DATA PROTECTION
Regulation 2025/327 establishing the European Health Data Space has been published in the Official Journal of the European Union.
Regulation 2025/327 establishing the European Health Data Space (EHDS) introduces significant innovations in the processing of and access to electronic health data in the European Union. It represents a major step towards the digitization and integration of electronic health data (personal and non-personal) in Europe, with the aim of improving the quality of healthcare, promoting innovation and ensuring the security and privacy of citizens.
Main objectives
Data Access and Control for Citizens: The regulation aims to ensure that individuals can easily access their electronic health data and have more control over it in the context of healthcare.
Secondary Data Use: Facilitates the use of electronic health data for purposes such as research, innovation, policymaking, health threat preparedness and response, patient safety, personalized medicine, official statistics, and regulatory activities.
Harmonisation of the Internal Market: Establishes a uniform legal and technical framework for the development, marketing and use of electronic health record (EHR) systems that comply with EU values.
The Regulation promotes the adoption of common standards to ensure that electronic health data (personal and non-personal) are findable, accessible, interoperable and reusable (FAIR principles). This facilitates the secure and efficient sharing of data between different systems and Member States. Given the sensitivity of health data, safeguards are introduced at both EU and national level to ensure a high level of protection, in accordance with the General Data Protection Regulation (GDPR). Member States are required to designate competent authorities for the implementation and supervision of the Regulation, ensuring consistent application of the provisions across the Union.
Violations committed by the owners or users of health data may be subject to the following administrative sanctions:
- a maximum of €10 million or, in the case of a company, a maximum of 2% of the total annual worldwide turnover achieved in the previous financial year, whichever is higher; or
- for specific infringements, a maximum of €20 million or, in the case of a company, a maximum of 4% of the total annual worldwide turnover achieved in the previous financial year, whichever is higher.
The European Commission has also published a document containing useful practical FAQs on various topics such as the following:
- the purpose of the EHDS and its material scope;
- the terms for the application of the EHDS;
- data subject rights applicable to patients under the EHDS;
- the tasks of the Digital Health Authorities;
- secondary use of personal electronic health data;
- the international aspects of the EHDS, including the participation of third countries in trade, the applicability of health data holder obligations to non-EU residents, and the application of the EHDS to EEA countries; and
- how the EHDS relates to other EU regulations such as the GDPR, the Data Act, and the AI Act.