BETA

150 Amendments of Maria GRAPINI related to 2022/0140(COD)

Amendment 50 #
Proposal for a regulation
Recital 34
(34) In order to ensure an appropriate and effective enforcement of the requirements and obligations laid down in Chapter III of this Regulation, the system of market surveillance and compliance of products established by Regulation (EU) 2019/1020 should apply. Depending on the organisation defined at national level, such market surveillance activities could be carried out by the digital health authorities ensuring the proper implementation of Chapter II or a separate market surveillance authority responsible for EHR systems. While designating digital health authorities as market surveillance authorities could have important practical advantages for the implementation of health and care, any conflicts of interest should be avoided, for instance by separating different tasks. Member States should ensure that market surveillance authorities have the necessary human, technical and financial resources, premises, infrastructure, and expertise to carry out their duties effectively.
2023/03/09
Committee: IMCO
Amendment 60 #
(71) In order to assess whether this Regulation reaches its objectives effectively and efficiently, is coherent and still relevant and provides added value at Union level the Commission should carry out an evaluation of this Regulation. The Commission should carry out a partial evaluation of this Regulation 53 years after its entry into force, on the self-certification of EHR systems and the need to introduce a conformity assessment procedure performed by notified bodies, and an overall evaluation 7 years after the entry into force of this Regulation. The Commission should submit reports on its main findings following each evaluation to the European Parliament and to the Council, the European Economic and Social Committee and the Committee of the Regions.
2023/03/09
Committee: IMCO
Amendment 66 #
Proposal for a regulation
Article 2 – paragraph 2 – point m
(m) ‘EHR’ (electronic health record) means any collection of past or present electronic health data, including physical and mental data, related to a natural person and collected in the health system, processed for healthcare or research purposes;
2023/03/09
Committee: IMCO
Amendment 68 #
Proposal for a regulation
Article 2 – paragraph 2 – point n
(n) ‘EHR system’ (electronic health record system) means any appliance or softwar, software or other article intended by the manufacturer to be used for storing, intermediating, importing, exporting, converting, editing or viewing electronic health records, or that can be reasonably expected by the manufacturer to be mainly used for these purposes;
2023/03/09
Committee: IMCO
Amendment 70 #
Proposal for a regulation
Article 2 – paragraph 2 – point n a (new)
(n a) ‘general software’ means any software that is not intended by the manufacturer to be used for storing, intermediating, importing, exporting, converting, editing or viewing electronic health records, or that cannot be reasonably expected by the manufacturer to be mainly used for these purposes;
2023/03/09
Committee: IMCO
Amendment 72 #
Proposal for a regulation
Article 2 – paragraph 2 – point o
(o) ‘wellness application’ means any appliance or software intended by the manufacturer to be used by a natural person for processing electronic health data for other purposes than healthcare, such as well-being and pursuing healthy life- stylhealthy life-style and well-being purposes, or that can be reasonably expected by the manufacturer to be mainly used for these purposes;
2023/03/09
Committee: IMCO
Amendment 95 #
Proposal for a regulation
Article 17 – paragraph 1 – point j
(j) upon request of aprovide market surveillance authority, provide ities with all the information and documentation necessary to demonstrate the conformity of their EHR system with the essential requirements laid down in Annex II prior to making it available or putting it into service.
2023/03/09
Committee: IMCO
Amendment 96 #
Proposal for a regulation
Article 17 – paragraph 1 – point k a (new)
(k a) establish reporting channels and ensure their accessibility to allow for users to submit complaints or concerns regarding potential non-conformity of products; assess the complaints and concerns received, and inform market surveillance authorities in case of suspected non-compliance of the product; and keep a register of complaints and concerns received for 10 years and make it available upon request from a market surveillance authority.
2023/03/09
Committee: IMCO
Amendment 106 #
Proposal for a regulation
Article 18 – paragraph 2 – point b
(b) further to a reasoned request from a market surveillance authority, provide thatmarket surveillance authorityies with all the information and documentation necessary to demonstrate the conformity of an EHR system with the essential requirements laid down in Annex II;
2023/03/09
Committee: IMCO
Amendment 126 #
Proposal for a regulation
Article 20 – paragraph 4
4. Distributors shall, further to a reasoned request from a provide market surveillance authority, provide ities with all the information and documentation necessary to demonstrate the conformity of an EHR system prior to making it available on the market. They shall cooperate with that authority, at its request, on any action taken to bring their EHR systems in conformity with the essential requirements laid down in Annex II.
2023/03/09
Committee: IMCO
Amendment 129 #
Proposal for a regulation
Article 21 – paragraph 1
An importer or distributor shall be considered a manufacturer for the purposes of this Regulation and shall be subject to the obligations laid down in Article 17, where they made an EHR system available on the market under their own name or trademark or modify an EHR system already placed on the market in such a way that conformity with the applicable requirements may be affected. Second- hand economic operators, including refurbishers, who make available on the market second-hand EHR systems, whether prepared for re-use, checked, cleaned, repaired, refurbished or without any action on the product shall not be considered as modifying a product in such a way that conformity with the applicable requirements may be affected.
2023/03/09
Committee: IMCO
Amendment 133 #
Proposal for a regulation
Article 23 – paragraph 1 – subparagraph 1
The Commission shall, by means of implementing acts, adopt common specifications in respect of the essential requirements set out in Annex II, including a time limit for implementing those common specifications. The Commission shall consult, when preparing implementing acts, the relevant stakeholders, including the European Data Protection Supervisor and the European Data Protection Board where common specifications have an impact on the data protection requirements of EHR systems. Where relevant, the common specifications shall take into account the specificities of medical devices and high risk AI systems referred to in paragraphs 3 and 4 of Article 14.
2023/03/09
Committee: IMCO
Amendment 146 #
Proposal for a regulation
Article 27 – paragraph 1
1. The CE marking shall be affixed visibly, legibly and indelibly to the accompanying documents of the EHR system and, where applicable, to the packaging, and, where possible, to the EHR system itself.
2023/03/09
Committee: IMCO
Amendment 150 #
Proposal for a regulation
Article 28 – paragraph 3 a (new)
3 a. Market surveillance authorities shall act as single contact points, and centralize all procedures and verifications avoiding duplicated procedures with the Artificial Intelligence Act (2021/0106(COD)), Medical Devices Regulation 2012/0266(COD), In vitro Diagnostic Medical Devices Regulation (2012/0267(COD)), Cyber Resilience Act (2022/0272(COD)).
2023/03/09
Committee: IMCO
Amendment 192 #
Proposal for a regulation
Recital 5
(5) More and more Europeans cross national borders to work, study, visit relatives or to travel. To facilitate the exchange of health data, and in line with the need for empowering citizens, they should be able to access their health data in an electronic format that can be recognised and accepted across the Union. Such personal electronic health data could include personal data related to the physical or mental health of a natural person, including the provision of health care services, which reveal information about their health status, personal data relating to the inherited or acquired genetic characteristics of a natural person which give unique information about the physiology or the health of that natural person and which result, in particular, from an analysis of a biological sample from the natural person in question, as well as data determinants of health, such as behaviour, environmental, physical influences, medical care, social or educational factors. Electronic health data also includes data that has been initially collected for research, statistics, policy making or regulatory purposes and may be made available according to the rules in Chapter IV. The electronic health data concern all categories of those data, irrespective to the fact that such data is provided by the data subject or other natural or legal persons, such as health professionals, or is processed in relation to a natural person’s health or well-being and should also include inferred and derived data, such as diagnostics, tests and medical examinations, as well as data observed and recorded by automatic means. The wide range of data types requires regulation with differentiated access rights to protect natural persons data. This fundamentally concerns social data in particular, and mental health data in general.
2023/03/30
Committee: ENVILIBE
Amendment 197 #
Proposal for a regulation
Article 69 – paragraph 1 a (new)
Penalties shall at least include fines proportionate to the extent of non- compliance and to the turnover of the relevant economic operator. Fines shall be calculated in such a way as to make sure that they effectively deprive the economic operator of the economic benefits derived from their infringements. Fines shall be gradually increased for repeated infringements.
2023/03/09
Committee: IMCO
Amendment 198 #
Proposal for a regulation
Article 69 – paragraph 1 b (new)
In deciding whether to impose sanctions and, if so, in determining their nature and appropriate level, due account shall be taken of: (a) the nature, gravity and duration of the infringement; (b) any previous infringements by the economic operator of this Regulation; (c) the financial benefits gained or losses avoided by the economic operator due to the infringement, if the relevant data are available; (d) penalties imposed in respect of the same infringement in other Member States; (e) any action taken by the economic operator to remedy or to mitigate the adverse effects of the infringement; (f) any other aggravating or mitigating factors applicable to the circumstances of the case.
2023/03/09
Committee: IMCO
Amendment 200 #
Proposal for a regulation
Article 69 – paragraph 1 c (new)
Member States shall ensure that any decision containing penalties related to the breach of the provisions of this Regulation is published no later than a month after the penalty is imposed.
2023/03/09
Committee: IMCO
Amendment 203 #
Proposal for a regulation
Article 70 – paragraph 1
1. After 53 years from the entry into force of this Regulation, the Commission shall carry out a targeted evaluation of this Regulation especially with regards to Chapter III, and submit a report on its main findings to the European Parliament and to the Council, the European Economic and Social Committee and the Committee of the Regions, accompanied, where appropriate, by a proposal for its amendment especially with regards to a transition from self-certification to third- party certification. The evaluation shall include an assessment of the self- certification of EHR systems and reflect onconsider the need to introduce a conformity assessment procedure performed by notified bodies as a way to better ensure protection of electronic health data.
2023/03/09
Committee: IMCO
Amendment 208 #
Proposal for a regulation
Article 71 a (new)
Article 71 a Amendment to Directive (EU) 2020/1828 on Representative Actions for the Protection of the Collective Interests of Consumers The following is added to Annex I: “(67) Regulation (EU) .../... of the European Parliament and of the Council on the European Health Data Space”
2023/03/09
Committee: IMCO
Amendment 212 #
Proposal for a regulation
Annex II – point 3 – point 3.1
3.1. An EHR system shall be designed and developed in such a way that it ensures safe and secure processing of electronic health data, and that it prevents unauthorised access to such data, and that it duly takes into consideration the principles of data minimization and data protection by design.
2023/03/09
Committee: IMCO
Amendment 213 #
Proposal for a regulation
Annex II – point 3 – point 3.8
3.8. An EHR system designed for the storage of electronic health data shall support different retention periods and access rights that take into account the origins and categories of electronic health data and the specific purpose of the data processing operations.
2023/03/09
Committee: IMCO
Amendment 233 #
Proposal for a regulation
Recital 13
(13) Natural persons may not want to allow access to some parts of their personal electronic health data while enabling access to other parts. Such selective sharing of personal electronic health data should be supported. However, such restrictions may have life threatening consequences and, therefore, access to personal electronic health data should be possible to protect vital interests as an emergency override. According to Regulation (EU) 2016/679, vital interests refer to situations in which it is necessary to protect an interest which is essential for the life of the data subject or that of another natural person. Processing of personal electronic health data based on the vital interest of another natural person should in principle take place only where the processing cannot be manifestly based on another legal basis. More specific legal provisions on the mechanisms of restrictions placed by the natural person on parts of their personal electronic health data should be provided by Member States in national law. Given the unequal access to sexual and reproductive healthcare among the Member States, natural persons should always retain the right to withhold that kind of information from their doctors. Because the unavailability of the restricted personal electronic health data may impact the provision or quality of health services provided to the natural person, he/she should assume responsibility for the fact that the healthcare provider cannot take the data into account when providing health services.
2023/03/30
Committee: ENVILIBE
Amendment 292 #
Proposal for a regulation
Recital 27
(27) In order to ensure respect for the rights of natural persons and health professionals, EHR systems marketed in the internal market of the Union should be able to store and transmit, in a secure way, high quality electronic health data. This is a key principle of the EHDS to ensure the secure and free movement of electronic health data across the Union. To that end, a mandatory self-certification schemconformity assessment procedure for EHR systems processing one or more priority categories of electronic health data should be established to overcome market fragmentation while ensuring a proportionate approach. Through this self- certificationprocedure, EHR systems should prove compliance with essential requirements on interoperability and security, set at Union level. Considering the sensitive data that will be processed via these systems, a self-certification regime is not an adequate option. In relation to security, essential requirements should cover elements specific to EHR systems, as more general security properties should be supported by other mechanisms such as cybersecurity schemes under Regulation (EU) 2019/881 of the European Parliament and of the Council48. _________________ 48 Regulation (EU) 2019/881 of the European Parliament and of the Council of 17 April 2019 on ENISA (the European Union Agency for Cybersecurity) and on information and communications technology cybersecurity certification and repealing Regulation (EU) No 526/2013 (Cybersecurity Act) (OJ L 151, 7.6.2019, p. 15).
2023/03/30
Committee: ENVILIBE
Amendment 306 #
Proposal for a regulation
Recital 35
(35) Users of wellness applications, such as mobile applications, should be informed about the capacity of such applications to be connected and to supply data to EHR systems or to national electronic health solutions, in cases where data produced by wellness applications is useful for healthcare purposes. The capability of those applications to export data in an interoperable format is also relevant for data portability purposes. Where applicable, users should be informed about the compliance of such applications with interoperability and security requirements. However, given the large number of wellness applications and the limited relevance for healthcare purposes of the data produced by many of them, a certification scheme for these applications would not be proportionate. A voluntary labelling scheme should therefore be established as an appropriate mechanism for enabling the transparency for the users of wellness applications regarding compliance with the requirements, thereby supporting users in their choice of appropriate wellness applications with high standards of interoperability and security. The Commission may set out in implementing acts the details regarding the format and content of such label.deleted
2023/03/30
Committee: ENVILIBE
Amendment 371 #
Proposal for a regulation
Recital 43
(43) The health data access bodies should monitor the application of Chapter IV of this Regulation and contribute to its consistent application throughout the Union. For that purpose, the health data access bodies should cooperate with each other and with the Commission, without the need for any agreement between Member States on the provision of mutual assistance or on such cooperation. The health data access bodies should also cooperate with stakeholders, including patient organisations. Since the secondary use of health data involves the processing of personal data concerning health, the relevant provisions of Regulation (EU) 2016/679 apply and the supervisory authorities under Regulation (EU) 2016/679 and Regulation (EU) 2018/1725 should be tasked with enforcing these rules. Those supervisory authorities should remain the only competent authorities responsible for personal data protection issues and their decisions should not be conditioned or overruled by the health data access bodies. Moreover, given that health data are sensitive data and in a duty of loyal cooperation, the health data access bodies should inform the data protection authorities of any issues related to the data processing for secondary use, including penalties. In addition to the tasks necessary to ensure effective secondary use of health data, the health data access body should strive to expand the availability of additional health datasets, support the development of AI in health and promote the development of common standards. They should apply tested techniques that ensure electronic health data is processed in a manner that preserves the privacy of the information contained in the data for which secondary use is allowed, including techniques for pseudonymisation, anonymisation, generalisation, suppression and randomisation of personal data. Health data access bodies can prepare datasets to the data user requirement linked to the issued data permit. This includes rules for anonymization of microdata sets.
2023/03/30
Committee: ENVILIBE
Amendment 393 #
Proposal for a regulation
Recital 49
(49) Given the sensitivity of electronic health data, it is necessary to reduce risks on the privacy of natural persons by asking for their explicit consent for the data to be used and by applying the data minimisation principle as set out in Article 5 (1), point (c) of Regulation (EU) 2016/679. Therefore, the use of anonymised electronic health data which is devoid of any personal data should be made available when possible and if the data user asks it. If the data user needs to use personal electronic health data, it should clearly indicate in its request the justification for the use of this type of data for the planned data processing activity. The personal electronic health data should only be made available in pseudonymised format and the encryption key can only be held by the health data access body. Data users should not attempt to re-identify natural persons from the dataset provided under this Regulation, subject to administrative or possible criminal penalties, where the national laws foresee this. However, this should not prevent, in cases where the results of a project carried out based on a data permit has a health benefit or impact to a concerned natural person (for instance, discovering treatments or risk factors to develop a certain disease), the data users would inform the health data access body, which in turn would inform the concerned natural person(s), if the natural person has agreed in advance to receive such information. Moreover, the applicant can request the health data access bodies to provide the answer to a data request, including in statistical form. In this case, the data users would not process health data and the health data access body would remain sole controller for the data necessary to provide the answer to the data request.
2023/03/30
Committee: ENVILIBE
Amendment 414 #
Proposal for a regulation
Recital 53
(53) For requests to access electronic health data from a single data holder in a single Member State and in order to alieviate the administrative burden for heath data access bodies of managing such request, the data user should be able to request this data directly from the data holder and the data holder should be able to issue a data permit while complying with all the requirements and safeguards linked to such request and permit. Multi- country requests and requests requiring combination of datasets from several data holders should always be channelled through health data access bodies. The data holder should report to the health data access bodies about any data permits or data requests they provide.deleted
2023/03/30
Committee: ENVILIBE
Amendment 456 #
Proposal for a regulation
Recital 65
(65) In order to promote the consistent application of this Regulation, a European Health Data Space Board (EHDS Board) should be set up. The Commission should participate in its activities and chair it. It should contribute to the consistent application of this Regulation throughout the Union, including by helping Member State to coordinate the use of electronic health data for healthcare, certification, but also concerning the secondary use of electronic health data. Given that, at national level, digital health authorities dealing with the primary use of electronic health data may be different to the health data access bodies dealing with the secondary use of electronic health data, the functions are different and there is a need for distinct cooperation in each of these areas, the EHDS Board should be able to set up subgroups dealing with these two functions, as well as other subgroups, as needed. For an efficient working method, the digital health authorities and health data access bodies should create networks and links at national level with different other bodies and authorities, but also at Union level. Such bodies could comprise data protection authorities, cybersecurity, eID and standardisation bodies, as well as bodies and expert groups under Regulations […], […], […] and […] [Data Governance Act, Data Act, AI Act and Cybersecurity Act]. Given the tasks of the EHDS Board, its members should be only representatives of national or Union authorities. An advisory group with representatives of external stakeholders (such as industry, patients organisations, etc.) could be established, without voting rights in the EHDS Board.
2023/03/30
Committee: ENVILIBE
Amendment 477 #
Proposal for a regulation
Article 1 – paragraph 2 – point b
(b) lays down rules for the placing on the market, making available on the market or putting into service of electronic health records systems (‘EHR systems’) in the Union, with the obligation to comply with the GDPR;
2023/03/30
Committee: ENVILIBE
Amendment 478 #
Proposal for a regulation
Article 1 – paragraph 2 – point d
(d) establishes a mandatory cross- border infrastructure enabling the primary use of electronic health data across the Union that complies with the GDPR;
2023/03/30
Committee: ENVILIBE
Amendment 479 #
Proposal for a regulation
Article 1 – paragraph 2 – point e
(e) establishes a mandatory cross- border infrastructure for the secondary use of electronic health data that complies with the GDPR.
2023/03/30
Committee: ENVILIBE
Amendment 484 #
Proposal for a regulation
Article 1 – paragraph 3 – point a
(a) manufacturers and suppliers of EHR systems and wellness applications placed on the market and put into service in the Union and the users of such products;
2023/03/30
Committee: ENVILIBE
Amendment 490 #
Proposal for a regulation
Article 1 – paragraph 3 a (new)
3 a. This Regulation shall not affect the application of Regulations (EU) 2016/679, (EU) 2018/1725, (EU) No 536/2014 and Directive 2002/58/EC.
2023/03/30
Committee: ENVILIBE
Amendment 491 #
Proposal for a regulation
Article 1 – paragraph 3 b (new)
3 b. References to the provisions of Regulation (EU) 2016/679 shall be understood also as references to the corresponding provisions of Regulation (EU) 2018/1725 for Union institutions and bodies, where relevant.
2023/03/30
Committee: ENVILIBE
Amendment 492 #
Proposal for a regulation
Article 1 – paragraph 4
4. This Regulation shall be without prejudice to other Union legal acts regarding access to, sharing of or secondary use of electronic health data, or requirements related to the processing of data in relation to electronic health data, in particular Regulations (EU) 2016/679, (EU) 2018/1725, […] [Data Governance Act COM/2020/767 final] and […] [Data Act COM/2022/68 final] and Directive 2002/58/EC.
2023/03/30
Committee: ENVILIBE
Amendment 497 #
Proposal for a regulation
Article 1 – paragraph 6
6. This Regulation shall not affect the rights and obligations laid down in Union or national law concerning data processing for the purposes of reporting, complying with information requests or demonstrating or verifying compliance with legal obligations and shall be without prejudice to the rights and obligations arising from the GDPR.
2023/03/30
Committee: ENVILIBE
Amendment 502 #
Proposal for a regulation
Article 2 – paragraph 1 – point a
(a) the definitions, including those of ‘personal data’, ‘processing’, ‘pseudonymisation’, ‘controller’, ‘processor’, ‘third party’, ‘consent’, ‘genetic data’, ‘data concerning health’, ‘supervisory authority’, ‘international organisation’ in Regulation (EU) 2016/679;
2023/03/30
Committee: ENVILIBE
Amendment 506 #
Proposal for a regulation
Article 2 – paragraph 2 – point a
(a) ‘personal electronic health data’ means data concerning health and genetic data as defined in Regulation (EU) 2016/679, as well as data referring to determinants of health, or data processed in relation to the provision of healthcare services, processed in an electronic form;
2023/03/30
Committee: ENVILIBE
Amendment 518 #
Proposal for a regulation
Article 2 – paragraph 2 – point b
(b) ‘non-personal electronic health data’ means data concerning health and genetic data in electronic format that falls outside the definition of personal data provided in Article 4(1) of Regulation (EU) 2016/679;
2023/03/30
Committee: ENVILIBE
Amendment 529 #
Proposal for a regulation
Article 2 – paragraph 2 – point e
(e) ‘secondary use of electronic health data’ means the processing of electronic health data for purposes set out in Chapter IV of this Regulation. The data used may include personal electronic health data initially collected in the context of primary use, but also electronic health data collected for the purpose of the secondary use. Secondary use of personal electronic health data shall have Article 9(2) of Regulation (EU) 2016/679 as its legal basis;
2023/03/30
Committee: ENVILIBE
Amendment 552 #
Proposal for a regulation
Article 2 – paragraph 2 – point m
(m) ‘EHR’ (electronic health record) means a collection of electronic health data related to a natural person and collected in the health system, processed for the purpose of the provision of healthcare purposservices;
2023/03/30
Committee: ENVILIBE
Amendment 563 #
Proposal for a regulation
Article 2 – paragraph 2 – point o
(o) ‘wellness application’ means any appliance or software intended by the manufacturer to be used by a natural person for processing electronic health data for other purposes than healthcare, such as well-being and pursuing healthy life-styles;deleted
2023/03/30
Committee: ENVILIBE
Amendment 682 #
Proposal for a regulation
Article 3 – paragraph 9
9. Notwithstanding Article 6(1), point (d), of Regulation (EU) 2016/679, natural persons shall have the right to confidentially restrict access of health professionals to all or part of their electronic health data, and the fact that such data has been restricted. Member States shall establish the rules and specific safeguards regarding such restriction mechanisms, which shall also include the possibility to exercise geographical and temporal restrictions and restrictions related to a specific category of health professionals.
2023/03/30
Committee: ENVILIBE
Amendment 695 #
Proposal for a regulation
Article 3 – paragraph 10
10. Natural persons shall have the right to obtainreceive automatically information on the healthcare providers and health professionals that have accessed their electronic health data in the context of healthcare. All relevant entities shall maintain a record of those who have had access to data. The information shall be provided immediately and free of charge through electronic health data access services.
2023/03/30
Committee: ENVILIBE
Amendment 703 #
Proposal for a regulation
Article 3 – paragraph 11
11. The supervisory authority or authorities responsible for monitoring the application of Regulation (EU) 2016/679 shall also be responsible for monitoring the application of this Article, in accordance with the relevant provisions in Chapters VI, VII and VIII of Regulation (EU) 2016/679. They shall be competent to impose administrative fines up to the amount referred to in Article 83(5) of that Regulation. Those supervisory authorities and the digital health authorities referred to in Article 10 of this Regulation shall, where relevant, cooperate in the enforcement of this Regulation, within the remit of their respective competences.
2023/03/30
Committee: ENVILIBE
Amendment 707 #
Proposal for a regulation
Article 3 – paragraph 12
12. The Commission shall, by means of implementingdelegated acts, determine the requirements concerning the technical implementation of the rights set out in this Article. Those implementing acts shall be adopted in accordance with the advisory procedure referred to in Article 68(2), including technical and organisational measures to ensure the process of authentication of the authorised person referred to in point (b) of paragraph 5.
2023/03/30
Committee: ENVILIBE
Amendment 716 #
Proposal for a regulation
Article 4 – paragraph 1 – point a
(a) have access on a need-to-know basis to the electronic health data of natural persons under their treatment, irrespective of the Member State of affiliation and the Member State of treatment;
2023/03/30
Committee: ENVILIBE
Amendment 725 #
Proposal for a regulation
Article 4 – paragraph 2
2. In line with the data minimisation principle provided for in Regulation (EU) 2016/679, Member States mayshall establish rules providing for the categories of personal electronic health data required by different health professions. Such rules shall not be based on the source of electronic health data.
2023/03/30
Committee: ENVILIBE
Amendment 734 #
Proposal for a regulation
Article 4 – paragraph 3
3. Member States shall ensure that access to at least the priority categories of electronic health data referred to in Article 5 is made available to health professionals through health professional access services, where the processing of health data is necessary. Health professionals who are in possession of recognised electronic identification means shall have the right to use those health professional access services, free of charge, where the processing of health data is necessary.
2023/03/30
Committee: ENVILIBE
Amendment 767 #
Proposal for a regulation
Article 5 – paragraph 1 – subparagraph 3
Access to and exchange of electronic health data for primary use may be enabled for other categories of personal electronic health data available in the EHR of natural persons.deleted
2023/03/30
Committee: ENVILIBE
Amendment 772 #
Proposal for a regulation
Article 5 – paragraph 2
2. The Commission is empowered to adopt delegated acts in accordance with Article 67 to amend the list of priority categories of electronic health data in paragraph 1. Such delegated acts may also amend Annex I by adding, modifying or removing the main characteristics of the priority categories of electronic health data and indicating, where relevant, deferred application date. The categories of electronic health data added through such delegated acts shall satisfy the following criteria: (a) the category is relevant for health services provided to natural persons; (b) according to the most recent information, the category is used in a significant number of EHR systems used in Member States; (c) international standards exist for the category that have been examined for the possibility of their application in the Union.
2023/03/30
Committee: ENVILIBE
Amendment 795 #
Proposal for a regulation
Article 7 – paragraph 1
1. Member States shall ensure that, where data is processed in electronic format, health professionals systematically register the relevant health data falling under at least the priority categories referred to in Article 5 concerning the health services provided by them to natural persons, in the electronic format in an EHR system, and shall be responsible for ensuring their confidentiality.
2023/03/30
Committee: ENVILIBE
Amendment 801 #
Proposal for a regulation
Article 7 – paragraph 2
2. Where electronic health data of a natural person is registered in a Member State that is not the Member State of affiliation of that person, the Member State of treatment shall ensure that the registration is performed under the person identification data of the natural person in the Member State of affiliation, and shall be responsible for ensuring they remain confidential.
2023/03/30
Committee: ENVILIBE
Amendment 869 #
Proposal for a regulation
Article 10 – paragraph 2 – point o a (new)
(o a) promote public awareness and understanding of the benefits, risks, rules, safeguards and rights in relation to the EHDS system.
2023/03/30
Committee: ENVILIBE
Amendment 874 #
Proposal for a regulation
Article 10 – paragraph 2 a (new)
2 a. Digital health authorities shall assist relevant data protection authorities so as to ensure the protection of individuals’ rights and freedoms with regard to the processing of personal data.
2023/03/30
Committee: ENVILIBE
Amendment 876 #
Proposal for a regulation
Article 10 – paragraph 3
3. The Commission is empowered to adopt delegated acts in accordance with Article 67 to supplement this Regulation by entrusting the digital health authorities with additional tasks necessary to carry out the missions conferred on them by this Regulation and to modify the content of the annual report.
2023/03/30
Committee: ENVILIBE
Amendment 896 #
Proposal for a regulation
Article 11 – paragraph 1
1. Without prejudice to any other administrative or judicial remedy, natural and legal persons shall have the right to lodge a complaint, individually or, where relevant, collectively, with the digital health authority, where their rights laid down in this Regulation are affected. Where the complaint concerns the rights of natural persons pursuant to Article 3 of this Regulation, the digital health authority shall informsend a copy of the complaint to the supervisory authorities under Regulation (EU) 2016/679. The decision of the digital health authority shall not prejudice any measures taken by the data protection authorities within their competences under Regulation (EU) 2016/679.
2023/03/30
Committee: ENVILIBE
Amendment 905 #
Proposal for a regulation
Article 11 a (new)
Article 11 a Right to an effective remedy against a digital health authority 1. Without prejudice to any other administrative or non-judicial remedy, each natural or legal person shall have the right to an effective judicial remedy against a legally binding decision of a digital health authority concerning them. 2. Without prejudice to any other administrative or non-judicial remedy, each natural or legal person shall have the right to an effective judicial remedy where the digital health authority which is competent pursuant to Article 10 does not handle a complaint or does not inform the natural or legal person within three months on the progress or outcome of the complaint lodged pursuant to Article 11. 3. Proceedings against a digital health authority shall be brought before the courts of the Member States where the digital health authority is established.
2023/03/30
Committee: ENVILIBE
Amendment 917 #
Proposal for a regulation
Article 12 – paragraph 4
4. The Commission shall, by means of implementing acts, adopt the necessary measures for the technical development of MyHealth@EU, detailed rules concerning the security, confidentiality and protection of electronic health data and the conditions and compliance checks necessary to join and remain connected to MyHealth@EU and conditions for temporary or definitive exclusion from MyHealth@EU. Those implementing acts shall be adopted in accordance with the advisory procedure referred to in Article 68(2). The European Union Agency for Cyber Security shall be consulted and closely involved in all steps of the procedure. Any measures adopted shall meet the highest technical standards in terms of security, confidentiality and protection of electronic health data.
2023/03/30
Committee: ENVILIBE
Amendment 940 #
Proposal for a regulation
Article 13 – paragraph 3 – subparagraph 1
Member States and the Commission shall seek to ensure interoperability of MyHealth@EU with technological systems established at international level for the exchange of electronic health data. The Commission may adopt an implementing delegated act establishing that a national contact point of a third country or a system established at an international level is compliant with requirements of MyHealth@EU for the purposes of the electronic health data exchange. Before adopting such an implementing delegated act, a compliance check of the national contact point of the third country or of the system established at an international level shall be performed under the control of the Commission, including on whether the health data transfer stemming from such exchange complies with the rules in Chapter V of Regulation (EU) 2016/679.
2023/03/30
Committee: ENVILIBE
Amendment 955 #
Proposal for a regulation
Article 15 – paragraph 1
1. EHR systems may be placed on the market or put into service only ifafter a notified body has confirmed that they comply with the provisions laid down in this Chapter.
2023/03/30
Committee: ENVILIBE
Amendment 1053 #
Proposal for a regulation
Article 26 a (new)
Article 26 a Conformity assessment Before an EHR system may be placed on the market a notified body has to: (1) assess if the EHR system is in conformity with the essential requirements laid down in Annex II; (2) assess if the EHR system is in conformity with the requirements laid down in Regulation... (Cyber Resilience Act COM/2022/457). (3) assess if the technical documentation is available and complete; (4) assess if the EHR system fulfils the requirements of the EU declaration of conformity. Only after EU-wide approval has been issued, the CE marking can be affixed, together with an identification number.
2023/03/30
Committee: ENVILIBE
Amendment 1081 #
Proposal for a regulation
Article 29 – paragraph 1
1. Where a market surveillance authority, or, in cases involving personal data, a supervisory authority under Regulation (EU) 2016/679, finds that an EHR system presents a risk to the health or safety of natural persons, to the protection of personal data or to other aspects of public interest protection, it shall require the manufacturer of the EHR system concerned, its authorised representative and all other relevant economic operators to take all appropriate measures to ensure that the EHR system concerned no longer presents that risk when placed on the market to withdraw the EHR system from the market or to recall it within a reasonable period.
2023/03/30
Committee: ENVILIBE
Amendment 1085 #
Proposal for a regulation
Article 29 – paragraph 3
3. The market surveillance authority shall immediately inform the Commission and the market surveillance authorities, or, where applicable, the supervisory authority under Regulation (EU) 2016/679, shall immediately inform the Commission and the market surveillance authorities, or, if applicable, the supervisory authorities under Regulation (EU) 2016/679, of other Member States of the measures ordered pursuant to paragraph 1. That information shall include all available details, in particular the data necessary for the identification of the EHR system concerned, the origin and the supply chain of the EHR system, the nature of the risk involved and the nature and duration of the national measures taken.
2023/03/30
Committee: ENVILIBE
Amendment 1087 #
Proposal for a regulation
Article 29 – paragraph 4 – subparagraph 1
Manufacturers of EHR systems placed on the market shall report any serious incident involving an EHR system to the market surveillance authorities, or, in cases involving personal data, the supervisory authorities under Regulation (EU) 2016/679 of the Member States where such serious incident occurred and the corrective actions taken or envisaged by the manufacturer.
2023/03/30
Committee: ENVILIBE
Amendment 1089 #
Proposal for a regulation
Article 29 – paragraph 5
5. The market surveillance authorities referred to in paragraph 4 shall inform the other market surveillance authorities, without delay, of the serious incident and the corrective action taken or envisaged by the manufacturer or required of it to minimise the risk of recurrence of the serious incident.
2023/03/30
Committee: ENVILIBE
Amendment 1102 #
Proposal for a regulation
Article 31
Voluntary labelling of wellness 1. Where a manufacturer of a wellness application claims interoperability with an EHR system and therefore compliance with the essential requirements laid down in Annex II and common specifications in Article 23, such wellness application may be accompanied by a label, clearly indicating its compliance with those requirements. The label shall be issued by the manufacturer of the wellness application. 2. The label shall indicate the following information: (a) categories of electronic health data for which compliance with essential requirements laid down in Annex II has been confirmed; (b) reference to common specifications to demonstrate compliance; (c) validity period of the label. 3. The Commission may, by means of implementing acts, determine the format and content of the label. Those implementing acts shall be adopted in accordance with the advisory procedure referred to in Article 68(2). 4. The label shall be drawn-up in one or more official languages of the Union or languages determined by the Member State(s) in which the in which the wellness application is placed on the market. 5. The validity of the label shall not exceed 5 years. 6. If the wellness application is embedded in a device, the accompanying label shall be placed on the device. 2D barcodes may also be used to display the label. 7. The market surveillance authorities shall check the compliance of wellness applications with the essential requirements laid down in Annex II. 8. Each supplier of a wellness application, for which a label has been issued, shall ensure that the wellness application that is placed on the market or put into service is accompanied with the label for each individual unit, free of charge. 9. Each distributor of a wellness application for which a label has been issued shall make the label available to customers at the point of sale in electronic form or, upon request, in physical form. 10. The requirements of this Article shall not apply to wellness applications which are high-risk AI systems as defined under Regulation […] [AI Act COM/2021/206 final].Article 31 deleted applications
2023/03/30
Committee: ENVILIBE
Amendment 1108 #
Proposal for a regulation
Article 31 – paragraph 4
4. The label shall be drawn-up in one or more official languages of the Union or languages determined by, and obligatorily in the language of the Member State(s) in which the in which the wellness application is placed on the market.
2023/03/30
Committee: ENVILIBE
Amendment 1117 #
Proposal for a regulation
Article 32 – paragraph 1
1. The Commission shall establish and maintain a publicly available database with information on EHR systems for which an EU declaration of conformity has been issued pursuant to Articles 26 and wellness applications for which a label has been issued pursuant to Article 3126a.
2023/03/30
Committee: ENVILIBE
Amendment 1128 #
Proposal for a regulation
Article 33 – title
Minimum cCategories of electronic data for secondary use
2023/03/30
Committee: ENVILIBE
Amendment 1139 #
Proposal for a regulation
Article 33 – paragraph 1 – point a
(a) EHRselectronic health data from EHRs, including the categories in Article 5 of this Regulation;
2023/03/30
Committee: ENVILIBE
Amendment 1145 #
Proposal for a regulation
Article 33 – paragraph 1 – point b
(b) data impacting on health, including social, environmental behavioural determinants of health;deleted
2023/03/30
Committee: ENVILIBE
Amendment 1152 #
Proposal for a regulation
Article 33 – paragraph 1 – point c
(c) relevant pathogen genomic data, impacting on human health; , provided that it is rendered anonymous;
2023/03/30
Committee: ENVILIBE
Amendment 1157 #
Proposal for a regulation
Article 33 – paragraph 1 – point d
(d) healthcare-related administrative data, including claims and reimbursement data;
2023/03/30
Committee: ENVILIBE
Amendment 1168 #
(f) person generated electronic health data, including medical devices, wellness applications or other digital health applications;deleted
2023/03/30
Committee: ENVILIBE
Amendment 1178 #
Proposal for a regulation
Article 33 – paragraph 1 – point g
(g) identification data related to health professionals involved in the treatment of a natural person;deleted
2023/03/30
Committee: ENVILIBE
Amendment 1197 #
Proposal for a regulation
Article 33 – paragraph 1 – point l
(l) data from research cohorts, questionnaires and surveys related to health;
2023/03/30
Committee: ENVILIBE
Amendment 1207 #
Proposal for a regulation
Article 33 – paragraph 1 – point n
(n) electronic data related to insurance status, professional status, education, lifestyle, wellness and behaviour data relevant to health;deleted
2023/03/30
Committee: ENVILIBE
Amendment 1223 #
Proposal for a regulation
Article 33 – paragraph 3
3. The electronic health data referred to in paragraph 1 shall cover data processed for the provision of health or care or for public health, research, innovation, policy making, official statistics, patient safety or regulatory purposes, collected by entities and bodies in the health or care sectors, including public and private providers of health or care, entities or bodies performing research in relation to these sectors, and Union institutions, bodies, offices and agencies.deleted
2023/03/30
Committee: ENVILIBE
Amendment 1257 #
Proposal for a regulation
Article 33 – paragraph 5
5. Where the consent of the natural person is required by national law, health data access bodieAn accessible and easily understandable mechanism shall be provided to natural persons, whereby they shall be asked for their consent to have their health data processed for some or all of the purposes of secondary use, by one or more data users. If a natural person does not give explicit consent, their health data shall not be processed for secondary use. Natural persons shall rely otain the obligations laid down in this Chapter to provide access to electronic health data. right to withdraw their consent at any moment. Where data users process electronic health data solely on the basis of consent within the meaning of Article 4(11) of Regulation (EU) 2016/679, the scope of all possible processing should be determined by the scope of the prior obtained consent.
2023/03/30
Committee: ENVILIBE
Amendment 1271 #
Proposal for a regulation
Article 33 – paragraph 7
7. The Commission is empowered to adopt delegated acts in accordance with Article 67 to amend the list in paragraph 1 to adapt it to the evolution of available electronic health data.
2023/03/30
Committee: ENVILIBE
Amendment 1280 #
Proposal for a regulation
Article 33 – paragraph 8
8. Health data access bodies may provide access to additional categories of electronic health data that they have been entrusted with pursuant to national law or based on voluntary cooperation with the relevant data holders at national level, in particular to electronic health data held by private entities in the health sector.deleted
2023/03/30
Committee: ENVILIBE
Amendment 1288 #
Proposal for a regulation
Article 34 – paragraph 1 – introductory part
1. Health data access bodies shall only provide access to electronic health data referred to in Article 33 where the intended purpose ofto a health data user where the processing pursuedof the data by the applicant complies withis necessary for one of the following purposes, in accordance with Article 6(1)(c) and Article 9(2)(g), (h), (i) and (j) of Regulation (EU) 2016/679:
2023/03/30
Committee: ENVILIBE
Amendment 1294 #
Proposal for a regulation
Article 34 – paragraph 1 – point a
(a) activities for reasons of public interest in the area of public and occupational health, such asthe protection against serious cross- border threats to health, public health surveillance orand ensuring high levels of quality and safety of healthcare and of medicinal products or medical devices;
2023/03/30
Committee: ENVILIBE
Amendment 1299 #
Proposal for a regulation
Article 34 – paragraph 1 – point b
(b) to support public sector bodies or Union institutions, agencies and bodies including regulatory authorities, in the health or care sector to carry out their tasks defined in their mandates, where processing is necessary for reasons of substantial public interest;
2023/03/30
Committee: ENVILIBE
Amendment 1309 #
Proposal for a regulation
Article 34 – paragraph 1 – point d
(d) education or teaching activities in health or care sectors;deleted
2023/03/30
Committee: ENVILIBE
Amendment 1315 #
Proposal for a regulation
Article 34 – paragraph 1 – point e
(e) scientific research related to health or care sectors, contributing to public health or social security, or ensuring high levels of quality and safety of health care, of medicinal products or of medical devices;
2023/03/30
Committee: ENVILIBE
Amendment 1319 #
Proposal for a regulation
Article 34 – paragraph 1 – point f
(f) development and innovation activities for products or services contributing to public health or social security, or ensuring high levels of quality and safety of health care, of medicinal products or of medical devices;deleted
2023/03/30
Committee: ENVILIBE
Amendment 1332 #
Proposal for a regulation
Article 34 – paragraph 1 – point g
(g) training, testing and evaluating of algorithms, including in medical devices, AI systems and digital health applications, contributing to the public health or social security, or ensuring high levels of quality and safety of health care, of medicinal products or of medical devices;deleted
2023/03/30
Committee: ENVILIBE
Amendment 1348 #
Proposal for a regulation
Article 34 – paragraph 1 – point h
(h) providing personalised healthcare consisting in assessing, maintaining or restoring the state of health of natural persons, based on the health data of other natural persons.
2023/03/30
Committee: ENVILIBE
Amendment 1354 #
Proposal for a regulation
Article 34 – paragraph 2
2. Access to electronic health data referred to in Article 33 where the intended purpose of processing pursued by the applicant fulfils one of the purposes referred to in points (a) to (c) of paragraph 1 shall only be granted to public sector bodies and Union institutions, bodies, offices and agencies exercising their tasks conferred to them by Union or national law, including where processing of data for carrying out these tasks is done by a third party on behalf of that public sector body or of Union institutions, agencies and bodies, meaning that the provisions of the GDPR must be respected.
2023/03/30
Committee: ENVILIBE
Amendment 1356 #
Proposal for a regulation
Article 34 – paragraph 2 a (new)
2 a. In accordance with Article 21(6) of Regulation (EU) 2016/679, where personal data are processed for statistical or scientific research purposes as referred to in points (c), (e) and (h) of paragraph 1, the data subject, on grounds relating to his or her particular situation, shall have the right to object to processing of personal data concerning him or her, unless the processing is necessary for the performance of a task carried out for reasons of public interest.
2023/03/30
Committee: ENVILIBE
Amendment 1373 #
Proposal for a regulation
Article 35 – paragraph 1 – point a
(a) taking any decisions detrimental related to a natural person based on their electronic health data; in order to qualify as “decisions”, they must produce legal effects or similarly significantly affect those natural persons;
2023/03/30
Committee: ENVILIBE
Amendment 1379 #
Proposal for a regulation
Article 35 – paragraph 1 – point b
(b) taking decisions in relation to a natural person or groups of natural persons to exclude them from the benefit of an insurance or credit contract or to modify their contributions and insurance premiums or durations of loans;
2023/03/30
Committee: ENVILIBE
Amendment 1385 #
Proposal for a regulation
Article 35 – paragraph 1 – point c
(c) advertising or marketing activities towards health professionals, organisations in health or natural persons;
2023/03/30
Committee: ENVILIBE
Amendment 1399 #
Proposal for a regulation
Article 35 – paragraph 1 – point e a (new)
(e a) calculating reimbursement, costs or expenditures relating to healthcare provision to be borne by natural persons, private or public insurance, or public bodies, including, but not limited to, the development and amendment of healthcare provider payment systems;
2023/03/30
Committee: ENVILIBE
Amendment 1413 #
Proposal for a regulation
Article 35 – paragraph 1 – point e b (new)
(e b) automated individual decision- making, including profiling, in accordance with Article 22 of the Regulation (EU) 2016/679.
2023/03/30
Committee: ENVILIBE
Amendment 1435 #
Proposal for a regulation
Article 36 – paragraph 2
2. Member States shall ensure that each health data access body is provided with the human, technical and financial resources, premises and infrastructure necessary for the effective performance of its tasks and the exercise of its powers, including for the pseudonymisation of the electronic health data.
2023/03/30
Committee: ENVILIBE
Amendment 1438 #
Proposal for a regulation
Article 36 – paragraph 2 a (new)
2 a. The Commission shall be empowered to adopt delegated acts for the provision of a uniform pseudonymisation procedure.
2023/03/30
Committee: ENVILIBE
Amendment 1450 #
Proposal for a regulation
Article 36 – paragraph 3
3. In the performance of their tasks, health data access bodies shall actively cooperate with stakeholders’ representatives, especially with representatives of patients, data holders and data users. Staff of health data access bodies shall avoid any conflicts of interest. Health data access bodies shall not be bound by any instructions, when making their decisions. Health data access bodies shall actively cooperate with the relevant bodies or authorities responsible for the application of EU and national data protection legislation.
2023/03/30
Committee: ENVILIBE
Amendment 1484 #
Proposal for a regulation
Article 37 – paragraph 1 – point i
(i) support the development of AI systems, the training, testing and validating of AI systems and the development of harmonised standards and guidelines under Regulation […] [AI Act COM/2021/206 final] for the training, testing and validation of AI systems in health;deleted
2023/03/30
Committee: ENVILIBE
Amendment 1491 #
Proposal for a regulation
Article 37 – paragraph 1 – point j
(j) cooperate with and supervise data holders to, assist them in order to ensure respect of data subjects' consent as referred to in Article 33(5), and ensure the consistent and accurate implementation of the data quality and utility label set out in Article 56;
2023/03/30
Committee: ENVILIBE
Amendment 1545 #
Proposal for a regulation
Article 38 – paragraph 1 – point c
(c) the applicable rights of natural persons in relation to secondary use of electronic health data, including the rights laid down in Chapter III of Regulation (EU) 2016/679;
2023/03/30
Committee: ENVILIBE
Amendment 1549 #
Proposal for a regulation
Article 38 – paragraph 1 – point d a (new)
(d a) the identity and the contact details of the health data access body and, where applicable, other information required pursuant to Article 13(1), point (a), of Regulation (EU) 2016/679.
2023/03/30
Committee: ENVILIBE
Amendment 1551 #
Proposal for a regulation
Article 38 – paragraph 1 – point e a (new)
(e a) the record on who has been granted access to which sets of electronic health data and a justification regarding the purposes for processing them as referred to in Article 34(1), Union and national law.
2023/03/30
Committee: ENVILIBE
Amendment 1555 #
Proposal for a regulation
Article 38 – paragraph 2
2. Health data access bodies shall not be obliged to provide the specific information under Article 14 of Regulation (EU) 2016/679 to each natural person concerning the use of their data for projects subject to a data permit and shall provide general public information on all the data permits issued pursuant to Article 46.deleted
2023/03/30
Committee: ENVILIBE
Amendment 1581 #
Proposal for a regulation
Article 38 a (new)
Article 38 a Right to lodge a complaint with a health data access body 1. Without prejudice to any other administrative or judicial remedy, natural and legal persons shall have the right to lodge a complaint, individually or, where relevant, collectively, with the health data access body, where their rights laid down in this Regulation are affected. Where the complaint concerns the rights of natural persons pursuant to Article 38(1), point (d), of this Regulation, the health data access body shall inform and send a copy of the complaint to the supervisory authorities under Regulation (EU) 2016/679. 2. The health data access body with which the complaint has been lodged shall inform the complainant of the progress of the proceedings and of the decision taken. 3. Health data access body shall cooperate to handle and resolve complaints, including by exchanging all relevant information by electronic means, without undue delay.
2023/03/30
Committee: ENVILIBE
Amendment 1585 #
Proposal for a regulation
Article 38 b (new)
Article 38 b Right to an effective remedy against a health data access body 1. Without prejudice to any other administrative or non-judicial remedy, each natural or legal person shall have the right to an effective judicial remedy against a legally binding decision of a health data access body concerning them. 2. Without prejudice to any other administrative or non-judicial remedy, each natural or legal person shall have the right to an effective judicial remedy where the health data access body which is competent pursuant to Article 37 does not handle a complaint or does not inform the natural or legal person within three months on the progress or outcome of the complaint lodged pursuant to Article 38a. 3. Proceedings against a health data access body shall be brought before the courts of the Member State where the health data access body is established.
2023/03/30
Committee: ENVILIBE
Amendment 1602 #
Proposal for a regulation
Article 39 – paragraph 3
3. The Commission is empowered to adopt delegated acts in accordance with Article 67 to modify the content of the annual activity report.
2023/03/30
Committee: ENVILIBE
Amendment 1693 #
Proposal for a regulation
Article 44 – paragraph 1
1. The health data access body shall ensure that access is only provided to requested electronic health data that is necessary and relevant for the purpose of processing indicated in the data access application by the data user and in line with the data permit granted.
2023/03/30
Committee: ENVILIBE
Amendment 1714 #
Proposal for a regulation
Article 44 – paragraph 3
3. Where the purpose of the data user’s processing cannot be achieved with anonymised data, taking into account the information provided by the data user, the health data access bodies shall provide access to electronic health data in pseudonymised format. The information necessary to reverse the pseudonymisation shall be available only to the health data access body. Data users shall not re- identify the electronic health data provided to them in pseudonymised format. The data user’s failure to respect the health data access body’s measures ensuring anonymisation and pseudonymisation shall be subject to appropriate penalties.
2023/03/30
Committee: ENVILIBE
Amendment 1717 #
Proposal for a regulation
Article 44 – paragraph 3 a (new)
3 a. Taking into account the state of the art and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the health data access body shall apply appropriate anonymisation or pseudonymisation techniques to ensure a high level of security, appropriate to the risk of re-identification.
2023/03/30
Committee: ENVILIBE
Amendment 1728 #
Proposal for a regulation
Article 45 – paragraph 2 – point -a (new)
(-a) a description of the applicant's identity, professional function and operation, including the identity of who will have access to the electronic health data;
2023/03/30
Committee: ENVILIBE
Amendment 1729 #
Proposal for a regulation
Article 45 – paragraph 2 – point -a a (new)
(-a a) a data protection impact assessment pursuant to Article 35 of Regulation (EU) 2016/679, unless the data access application only concerns aggregated data that makes the re- identification of a natural person impossible;
2023/03/30
Committee: ENVILIBE
Amendment 1730 #
Proposal for a regulation
Article 45 – paragraph 2 – point a
(a) a detailed explanation of the intended use of the electronic health data, including for which of: (i) the purposes referred to in Article 34(1) access is sought; 9(2), points (i) and (j), of Regulation (EU) 2016/679, combined with Article 34(1); (ii) demonstrable evidence that the stated purpose is of public interest.
2023/03/30
Committee: ENVILIBE
Amendment 1743 #
Proposal for a regulation
Article 45 – paragraph 2 – point c
(c) an indication whether electronic health data shouldneed to be made available in an anonymised form pseudonymised format and the reason why the envisaged purpose for processing cannot be pursued using anonymised data;
2023/03/30
Committee: ENVILIBE
Amendment 1745 #
Proposal for a regulation
Article 45 – paragraph 2 – point d
(d) where applicable, an explanation of the reasons for seeking access to electronic health data in a pseudonymised format;deleted
2023/03/30
Committee: ENVILIBE
Amendment 1747 #
Proposal for a regulation
Article 45 – paragraph 2 – point e
(e) a description of the safeguards planned to prevent any other use or any misuse of the electronic health data, including the re-identification of natural persons in the dataset;
2023/03/30
Committee: ENVILIBE
Amendment 1769 #
Proposal for a regulation
Article 45 – paragraph 4 – point a
(a) a description of how the processing would comply with Article 6(1) ofapplicable Union and national law on data protection and privacy, notably Regulation (EU) 2016/679 and, where relevant, Regulation (EU) 2016/6798/1725;
2023/03/30
Committee: ENVILIBE
Amendment 1777 #
Proposal for a regulation
Article 45 – paragraph 4 – point b
(b) information on the assessment of ethical aspects of the processing, where applicable and in line with national law.
2023/03/30
Committee: ENVILIBE
Amendment 1787 #
Proposal for a regulation
Article 46 – paragraph 1
1. Health data access bodies shall assess if the application fulfils one of the purposes listed ingrant access to electronic health data only if the application fulfils all of the following criteria: (a) the purposes described in the data access application correspond to at least one of the purposes listed in Article 9(2) of Regulation (EU) 2016/679, combined with Article 34(1) of this Regulation, if; (b) the requested data is necessary and relevant for the purpose listdescribed in the application and if the requirements in this Chapter are fulfilldata access application; (c) the processing complies with applicable Union and national data protection law. The health data access bodies shall consult the relevant data protection authorities on this matter; (d) the information provided byin the applicant. If that is the case, the health data access body shall issue a data permit. tion demonstrates sufficient safeguards to protect the rights and interests of the data holder and of the natural persons concerned and to prevent any other use or misuse of the data, including the re-identification of natural persons.
2023/03/30
Committee: ENVILIBE
Amendment 1805 #
Proposal for a regulation
Article 46 – paragraph 2
2. Health data access bodies shall refuse all applications including one or more purposes listed in Article 35 or where requirements in this Chapter are not met, all applications that do not fulfill the criteria referred to in paragraph 1 or where requirements in this Chapter are not met. The data authorisation shall not be granted for personal electronic health data where the data subject has not given consent pursuant to Article 33(5).
2023/03/30
Committee: ENVILIBE
Amendment 1818 #
Proposal for a regulation
Article 46 – paragraph 3
3. A health data access body shall issue or refuse a data permit within 2 months of receiving the data access application. By way of derogation from that Regulation […] [Data Governance Act COM/2020/767 final], the health data access body may extend the period for responding to a data access application by 2 additional months where necessary, taking into account the complexity of the request. In such cases, the health data access body shall notify the applicant as soon as possible that more time is needed for examining the application, together with the reasons for the delay. Where a health data access body fails to provide a decision within the time limit, the data permit shall be issued.
2023/03/30
Committee: ENVILIBE
Amendment 1822 #
Proposal for a regulation
Article 46 – paragraph 3 a (new)
3 a. The supervisory authorities under Regulation (EU) 2016/679 and Regulation (EU) 2018/1725 shall have the possibility to scrutinise and, if necessary, overturn any data permit request issued by a health data access body, in line with the powers conferred to them by the respective Regulations.
2023/03/30
Committee: ENVILIBE
Amendment 1838 #
Proposal for a regulation
Article 46 – paragraph 7
7. Data users shall have the right to access and process the electronic health data in accordance with the data permit delivered to them on the basis of this Regulation only after they have demonstrated the effective implementation of their security measures referred to in Article 45(2), points (e) and (f).
2023/03/30
Committee: ENVILIBE
Amendment 1842 #
Proposal for a regulation
Article 46 – paragraph 9
9. A data permit shall be issued for the duration necessary to fulfil the requested purposes which shall not exceed 5 years. This duration may be extended once, at the request of the data user, based on arguments and documents to justify this extension provided, 1 month before the expiry of the data permit, for a period which cannot exceed 5 years. By way of derogation from Article 42, the health data access body may charge increasing fees to reflect the costs and risks of storing electronic health data for a longer period of time exceeding the initial 5 years. In order to reduce such costs and fees, the health data access body may also propose to the data user to store the dataset in storage system with reduced capabilities. The data within the secure processing environment shall be deleted within 6 months followingimmediately after the expiry of the data permit. Upon request of the data user, the formula on the creation of the requested dataset shall be stored by the health data access body.
2023/03/30
Committee: ENVILIBE
Amendment 1855 #
Proposal for a regulation
Article 46 – paragraph 12
12. Data users shall inform the health data access body of any clinically significant findings that may influence the health status of the natural persons whose data are included in the dataset and where natural persons have explicitly given their consent.
2023/03/30
Committee: ENVILIBE
Amendment 1878 #
Proposal for a regulation
Article 48 – paragraph 1
By derogation from Article 46 of this Regulation, a data permit shall not be required to access the electronic health data under this Article. When carrying out those tasks under Article 37 (1), points (b) and (c), the health data access body shall inform public sector bodies and the Union institutions, offices, agencies and bodies, about the availability of data within 2 months of the data access application, in accordance with Article 9 of Regulation […] [Data Governance Act COM/2020/767 final]. By way of derogation from that Regulation […] [Data Governance Act COM/2020/767 final ], the health data access body may extend the period by 2 additional months where necessary, taking into account the complexity of the request. The health data access body shall make available the electronic health data to the data user within 2 months after receiving them from the data holders, unless it specifies that it will provide the data within a longer specified timeframe.deleted
2023/04/05
Committee: ENVILIBE
Amendment 1889 #
Proposal for a regulation
Article 49
Access to electronic health data from a 1. access to electronic health data only from a single data holder in a single Member State, by way of derogation from Article 45(1), that applicant may file a data access application or a data request directly to the data holder. The data access application shall comply with the requirements set out in Article 45 and the data request shall comply with requirements in Article 47. Multi-country requests and requests requiring a combination of datasets from several data holders shall be addressed to health data access bodies. 2. issue a data permit in accordance with Article 46 or provide an answer to a data request in accordance with Article 47. The data holder shall then provide access to the electronic health data in a secure processing environment in compliance with Article 50 and may charge fees in accordance with Article 42. 3. 51, the single data provider and the data user shall be deemed joint controllers. 4. shall inform the relevant health data access body by electronic means of all data access applications filed and all the data permits issued and the data requests fulfilled under this Article in order to enable the health data access body to fulfil its obligations under Article 37(1) and Article 39.rticle 49 deleted single data holder Where an applicant requests In such case, the data holder may By way of derogation from Article Within 3 months the data holder
2023/04/05
Committee: ENVILIBE
Amendment 1908 #
2. The health data access bodies shall ensure that electronic health data from data holders in the format determined by the data permit can be uploaded by data holders and can be accessed by the data user in a secure processing environment. The data users shall only be able to download non- personal electronic health data from the secure processing environment.
2023/04/05
Committee: ENVILIBE
Amendment 1919 #
Proposal for a regulation
Article 51 – paragraph 1
1. The health data access bodies and the data users, including Union institutions, bodies, offices and agencies,data holder shall be deemed controller for the disclosure of the requested personal electronic health data to the health data access body pursuant to Article 33(1). The health data access body shall be deemed controller for the processing of the personal electronic health data when fulfilling its tasks pursuant to Article 37(1), point (d). The data user shall be deemed joint controllers of electronic health data processed in accordance with data permi for the processing of personal electronic health data in pseudonymised form in the secure processing environment pursuant to the data permit. The health data access body shall act as a processor for the health data user's processing pursuant to a data permit in the secure processing environment.
2023/04/05
Committee: ENVILIBE
Amendment 1924 #
Proposal for a regulation
Article 51 – paragraph 2
2. The Commission shall, by means of implementing acts, establish a template for the joint controllers’ arrangement that meets the requirements laid down in Article 28(3) of Regulation (EU) 2016/679. Those implementing acts shall be adopted in accordance with the advisory procedure set out in Article 68(2).
2023/04/05
Committee: ENVILIBE
Amendment 1936 #
Proposal for a regulation
Article 52 – paragraph 5
5. Third countries or international organisations may become authorised participants where they comply with the rules of Chapter IV of this Regulation, the transfer stemming from such connection complies with the rules in Chapter V of Regulation (EU) 2016/679 and provide access to data users located in the Union, on equivalent terms and conditions, to the electronic health data available to their health data access bodies. The Commission may adopt implementing acts establishing that a national contact point of a third country or a system established at an international level is compliant with requirements of HealthData@EU for the purposes of secondary use of health data, is compliant with the Chapter IV of this Regulation and Chapter V of Regulation (EU) 2016/679 and provides access to data users located in the Union to the electronic health data it has access to on equivalent terms and conditions. The compliance with these legal, organisational, technical and security requirements, including with the standards for secure processing environments pursuant to Article 50 shall be checked under the control of the Commission. These implementing acts shall be adopted in accordance with the advisory procedure referred to in Article 68 (2). The Commission shall make the list of implementing acts adopted pursuant to this paragraph publicly available.
2023/04/05
Committee: ENVILIBE
Amendment 1938 #
Proposal for a regulation
Article 52 – paragraph 8
8. The Member States and the Commission shall set up HealthData@EU to support and facilitate the cross-border access to electronic health data for secondary use, connecting the national contact points for secondary use of electronic health data of all Member States and authorised participants in that infrastructure. HealthData@EU shall be a non-proprietary software product developed in an open and transparent process.
2023/04/05
Committee: ENVILIBE
Amendment 1988 #
Proposal for a regulation
Article 60 – paragraph 2 a (new)
2a. Public procurers, national competent authorities, including digital health authorities and health data access bodies, and the Commission shall require, as a condition to procure or fund services provided by controllers and processors established in the Union processing personal electronic health data, that such controllers and processors: (a) will store this data in the Union, in accordance with Article 60a of this Chapter, and (b) have duly demonstrated that they are not subject to third country legislation conflicting with Union data protection rules.
2023/04/05
Committee: ENVILIBE
Amendment 1990 #
Proposal for a regulation
Article 60 a (new)
Article 60a Storage of electronic health data For the purposes of primary and secondary use of electronic health data, Member States shall ensure that the storage, processing and analysis of electronic health data shall be carried out exclusively within a secure location or locations within the territory of the Union, without prejudice to the possibility to transfer personal electronic health data in compliance with Chapter V of Regulation (EU) 2016/679.
2023/04/05
Committee: ENVILIBE
Amendment 1994 #
Proposal for a regulation
Article 61 – paragraph 1
1. Non-personal electronic data made available by health data access bodies, that are based on a natural person’s electronic data falling within one of the categories of Article 33 [(a), (e), (f), (i), (j), (k), (m)] shall be deemed highly sensitive within the meaning of Article 5(13) of Regulation […] [Data Governance Act COM/2020/767 final], provided that their transfer to third countries presents a risk of re-identification through means going beyond those likely reasonably to be used, in view of the limited number of natural persons involved in that data, the fact that they are geographically scattered or the technological developments expected in the near future.
2023/04/05
Committee: ENVILIBE
Amendment 2004 #
Proposal for a regulation
Article 61 – paragraph 2
2. The protective measures for the categories of data mentioned in paragraph 1 shall depend on the nature of the data and anonymization techniques and shall be detailed in the Delegated Act under the empowerment set out in Article 5(13) of Regulation […] [Data Governance Act COM/2020/767 final].
2023/04/05
Committee: ENVILIBE
Amendment 2018 #
Proposal for a regulation
Article 63 – paragraph 1
In the context of international access and transfer of personal electronic health data, shall be granted in accordance with Chapter V of Regulation (EU) 2016/679. Member States may maintain or introduce further conditions, including limitations, in accordance with and under the conditions of article 9(4) of the Regulation (EU) 2016/679.
2023/04/05
Committee: ENVILIBE
Amendment 2020 #
Proposal for a regulation
Article 63 – paragraph 1 a (new)
Access to electronic health data for entities from third countries, for secondary use purposes, shall be possible only if the third country where an entity is established, allows access to health data of its residents for entities from the Union.
2023/04/05
Committee: ENVILIBE
Amendment 2029 #
Proposal for a regulation
Article 64 – paragraph 1
1. A European Health Data Space Board (EHDS Board) is hereby established to facilitate cooperation and the exchange of information among Member States. The EHDS Board shall be composed of the high level representatives of digital health authorities and health data access bodies of all the Member States and of the European Data Protection Board and the European Data Protection Supervisor. Other national authorities, including market surveillance authorities referred to in Article 28, European Data Protection Board and European Data Protection Supervisor may be invited to the meetings, where the issues discussed are of relevance for them. The Board may also invite experts and observers to attend its meetings, and may cooperate with other external experts as appropriate. Other Union institutions, bodies, offices and agencies, research infrastructures and other similar structures shall have an observer role.
2023/04/05
Committee: ENVILIBE
Amendment 2049 #
Proposal for a regulation
Article 65 – paragraph 1 – point b – point iii
(iii) other aspects of the primary use of electronic health data, with the exception of all matters related to personal data protection.
2023/04/05
Committee: ENVILIBE
Amendment 2060 #
Proposal for a regulation
Article 65 – paragraph 2 – point b – point vi
(vi) other aspects of the secondary use of electronic health data, with the exception of all matters related to personal data protection.
2023/04/05
Committee: ENVILIBE
Amendment 2082 #
Proposal for a regulation
Article 67 – paragraph 4
4. Before adopting a delegated act, the Commission shall consult experts designated by each Member State in accordance with the principles laid down in the Inter-institutional Agreement of 13 April 2016 on Better Law-Making. In accordance with Article 42 of Regulation (EU) 2018/1725, the Commission shall consult the European Data Protection Board and European Data Protection Supervisor where the delegated acts concern data protection.
2023/04/05
Committee: ENVILIBE
Amendment 2090 #
Proposal for a regulation
Article 69 – paragraph 1
Member States shall lay down the rules on penalties applicable to infringements of this Regulation and shall take all measures necessary to ensure that they are implemented. The penalties shall be effective, proportionate and dissuasive. Member States shall notify the Commission of those rules and measures by date of application of this Regulation and shall notify the Commission without delay of any subsequent amendment affecting them. Penalties shall cover infringements not addressed by Regulation (EU) 2017/745, Regulation (EU) 2017/746, Regulation (EU) No 536/2014 and Regulation (EU) 2016/679 and shall depend on the circumstances of each individual case. When deciding whether to impose a penalty and deciding on the amount of the penalty in each individual case, due regard shall be given to the criteria stated in Article 83(2) of Regulation (EU) 2016/679, where applicable.
2023/04/05
Committee: ENVILIBE
Amendment 2094 #
Proposal for a regulation
Article 69 a (new)
Article 69a Right to an effective judicial remedy against a controller or processor In accordance with Article 79 of Regulation (EU) 2016/679, without prejudice to any available administrative or non-judicial remedy, including the right to lodge a complaint with a digital health authority pursuant to Article 11 or with a health data access body pursuant to Article 38a, each natural person shall have the right to an effective judicial remedy where he or she considers that his or her rights under this Regulation have been infringed as a result of the processing of his or her personal data in non-compliance with the Regulation.
2023/04/05
Committee: ENVILIBE
Amendment 2097 #
Proposal for a regulation
Article 69 b (new)
Article 69b Right to receive compensation Any person who has suffered material or non-material damage as a result of an infringement of this Regulation shall have the right to receive compensation, in accordance with national and Union law.
2023/04/05
Committee: ENVILIBE
Amendment 2101 #
Proposal for a regulation
Article 70 – paragraph 1
1. After 5 years from the entry into force of this Regulation, the Commission shall carry out a targeted evaluation of this Regulation especially with regards to Chapters III and IV, and submit a report on its main findings to the European Parliament and to the Council, the European Economic and Social Committee and the Committee of the Regions, accompanied, where appropriate, by a proposal for its amendment. The evaluation shall include an assessment of the self-certification of EHR systems and reflect on the need to introduce a conformity assessment procedure performed by notified bodies.
2023/04/05
Committee: ENVILIBE
Amendment 2108 #
Proposal for a regulation
Article 70 a (new)
Article 70a Amendments to Directive 2020/1828/EC In the Annex of Directive (EU) 2020/1828, the following point is added: (XX) Regulation (EU) XXX of the European Parliament and of the Council on the European Health Data Space.
2023/04/05
Committee: ENVILIBE