of electronic health data for secondary use in a cross-border context. The national contact point for secondary use may be the coordinator health data access body referred to in Article 55(1). Each Member State shall inform the Commission of the name and contact details of the national contact point for secondary use by 26 March 2027. The Commission and the Member States shall make that information publicly available.
- 2.The Union health data access service shall act as the contact point of the Union’s institutions, bodies, offices and agencies for secondary use and shall be responsible for making electronic health data available for secondary use.
- 3.The national contact points for secondary use referred to in paragraph 1 and the Union health data access service referred to in paragraph 2 shall connect to the cross-border infrastructure for secondary use, namely HealthData@EU. The national contact points for secondary use and the Union health data access service shall facilitate the cross-border access to electronic health data for secondary use for different authorised participants in HealthData@EU. The national contact points for secondary use shall cooperate closely with each other and with the Commission.
- 4.Health-related research infrastructures or similar infrastructures whose functioning is based on Union law and which provide support for the use of electronic health data for research, policymaking, statistical, patient safety or regulatory purposes may become authorised participants in HealthData@EU and connect to it.
- 5.Third countries or international organisations may become authorised participants in HealthData@EU where they comply with the rules of this Chapter and provide access to health data users located in the Union, on equivalent terms and conditions, to the electronic health data available to their health data access bodies, subject to compliance with Chapter V of Regulation (EU) 2016/679. The Commission may, by means of implementing acts, determine that a national contact point for secondary use of a third country or a system established at international level by an international organisation is compliant with the requirements of HealthData@EU for the purposes of secondary use of health data, is compliant with this Chapter and provides access to health data users located in the Union to the electronic health data it has access to on terms and conditions equivalent to those of HealthData@EU. Compliance with those legal, organisational, technical and security requirements, including with the requirements for secure processing environments provided for in Article 73, shall be checked under the control of the Commission. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 98(2). The Commission shall make the list of implementing acts adopted pursuant to this paragraph publicly available.
- 6.Each national contact point for secondary use and each authorised participant in HealthData@EU shall acquire the required technical capability to connect to and participate in HealthData@EU. They shall comply with the requirements and technical specifications needed to operate HealthData@EU and to allow them to connect to it.
- 7.The Member States and the Commission shall set up HealthData@EU to support and facilitate the cross-border access to electronic health data for secondary use, connecting the national contact points for secondary use and authorised participants in HealthData@EU and the central platform referred to in paragraph 8.
- 8.The Commission shall develop, deploy and operate a central platform for HealthData@EU by providing information technology services needed to support and facilitate the exchange of information between health data access bodies as part of HealthData@EU. The Commission shall only process electronic health data on behalf of the controllers as a processor.
- 9.Where requested by two or more national contact points for secondary use, the Commission may provide a secure processing environment which is compliant with the requirements of Article 73 for data from more than one Member State. Where two or more national contact points for secondary use or authorised participants in HealthData@EU put electronic health data in the secure processing environment managed by the Commission, they shall be joint controllers and the Commission shall be processor for the purpose of processing data in that environment.
- 10.The national contact points for secondary use shall act as joint controllers of the processing operations carried out in HealthData@EU in which they are involved and the Commission shall act as processor on behalf of those national contact points for secondary use, without affecting the tasks of health data access bodies prior to and following those processing operations.
- 11.Member States and the Commission shall seek to ensure that HealthData@EU is interoperable with other relevant common European data spaces as referred to in Regulations (EU) 2022/868 and (EU) 2023/2854.
- 12.By 26 March 2027, the Commission shall, by means of implementing acts, set out:
- (a)requirements, technical specifications and the IT architecture of HealthData@EU, which shall ensure state-of-the-art data security, confidentiality, and protection of electronic health data in HealthData@EU;
- (b)conditions and compliance checks required to be able to join and remain connected to HealthData@EU and conditions for temporary disconnection or definitive exclusion from HealthData@EU, including specific provisions for cases of serious misconduct or repeated infringements;
- (c)the minimum criteria that need to be met by the national contact points for secondary use and the authorised participants in HealthData@EU;
- (d)the responsibilities of the controllers and processors participating in HealthData@EU;
- (e)the responsibilities of the controllers and processors for the secure processing environment managed by the Commission;
- (f)common specifications for the architecture of HealthData@EU and for its interoperability with other common European data spaces.
The implementing acts referred to in the first subparagraph of this paragraph shall be adopted in accordance with the examination procedure referred to in Article 98(2).
- 13.Where there is a positive outcome of the compliance check referred to in paragraph 5 of this Article, the Commission may, by means of implementing acts, take decisions to connect individual authorised participants to HealthData@EU. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 98(2).
Relevant Recitals for this Article
In order to achieve an inclusive and sustainable framework for multi-country secondary use, a cross-border infrastructure should be established (‘HealthData@EU’). HealthData@EU should accelerate secondary use while increasing legal certainty, respecting the privacy of natural persons and being interoperable. Due to the sensitivity of health data, principles such as ‘privacy by design’ and ‘privacy by default’ and the concept of bringing questions to data instead of moving those data should be respected whenever possible. Member States should designate national contact points for secondary use, as organisational and technical gateways for health data access bodies, and connect those contact points to HealthData@EU. The Union health data access service should also be connected to HealthData@EU. In addition, authorised participants in HealthData@EU could be research infrastructures established as a European Research Infrastructure Consortium (ERIC) under Council Regulation (EC) No 723/2009 , as a European digital infrastructure consortium (EDIC) under Decision (EU) 2022/2481 or similar infrastructures established under other Union legal acts, as well as other types of entities, including infrastructures under the European Strategy Forum on Research Infrastructures (ESFRI) or infrastructures federated under the European Open Science Cloud (EOSC). Third countries and international organisations could also become authorised participants in HealthData@EU, provided that they are compliant with the requirements in this Regulation. The Commission communication of 19 February 2020 entitled ‘A European strategy for data’ promoted the linking of the various common European data spaces. HealthData@EU should therefore enable the secondary use of different categories of electronic health data, including linking of the health data with data from other data spaces such as those relating to the environment, agriculture and social sector. Such interoperability between the health sector and other sectors such as the environmental, agricultural or social sectors could be relevant for obtaining additional insights on health determinants. The Commission could provide a number of services within HealthData@EU, including supporting the exchange of information amongst health data access bodies and authorised participants in HealthData@EU for the handling of cross-border access requests, maintaining catalogues of electronic health data available through the infrastructure, network discoverability and metadata queries, connectivity and compliance services. The Commission could also set up a secure processing environment, allowing data from different national infrastructures to be transmitted and analysed, at the request of the controllers. For the sake of IT efficiency, rationalisation and interoperability of data exchanges, existing systems for data sharing should be reused as much as possible, such as those being built for the exchange of evidence under the ‘once-only’ technical system of Regulation (EU) 2018/1724 of the European Parliament and of the Council .
In addition, given that the connection to HealthData@EU could entail transfers of personal data related to the applicant or the health data user to third countries, relevant transfer instruments under Chapter V of Regulation (EU) 2016/679 need to be in place for such transfers.
The authorisation process to gain access to personal electronic health data in different Member States can be repetitive and cumbersome for health data users. Whenever possible, synergies should be established to reduce the burden and barriers for health data users. One way to achieve that aim is to adhere to the ‘single application’ principle whereby, with one application, the health data user can obtain authorisation from multiple health data access bodies in different Member States or authorised participants in HealthData@EU.