Data & Privacy
AI & Trust
Cybersecurity
Digital Services & Media
CHAPTER I
GENERAL PROVISIONSArticles 1 — 2
CHAPTER II
PRIMARY USEArticles 3 — 24
CHAPTER III
EHR SYSTEMS AND WELLNESS APPLICATIONSArticles 25 — 49
CHAPTER IV
SECONDARY USEArticles 50 — 81
CHAPTER V
ADDITIONAL ACTIONSArticles 82 — 91
CHAPTER VI
EUROPEAN GOVERNANCE AND COORDINATIONArticles 92 — 96
CHAPTER VII
DELEGATION OF POWERS AND COMMITTEE PROCEDUREArticles 97 — 98
CHAPTER VIII
MISCELLANEOUSArticles 99 — 104
CHAPTER IX
DEFERRED APPLICATION, TRANSITIONAL AND FINAL PROVISIONSArticles 105 — 105
ANNEXES
Certain categories of electronic health data can remain particularly sensitive even when they are in anonymised format and thus non-personal, as already specifically provided for in Regulation (EU) 2022/868. Even where state-of-the-art anonymisation techniques are used, there remains a residual risk that the capacity to re-identify could be or become available, beyond the means reasonably likely to be used. Such residual risk is present in relation to rare diseases, that is to say a life-threatening or chronically debilitating condition affecting not more than 5 in 10 000 persons in the Union, where the limited numbers of cases reduce the possibility of fully aggregating the published data in order to preserve the privacy of natural persons while also maintaining an appropriate level of granularity in order to remain meaningful. Such residual risk can affect different categories of health data and can lead to the re-identification of the data subjects using means that are beyond those reasonably likely to be used. Such risk depends on the level of granularity, on the description of the characteristics of data subjects, on the number of people affected, for instance in cases of data included in electronic health records, disease registries, biobanks and person-generated data, where the range of identification characteristics is broader, and on the possible combination with other information, for example in very small geographical areas, or through the technological evolution of methods which had not been available at the moment of anonymisation. Such re-identification of natural persons would present a major concern and would be likely to put the acceptance of the rules on secondary use provided for in this Regulation at risk. Furthermore, aggregation techniques are less tested for non-personal data containing for example trade secrets, as is the case in the reporting on clinical trials and clinical investigations, and enforcement of breaches of trade secrets outside the Union is more difficult in the absence of a sufficient international protection standard. Therefore, for those categories of health data, there remains a risk of re-identification after the anonymisation or aggregation, which cannot be reasonably mitigated initially. This falls within the criteria indicated in Article 5(13) of Regulation (EU) 2022/868. Those types of health data would thus fall within the empowerment set out in Article 5(13) of that Regulation for transfer to third countries. The special conditions provided for under the empowerment set out in Article 5(13) of Regulation (EU) 2022/868 will be detailed in the context of the delegated act adopted under that empowerment, and need to be proportional to the risk of re-identification and to take into account the specificities of different data categories or of different anonymisation or aggregation techniques.