Data & Privacy
- Data Act
- Data Governance Act
- EHDS
- ePrivacy Directive
- GDPR
AI & Trust
- Artificial Intelligence Act
- Product Liability Directive
Cybersecurity
- Cyber Resilience Act
- Cybersecurity Act
- DORA
- NIS2
Digital Services & Media
- Digital Markets Act
- Digital Services Act
- European Media Freedom Act
European Health Data Space Regulation
- Recitals
CHAPTER I
GENERAL PROVISIONSArticles 1 — 2
CHAPTER II
PRIMARY USEArticles 3 — 24
CHAPTER III
EHR SYSTEMS AND WELLNESS APPLICATIONSArticles 25 — 49
CHAPTER IV
SECONDARY USEArticles 50 — 81
CHAPTER V
ADDITIONAL ACTIONSArticles 82 — 91
CHAPTER VI
EUROPEAN GOVERNANCE AND COORDINATIONArticles 92 — 96
CHAPTER VII
DELEGATION OF POWERS AND COMMITTEE PROCEDUREArticles 97 — 98
CHAPTER VIII
MISCELLANEOUSArticles 99 — 104
CHAPTER IX
DEFERRED APPLICATION, TRANSITIONAL AND FINAL PROVISIONSArticles 105 — 105
ANNEXES
EHDS Article 88. Third-country transfer of non-personal electronic data
- 1.Non-personal electronic health data made available by health data access bodies to a health data user in a third country under a data permit issued pursuant to Article 68 of this Regulation or a health data request approved pursuant to Article 69 of this Regulation, to authorised participants in a third country or to an international organisation, and based on a natural person’s electronic health data falling within one of the categories referred to in Article 51 of this Regulation, shall be deemed highly sensitive within the meaning of Article 5(13) of Regulation (EU) 2022/868 where the transfer of such non-personal electronic data to third countries presents a risk of re-identification through means going beyond those reasonably likely to be used, in particular in view of the limited number of natural persons to whom those data relate, the fact that they are geographically scattered or the technological developments expected in the near future.
- 2.The protective measures for the categories of data mentioned in paragraph 1 of this Article shall be detailed in a delegated act referred to in Article 5(13) of Regulation (EU) 2022/868.
Relevant Recitals for this Article
Certain categories of electronic health data can remain particularly sensitive even when they are in anonymised format and thus non-personal, as already specifically provided for in Regulation (EU) 2022/868. Even where state-of-the-art anonymisation techniques are used, there remains a residual risk that the capacity to re-identify could be or become available, beyond the means reasonably likely to be used. Such residual risk is present in relation to rare diseases, that is to say a life-threatening or chronically debilitating condition affecting not more than 5 in 10 000 persons in the Union, where the limited numbers of cases reduce the possibility of fully aggregating the published data in order to preserve the privacy of natural persons while also maintaining an appropriate level of granularity in order to remain meaningful. Such residual risk can affect different categories of health data and can lead to the re-identification of the data subjects using means that are beyond those reasonably likely to be used. Such risk depends on the level of granularity, on the description of the characteristics of data subjects, on the number of people affected, for instance in cases of data included in electronic health records, disease registries, biobanks and person-generated data, where the range of identification characteristics is broader, and on the possible combination with other information, for example in very small geographical areas, or through the technological evolution of methods which had not been available at the moment of anonymisation. Such re-identification of natural persons would present a major concern and would be likely to put the acceptance of the rules on secondary use provided for in this Regulation at risk. Furthermore, aggregation techniques are less tested for non-personal data containing for example trade secrets, as is the case in the reporting on clinical trials and clinical investigations, and enforcement of breaches of trade secrets outside the Union is more difficult in the absence of a sufficient international protection standard. Therefore, for those categories of health data, there remains a risk of re-identification after the anonymisation or aggregation, which cannot be reasonably mitigated initially. This falls within the criteria indicated in Article 5(13) of Regulation (EU) 2022/868. Those types of health data would thus fall within the empowerment set out in Article 5(13) of that Regulation for transfer to third countries. The special conditions provided for under the empowerment set out in Article 5(13) of Regulation (EU) 2022/868 will be detailed in the context of the delegated act adopted under that empowerment, and need to be proportional to the risk of re-identification and to take into account the specificities of different data categories or of different anonymisation or aggregation techniques.