Data & Privacy
AI & Trust
Cybersecurity
Digital Services & Media
CHAPTER I
GENERAL PROVISIONSArticles 1 — 2
CHAPTER II
PRIMARY USEArticles 3 — 24
CHAPTER III
EHR SYSTEMS AND WELLNESS APPLICATIONSArticles 25 — 49
CHAPTER IV
SECONDARY USEArticles 50 — 81
CHAPTER V
ADDITIONAL ACTIONSArticles 82 — 91
CHAPTER VI
EUROPEAN GOVERNANCE AND COORDINATIONArticles 92 — 96
CHAPTER VII
DELEGATION OF POWERS AND COMMITTEE PROCEDUREArticles 97 — 98
CHAPTER VIII
MISCELLANEOUSArticles 99 — 104
CHAPTER IX
DEFERRED APPLICATION, TRANSITIONAL AND FINAL PROVISIONSArticles 105 — 105
ANNEXES
Regulation (EU) 2016/679 sets out specific provisions concerning the rights of natural persons in relation to the processing of their personal data. The EHDS builds upon those rights and complements some of them as applied to personal electronic health data. Those rights apply regardless of the Member State in which the personal electronic health data are processed, type of healthcare provider, sources of those data or Member State of affiliation of the natural person. The rights and rules related to the primary use of personal electronic health data under this Regulation concern all categories of those data, irrespective of how they have been collected or who has provided them, the legal ground for the processing under Regulation (EU) 2016/679 or the status of the controller as a public or private organisation. The additional rights of access and portability of personal electronic health data provided for in this Regulation should be without prejudice to the rights of access and portability as established under Regulation (EU) 2016/679. Natural persons continue to have those rights under the conditions set out in that Regulation.
Natural persons might not want to allow access to some parts of their personal electronic health data while enabling access to other parts. This could especially be relevant in cases of sensitive health issues such as those related to mental or sexual health, sensitive procedures such as abortions, or data on specific medication which could reveal other sensitive issues. Such selective sharing of personal electronic health data should therefore be supported and implemented through restrictions set by the natural person concerned in the same way within the territory of a given Member State and for cross-border data sharing. Those restrictions should allow for sufficient granularity to restrict parts of datasets, such as elements of the patient summaries. Before setting the restrictions, natural persons should be informed of the risks for patient safety associated with limiting access to health data. Given that the unavailability of the restricted personal electronic health data may impact the provision or quality of health services provided to the natural person, natural persons making use of such access restrictions should assume responsibility for the fact that the healthcare provider cannot take the data into account when providing health services. The restrictions on access to personal electronic health data could have life-threatening consequences and, therefore, access to those data should nevertheless be possible where necessary to protect vital interests in emergency situations. More specific legal provisions on the mechanisms of restrictions placed by natural persons on parts of their personal electronic health data could be provided for by Member States in their national law, in particular as regards medical liability in cases where restrictions have been placed by the natural person concerned.