Activities of Angelika NIEBLER related to 2022/0140(COD)
Plenary speeches (1)
European Health Data Space (debate)
Amendments (262)
Amendment 49 #
Proposal for a regulation
Recital 1
Recital 1
(1) Whereas: The aim of this Regulation is to establish the European Health Data Space (‘EHDS’) in order to improve access to and control by natural persons over their personal electronic health data in the context of healthcare (primary use of electronic health data), as well as for other purposes in the health sector that would benefit the society such as research, innovation, policy-making, patient safety, personalised medicine, official statistics or regulatory activities (secondary use of electronic health data). In addition, the goal is to improve the functioning of the internal market by laying down a uniform legal framework in particular for the development, marketing and use of electronic health record systems (‘EHR systems’) in conformity with Union values.
Amendment 67 #
(37) For the secondary use of the, not requiring consent, of certain clinical data for health-related research, innovation, policy making, regulatory purposes, patient safety or the treatment of other natural persons, the possibilities offered by Regulation (EU) 2016/679 for a Union law should be used as a basis and rules and mechanisms and providing suitable and specific measures to safeguard the rights and freedoms of the natural persons. This Regulation provides the legal basis in accordance with Articles 9(2) (g), (h), (i) and (j) of Regulation (EU) 2016/679 for the secondary use of, not requiring consent, of certain health data, establishing the safeguards for processing, in terms of lawful purposes, trusted governance for providing access to that health data (through health data access bodies) and processing in a secure environment, as well as modalities for data processing, set out in the data permit. At the same time, the data applicant should demonstrate a legal basis pursuant to Article 6 of Regulation (EU) 2016/679, based on which they could request access to data pursuant to this Regulation and should fulfil the conditions set out in Chapter IV. More specifically: for processing of certain electronic health data held by the data holder pursuant to this Regulation, this Regulation, in certain cases, creates the legal obligation in the sense of Article 6(1) point (c) of Regulation (EU) 2016/679 for disclosing theat data, for secondary use, by the data holder to health data access bodies, while the legal basis for the purpose of the initial processing (e.g. delivery of care) is unaffected. This Regulation also meets the conditions for such processing pursuant to Articles 9(2) (h),(i),(j) of the Regulation (EU) 2016/679. This Regulation assigns tasks in the public interest to the bodies involved in health data access bodies (running the secure processing environment, processing data before they are used, etc.) in the sense of Article 6(1)(e) of Regulation (EU) 2016/679 to the health data access bodies, and meets the requirements of Article 9(2)(h),(i),(j) of the Regulation (EU) 2016/679. This applies equally to the activities of the application processing body that examines and, where appropriate, approves data access applications by data users, without storing health data itself, and to the activities of the pseudonymisation body that pseudonymises the electronic health data prior to storage at health data access bodies. Therefore, in this case, this Regulation provides the legal basis under Article 6 and meets the requirements of Article 9 of that Regulation on the conditions under which certain electronic health data can be processed. In the case where the user has access to electronic health data (for secondary use of data for one of the purposes defined in this Regulation), the data user should demonstrate its legal basis pursuant to Articles 6(1), points (e) or (f), of Regulation (EU) 2016/679 and explain the specific legal basis on which it relies as part of the application for access to electronic health data pursuant to this Regulation: on the basis of the applicable legislation, where the legal basis under Regulation (EU) 2016/679 is Article 6(1), point (e), or on Article 6(1), point (f), of Regulation (EU) 2016/679. If the user relies upon a legal basis offered by Article 6(1), point (e), it should make reference to another EU or national law, different from this Regulation, mandating the user to process personal health data for the compliance of its tasks. If the lawful ground for processing by the user is Article 6(1), point (f), of Regulation (EU) 2016/679, in this case it is this Regulation that provides the safeguards. In this context, the data permits issued by the health data acapplication processing bodies are an administrative decision defining the conditions for the access to the data.
Amendment 74 #
Proposal for a regulation
Recital 41
Recital 41
(41) The secondary use of health data under EHDS should enable the public, private, not for profit entities, as well as individual researchers to have access to health data for research, innovation, policy making, educational activities, patient safety, regulatory activities or personalised medicine, in line with the purposes set out in this Regulation. Access to data for secondary use should contribute to the general interest of the society. Activities for which access in the context of this Regulation is lawful may include using the electronic health data for tasks carried out by public bodies, such as exercise of public duty, including public health surveillance, planning and reporting duties, health policy making, ensuring patient safety, quality of care, and the sustainability of health care systems. Public bodies and Union institutions, bodies, offices and agencies may require to have regular access to electronic health data for an extended period of time, including in order to fulfil their mandate, which is provided by this Regulation. Public sector bodies may carry out such research activities by using third parties, including sub-contractors, as long as the public sector body remain at all time the supervisor of these activities. The provision of the data should also support activities related to scientific research (including private research), development and innovation, producing goods and services for the health or care sectors, such as innovation activities or training of AI algorithms that could protect the health or care of natural persons. In some cases, the information of some natural persons (such as genomic information of natural persons with a certain disease) could support the diagnosis or treatment of other natural persons. There is a need for public bodies to go beyond the emergency scope of Chapter V of Regulation […] [Data Act COM/2022/68 final]. However, the public sector bodies may request the support of health data access bodies for processing or linking data. This Regulation provides a channel for public sector bodies to obtain access to information that they require for fulfilling their tasks assigned to them by law, but does not extend the mandate of such public sector bodies. Any attempt to use the data for any measures detrimental to the natural person, to increase insurance premiums, to advertise products or treatments, or develop harmful products should be prohibited.
Amendment 77 #
Proposal for a regulation
Recital 42
Recital 42
(42) The establishment of one or moreIn order to increase the level of data protection and citizens' trust in connection with the secondary use of data, health data acprocess bodies, supporting access to electronic health data in Member States, is an essential component for promoting the secondary use of health-related dataing steps should be divided up among legally distinct entities, i.e. different bodies for (i) the pseudonymisation of health data (‘pseudonymisation bodies’), (ii) the storage and processing of health data (‘health data access bodies’) and (iii) health data access applications (‘application processing bodies’). Member States should therefore establish one or more health data access bodysuch bodies in each case, for instance to reflect their constitutional, organisational and administrative structure. However, one of these bodies involved in health data access bodies should be designated as a coordinator for Union-wide cooperation in case there are more than one data access body. Where a Member State establishes several such bodies, it should lay down rules at national level to ensure the coordinated participation of those bodies in the EHDS Board. That Member State should in particular designate one health data access body to function as a single contact point for the effective participation of those bodies, and ensure swift and smooth cooperation with other bodies involved in health data access bodies, the EHDS Board and the Commission. HThe bodies involved in health data access bodies may vary in terms of organisation and size (spanning from a dedicated full-fledged organization to a unit or department in an existing organization or private bodies) but should have the same functions, responsibilities and capabilities. Health data acApplication processing bodies should not be influenced in their decisions on access to electronic data for secondary use. However, their independence should not mean that the health data acapplication processing bodyies cannot be subject to control or monitoring mechanisms regarding its financial expenditure or to judicial review. Each health data acapplication processing body should be provided with the necessary financial and human resources, premises and infrastructure necessary, and any private application processing body should be reimbursed the necessary appropriate level of expenditure, for the effective performance of its tasks, including those related to cooperation with other bodies involved in health data access bodies throughout the Union. Each health data access bodyAll bodies involved in the secondary use of health data should have a separate, public annual budget, which may be part of the overall state or national budget. In order to enable better access to health data and complementing Article 7(3) of Regulation […] of the European Parliament and of the Council [Data Governance Act COM/2020/767 final], Member States should entrust health data access bodies with powers to take decisions on access to and secondary use of health data. This could consist in allocating new tasks toWith regard to application processing bodies, a certification system should be set up to ensure their competent bodies designated by Member States under Article 7(1) of Regulation […] [Data Governance Act COM/2020/767 final] or in designating existing or new sectoral bodies responsible for such tasks in relation to access to health datace and uniform assessment standards for data use applications.
Amendment 79 #
Proposal for a regulation
Recital 43
Recital 43
(43) The health data accessSupervisory bodies should monitor the application of Chapter IV of this Regulation and contribute to its consistent application throughout the Union. For that purpose, the health data accesssupervisory bodies should cooperate with each other and with the Commission, without the need for any agreement between Member States on the provision of mutual assistance or on such cooperation. The health data accessSupervisory bodies should also cooperate with stakeholders, including patient organisations. Since the secondary use of health data involves the processing of personal data concerning health, the relevant provisions of Regulation (EU) 2016/679 apply and the supervisory authorities under Regulation (EU) 2016/679 and Regulation (EU) 2018/1725 should be tasked with enforcing these rules. Moreover, given that health data are sensitive data and in a duty of loyal cooperation, the health data accesssupervisory bodies should inform the data protection authorities of any issues related to the data processing for secondary use, including penalties. In addition to the tasks necessary to ensure effective secondary use of health data, the application processing body, in concert with the health data access body, should strive to expand the availability of additional health datasets, support the development of AI in health and promote the development of common standards. Together with the pseudonymisation body, they should apply tested techniques that ensure that electronic health data is processed in a manner that preserves the privacy of the information contained in the data for which secondary use is allowed, including techniques for pseudonymisation, anonymisation, generalisation, suppression and randomisation of personal data. Health data access bodies and pseudonymisation bodies can prepare datasets to the data user requirement linked to the issued data permit. This includes rules for anonymization of microdata sets.
Amendment 80 #
Proposal for a regulation
Recital 44
Recital 44
(44) Considering the administrative burden for health data access bodies, application processing bodies and pseudonymisation bodies to inform the natural persons whose data are used in data projects within a secure processing environment, the exceptions provided for in Article 14(5) of Regulation (EU) 2016/679 should apply. Therefore, bodies involved in health data access bodies should provide general information concerning the conditions for the secondary use of their health data containing the information items listed in Article 14(1) and, where necessary to ensure fair and transparent processing, Article 14(2) of Regulation (EU) 2016/679, e.g. information on the purpose and the data categories processed. Exceptions from this rule should be made when the results of the research could assist in the treatment of the natural person concerned. In this case, the data user should inform the health data acdata holder, where appropriate with the involvement of the application processing body, which, with the involvement of the pseudonymisation body, should inform the data subject or his health professional. Natural persons should be able to access the results of different research projects on the website of the health data acapplication processing body or a central website, ideally in an easily searchable manner. The list of the data permits should also be made public. In order to promote transparency in their operation, each health data acapplication processing body should publish an annual activity report providing an overview of its activities.
Amendment 81 #
Proposal for a regulation
Recital 47
Recital 47
(47) Health data access bodies, pseudonymisation bodies, application processing bodies and single data holders should be allowed to charge fees based on the provisions of Regulation […] [Data Governance Act COM/2020/767 final] in relation to their tasks. Such fees may take into account the situation and interest of SMEs, individual researchers or public bodies. Data holders should be allowed to also charge fees for making data available. Such fees should reflect the costs for providing such services. Private data holders may also charge fees for the collection of data. In order to ensure a harmonised approach concerning fee policies and structure, the Commission may adopt implementing acts. Provisions in Article 10 of the Regulation [Data Act COM/2022/68 final] should apply for fees charged under this Regulation.
Amendment 82 #
Proposal for a regulation
Recital 48
Recital 48
(48) In order to strengthen the enforcement of the rules on the secondary use of electronic health data, appropriate measures that can lead to penalties or temporary or definitive exclusions from the EHDS framework of the data users or data holders that do not comply with their obligations. The health data accessSupervisory bodyies should be empowered to verify compliance and give data users and holders the opportunity to reply to any findings and to remedy any infringement. The imposition of penalties should be subject to appropriate procedural safeguards in accordance with the general principles of law of the relevant Member State, including effective judicial protection and due process.
Amendment 84 #
Proposal for a regulation
Recital 49
Recital 49
(49) Given the sensitivity of electronic health data, it is necessary to reduce risks on the privacy of natural persons by applying the data minimisation principle as set out in Article 5 (1), point (c) of Regulation (EU) 2016/679. Therefore, the use of anonymised electronic health data which is devoid of any personal data should be made available when possible and if the data user asks it. If the data user needs to use personal electronic health data, it should clearly indicate in its request the justification for the use of this type of data for the planned data processing activity. The personal electronic health data should only be made available in pseudonymised format and the permanent encryption key can only be held by the health data accesspseudonymisation body. Data users should not attempt to re-identify natural persons from the dataset provided under this Regulation, subject to administrative or possible criminal penalties, where the national laws foresee this. However, this should not prevent, in cases where the results of a project carried out based on a data permit has a health benefit or impact to a concerned natural person (for instance, discovering treatments or risk factors to develop a certain disease), the data users would inform the health data acapplication processing bodyies, which in turn would request the pseudonymisation body to inform the concerned natural person(s). Moreover, about this. Moreover, via the application processing bodies the applicant can request the health data access bodies to provide the answer to a data request, including in statistical form. In this case, the data users would not process health data and the health data access body would remain sole controller for the data necessary to provide the answer to the data request.
Amendment 85 #
Proposal for a regulation
Recital 50
Recital 50
(50) In order to ensure that all health data acapplication processing bodies issue permits in a similar way, it is necessary to establish a standard common process for the issuance of data permits, with similar requests in different Member States. The applicant should provide thealth data ac application processing bodies with several information elements that would help the body evaluate the request and decide if the applicant may receive a data permit for secondary use of data, also ensuring coherence between different health data acapplication processing bodies. Such information include: the legal basis under Regulation (EU) 2016/679 to request access to data (exercise of a task in the public interest assigned by law or legitimate interest), purposes for which the data would be used, description of the needed data and possible data sources, a description of the tools needed to process the data, as well as characteristics of the secure environment that are needed. Where data is requested in pseudonymised format, the data applicant should explain why this is necessary and why anonymous data would not suffice. An ethical assessment may be requested based on national law. The health data acApplication processing bodies and, where relevant, data holders, should assist data users in the selection of the suitable datasets or data sources for the intended purpose of secondary use. Where the applicant needs anonymised statistical data, it should submit a data request application, requiring the application processing health data access body to provide directly the result with the help of the access body. In order to ensure a harmonised approach between health data acapplication processing bodies, the Commission should support the harmonisation of data application, as well as data request.
Amendment 86 #
Proposal for a regulation
Recital 51
Recital 51
(51) As the resources of health data acapplication processing bodies are limited, they can apply prioritisation rules, for instance prioritising public institutions before private entitiresearch projects on specific diseases, but they should not make any discrimination between the national or from organisations from other Member States within the same category of priorities. The data user should be able to extend the duration of the data permit in order, for example, to allow access to the datasets to reviewers of scientific publication or to enable additional analysis of the dataset based on the initial findings. This would require an amendment of the data permit and may be subject to an additional fee. However, in all the cases, the data permit should reflect theses additionals uses of the dataset. Preferably, the data user should mention them in their initial request for the issuance of the data permit. In order to ensure a harmonised approach between health data access bodies, the Commission should support the harmonisation of data permit.
Amendment 89 #
Proposal for a regulation
Recital 53
Recital 53
(53) For requests to access electronic health data from a single data holder in a single Member State and in order to alieviate the administrative burden for heath data acAccess to health data should be arranged directly between the data holder and the data user. In this case, in principle, only the application processing bodies of managing such request, the data user should be able to request this data directly from the data holder and the data holder should be able to issue a data permit while complying with all the requirements and safeguards linked to such request and permit. Multi- country requests and requests requiring combination of datasets from severaly is involved in making electronic health data available and the data holder takes over the operational tasks of the pseudonymisation and access body if the data holder can make that possible. However, the pseudonymisation body may be consulted by the data holders s. Should always be channelled through health data access bodies. The data holder should report to the health data access bodies about any data permits or secure processing environment not be available to the data user for making the data available, access should be provided via the relevant health data requaccests they providebody.
Amendment 91 #
Proposal for a regulation
Recital 55
Recital 55
(55) For the processing of electronic health data in the scope of a granted permit, the health data access bodies and the data users should be joint controllers in the sense of Article 26 of Regulation (EU) 2016/679, meaning that the obligations of joint controllers under that Regulation will apply. To support health data access bodies and data users, the Commission should, by means of an implementing act, provide a template for the joint controller arrangements health data access bodies and data users will have to enter into. In order to achieve an inclusive and sustainable framework for multi-country secondary use of electronic health data, a cross-border infrastructure should be established. HealthData@EU should accelerate the secondary use of electronic health data while increasing legal certainty, respecting the privacy of natural persons and being interoperable. Due to the sensitivity of health data, principles such as “privacy by design” and “bring questions to data instead of moving data” should be respected whenever possible. Authorised participants in HealthData@EU could be health data access bodies, research infrastructures established as an European Research Infrastructure Consortium (‘ERIC’) under Council Regulation (EC) No 723/200950 or similar structures established under another Union legislation, as well as other types of entities, including infrastructures under the European Strategy Forum on Research Infrastructures (ESFRI), infrastructures federated under the European Open Science Cloud (EOSC). Other authorised participants should obtain the approval of the joint controllership group for joining HealthData@EU. On the other hand, HealthData@EU should enable the secondary use of different categories of electronic health data, including linking of the health data with data from other data spaces such as environment, agriculture, social etc. The Commission could provide a number of services within HealthData@EU, including supporting the exchange of information amongst health data access bodies and authorised participants for the handling of cross- border access requests, maintaining catalogues of electronic health data available through the infrastructure, network discoverability and metadata queries, connectivity and compliance services. The Commission may also set up a secure environment, allowing data from different national infrastructures to be transmitted and analysed, at the request of the controllers. The Commission digital strategy promote the linking of the various common European data spaces. For the health sector, interoperability with the sectors such as the environmental, social, agricultural sectors may be relevant for additional insights on health determinants. For the sake of IT efficiency, rationalisation and interoperability of data exchanges, existing systems for data sharing should be reused as much as possible, like those being built for the exchange of evidences under the once only technical system of Regulation (EU) 2018/1724 of the European Parliament and of the Council51. _________________ 50 Council Regulation (EC) No 723/2009 of 25 June 2009 on the Community legal framework for a European Research Infrastructure Consortium (ERIC) (OJ L 206, 8.8.2009, p. 1). 51 Regulation (EU) 2018/1724 of the European Parliament and of the Council of 2 October 2018 establishing a single digital gateway to provide access to information, to procedures and to assistance and problem-solving services and amending Regulation (EU) No 1024/2012 (OJ L 295, 21.11.2018, p. 1).
Amendment 93 #
Proposal for a regulation
Recital 56
Recital 56
(56) In case of cross-border registries or databases, such as the registries of European Reference Networks for Rare Diseases, which receive data from different healthcare providers in several Member States, the health data acan application processing body wherefrom the Member State in which the coordinator of the registry is located should be responsible for providing access to data.
Amendment 94 #
Proposal for a regulation
Recital 57
Recital 57
(57) The authorisation process to gain access to personal health data in different Member States can be repetitive and cumbersome for data users. Whenever possible, synergies should be established to reduce the burden and barriers for data users. One way to achieve this aim is to adhere to the “single application” principle whereby, with one application, the data user obtain authorisation from multiple health data acapplication processing bodies in different Member States.
Amendment 95 #
(58) The health data acApplication processing bodies should provide information about the available datasets and their characteristics so that data users can be informed of elementary facts about the dataset and assess their possible relevance to them. For this reason, each dataset should include, at least, information concerning the source, nature of data and conditions for making data available. Therefore, an EU datasets catalogue should be established to facilitate the discoverability of datasets available in the EHDS; to help data holders to publish their datasets; to provide all stakeholders, including the general public, also taking into account people with disabilities, with information about datasets placed on the EHDS (such as quality and utility labels, dataset information sheets); to provide the data users with up-to-date data quality and utility information about datasets.
Amendment 97 #
Proposal for a regulation
Recital 64
Recital 64
(64) Certain categories of electronic health data can remain particularly sensitive even when they are in anonymised format and thus non-personal, as already specifically foreseen in the Data Governance Act. Even in situations of the use of state of the art anonymization techniques, there remains a residual risk that the capacity to re-identify could be or become available, beyond the means reasonably likely to be used. Such residual risk is present in relation to rare diseases (a life-threatening or chronically debilitating condition affecting not more than five in 10 thousand persons in the Union), where the limited numbers of case reduce the possibility to fully aggregate the published data in order to preserve the privacy of natural persons while also maintaining an appropriate level of granularity in order to remain meaningful. It can affect different types of health data depending on the level of granularity and description of the characteristics of data subjects, the number of people affected or and for instance in cases of data included in electronic health records, disease registries, biobanks, person generated data etc. where the identification characteristics are broader and where, in combination with other information (e.g. in very small geographical areas) or through the technological evolution of methods which had not been available at the moment of anonymisation, can lead to the re- identification of the data subjects using means that are beyond those reasonably likely to be used. The realisation of such risk of re-identification of natural persons would present a major concern and is likely to put the acceptance of the policy and rules on secondary use provided for in this Regulation at risk. Furthermore, aggregation techniques are less tested for non-personal data containing for example trade secrets, as in the reporting on clinical trials, and enforcement of breaches of trade secrets outside the Union is more difficult in the absence of a sufficient international protection standard. Therefore, for these types of health data, there remains a risk for re- identification after the anonymisation or aggregation, which could not be reasonably mitigated initially. This falls within the criteria indicated in Article 5(13) of Regulation […] [Data Governance Act COM/2020/767 final]. These types of health data would thus fall within the empowerment set out in Article 5(13) of Regulation […] [Data Governance Act COM/2020/767 final] for transfer to third countries. The protective measures, proportional to the risk of re- identification, would need to take into account the specificities of different data categories or of different anonymization or aggregation techniques and will be detailed in the context of the Delegated Act under the empowerment set out in Article 5(13) of Regulation […] [Data Governance Act COM/2020/767 final]Therefore, appropriate anonymisation under this Regulation is only possible if it cannot be reversed in the future. In particular, in order to protect data subjects, no individual datasets may be issued in connection with secondary use under this Regulation.
Amendment 114 #
Proposal for a regulation
Article 2 – paragraph 2 – point y
Article 2 – paragraph 2 – point y
(y) ‘data holder’ means any natural or legal person, which is an entity or a body in the health or care sector, or performing research in relation to these sectors, as well as Union institutions, bodies, offices and agencies who has the right or obligation, in accordance with this Regulation, applicable Union law or national legislation implementing Union law, or in the case of non-personal data, through control of the technical design of a product and related services, the ability to make available, including to register, provide, restrict access or exchange certain data;
Amendment 117 #
Proposal for a regulation
Article 2 – paragraph 2 – point a a
Article 2 – paragraph 2 – point a a
(aa) ‘data permit’ means an administrative decision issued to a data user by a health data acn application processing body or data holder to process the electronic health data specified in the data permit for the secondary use purposes specified in the data permit based on conditions laid down in this Regulation;
Amendment 119 #
(aea) ‘anonymised data’ or ‘data in anonymised format’ means personal data that have been anonymised in such a way as to prevent the data subject from being re-identified, including by drawing on state-of-the-art and future technologies and methods or other data.
Amendment 121 #
Proposal for a regulation
Article 2 – paragraph 2 – point ae b (new)
Article 2 – paragraph 2 – point ae b (new)
(aeb) ‘application processing body’ means a body set up in accordance with Article 36(1), fourth sentence, point (a), whose tasks include, in particular, checking data applications and issuing data permits.
Amendment 123 #
Proposal for a regulation
Article 2 – paragraph 2 – point ae c (new)
Article 2 – paragraph 2 – point ae c (new)
(aec) ‘pseudonymisation body’ means a body established in accordance with Article 36(1), fourth sentence, point (b), whose tasks include, in particular, the pseudonymisation of electronic health data.
Amendment 124 #
Proposal for a regulation
Article 2 – paragraph 2 – point ae d (new)
Article 2 – paragraph 2 – point ae d (new)
(aed) ‘health data access body’ means a body established in accordance with Article 36(1), fourth sentence, point (c), whose tasks include, in particular, the provision of a secure data processing environment.
Amendment 125 #
Proposal for a regulation
Article 2 – paragraph 2 – point ae e (new)
Article 2 – paragraph 2 – point ae e (new)
(aee) ‘bodies involved in health data access’ means bodies within the meaning of points (ag), (ah) and (ai) in so far as, in a specific case, they are involved in enabling secondary use.
Amendment 154 #
Proposal for a regulation
Article 33 – paragraph 1 – point d
Article 33 – paragraph 1 – point d
(d) health-related administrative data for population-wide predominantly publicly funded treatments, including claims and reimbursement data;
Amendment 155 #
Proposal for a regulation
Article 33 – paragraph 1 – point e
Article 33 – paragraph 1 – point e
Amendment 159 #
Proposal for a regulation
Article 33 – paragraph 1 – point h
Article 33 – paragraph 1 – point h
(h) population wide electronic health data registries (public health registries);
Amendment 163 #
Proposal for a regulation
Article 33 – paragraph 1 – point j
Article 33 – paragraph 1 – point j
(j) electronic health data from clinical trials in so far as they have been completed;
Amendment 165 #
Proposal for a regulation
Article 33 – paragraph 1 – point m
Article 33 – paragraph 1 – point m
Amendment 170 #
Proposal for a regulation
Article 33 – paragraph 1 a (new)
Article 33 – paragraph 1 a (new)
(1a) Data in categories (b) and (l) shall only be made available if the data have been collected systematically and comprehensively from data subjects. The fact that a public body, a body governed by public law or a public undertaking within the meaning of Regulation (EU) 2022/868 [Data Governance Act] is involved in the collection of data shall not constitute predominantly public funding of data collection. Data holders shall not be obliged to make unlisted categories of data available for secondary use in accordance with the provisions of this Chapter.
Amendment 172 #
Proposal for a regulation
Article 33 – paragraph 2
Article 33 – paragraph 2
(2) The requirement in the first sentence of the first subparagraph shall not apply to data holders that qualify as micro enterprises as defined in Article 2 of the Annex to Commission Recommendation 2003/361/EC59. _________________ 59 Commission Recommendation of 6 May 2003 concerning the definition of micro, small and medium-sized enterprises (OJ L 124, 20.5.2003, p. 36).
Amendment 174 #
Proposal for a regulation
Article 33 – paragraph 3
Article 33 – paragraph 3
(3) The electronic health data referred to in paragraph 1 shall cover data processed for the provision of health or care or for public health, research, innovation, policy making, official statistics, patient safety or regulatory purposes, collected by entities and bodies in the health or care sectors, including public and private providers of health or care, entities or bodies performing research in relation to these sectors, and Union institutions, bodies, offices and agencies.
Amendment 174 #
Proposal for a regulation
Recital 1
Recital 1
(1) The aim of this Regulation is to establish the European Health Data Space (‘EHDS’) in order to improve access to and control by natural persons over their personal electronic health data in the context of healthcare (primary use of electronic health data), as well as for other purposes in the health sector that would benefit the society such as research, innovation, policy- making, patient safety, personalised medicine, official statistics or regulatory activities (secondary use of electronic health data). In addition, the goal is to improve the functioning of the internal market by laying down a uniform legal framework in particular for the development, marketing and use of electronic health record systems (‘EHR systems’) in conformity with Union values.
Amendment 179 #
Proposal for a regulation
Article 33 – paragraph 4
Article 33 – paragraph 4
(4) Electronic health data entailing protected intellectual property and trade secrets from private enterprises shall be made available for secondary use. Where such data is made available for secondary use, if and to the extent that all measures necessary to preserve the confidentiality of IP rights and trade secrets shallcan be taken., for example by taking the following measures:
Amendment 180 #
Proposal for a regulation
Article 33 – paragraph 4 a (new)
Article 33 – paragraph 4 a (new)
(4a) extending the period for making data available to 24 months in order to allow for registration of property rights; or
Amendment 181 #
Proposal for a regulation
Article 33 – paragraph 4 b (new)
Article 33 – paragraph 4 b (new)
(4b) processing data to ensure that trade secrets are redacted.
Amendment 182 #
Proposal for a regulation
Article 33 – paragraph 5
Article 33 – paragraph 5
Amendment 185 #
Proposal for a regulation
Article 33 – paragraph 6
Article 33 – paragraph 6
(6) Where a public sector body obtains data in emergency situations as defined in Article 15, point (a) or (b) of the Regulation […] [Data Act COM/2022/68 final], in accordance with the rules laid down in that Regulation, it may be supported by a health data access body or a pseudonymisation body to provide technical support to process the data or combing it with other data for joint analysis.
Amendment 192 #
Proposal for a regulation
Article 33 – paragraph 8
Article 33 – paragraph 8
Amendment 194 #
Proposal for a regulation
Article 33 – paragraph 8 a (new)
Article 33 – paragraph 8 a (new)
(8a) Electronic health data from biobanks and dedicated databases, as well as human genetic, genomic and proteomic data, may be shared by the data holder on a voluntary basis in accordance with the rules of this Regulation.
Amendment 196 #
Proposal for a regulation
Article 34 – paragraph 1 – introductory part
Article 34 – paragraph 1 – introductory part
(1) Health data acApplication processing bodies shall only providauthorise access to electronic health data referred to in Article 33 where the intended purpose of processing pursued by the applicant complies with:
Amendment 203 #
Proposal for a regulation
Article 34 – paragraph 1 – point f
Article 34 – paragraph 1 – point f
(f) development and innovation activities for products or services contributing to public health or social security, or ensuring high levels of quality and safety of health care, of medicinal products or of medical devices;
Amendment 205 #
Proposal for a regulation
Article 34 – paragraph 1 – point g
Article 34 – paragraph 1 – point g
(g) training, testing and evaluating of algorithms, including in medical devices, AI systems and digital health applications, contributing to the public health or social security, or ensuring high levels of quality and safety of health care, of medicinal products or of medical devices;
Amendment 211 #
Proposal for a regulation
Article 35 – paragraph 1 – point e a (new)
Article 35 – paragraph 1 – point e a (new)
(ea) reconstructing the identity of natural persons from datasets shared under this Regulation;
Amendment 213 #
Proposal for a regulation
Article 35 – paragraph 1 – point e b (new)
Article 35 – paragraph 1 – point e b (new)
(eb) profiling of natural persons solely from the datasets shared under this Regulation or in combination with other data;
Amendment 214 #
Proposal for a regulation
Article 35 – paragraph 1 – point e c (new)
Article 35 – paragraph 1 – point e c (new)
(ec) the targeted use of data shared under this Regulation to obtain intellectual property or trade secrets of competitors or information that allows conclusions to be drawn about the business performance of a specific market operator;
Amendment 215 #
Proposal for a regulation
Article 35 – paragraph 1 – point e d (new)
Article 35 – paragraph 1 – point e d (new)
(ed) the sale of electronic health data made available under this Regulation.
Amendment 216 #
Proposal for a regulation
Article 36 – title
Article 36 – title
Amendment 217 #
Proposal for a regulation
Article 36 – paragraph 1
Article 36 – paragraph 1
(1) Member States shall each designate one or more health data access bodiesbodies involved in accessing health data that are responsible for granting access to electronic health data for secondary use. Member States may either establish one or more new public sector bodies or rely on existing public sector bodies or on internal services of public sector bodies or private legal persons that fulfil the conditions set out in this Article. Where a Member State designates several health data access bodiesbodies involved in accessing health data, it shall designate one health data access body to act as coordinator, with responsibility for coordinating requests with the other health data access bodies.bodies involved in accessing health data. The following legally and organisationally independent bodies may be involved in accessing electronic health data:
Amendment 218 #
Proposal for a regulation
Article 36 – paragraph 1 a (new)
Article 36 – paragraph 1 a (new)
(1a) application processing bodies, which may be administered by both public and private bodies;
Amendment 219 #
Proposal for a regulation
Article 36 – paragraph 1 b (new)
Article 36 – paragraph 1 b (new)
(1b) pseudonymisation bodies, which shall be administered by national public bodies; the European Union shall also create an independent European pseudonymisation body;
Amendment 220 #
Proposal for a regulation
Article 36 – paragraph 1 c (new)
Article 36 – paragraph 1 c (new)
(1c) access bodies, which shall be administered by national public bodies;
Amendment 221 #
Proposal for a regulation
Article 36 – paragraph 2
Article 36 – paragraph 2
(2) Member States shall ensure that each health data access bodybody involved in accessing health data is provided with the human, technical and financial resources, premises and infrastructure necessary for the effective performance of its tasks and the exercise of its powers. Certification shall be required for approval and designation as an application processing body. Application processing bodies shall carry out their tasks in an impartial, transparent, consistent and timely manner. Senior managers and staff members of the authorities responsible shall not engage in any activity that may conflict with their independence of judgement or integrity in carrying out the tasks entrusted to them.
Amendment 223 #
Proposal for a regulation
Article 36 – paragraph 3
Article 36 – paragraph 3
(3) In the performance of their tasks, health data access bodiesbodies involved in accessing health data shall actively cooperate with stakeholders’ representatives, especially with representatives of patients, data holders and data users. Staff of health data access bodies shall avoid any conflicts of interest. Health data access bodiesbodies involved in accessing health data shall avoid any conflicts of interest. Bodies involved in accessing health data shall not be bound by any instructions, when making their decisions.
Amendment 224 #
Proposal for a regulation
Article 36 – paragraph 4
Article 36 – paragraph 4
(4) Member States shall communicate to the Commission the identity of the health data access bodies designated pursuant to paragraph 1 by the date of application of this Regulation. They shall also communicate to the Commission any subsequent modification of the identity of those bodies. The Commission and the Member States shall make this information publicly available.
Amendment 225 #
Proposal for a regulation
Article 37 – title
Article 37 – title
Tasks of health data access bodiesbodies involved in accessing health data
Amendment 226 #
Proposal for a regulation
Article 37 – paragraph 1 – introductory part
Article 37 – paragraph 1 – introductory part
(1) Health data access bodiesBodies involved in accessing health data shall carry out the following tasks:
Amendment 227 #
Proposal for a regulation
Article 37 – paragraph 1 – point a
Article 37 – paragraph 1 – point a
(a) application processing bodies shall decide on data access applications pursuant to Article 45, authorise and issue data permits pursuant to Article 46 to access electronic health data falling within their national remit for secondary use and decide on data requests in accordance with Chapter II of Regulation […] [Data Governance Act COM/2020/767 final] and this Chapter;
Amendment 228 #
Proposal for a regulation
Article 37 – paragraph 1 – point b
Article 37 – paragraph 1 – point b
(b) access bodies shall support public sector bodies in carrying out the tasks enshrined in their mandate, based on national or Union law;
Amendment 229 #
Proposal for a regulation
Article 37 – paragraph 1 – point c
Article 37 – paragraph 1 – point c
(c) access bodies shall support Union institutions, bodies, offices and agencies in carrying out tasks enshrined in the mandate of Union institutions, bodies, offices and agencies, based on national or Union law;
Amendment 230 #
Proposal for a regulation
Article 37 – paragraph 1 – point d
Article 37 – paragraph 1 – point d
(d) access bodies shall process electronic health data for the purposes set out in Article 34, including the collection, combination, preparation and disclosure of those data for secondary use on the basis of a data permit;
Amendment 231 #
Proposal for a regulation
Article 37 – paragraph 1 – point e
Article 37 – paragraph 1 – point e
(e) access bodies shall process electronic health data from other relevant data holders based on a data permit or a data request for a purposes laid down in Article 34;
Amendment 232 #
Proposal for a regulation
Article 37 – paragraph 1 – point f
Article 37 – paragraph 1 – point f
(f) bodies involved in accessing health shall take all measures necessary to preserve the confidentiality of IP rights and of trade secrets;
Amendment 233 #
Proposal for a regulation
Article 37 – paragraph 1 – point g
Article 37 – paragraph 1 – point g
(g) gather and compile or provide access towhere electronic health data is not accessed directly between data holder and data user, or where the data of a number of holders need to be merged, the access bodies concerned, with the assistance of pseudonymisation bodies, shall gather and compile the necessary electronic health data from the various data holders whose electronic health data fall within the scope of this Regulation and put those data at the disposal of data users in a secure processing environment in accordance with the requirements laid down in Article 50;
Amendment 234 #
Proposal for a regulation
Article 37 – paragraph 1 – point i
Article 37 – paragraph 1 – point i
(i) access bodies shall support the development of AI systems, the training, testing and validating of AI systems and the development of harmonised standards and guidelines under Regulation […] [AI Act COM/2021/206 final] for the training, testing and validation of AI systems in health;
Amendment 235 #
Proposal for a regulation
Article 37 – paragraph 1 – point j
Article 37 – paragraph 1 – point j
(j) application processing bodies shall cooperate with and supervise data holders to ensure the consistent and accurate implementation of the data quality and utility label set out in Article 56;
Amendment 236 #
Proposal for a regulation
Article 37 – paragraph 1 – point k
Article 37 – paragraph 1 – point k
(k) application processing bodies shall maintain a management system to record and process data access applications, data requests and the data permits issued and data requests answered, providing at least information on the name of the data applicant, the purpose of access the date of issuance, duration of the data permit and a description of the data application or the data request;
Amendment 237 #
Proposal for a regulation
Article 37 – paragraph 1 – point l
Article 37 – paragraph 1 – point l
(l) application processing and access bodies shall jointly maintain a public information system to comply with the obligations laid down in Article 38;
Amendment 239 #
Proposal for a regulation
Article 37 – paragraph 1 – point m
Article 37 – paragraph 1 – point m
(m) access bodies shall cooperate at Union and national level to lay down appropriate measures and requirements for accessing electronic health data in a secure processing environment;
Amendment 240 #
Proposal for a regulation
Article 37 – paragraph 1 – point n
Article 37 – paragraph 1 – point n
(n) access bodies shall cooperate at Union and national level and provide advice to the Commission on techniques and best practices for electronic health data use and management;
Amendment 241 #
Proposal for a regulation
Article 37 – paragraph 1 – point o
Article 37 – paragraph 1 – point o
(o) access bodies shall facilitate cross- border access to electronic health data for secondary use hosted in other Member States through HealthData@EU and cooperate closely with each other and with the Commission.;
Amendment 242 #
Proposal for a regulation
Article 37 – paragraph 1 – point q – introductory part
Article 37 – paragraph 1 – point q – introductory part
(q) application processing bodies shall make public, through electronic means:
Amendment 243 #
Proposal for a regulation
Article 37 – paragraph 1 – point q – point iii
Article 37 – paragraph 1 – point q – point iii
Amendment 244 #
Proposal for a regulation
Article 37 – paragraph 1 – point q a (new)
Article 37 – paragraph 1 – point q a (new)
(qa) access bodies shall make public through electronic means the sanctions imposed under Article 43;
Amendment 245 #
Proposal for a regulation
Article 37 – paragraph 1 – point r
Article 37 – paragraph 1 – point r
(r) bodies involved in accessing health data shall fulfil obligations towards natural persons pursuant to Article 38;
Amendment 246 #
Proposal for a regulation
Article 37 – paragraph 1 – point s
Article 37 – paragraph 1 – point s
(s) access bodies shall, if they have reasonable grounds to suspect an infringement, request from data users and data holders all the relevant information to verify the implementation of this Chapter;
Amendment 247 #
Proposal for a regulation
Article 37 – paragraph 1 – point t
Article 37 – paragraph 1 – point t
(t) bodies involved in accessing health data shall fulfil any other tasks related to making available the secondary use of electronic health data in the context of this Regulation to the extent that these tasks fall within their remit.
Amendment 248 #
Proposal for a regulation
Article 37 – paragraph 2 – introductory part
Article 37 – paragraph 2 – introductory part
(2) In the exercise of their tasks, health data access bodies shallbodies involved in accessing health data shall proceed as follows:
Amendment 249 #
Proposal for a regulation
Article 37 – paragraph 2 – point b
Article 37 – paragraph 2 – point b
(b) access bodies shall inform the relevant supervisory authorities under Regulation (EU) 2016/679 and Regulation (EU) 2018/1725 where a health data access body has imposed penalties or other measures pursuant to Article 43 in relation to processing personal electronic health data and where such processing refers to an attempt to re-identify an individual or unlawful processing of personal electronic health data;
Amendment 250 #
Proposal for a regulation
Article 37 – paragraph 2 – point c
Article 37 – paragraph 2 – point c
(c) bodies involved in accessing health data shall cooperate with stakeholders, including patient organisations, representatives from natural persons, health professionals, researchers, and ethical committees, where applicable in accordance with Union and national law;
Amendment 252 #
Proposal for a regulation
Article 37 – paragraph 2 – point d
Article 37 – paragraph 2 – point d
(d) bodies involved in accessing health data shall cooperate with other national competent bodies, including the national competent bodies supervising data altruism organisations under Regulation […] [Data Governance Act COM/2020/767 final], the competent authorities under Regulation […] [Data Act COM/2022/68 final] and the national competent authorities for Regulations (EU) 2017/745 and Regulation […] [AI Act COM/2021/206 final].
Amendment 253 #
Proposal for a regulation
Article 37 – paragraph 4
Article 37 – paragraph 4
(4) The Commission is empowered to adopt delegated acts in accordance with Article 67 to amend the list of tasks in paragraph 1 of this Article, to reflect the evolution of activities performed by health data access bodiesbodies involved in accessing health data in the field of health covered by this Regulation.
Amendment 254 #
Proposal for a regulation
Article 38 – title
Article 38 – title
Obligations of health data access bodiesbodies involved in accessing health data towards natural persons
Amendment 255 #
Proposal for a regulation
Article 38 – paragraph 1 – introductory part
Article 38 – paragraph 1 – introductory part
(1) Health data acApplication processing bodies shall make publicly available and easily searchable the conditions under which electronic health data is made available for secondary use,; with information concerning:
Amendment 257 #
Proposal for a regulation
Article 38 – paragraph 2
Article 38 – paragraph 2
(2) Health data access bodiesBodies involved in accessing health data shall not be obliged to provide the specific information under Article 14 of Regulation (EU) 2016/679 to each natural person concerning the use of their data for projects subject to a data permit and. Application processing bodies shall provide general public information on all the data permits issued pursuant to Article 46.
Amendment 258 #
Proposal for a regulation
Article 38 – paragraph 3
Article 38 – paragraph 3
(3) Where a health data acn application processing body is informed by a data user of a finding that may impact on the health of a natural person, the health data access body mayit may, together with the pseudonymisation body and the data holder, inform the natural person and his or her treating health professional about that finding.
Amendment 259 #
Proposal for a regulation
Article 38 – paragraph 4
Article 38 – paragraph 4
(4) Member States shall regularly inform the public at large about the role and benefits of health data access bodiesbodies involved in accessing health data.
Amendment 260 #
Proposal for a regulation
Article 39 – title
Article 39 – title
Reporting by health data access bodiesbodies involved in accessing health data
Amendment 261 #
Proposal for a regulation
Article 39 – paragraph 1 – introductory part
Article 39 – paragraph 1 – introductory part
(1) Each health data access bodybody involved in access to health data shall publish an annual activity report which shall contain at least the following in relation to its respective tasks:
Amendment 262 #
Proposal for a regulation
Article 39 – paragraph 1 – point b
Article 39 – paragraph 1 – point b
Amendment 263 #
Proposal for a regulation
Article 39 – paragraph 2
Article 39 – paragraph 2
(2) The reports shall be transmitted to the Commission.
Amendment 264 #
Proposal for a regulation
Article 39 – paragraph 3
Article 39 – paragraph 3
(3) The Commission is empowered to adopt delegated acts in accordance with Article 67 to modify the content of the annual activity reports.
Amendment 265 #
Proposal for a regulation
Article 40 – paragraph 1
Article 40 – paragraph 1
(1) When processing personal electronic health data, data altruism organisations shall comply with the rules set out in Chapter IV of Regulation […] [Data Governance Act COM/2020/767 final]. Where data altruism organisations process personal electronic health data using a secure processing envirThis Regulation is without prejudice to the processing of datasets based on conmsent, such environments shall also comply with the requirements set out in Article 50 of this Regulationincluding in particular altruistic consent pursuant to [Data Governance Act COM(2020) 767 final].
Amendment 267 #
Proposal for a regulation
Article 41 – paragraph 1
Article 41 – paragraph 1
(1) Where a data holder is obliged to make electronic health data available under Article 33 or under other Union law or national legislation implementing Union law, it shall cooperate in good faith with the health data access bodies or data users, where relevant.
Amendment 268 #
Proposal for a regulation
Article 41 – paragraph 2
Article 41 – paragraph 2
(2) The data holder shall communicate to the health data acapplication processing body a general description of the dataset it holds in accordance with Article 55.
Amendment 269 #
Proposal for a regulation
Article 41 – paragraph 3
Article 41 – paragraph 3
(3) Where a data quality and utility label accompanies the dataset pursuant to Article 56, the data holder shall provide sufficient documentation to the health data acapplication processing body for that body to confirm the accuracy of the label.
Amendment 270 #
Proposal for a regulation
Article 41 – paragraph 4
Article 41 – paragraph 4
(4) The data holder shall put the electronic health data at the disposal of the health data access body within 2 months from receiving the request from the healWhere the data holder has a processing environment that meets the conditions of the secure processing environment in accordance with Article 50, the data holder shall put the electronic health data at the disposal of the data user through that processing environment using the pseudonymisation body as an intermediary; where the data holder does not have such a processing environment, the data holder shall put the electronic health data at the disposal of the health data access body using the pseudonymisation body as an intermediary. The electronic health data shall be made available by the data acholder within 2 months of receipt of the application from the application processing body. In exceptional cases, thate 2-month period may be extended by the health data acapplication processing body for an additional period of 2 months.
Amendment 271 #
Proposal for a regulation
Article 41 – paragraph 7
Article 41 – paragraph 7
Amendment 272 #
Proposal for a regulation
Article 42 – paragraph 1
Article 42 – paragraph 1
(1) HApplication processing bodies, health data access bodies and single data holders may charge fees for making electronic health data available for secondary use. Any fees shall include and be derived from the costs related to conducting the procedure for requests, including for assessing a data application or a data request, granting, refusing or amending a data permit pursuant to Articles 45 and 46 or providing an answer to a data request pursuant to Article 47, in accordance with Article 6 of Regulation […] [Data Governance Act COM/2020/767 final]
Amendment 273 #
Proposal for a regulation
Article 42 – paragraph 5
Article 42 – paragraph 5
(5) Where data holders and data users do not agree on the level of the fees within 1 month of the data permit being granted, the health data acapplication processing body may set the fees in proportion to the cost of making available electronic health data for secondary use. Where the data holder or the data user disagree with the fee set out by the health data acapplication processing body, they shall have access to dispute settlement bodies set out in accordance with Article 10 of the Regulation […] [Data Act COM/2022/68 final].
Amendment 274 #
Proposal for a regulation
Article 43 – paragraph 2
Article 43 – paragraph 2
(2) When requesting from data users and data holders as well as other bodies involved in the access to health data the information that is necessary to verify compliance with this Chapter, the health data access bodies shall be proportionate to the performance of the compliance verification task.
Amendment 275 #
Proposal for a regulation
Article 43 – paragraph 4
Article 43 – paragraph 4
(4) Health data access bodies shall have the power to revokdeclare the data permit issued pursuant to Article 46 void and stop the affected electronic health data processing operation carried out by the data user in order to ensure the cessation of the non- compliance referred to in paragraph 3, immediately or within a reasonable time limit, and shall take appropriate and proportionate measures aimed at ensuring compliant processing by the data users. In this regard, the health data access bodies shall be able, where appropriate, to revokdeclare the data permit void and to exclude the data user from any access to electronic health data for a period of up to 5 years.
Amendment 276 #
Proposal for a regulation
Article 44 – paragraph 1
Article 44 – paragraph 1
(1) The health data access body or the data holder shall ensure that access is only provided to requested electronic health data relevant for the purpose of processing indicated in the data access application by the data user and in line with the data permit granted.
Amendment 277 #
Proposal for a regulation
Article 44 – paragraph 2
Article 44 – paragraph 2
(2) The health data access bodies or data holders shall provide the electronic health data in an anonymised format, where appropriate using the pseudonymisation body as an intermediary, where the purpose of processing by the data user can be achieved with such data, taking into account the information provided by the data user.
Amendment 279 #
Proposal for a regulation
Article 44 – paragraph 3
Article 44 – paragraph 3
(3) Where the purpose of the data user’s processing cannot be achieved with anonymised data, taking into account the information provided by the data user, the health data access bodies or the data holder shall provide access to electronic health data in pseudonymised format. The information necessary to reverse the pseudonymisation shall be available only to the healpseudonymisation body or the data access bodyholder. Data users shall not re- identify the electronic health data provided to them in pseudonymised format. The data user’s failure to respect the healpseudonymisation body’s or the data access bodyholder’s measures ensuring pseudonymisation shall be subject to appropriate penalties.
Amendment 280 #
Proposal for a regulation
Article 45 – paragraph 3
Article 45 – paragraph 3
(3) Data users seeking access to electronic health data from more than one Member State shall submit a single application to one of the concerned health data acapplication processing bodies of their choice which shall be responsible for sharing the request with other health data acapplication processing bodies and authorised participants in HealthData@EU referred to in Article 52, which have been identified in the data access application. For requests to access electronic health data from more than one Member States, the health data acapplication processing body shall notify the other relevant health data acapplication processing bodies of the receipt of an application relevant to them within 15 days from the date of receipt of the data access application.
Amendment 281 #
Proposal for a regulation
Article 45 – paragraph 4 – point a
Article 45 – paragraph 4 – point a
(a) a description of how the processing would comply withthe legal basis on which the processing is to be carried out within the meaning of Article 6(1) of Regulation (EU) 2016/679;
Amendment 282 #
Proposal for a regulation
Article 45 – paragraph 5 – subparagraph 2
Article 45 – paragraph 5 – subparagraph 2
Where the public sector bodies and the Union institutions, bodies, offices and agencies intend to access the electronic health data in pseudonymised format, a description of how the processing would comply with Article 6(1) of Regulation (EU) 2016/679the legal basis on which the processing is to be carried out within the meaning orf Article 56(1) of Regulation (EU) 2018/1725, as applicable,6/679 shall also be provided.
Amendment 283 #
(1) Health data acApplication processing bodies shall assess if the application fulfils one of the purposes listed in Article 34(1) of this Regulation, if the requested data is necessary for the purpose listed in the application and if the requirements in this Chapter are fulfilled by the applicant. If that is the case, the health data acapplication processing body shall issue a data permit.
Amendment 285 #
Proposal for a regulation
Article 46 – paragraph 2
Article 46 – paragraph 2
(2) Health data acApplication processing bodies shall refuse all applications including one or more purposes listed in Article 35 or where requirements in this Chapter are not met.
Amendment 287 #
Proposal for a regulation
Article 46 – paragraph 3
Article 46 – paragraph 3
(3) A health data acn application processing body shall issue or refuse a data permit within 2 months of receiving the data access application. By way of derogation from that Regulation […] [Data Governance Act COM/2020/767 final], the health data access body may extend the period for responding to a data access application by 2 additional months where necessary, taking into account the complexity of the request. In such cases, the health data acapplication processing body shall notify the applicant as soon as possible that more time is needed for examining the application, together with the reasons for the delay. Where a health data acn application processing body fails to provide a decision within the time limit, the data permit shall be issued.
Amendment 288 #
Proposal for a regulation
Article 46 – paragraph 4
Article 46 – paragraph 4
(4) Following the issuance of the data permit, the health data acapplication processing body shall immediately request the electronic health data from the data holdercall on the data holder to transmit the electronic health data to the health data access body, or to make it available to the data user, via the pseudonymisation body without delay. The health data access body or the data holder shall make available the electronic health data to the data user within 2 months after receiving them from the data holders, unless the health data access body specifies that it will provide the data within a longer specified timeframe.
Amendment 290 #
Proposal for a regulation
Article 46 – paragraph 5
Article 46 – paragraph 5
(5) When the health data acapplication processing body refuses to issue a data permit, it shall provide a justification for the refusal to the applicant.
Amendment 293 #
Proposal for a regulation
Article 46 – paragraph 11
Article 46 – paragraph 11
(11) Data users shall make public the results or output of the secondary use of electronic health data, including information relevant for the provision of healthcare, no later than 18 months after the completion of the electronic health data processing or after having received the answer to the data request referred to in Article 47. Those results or output shall only contain anonymised data. The data user shall inform the health data acapplication processing bodies from which a data permit was obtained and support them to make the information public on thealth data ac application processing bodies’ websites or on a central website. Whenever the data users have used electronic health data in accordance with this Chapter, they shall acknowledge the electronic health data sources and the fact that electronic health data has been obtained in the context of the EHDS.
Amendment 294 #
Proposal for a regulation
Article 46 – paragraph 12
Article 46 – paragraph 12
(12) Data users shall inform the health data acapplication processing body of any clinically significant findings that may influence the health status of the natural persons whose data are included in the dataset.
Amendment 295 #
Proposal for a regulation
Article 46 – paragraph 14
Article 46 – paragraph 14
(14) The liability of health data access bodies as joint controlleror of the data holder as joint controller, depending on who makes the data available to the data user, is limited to the scope of the issued data permit until the completion of the processing activity.
Amendment 296 #
Proposal for a regulation
Article 47 – paragraph 1
Article 47 – paragraph 1
(1) Any natural or legal person may submit a data request for the purposes referred to in Article 34. A health data access body shall only provide an answer to a data request, which is transmitted to it by the application processing body, in an anonymised statistical format and the data user shall have no access to the electronic health data used to provide this answer.
Amendment 297 #
Proposal for a regulation
Article 48
Article 48
Amendment 303 #
Proposal for a regulation
Article 49
Article 49
Access to electronic health data from a (1) Where an applicant requests access to electronic health data only from a single data holder in a single Member State, by way of derogation from Article 45(1), that applicant may file a data access application or a data request directly to the data holder. The data access application shall comply with the requirements set out in Article 45 and the data request shall comply with requirements in Article 47. Multi-country requests and requests requiring a combination of datasets from several data holders shall be adressed to health data access bodies. (2) In such case, the data holder may issue a data permit in accordance with Article 46 or provide an answer to a data request in accordance with Article 47. The data holder shall then provide access to the electronic health data in a secure processing environment in compliance with Article 50 and may charge fees in accordance with Article 42. (3) By way of derogation from Article 51, the single data provider and the data user shall be deemed joint controllers. (4) Within 3 months the data holder shall inform the relevant health data access body by electronic means of all data access applications filed and all the data permits issued and the data requests fulfilled under this Article in order to enable the health data access body to fulfil its obligations under Article 37(1) and Article 39.rticle 49 deleted single data holder
Amendment 305 #
Proposal for a regulation
Article 50 – paragraph 2
Article 50 – paragraph 2
(2) The health data access bodies shall ensure that electronic health data can be uploaded by data holders and can be accessed by the data user in a secure processing environment. The data users shall only be able to download non- personal electronic health data from the secure processing environment. Initially personal data may only be downloaded by data users if anonymised in accordance with this Regulation; this is usually the case only for aggregated data from at least 100 individual datasets.
Amendment 306 #
Proposal for a regulation
Article 51 – paragraph 1
Article 51 – paragraph 1
(1) The health data access bodies and the data users, including Union institutions, bodies, offices and agencies, shall be deemed joint controllers of electronic health data processed in accordance with data permit. In the event that the data holder provides access to the electronic health data to the data user without going through the health data access bodies, the data holder and data user shall be joint controllers of the electronic health data processed in accordance with the data permit.
Amendment 307 #
Proposal for a regulation
Article 52 – paragraph 3
Article 52 – paragraph 3
(3) Union institutions, bodies, offices and agencies in the health sector involved in research, health policy or analysis, shall be authorised participants of HealthData@EU.
Amendment 308 #
Proposal for a regulation
Article 52 – paragraph 4
Article 52 – paragraph 4
(4) Health-related research infrastructures or similar structures whose functioning is based on Union law and which support the use of electronic health data in the health sector for research, policy making, statistical, patient safety or regulatory purposes shall be authorised participants of HealthData@EU.
Amendment 309 #
Proposal for a regulation
Article 52 – paragraph 7
Article 52 – paragraph 7
(7) The Commission is empowered to adopt delegated acts in accordance with Article 67 in order to amend this Article to add or remove categories of authorised health sector participants in HealthData@EU, taking into account the opinion of the joint controllership group pursuant to Article 66 of this Regulation.
Amendment 310 #
Proposal for a regulation
Article 52 – paragraph 8
Article 52 – paragraph 8
(8) The Member States and the Commission shall set up HealthData@EU to support and facilitate the cross-border access to electronic health data for secondary use in the health sector, connecting the national contact points for secondary use of electronic health data of all Member States and authorised participants in that infrastructure.
Amendment 311 #
Proposal for a regulation
Article 53 – paragraph 1
Article 53 – paragraph 1
(1) In the case of cross-border registries and databases, the health data acapplication processing body in which the data holder is registered shall be competent to decide on data access applications to providand to arrange access to electronic health data through the health data access body. Where the registry has joint controllers, the health data access body that shall provide access to electronic health data shall be the body in the Member State where one of the joint controllers is established.
Amendment 312 #
Proposal for a regulation
Article 53 – paragraph 2
Article 53 – paragraph 2
(2) Where registries or databases from a number of Member States organise themselves into a single network of registries or databases at Union level, the associated registries may designate one of their members as a coordinator to ensure the provision of data from the registries’ network for secondary use. The health data acapplication processing body of the Member State in which the coordinator of the network is located shall be competent to decide on the data access applications to providarrange access to electronic health data for the network of registries or databases.
Amendment 313 #
Proposal for a regulation
Article 54 – paragraph 1
Article 54 – paragraph 1
(1) When handling an access application for cross-border access to electronic health data for secondary use, health data acapplication processing bodies and relevant authorised participants shall remain responsible for taking decisions to grant or refuse access to electronic health data within their remit in accordance with the requirements for access laid down in this Chapter.
Amendment 314 #
Proposal for a regulation
Article 54 – paragraph 2
Article 54 – paragraph 2
(2) A data permit issued by one concerned health data acapplication processing body may benefit from mutual recognition by the other concerned health data acapplication processing bodies.
Amendment 315 #
Proposal for a regulation
Article 55 – paragraph 1
Article 55 – paragraph 1
(1) The health data acapplication processing bodies shall inform the data users about the available datasets and their characteristics through a metadata catalogue. Each dataset shall include information concerning the source, the scope, the main characteristics, nature of electronic health data and conditions for making electronic health data available.
Amendment 318 #
Proposal for a regulation
Article 61 – paragraph 1
Article 61 – paragraph 1
(1) Non-personal electronic data made available by health data access bodies, that are based on a natural person’s electronic data falling within one of the categories of Article 33 [(a), (e), (f), (i), (j), (k),b) and (f) through to (mi)] shall be deemed highly sensitive within the meaning of Article 5(13) of Regulation […] [Data Governance Act COM/2020/767 final], provided that their transfer to third countries presents a risk of re-identification through means going beyond those likely reasonably to be used, in view of the limited number of natural persons involved in that data, the fact that they are geographically scattered or the technological developments expected in the near future. This shall be without prejudice to Article 50(2) third sentence.
Amendment 319 #
Proposal for a regulation
Recital 37
Recital 37
(37) For the secondary use of the, not requiring consent, of certain clinical data for health-related research, innovation, policy making, regulatory purposes, patient safety or the treatment of other natural persons, the possibilities offered by Regulation (EU) 2016/679 for a Union law should be used as a basis and rules and mechanisms and providing suitable and specific measures to safeguard the rights and freedoms of the natural persons. This Regulation provides the legal basis in accordance with Articles 9(2) (g), (h), (i) and (j) of Regulation (EU) 2016/679 for the secondary use of, not requiring consent, of certain health data, establishing the safeguards for processing, in terms of lawful purposes, trusted governance for providing access to that health data (through health data access bodies) and processing in a secure environment, as well as modalities for data processing, set out in the data permit. At the same time, the data applicant should demonstrate a legal basis pursuant to Article 6 of Regulation (EU) 2016/679, based on which they could request access to data pursuant to this Regulation and should fulfil the conditions set out in Chapter IV. More specifically: for processing of certain electronic health data held by the data holder pursuant to this Regulation, this Regulation, in certain cases, creates the legal obligation in the sense of Article 6(1) point (c) of Regulation (EU) 2016/679 for disclosing theat data, for secondary use, by the data holder to health data access bodies, while the legal basis for the purpose of the initial processing (e.g. delivery of care) is unaffected. This Regulation also meets the conditions for such processing pursuant to Articles 9(2) (h),(i),(j) of the Regulation (EU) 2016/679. This Regulation assigns tasks in the public interest to the health data access bodiesbodies involved in accessing health data (running the secure processing environment, processing data before they are used, etc.) in the sense of Article 6(1)(e) of Regulation (EU) 2016/679 to the health data access bodies, and meets the requirements of Article 9(2)(h),(i),(j) of the Regulation (EU) 2016/679. This applies equally to the activities of the application processing body that examines and, where appropriate, approves data access applications by data users, without storing health data itself, and to the activities of the pseudonymisation body that pseudonymises the electronic health data prior to storage at health data access bodies. Therefore, in this case, this Regulation provides the legal basis under Article 6 and meets the requirements of Article 9 of that Regulation on the conditions under which certain electronic health data can be processed. In the case where the user has access to electronic health data (for secondary use of data for one of the purposes defined in this Regulation), the data user should demonstrate its legal basis pursuant to Articles 6(1), points (e) or (f), of Regulation (EU) 2016/679 and explain the specific legal basis on which it relies as part of the application for access to electronic health data pursuant to this Regulation: on the basis of the applicable legislation, where the legal basis under Regulation (EU) 2016/679 is Article 6(1), point (e), or on Article 6(1), point (f), of Regulation (EU) 2016/679. If the user relies upon a legal basis offered by Article 6(1), point (e), it should make reference to another EU or national law, different from this Regulation, mandating the user to process personal health data for the compliance of its tasks. If the lawful ground for processing by the user is Article 6(1), point (f), of Regulation (EU) 2016/679, in this case it is this Regulation that provides the safeguards. In this context, the data permits issued by the health data acapplication processing bodies are an administrative decision defining the conditions for the access to the data.
Amendment 322 #
Proposal for a regulation
Article 62 – paragraph 5
Article 62 – paragraph 5
(5) The digital health authorities, health data access bodiesbodies involved in accessing health data, data users shall inform the data holder about the existence of a request of a third- country administrative authority to access its data before complying with that request, except where the request serves law enforcement purposes and for as long as this is necessary to preserve the effectiveness of the law enforcement activity.
Amendment 336 #
Proposal for a regulation
Article 67 – paragraph 2
Article 67 – paragraph 2
(2) The power to adopt delegated acts referred to in Articles 5(2), 10(3), 25(3), 32(4), 33(7), 37(4), 39(3), 41(7), 45(7), 46(8), 52(7), 56(4) shall be conferred on the Commission for an indeterminate period of time from the date of entry into force of this Regulation.
Amendment 355 #
Proposal for a regulation
Recital 41
Recital 41
(41) The secondary use of health data under EHDS should enable the public, private, not for profit entities, as well as individual researchers to have access to health data for research, innovation, policy making, educational activities, patient safety, regulatory activities or personalised medicine, in line with the purposes set out in this Regulation. Access to data for secondary use should contribute to the general interest of the society. Activities for which access in the context of this Regulation is lawful may include using the electronic health data for tasks carried out by public bodies, such as exercise of public duty, including public health surveillance, planning and reporting duties, health policy making, ensuring patient safety, quality of care, and the sustainability of health care systems. Public bodies and Union institutions, bodies, offices and agencies may require to have regular access to electronic health data for an extended period of time, including in order to fulfil their mandate, which is provided by this Regulation. Public sector bodies may carry out such research activities by using third parties, including sub-contractors, as long as the public sector body remain at all time the supervisor of these activities. The provision of the data should also support activities related to scientific research (including private research), development and innovation, producing goods and services for the health or care sectors, such as innovation activities or training of AI algorithms that could protect the health or care of natural persons. In some cases, the information of some natural persons (such as genomic information of natural persons with a certain disease) could support the diagnosis or treatment of other natural persons. There is a need for public bodies to go beyond the emergency scope of Chapter V of Regulation […] [Data Act COM/2022/68 final]. However, the public sector bodies may request the support of health data access bodies for processing or linking data. This Regulation provides a channel for public sector bodies to obtain access to information that they require for fulfilling their tasks assigned to them by law, but does not extend the mandate of such public sector bodies. Any attempt to use the data for any measures detrimental to the natural person, to increase insurance premiums, to advertise products or treatments, or develop harmful products should be prohibited.
Amendment 369 #
(42) The establishment of one or moreIn order to increase the level of data protection and citizens' trust in connection with the secondary use of data, health data acprocess bodies, supporting access to electronic health data in Member States, is an essential component for promoting the secondary use of health- related dataing steps should be divided up among legally distinct entities for (i) the pseudonymisation of health data (‘pseudonymisation bodies’), (ii) the storage and processing of health data (‘health data access bodies’) and (iii) health data access applications (‘application processing bodies’). Member States should therefore establish one or more health data access bodysuch bodies in each case, for instance to reflect their constitutional, organisational and administrative structure. However, one of these health data access bodies involved should be designated as a coordinator for Union-wide cooperation in case there are more than one data access body. Where a Member State establishes several such bodies, it should lay down rules at national level to ensure the coordinated participation of those bodies in the EHDS Board. That Member State should in particular designate one health data access body to function as a single contact point for the effective participation of those bodies, and ensure swift and smooth cooperation with other health data access bodies, the EHDS Board and the Commission. Health data access bodiesbodies involved in accessing health data, the EHDS Board and the Commission. The bodies involved in accessing health data may vary in terms of organisation and size (spanning from a dedicated full-fledged organization to a unit or department in an existing organization or private bodies) but should have the same functions, responsibilities and capabilities. Health data acApplication processing bodies should not be influenced in their decisions on access to electronic data for secondary use. However, their independence should not mean that the health data acapplication processing bodyies cannot be subject to control or monitoring mechanisms regarding itstheir financial expenditure or to judicial review. Each health data acapplication processing body should be provided with the necessary financial and human resources, premises and infrastructure necessary for the effective performance of its tasks, including those related to cooperation with other health data access bodies throughout the Union. Each health data access body, or any private application processing body should be reimbursed the necessary appropriate level of expenditure, for the effective performance of its tasks, including those related to cooperation with other bodies involved in accessing health data throughout the Union. All bodies involved in the secondary use of health data should have a separate, public annual budget, which may be part of the overall state or national budget. In order to enable better access to health data and complementing Article 7(3) of Regulation […] of the European Parliament and of the Council [Data Governance Act COM/2020/767 final], Member States should entrust health data access bodies with powers to take decisions on access to and secondary use of health data. This could consist in allocating new tasks toWith regard to application processing bodies, a certification system should be set up to ensure their competent bodies designated by Member States under Article 7(1) of Regulation […] [Data Governance Act COM/2020/767 final] or in designating existing or new sectoral bodies responsible for such tasks in relation to access to health datace and uniform assessment standards for data use applications.
Amendment 374 #
(43) The health data accessSupervisory bodies should monitor the application of Chapter IV of this Regulation and contribute to its consistent application throughout the Union. For that purpose, the health data accesssupervisory bodies should cooperate with each other and with the Commission, without the need for any agreement between Member States on the provision of mutual assistance or on such cooperation. The health data accessSupervisory bodies should also cooperate with stakeholders, including patient organisations. Since the secondary use of health data involves the processing of personal data concerning health, the relevant provisions of Regulation (EU) 2016/679 apply and the supervisory authorities under Regulation (EU) 2016/679 and Regulation (EU) 2018/1725 should be tasked with enforcing these rules. Moreover, given that health data are sensitive data and in a duty of loyal cooperation, the health data accesssupervisory bodies should inform the data protection authorities of any issues related to the data processing for secondary use, including penalties. In addition to the tasks necessary to ensure effective secondary use of health data, the application processing body, in concert with the health data access body, should strive to expand the availability of additional health datasets, support the development of AI in health and promote the development of common standards. Together with the pseudonymisation body, they should apply tested techniques that ensure that electronic health data is processed in a manner that preserves the privacy of the information contained in the data for which secondary use is allowed, including techniques for pseudonymisation, anonymisation, generalisation, suppression and randomisation of personal data. Health data access bodies and pseudonymisation bodies can prepare datasets to the data user requirement linked to the issued data permit. This includes rules for anonymization of microdata sets.
Amendment 377 #
Proposal for a regulation
Recital 44
Recital 44
(44) Considering the administrative burden for health data access bodies, application processing bodies and pseudonymisation bodies to inform the natural persons whose data are used in data projects within a secure processing environment, the exceptions provided for in Article 14(5) of Regulation (EU) 2016/679 should apply. Therefore, health data access bodiesbodies involved in accessing health data should provide general information concerning the conditions for the secondary use of their health data containing the information items listed in Article 14(1) and, where necessary to ensure fair and transparent processing, Article 14(2) of Regulation (EU) 2016/679, e.g. information on the purpose and the data categories processed. Exceptions from this rule should be made when the results of the research could assist in the treatment of the natural person concerned. In this case, the data user should inform the health data acdata holder, if appropriate with the involvement of the application processing body, which, with the involvement of the pseudonymisation body, should inform the data subject or his health professional. Natural persons should be able to access the results of different research projects on the website of the health data acapplication processing body or a central website, ideally in an easily searchable manner. The list of the data permits should also be made public. In order to promote transparency in their operation, each health data acapplication processing body should publish an annual activity report providing an overview of its activities.
Amendment 382 #
Proposal for a regulation
Recital 47
Recital 47
(47) Health data access bodies, pseudonymisation bodies, application processing bodies and single data holders should be allowed to charge fees based on the provisions of Regulation […] [Data Governance Act COM/2020/767 final] in relation to their tasks. Such fees may take into account the situation and interest of SMEs, individual researchers or public bodies. Data holders should be allowed to also charge fees for making data available. Such fees should reflect the costs for providing such services. Private data holders may also charge fees for the collection of data. In order to ensure a harmonised approach concerning fee policies and structure, the Commission may adopt implementing acts. Provisions in Article 10 of the Regulation [Data Act COM/2022/68 final] should apply for fees charged under this Regulation.
Amendment 388 #
Proposal for a regulation
Recital 48
Recital 48
(48) In order to strengthen the enforcement of the rules on the secondary use of electronic health data, appropriate measures that can lead to penalties or temporary or definitive exclusions from the EHDS framework of the data users or data holders that do not comply with their obligations. The health data accessSupervisory bodyies should be empowered to verify compliance and give data users and holders the opportunity to reply to any findings and to remedy any infringement. The imposition of penalties should be subject to appropriate procedural safeguards in accordance with the general principles of law of the relevant Member State, including effective judicial protection and due process.
Amendment 396 #
Proposal for a regulation
Recital 49
Recital 49
(49) Given the sensitivity of electronic health data, it is necessary to reduce risks on the privacy of natural persons by applying the data minimisation principle as set out in Article 5 (1), point (c) of Regulation (EU) 2016/679. Therefore, the use of anonymised electronic health data which is devoid of any personal data should be made available when possible and if the data user asks it. If the data user needs to use personal electronic health data, it should clearly indicate in its request the justification for the use of this type of data for the planned data processing activity. The personal electronic health data should only be made available in pseudonymised format and the permanent encryption key can only be held by the health data accesspseudonymisation body. Data users should not attempt to re-identify natural persons from the dataset provided under this Regulation, subject to administrative or possible criminal penalties, where the national laws foresee this. However, this should not prevent, in cases where the results of a project carried out based on a data permit has a health benefit or impact to a concerned natural person (for instance, discovering treatments or risk factors to develop a certain disease), the data users would inform the health data acapplication processing bodyies, which in turn would request the pseudonymisation body to inform the concerned natural person(s). Moreover, about this. Moreover, via the application processing bodies the applicant can request the health data access bodies to provide the answer to a data request, including in statistical form. In this case, the data users would not process health data and the health data access body would remain sole controller for the data necessary to provide the answer to the data request.
Amendment 403 #
Proposal for a regulation
Recital 50
Recital 50
(50) In order to ensure that all health data acapplication processing bodies responsible for access to health data issue permits in a similar way, it is necessary to establish a standard common process for the issuance of data permits, with similar requests in different Member States. The applicant should provide thealth data ac application processing bodies with several information elements that would help the body evaluate the request and decide if the applicant may receive a data permit for secondary use of data, also ensuring coherence between different health data acapplication processing bodies. Such information include: the legal basis under Regulation (EU) 2016/679 to request access to data (exercise of a task in the public interest assigned by law or legitimate interest), purposes for which the data would be used, description of the needed data and possible data sources, a description of the tools needed to process the data, as well as characteristics of the secure environment that are needed. Where data is requested in pseudonymised format, the data applicant should explain why this is necessary and why anonymous data would not suffice. An ethical assessment may be requested based on national law. The health data acApplication processing bodies and, where relevant, data holders, should assist data users in the selection of the suitable datasets or data sources for the intended purpose of secondary use. Where the applicant needs anonymised statistical data, it should submit a data request application, requiring the health data acapplication processing body to provide directly the result with the assistance of the access body. In order to ensure a harmonised approach between health data acapplication processing bodies, the Commission should support the harmonisation of data application, as well as data request.
Amendment 407 #
Proposal for a regulation
Recital 51
Recital 51
(51) As the resources of health data acapplication processing bodies are limited, they can apply prioritisation rules, for instance prioritising public institutions before private entitiresearch projects on specific diseases, but they should not make any discrimination between the national or from organisations from other Member States within the same category of priorities. The data user should be able to extend the duration of the data permit in order, for example, to allow access to the datasets to reviewers of scientific publication or to enable additional analysis of the dataset based on the initial findings. This would require an amendment of the data permit and may be subject to an additonal fee. However, in all the cases, the data permit should reflect theses additionals uses of the dataset. Preferably, the data user should mention them in their initial request for the issuance of the data permit. In order to ensure a harmonised approach between health data access bodies, the Commission should support the harmonisation of data permit.
Amendment 419 #
Proposal for a regulation
Recital 53
Recital 53
(53) For requests to access electronic health data from a single data holder in a single Member State and in order to alieviate the administrative burden for heath data acAccess to health data should be arranged directly between the data holder and the data user. In this case, in principle, only the application processing bodies of managing such request, the data user should be able to request this data directly from the data holder and the data holder should be able to issue a data permit while complying with all the requirements and safeguards linked to such request and permit. Multi- country requests and requests requiring combination of datasets from severaly is involved in making electronic health data available and the data holder takes over the operational tasks of the pseudonymisation and access body if the data holder can make that possible. However, the pseudonymisation body may involve the data holders s. Should always be channelled through health data access bodies. The data holder should report to the health data access bodies about any data permits or secure processing environment not be available to the data user for making the data available, access should be provided via the relevant health data requaccests they providebody.
Amendment 425 #
Proposal for a regulation
Recital 55
Recital 55
(55) For the processing of electronic health data in the scope of a granted permit, the health data access bodies and the data users should be joint controllers in the sense of Article 26 of Regulation (EU) 2016/679, meaning that the obligations of joint controllers under that Regulation will apply. To support health data access bodies and data users, the Commission should, by means of an implementing act, provide a template for the joint controller arrangements health data access bodies and data users will have to enter into. In order to achieve an inclusive and sustainable framework for multi-country secondary use of electronic health data, a cross-border infrastructure should be established. HealthData@EU should accelerate the secondary use of electronic health data while increasing legal certainty, respecting the privacy of natural persons and being interoperable. Due to the sensitivity of health data, principles such as “privacy by design” and “bring questions to data instead of moving data” should be respected whenever possible. Authorised participants in HealthData@EU could be health data access bodies, research infrastructures established as an European Research Infrastructure Consortium (‘ERIC’) under Council Regulation (EC) No 723/200950 or similar structures established under another Union legislation, as well as other types of entities, including infrastructures under the European Strategy Forum on Research Infrastructures (ESFRI), infrastructures federated under the European Open Science Cloud (EOSC). Other authorised participants should obtain the approval of the joint controllership group for joining HealthData@EU. On the other hand, HealthData@EU should enable the secondary use of different categories of electronic health data, including linking of the health data with data from other data spaces such as environment, agriculture, social etc. The Commission could provide a number of services within HealthData@EU, including supporting the exchange of information amongst health data access bodies and authorised participants for the handling of cross- border access requests, maintaining catalogues of electronic health data available through the infrastructure, network discoverability and metadata queries, connectivity and compliance services.The Commission may also set up a secure environment, allowing data from different national infrastructures to be transmitted and analysed, at the request of the controllers. The Commission digital strategy promote the linking of the various common European data spaces.For the health sector, interoperability with the sectors such as the environmental, social, agricultural sectors may be relevant for additional insights on health determinants. For the sake of IT efficiency, rationalisation and interoperability of data exchanges, existing systems for data sharing should be reused as much as possible, like those being built for the exchange of evidences under the once only technical system of Regulation (EU) 2018/1724 of the European Parliament and of the Council51. _________________ 50 Council Regulation (EC) No 723/2009 of 25 June 2009 on the Community legal framework for a European Research Infrastructure Consortium (ERIC) (OJ L 206, 8.8.2009, p. 1). 51 Regulation (EU) 2018/1724 of the European Parliament and of the Council of 2 October 2018 establishing a single digital gateway to provide access to information, to procedures and to assistance and problem-solving services and amending Regulation (EU) No 1024/2012 (OJ L 295, 21.11.2018, p. 1).
Amendment 430 #
Proposal for a regulation
Recital 56
Recital 56
(56) In case of cross-border registries or databases, such as the registries of European Reference Networks for Rare Diseases, which receive data from different healthcare providers in several Member States, the health data acan application processing body wherefrom the Member State in which the coordinator of the registry is located should be responsible for providing access to data.
Amendment 432 #
Proposal for a regulation
Recital 57
Recital 57
(57) The authorisation process to gain access to personal health data in different Member States can be repetitive and cumbersome for data users. Whenever possible, synergies should be established to reduce the burden and barriers for data users. One way to achieve this aim is to adhere to the “single application” principle whereby, with one application, the data user obtain authorisation from multiple health data acapplication processing bodies in different Member States.
Amendment 433 #
Proposal for a regulation
Recital 58
Recital 58
(58) The health data acApplication processing bodies should provide information about the available datasets and their characteristics so that data users can be informed of elementary facts about the dataset and assess their possible relevance to them. For this reason, each dataset should include, at least, information concerning the source, nature of data and conditions for making data available. Therefore, an EU datasets catalogue should be established to facilitate the discoverability of datasets available in the EHDS; to help data holders to publish their datasets; to provide all stakeholders, including the general public, also taking into account people with disabilities, with information about datasets placed on the EHDS (such as quality and utility labels, dataset information sheets); to provide the data users with up-to-date data quality and utility information about datasets.
Amendment 443 #
Proposal for a regulation
Recital 64
Recital 64
(64) Certain categories of electronic health data can remain particularly sensitive even when they are in anonymised format and thus non-personal, as already specifically foreseen in the Data Governance Act. Even in situations of the use of state of the art anonymization techniques, there remains a residual risk that the capacity to re-identify could be or become available, beyond the means reasonably likely to be used. Such residual risk is present in relation to rare diseases (a life-threatening or chronically debilitating condition affecting not more than five in 10 thousand persons in the Union), where the limited numbers of case reduce the possibility to fully aggregate the published data in order to preserve the privacy of natural persons while also maintaining an appropriate level of granularity in order to remain meaningful. It can affect different types of health data depending on the level of granularity and description of the characteristics of data subjects, the number of people affected or and for instance in cases of data included in electronic health records, disease registries, biobanks, person generated data etc. where the identification characteristics are broader and where, in combination with other information (e.g. in very small geographical areas) or through the technological evolution of methods which had not been available at the moment of anonymisation, can lead to the re- identification of the data subjects using means that are beyond those reasonably likely to be used. The realisation of such risk of re-identification of natural persons would present a major concern and is likely to put the acceptance of the policy and rules on secondary use provided for in this Regulation at risk. Furthermore, aggregation techniques are less tested for non-personal data containing for example trade secrets, as in the reporting on clinical trials, and enforcement of breaches of trade secrets outside the Union is more difficult in the absence of a sufficient international protection standard. Therefore, for these types of health data, there remains a risk for re- identification after the anonymisation or aggregation, which could not be reasonably mitigated initially. This falls within the criteria indicated in Article 5(13) of Regulation […] [Data Governance Act COM/2020/767 final]. These types of health data would thus fall within the empowerment set out in Article 5(13) of Regulation […] [Data Governance Act COM/2020/767 final] for transfer to third countries. The protective measures, proportional to the risk of re- identification, would need to take into account the specificities of different data categories or of different anonymization or aggregation techniques and will be detailed in the context of the Delegated Act under the empowerment set out in Article 5(13) of Regulation […] [Data Governance Act COM/2020/767 final]Therefore, appropriate anonymisation under this Regulation is only possible if it cannot be reversed in the future. In particular, in order to protect data subjects, no individual datasets may be issued in connection with secondary use under this Regulation.
Amendment 576 #
Proposal for a regulation
Article 2 – paragraph 2 – point y
Article 2 – paragraph 2 – point y
(y) ‘data holder’ means any natural or legal person, which is an entity or a body in the health or care sector, or performing research in relation to these sectors, as well as Union institutions, bodies, offices and agencies who has the right or obligation, in accordance with this Regulation, applicable Union law or national legislation implementing Union law, or in the case of non-personal data, through control of the technical design of a product and related services, the ability to make available, including to register, provide, restrict access or exchange certain data;
Amendment 591 #
Proposal for a regulation
Article 2 – paragraph 2 – point aa
Article 2 – paragraph 2 – point aa
(aa) ‘data permit’ means an administrative decision issued to a data user by a health data acn application processing body or data holder to process the electronic health data specified in the data permit for the secondary use purposes specified in the data permit based on conditions laid down in this Regulation;
Amendment 597 #
(aea) ‘anonymised data’ or ‘data in anonymised format’ means personal data that have been anonymised in such a way as to prevent the data subject from being re-identified, including by drawing on state-of-the-art and future technologies and methods or other data.
Amendment 605 #
Proposal for a regulation
Article 2 – paragraph 2 – point ae b (new)
Article 2 – paragraph 2 – point ae b (new)
(aeb) ‘application processing body’ means a body set up in accordance with Article 36(1), fourth sentence, point (a), whose tasks include, in particular, checking data applications and issuing data permits.
Amendment 611 #
Proposal for a regulation
Article 2 – paragraph 2 – point ae c (new)
Article 2 – paragraph 2 – point ae c (new)
(aec) ‘pseudonymisation body’ means a body established in accordance with Article 36(1), fourth sentence, point (b), whose tasks include, in particular, the pseudonymisation of electronic health data.
Amendment 614 #
Proposal for a regulation
Article 2 – paragraph 2 – point ae d (new)
Article 2 – paragraph 2 – point ae d (new)
(aed) ‘health data access body’ means a body established in accordance with Article 36(1), fourth sentence, point (c), whose tasks include, in particular, the provision of a secure data processing environment.
Amendment 616 #
Proposal for a regulation
Article 2 – paragraph 2 – point ae e (new)
Article 2 – paragraph 2 – point ae e (new)
(aee) ‘bodies involved in accessing health data’ means bodies within the meaning of points (ag), (ah) and (ai) in so far as, in a specific case, they are involved in enabling secondary use.
Amendment 1155 #
Proposal for a regulation
Article 33 – paragraph 1 – point d
Article 33 – paragraph 1 – point d
(d) health-related administrative data for population-wide predominantly publicly funded treatments, including claims and reimbursement data;
Amendment 1160 #
Proposal for a regulation
Article 33 – paragraph 1 – point e
Article 33 – paragraph 1 – point e
Amendment 1182 #
Proposal for a regulation
Article 33 – paragraph 1 – point h
Article 33 – paragraph 1 – point h
(h) population wide electronic health data registries (public health registries);
Amendment 1189 #
Proposal for a regulation
Article 33 – paragraph 1 – point j
Article 33 – paragraph 1 – point j
(j) electronic health data from clinical trials in so far as they have been completed;
Amendment 1210 #
1a. Data in categories (b) and (l) shall only be made available if the data have been collected systematically and comprehensively from data subjects. The fact that a public body, a body governed by public law or a public undertaking within the meaning of Regulation (EU) 2022/868 [Data Governance Act] is involved in the collection of data shall not constitute predominantly public funding of data collection. Data holders shall not be obliged to make unlisted categories of data available for secondary use in accordance with the provisions of this Chapter.
Amendment 1221 #
Proposal for a regulation
Article 33 – paragraph 2
Article 33 – paragraph 2
2. The requirement in the first sentence of the first subparagraph shall not apply to data holders that qualify as micro enterprises as defined in Article 2 of the Annex to Commission Recommendation 2003/361/EC59. _________________ 59 Commission Recommendation of 6 May 2003 concerning the definition of micro, small and medium-sized enterprises (OJ L 124, 20.5.2003, p. 36).
Amendment 1225 #
Proposal for a regulation
Article 33 – paragraph 3
Article 33 – paragraph 3
3. The electronic health data referred to in paragraph 1 shall cover data processed for the provision of health or care or for public health, research, innovation, policy making, official statistics, patient safety or regulatory purposes, collected by entities and bodies in the health or care sectors, including public and private providers of health or care, entities or bodies performing research in relation to these sectors, and Union institutions, bodies, offices and agencies.
Amendment 1240 #
Proposal for a regulation
Article 33 – paragraph 4
Article 33 – paragraph 4
4. Electronic health data entailing protected intellectual property and trade secrets from private enterprises shall be made available for secondary use. Where such data is made available for secondary use, if and to the extent that all measures necessary to preserve the confidentiality of IP rights and trade secrets shallcan be taken., for example by taking the following measures:
Amendment 1243 #
Proposal for a regulation
Article 33 – paragraph 4 a (new)
Article 33 – paragraph 4 a (new)
4a. Extending the period for making data available to 24 months in order to allow for registration of property rights; or
Amendment 1245 #
Proposal for a regulation
Article 33 – paragraph 4 b (new)
Article 33 – paragraph 4 b (new)
4b. Processing data to ensure that trade secrets are redacted.
Amendment 1248 #
Proposal for a regulation
Article 33 – paragraph 5
Article 33 – paragraph 5
Amendment 1269 #
Proposal for a regulation
Article 33 – paragraph 6
Article 33 – paragraph 6
6. Where a public sector body obtains data in emergency situations as defined in Article 15, point (a) or (b) of the Regulation […] [Data Act COM/2022/68 final], in accordance with the rules laid down in that Regulation, it may be supported by a health data access body or a pseudonymisation body to provide technical support to process the data or combing it with other data for joint analysis.
Amendment 1278 #
Proposal for a regulation
Article 33 – paragraph 8
Article 33 – paragraph 8
Amendment 1285 #
Proposal for a regulation
Article 33 – paragraph 8 a (new)
Article 33 – paragraph 8 a (new)
8a. Electronic health data from biobanks and dedicated databases, as well as human genetic, genomic and proteomic data, may be shared by the data holder on a voluntary basis in accordance with the rules of this Regulation.
Amendment 1292 #
Proposal for a regulation
Article 34 – paragraph 1 – introductory part
Article 34 – paragraph 1 – introductory part
1. Health data acApplication processing bodies shall only providauthorise access to electronic health data referred to in Article 33 where the intended purpose of processing pursued by the applicant complies with:
Amendment 1329 #
Proposal for a regulation
Article 34 – paragraph 1 – point f
Article 34 – paragraph 1 – point f
(f) development and innovation activities for products or services contributing to public health or social security, or ensuring high levels of quality and safety of health care, of medicinal products or of medical devices;
Amendment 1342 #
Proposal for a regulation
Article 34 – paragraph 1 – point g
Article 34 – paragraph 1 – point g
(g) training, testing and evaluating of algorithms, including in medical devices, AI systems and digital health applications, contributing to the public health or social security, or ensuring high levels of quality and safety of health care, of medicinal products or of medical devices;
Amendment 1405 #
Proposal for a regulation
Article 35 – paragraph 1 – point e a (new)
Article 35 – paragraph 1 – point e a (new)
(ea) reconstructing the identity of natural persons from datasets shared under this Regulation;
Amendment 1411 #
Proposal for a regulation
Article 35 – paragraph 1 – point e b (new)
Article 35 – paragraph 1 – point e b (new)
(eb) profiling of natural persons solely from the datasets shared under this Regulation or in combination with other data;
Amendment 1414 #
Proposal for a regulation
Article 35 – paragraph 1 – point e c (new)
Article 35 – paragraph 1 – point e c (new)
(ec) the targeted use of data shared under this Regulation to obtain intellectual property or trade secrets of competitors or information that allows conclusions to be drawn about the business performance of a specific market operator;
Amendment 1416 #
Proposal for a regulation
Article 35 – paragraph 1 – point e d (new)
Article 35 – paragraph 1 – point e d (new)
(ed) the sale of electronic health data made available under this Regulation.
Amendment 1422 #
Proposal for a regulation
Article 36 – title
Article 36 – title
Amendment 1423 #
1. Member States shall each designate one or more health data access bodiesbodies involved in accessing health data that are responsible for granting access to electronic health data for secondary use. Member States may either establish one or more new public sector bodies or rely on existing public sector bodies or on internal services of public sector bodies or private legal persons that fulfil the conditions set out in this Article. Where a Member State designates several health data access bodiesbodies involved in accessing health data, it shall designate one health data access body to act as coordinator, with responsibility for coordinating requests with the other health data access bodies.bodies involved in accessing health data. The following legally and organisationally independent bodies may be involved in accessing electronic health data:
Amendment 1428 #
Proposal for a regulation
Article 36 – paragraph 1 a (new)
Article 36 – paragraph 1 a (new)
Amendment 1429 #
Proposal for a regulation
Article 36 – paragraph 1 b (new)
Article 36 – paragraph 1 b (new)
1b. Pseudonymisation bodies, which shall be administered by national public bodies; the European Union shall also create an independent European pseudonymisation body.
Amendment 1430 #
Proposal for a regulation
Article 36 – paragraph 1 c (new)
Article 36 – paragraph 1 c (new)
1c. Access bodies, which shall be administered by national public bodies.
Amendment 1431 #
Proposal for a regulation
Article 36 – paragraph 2
Article 36 – paragraph 2
Amendment 1451 #
Proposal for a regulation
Article 36 – paragraph 3
Article 36 – paragraph 3
3. In the performance of their tasks, health data access bodiesthe bodies involved in accessing health data shall actively cooperate with stakeholders’ representatives, especially with representatives of patients, data holders and data users. Staff of health data access bodies shall avoid any conflicts of interest. Health data access bodiesbodies involved in accessing health data shall avoid any conflicts of interest. Bodies involved in accessing health data shall not be bound by any instructions, when making their decisions.
Amendment 1453 #
Proposal for a regulation
Article 36 – paragraph 4
Article 36 – paragraph 4
4. Member States shall communicate to the Commission the identity of the health data access bodies designated pursuant to paragraph 1 by the date of application of this Regulation. They shall also communicate to the Commission any subsequent modification of the identity of those bodies. The Commission and the Member States shall make this information publicly available.
Amendment 1455 #
Proposal for a regulation
Article 37 – title
Article 37 – title
Tasks of health data access bodiesbodies involved in accessing health data
Amendment 1457 #
Proposal for a regulation
Article 37 – paragraph 1 – introductory part
Article 37 – paragraph 1 – introductory part
1. Health data access bodiesBodies involved in accessing health data shall carry out the following tasks:
Amendment 1459 #
Proposal for a regulation
Article 37 – paragraph 1 – point a
Article 37 – paragraph 1 – point a
(a) application processing bodies shall decide on data access applications pursuant to Article 45, authorise and issue data permits pursuant to Article 46 to access electronic health data falling within their national remit for secondary use and decide on data requests in accordance with Chapter II of Regulation […] [Data Governance Act COM/2020/767 final] and this Chapter;
Amendment 1463 #
Proposal for a regulation
Article 37 – paragraph 1 – point b
Article 37 – paragraph 1 – point b
(b) access bodies shall support public sector bodies in carrying out the tasks enshrined in their mandate, based on national or Union law;
Amendment 1465 #
Proposal for a regulation
Article 37 – paragraph 1 – point c
Article 37 – paragraph 1 – point c
(c) access bodies shall support Union institutions, bodies, offices and agencies in carrying out tasks enshrined in the mandate of Union institutions, bodies, offices and agencies, based on national or Union law;
Amendment 1469 #
Proposal for a regulation
Article 37 – paragraph 1 – point d
Article 37 – paragraph 1 – point d
(d) access bodies shall process electronic health data for the purposes set out in Article 34, including the collection, combination, preparation and disclosure of those data for secondary use on the basis of a data permit;
Amendment 1472 #
Proposal for a regulation
Article 37 – paragraph 1 – point e
Article 37 – paragraph 1 – point e
(e) access bodies shall process electronic health data from other relevant data holders based on a data permit or a data request for a purposes laid down in Article 34;
Amendment 1475 #
Proposal for a regulation
Article 37 – paragraph 1 – point f
Article 37 – paragraph 1 – point f
(f) bodies involved in accessing health data shall take all measures necessary to preserve the confidentiality of IP rights and of trade secrets;
Amendment 1479 #
Proposal for a regulation
Article 37 – paragraph 1 – point g
Article 37 – paragraph 1 – point g
(g) gather and compile or provide access towhere electronic health data are not accessed directly between data holder and data user, or where the data of a number of holders need to be merged, the access bodies concerned, with the assistance of pseudonymisation bodies, shall gather and compile the necessary electronic health data from the various data holders whose electronic health data fall within the scope of this Regulation and put those data at the disposal of data users in a secure processing environment in accordance with the requirements laid down in Article 50;
Amendment 1488 #
Proposal for a regulation
Article 37 – paragraph 1 – point i
Article 37 – paragraph 1 – point i
(i) access bodies shall support the development of AI systems, the training, testing and validating of AI systems and the development of harmonised standards and guidelines under Regulation […] [AI Act COM/2021/206 final] for the training, testing and validation of AI systems in health;
Amendment 1493 #
Proposal for a regulation
Article 37 – paragraph 1 – point j
Article 37 – paragraph 1 – point j
(j) application processing bodies shall cooperate with and supervise data holders to ensure the consistent and accurate implementation of the data quality and utility label set out in Article 56;
Amendment 1495 #
Proposal for a regulation
Article 37 – paragraph 1 – point k
Article 37 – paragraph 1 – point k
(k) application processing bodies shall maintain a management system to record and process data access applications, data requests and the data permits issued and data requests answered, providing at least information on the name of the data applicant, the purpose of access the date of issuance, duration of the data permit and a description of the data application or the data request;
Amendment 1496 #
Proposal for a regulation
Article 37 – paragraph 1 – point l
Article 37 – paragraph 1 – point l
(l) application processing and access bodies shall jointly maintain a public information system to comply with the obligations laid down in Article 38;
Amendment 1499 #
Proposal for a regulation
Article 37 – paragraph 1 – point m
Article 37 – paragraph 1 – point m
(m) access bodies shall cooperate at Union and national level to lay down appropriate measures and requirements for accessing electronic health data in a secure processing environment;
Amendment 1503 #
Proposal for a regulation
Article 37 – paragraph 1 – point n
Article 37 – paragraph 1 – point n
(n) access bodies shall cooperate at Union and national level and provide advice to the Commission on techniques and best practices for electronic health data use and management;
Amendment 1505 #
Proposal for a regulation
Article 37 – paragraph 1 – point o
Article 37 – paragraph 1 – point o
(o) access bodies shall facilitate cross- border access to electronic health data for secondary use hosted in other Member States through HealthData@EU and cooperate closely with each other and with the Commission.;
Amendment 1507 #
Proposal for a regulation
Article 37 – paragraph 1 – point q – introductory part
Article 37 – paragraph 1 – point q – introductory part
(q) application processing bodies shall make public, through electronic means:
Amendment 1512 #
Proposal for a regulation
Article 37 – paragraph 1 – point q – point iii
Article 37 – paragraph 1 – point q – point iii
Amendment 1515 #
Proposal for a regulation
Article 37 – paragraph 1 – point q a (new)
Article 37 – paragraph 1 – point q a (new)
(qa) access bodies shall make public through electronic means the sanctions imposed under Article 43;
Amendment 1516 #
Proposal for a regulation
Article 37 – paragraph 1 – point r
Article 37 – paragraph 1 – point r
(r) bodies involved in accessing health data shall fulfil obligations towards natural persons pursuant to Article 38;
Amendment 1518 #
Proposal for a regulation
Article 37 – paragraph 1 – point s
Article 37 – paragraph 1 – point s
(s) access bodies shall, if they have reasonable grounds to suspect an infringement, request from data users and data holders all the relevant information to verify the implementation of this Chapter;
Amendment 1519 #
Proposal for a regulation
Article 37 – paragraph 1 – point t
Article 37 – paragraph 1 – point t
(t) bodies involved in accessing health data shall fulfil any other tasks related to making available the secondary use of electronic health data in the context of this Regulation to the extent that these tasks fall within their remit.
Amendment 1522 #
Proposal for a regulation
Article 37 – paragraph 2 – introductory part
Article 37 – paragraph 2 – introductory part
2. In the exercise of their tasks, health data access bodies shallbodies involved in accessing health data shall proceed as follows:
Amendment 1525 #
Proposal for a regulation
Article 37 – paragraph 2 – point b
Article 37 – paragraph 2 – point b
(b) access bodies shall inform the relevant supervisory authorities under Regulation (EU) 2016/679 and Regulation (EU) 2018/1725 where a health data access body has imposed penalties or other measures pursuant to Article 43 in relation to processing personal electronic health data and where such processing refers to an attempt to re-identify an individual or unlawful processing of personal electronic health data;
Amendment 1527 #
Proposal for a regulation
Article 37 – paragraph 2 – point c
Article 37 – paragraph 2 – point c
(c) bodies involved in accessing health data shall cooperate with stakeholders, including patient organisations, representatives from natural persons, health professionals, researchers, and ethical committees, where applicable in accordance with Union and national law;
Amendment 1530 #
Proposal for a regulation
Article 37 – paragraph 2 – point d
Article 37 – paragraph 2 – point d
(d) bodies involved in accessing health data shall cooperate with other national competent bodies, including the national competent bodies supervising data altruism organisations under Regulation […] [Data Governance Act COM/2020/767 final], the competent authorities under Regulation […] [Data Act COM/2022/68 final] and the national competent authorities for Regulations (EU) 2017/745 and Regulation […] [AI Act COM/2021/206 final] .
Amendment 1535 #
Proposal for a regulation
Article 37 – paragraph 4
Article 37 – paragraph 4
4. The Commission is empowered to adopt delegated acts in accordance with Article 67 to amend the list of tasks in paragraph 1 of this Article, to reflect the evolution of activities performed by health data access bodies in the field of health covered by this Regulation.
Amendment 1539 #
Proposal for a regulation
Article 38 – title
Article 38 – title
Obligations of health data access bodiesbodies involved in accessing health data towards natural persons
Amendment 1541 #
Proposal for a regulation
Article 38 – paragraph 1 – introductory part
Article 38 – paragraph 1 – introductory part
1. Health data acApplication processing bodies shall make publicly available and easily searchable the conditions under which electronic health data is made available for secondary use, with information concerning:
Amendment 1561 #
Proposal for a regulation
Article 38 – paragraph 2
Article 38 – paragraph 2
2. Health data access bodiesBodies involved in accessing health data shall not be obliged to provide the specific information under Article 14 of Regulation (EU) 2016/679 to each natural person concerning the use of their data for projects subject to a data permit and. Application processing bodies shall provide general public information on all the data permits issued pursuant to Article 46.
Amendment 1570 #
Proposal for a regulation
Article 38 – paragraph 3
Article 38 – paragraph 3
3. Where a health data acn application processing body is informed by a data user of a finding that may impact on the health of a natural person, the health data access body mayit may, together with the pseudonymisation body and the data holder, inform the natural person and his or her treating health professional about that finding.
Amendment 1578 #
Proposal for a regulation
Article 38 – paragraph 4
Article 38 – paragraph 4
4. Member States shall regularly inform the public at large about the role and benefits of health data access bodiesbodies involved in accessing health data.
Amendment 1588 #
Proposal for a regulation
Article 39 – title
Article 39 – title
Reporting by health data access bodiesbodies involved in accessing health data
Amendment 1589 #
Proposal for a regulation
Article 39 – paragraph 1 – introductory part
Article 39 – paragraph 1 – introductory part
1. Each health data access bodybody involved in accessing health data shall publish an annual activity report which shall contain at least the following in relation to its respective tasks:
Amendment 1592 #
Proposal for a regulation
Article 39 – paragraph 1 – point b
Article 39 – paragraph 1 – point b
Amendment 1601 #
Proposal for a regulation
Article 39 – paragraph 2
Article 39 – paragraph 2
2. The reports shall be transmitted to the Commission.
Amendment 1605 #
Proposal for a regulation
Article 39 – paragraph 3
Article 39 – paragraph 3
3. The Commission is empowered to adopt delegated acts in accordance with Article 67 to modify the content of the annual activity reports.
Amendment 1606 #
Proposal for a regulation
Article 40 – paragraph 1
Article 40 – paragraph 1
1. When processing personal electronic health data, data altruism organisations shall comply with the rules set out in Chapter IV of Regulation […] [Data Governance Act COM/2020/767 final]. Where data altruism organisations process personal electronic health data using a secure processing envirThis Regulation shall be without prejudice to the processing of datasets based on conmsent, such environments shall also comply with the requirements set out in Article 50 of this Regulationincluding in particular altruistic consent pursuant to [Data Governance Act COM/2020/767 final].
Amendment 1614 #
Proposal for a regulation
Article 41 – paragraph 1
Article 41 – paragraph 1
1. Where a data holder is obliged to make electronic health data available under Article 33 or under other Union law or national legislation implementing Union law, it shall cooperate in good faith with the health data access bodies or data users, where relevant.
Amendment 1618 #
Proposal for a regulation
Article 41 – paragraph 2
Article 41 – paragraph 2
2. The data holder shall communicate to the health data acapplication processing body a general description of the dataset it holds in accordance with Article 55.
Amendment 1621 #
Proposal for a regulation
Article 41 – paragraph 3
Article 41 – paragraph 3
3. Where a data quality and utility label accompanies the dataset pursuant to Article 56, the data holder shall provide sufficient documentation to the health data acapplication processing body for that body to confirm the accuracy of the label.
Amendment 1625 #
Proposal for a regulation
Article 41 – paragraph 4
Article 41 – paragraph 4
4. The data holder shall put the electronic health data at the disposal of the health data access body within 2 months from receivWhere the data holder has a processing environment that meets the conditions of the secure processing environment in accordance with Article 50, the data holder shall make the electronic health data available to the data user through that processing environment, using the pseudonymisation body as an intermediary; where the data holder does not have such a processing environment, the data holder shall put the electronic health data at the disposal of the health data access body, using the pseudonymisation body as an intermediary. The electronic health data shall be made available by the data holder withing the request from the health data acwo months of receipt of the application from the application processing body. In exceptional cases, thate two-month period may be extended by the health data access body for an additional period of 2 monthsa further two months by the application processing body.
Amendment 1628 #
Proposal for a regulation
Article 41 – paragraph 7
Article 41 – paragraph 7
Amendment 1635 #
Proposal for a regulation
Article 42 – paragraph 1
Article 42 – paragraph 1
1. HApplication processing bodies, health data access bodies and single data holders may charge fees for making electronic health data available for secondary use. Any fees shall include and be derived from the costs related to conducting the procedure for requests, including for assessing a data application or a data request, granting, refusing or amending a data permit pursuant to Articles 45 and 46 or providing an answer to a data request pursuant to Article 47, in accordance with Article 6 of Regulation […] [Data Governance Act COM/2020/767 final]
Amendment 1653 #
Proposal for a regulation
Article 42 – paragraph 5
Article 42 – paragraph 5
5. Where data holders and data users do not agree on the level of the fees within 1 month of the data permit being granted, the health data acapplication processing body may set the fees in proportion to the cost of making available electronic health data for secondary use. Where the data holder or the data user disagree with the fee set out by the health data acapplication processing body, they shall have access to dispute settlement bodies set out in accordance with Article 10 of the Regulation […] [Data Act COM/2022/68 final].
Amendment 1661 #
Proposal for a regulation
Article 43 – paragraph 2
Article 43 – paragraph 2
2. When requesting from data users and data holders as well as other bodies involved in accessing health data the information that is necessary to verify compliance with this Chapter, the health data access bodies shall be proportionate to the performance of the compliance verification task.
Amendment 1668 #
Proposal for a regulation
Article 43 – paragraph 4
Article 43 – paragraph 4
4. Health data access bodies shall have the power to revokdeclare the data permit issued pursuant to Article 46 invalid and stop the affected electronic health data processing operation carried out by the data user in order to ensure the cessation of the non- compliance referred to in paragraph 3, immediately or within a reasonable time limit, and shall take appropriate and proportionate measures aimed at ensuring compliant processing by the data users. In this regard, the health data access bodies shall be able, where appropriate, to revokdeclare the data permit invalid and to exclude the data user from any access to electronic health data for a period of up to 5 years.
Amendment 1694 #
Proposal for a regulation
Article 44 – paragraph 1
Article 44 – paragraph 1
1. The health data access body or the data holder shall ensure that access is only provided to requested electronic health data relevant for the purpose of processing indicated in the data access application by the data user and in line with the data permit granted.
Amendment 1700 #
Proposal for a regulation
Article 44 – paragraph 2
Article 44 – paragraph 2
2. The health data access bodies or data holders shall provide the electronic health data in an anonymised format, where appropriate using the pseudonymisation body as an intermediary, where the purpose of processing by the data user can be achieved with such data, taking into account the information provided by the data user.
Amendment 1712 #
Proposal for a regulation
Article 44 – paragraph 3
Article 44 – paragraph 3
3. Where the purpose of the data user’s processing cannot be achieved with anonymised data, taking into account the information provided by the data user, the health data access bodies or the data holder shall provide access to electronic health data in pseudonymised format. The information necessary to reverse the pseudonymisation shall be available only to the healpseudonymisation body or the data access bodyholder. Data users shall not re- identify the electronic health data provided to them in pseudonymised format. The data user’s failure to respect the healpseudonymisation body’s or the data access bodyholder’s measures ensuring pseudonymisation shall be subject to appropriate penalties.
Amendment 1764 #
Proposal for a regulation
Article 45 – paragraph 3
Article 45 – paragraph 3
3. Data users seeking access to electronic health data from more than one Member State shall submit a single application to one of the concerned health data acapplication processing bodies of their choice which shall be responsible for sharing the request with other health data acapplication processing bodies and authorised participants in HealthData@EU referred to in Article 52, which have been identified in the data access application. For requests to access electronic health data from more than one Member States, the health data acapplication processing body shall notify the other relevant health data acapplication processing bodies of the receipt of an application relevant to them within 15 days from the date of receipt of the data access application.
Amendment 1772 #
Proposal for a regulation
Article 45 – paragraph 4 – point a
Article 45 – paragraph 4 – point a
(a) a description of how the processing would comply withthe legal basis on which the processing is to be carried out within the meaning of Article 6(1) of Regulation (EU) 2016/679;
Amendment 1781 #
Proposal for a regulation
Article 45 – paragraph 5 – subparagraph 2
Article 45 – paragraph 5 – subparagraph 2
Where the public sector bodies and the Union institutions, bodies, offices and agencies intend to access the electronic health data in pseudonymised format, a description of how the processing would comply with Article 6(1) of Regulation (EU) 2016/679the legal basis on which the processing is to be carried out within the meaning orf Article 56(1) of Regulation (EU) 2018/1725, as applicable,6/679 shall also be provided.
Amendment 1795 #
Proposal for a regulation
Article 46 – paragraph 1
Article 46 – paragraph 1
1. Health data acApplication processing bodies shall assess if the application fulfils one of the purposes listed in Article 34(1) of this Regulation, if the requested data is necessary for the purpose listed in the application and if the requirements in this Chapter are fulfilled by the applicant. If that is the case, the health data acapplication processing body shall issue a data permit.
Amendment 1810 #
Proposal for a regulation
Article 46 – paragraph 2
Article 46 – paragraph 2
2. Health data acApplication processing bodies shall refuse all applications including one or more purposes listed in Article 35 or where requirements in this Chapter are not met.
Amendment 1820 #
Proposal for a regulation
Article 46 – paragraph 3
Article 46 – paragraph 3
3. A health data acn application processing body shall issue or refuse a data permit within 2 months of receiving the data access application. By way of derogation from that Regulation […] [Data Governance Act COM/2020/767 final], the health data access body may extend the period for responding to a data access application by 2 additional months where necessary, taking into account the complexity of the request. In such cases, the health data acapplication processing body shall notify the applicant as soon as possible that more time is needed for examining the application, together with the reasons for the delay. Where a health data acn application processing body fails to provide a decision within the time limit, the data permit shall be issued.
Amendment 1823 #
Proposal for a regulation
Article 46 – paragraph 4
Article 46 – paragraph 4
4. Following the issuance of the data permit, the health data acapplication processing body shall immediately request the electronic health data from the data holdercall on the data holder to transmit the electronic health data to the health data access body, or to make it available to the data user, via the pseudonymisation body without delay. The health data access body or the data holder shall make available the electronic health data to the data user within 2 months after receiving them from the data holders, unless the health data access body specifies that it will provide the data within a longer specified timeframe.
Amendment 1828 #
Proposal for a regulation
Article 46 – paragraph 5
Article 46 – paragraph 5
5. When the health data acapplication processing body refuses to issue a data permit, it shall provide a justification for the refusal to the applicant.
Amendment 1853 #
Proposal for a regulation
Article 46 – paragraph 11
Article 46 – paragraph 11
11. Data users shall make public the results or output of the secondary use of electronic health data, including information relevant for the provision of healthcare, no later than 18 months after the completion of the electronic health data processing or after having received the answer to the data request referred to in Article 47. Those results or output shall only contain anonymised data. The data user shall inform the health data acapplication processing bodies from which a data permit was obtained and support them to make the information public on thealth data ac application processing bodies’ websites or on a central website. Whenever the data users have used electronic health data in accordance with this Chapter, they shall acknowledge the electronic health data sources and the fact that electronic health data has been obtained in the context of the EHDS.
Amendment 1856 #
Proposal for a regulation
Article 46 – paragraph 12
Article 46 – paragraph 12
12. Data users shall inform the health data acapplication processing body of any clinically significant findings that may influence the health status of the natural persons whose data are included in the dataset.
Amendment 1857 #
Proposal for a regulation
Article 46 – paragraph 14
Article 46 – paragraph 14
14. The liability of health data access bodies as joint controlleror of the data holder as joint controller, depending on who makes the data available to the data user, is limited to the scope of the issued data permit until the completion of the processing activity.
Amendment 1865 #
Proposal for a regulation
Article 47 – paragraph 1
Article 47 – paragraph 1
(1) Any natural or legal person may submit a data request for the purposes referred to in Article 34. A health data access body shall only provide an answer to a data request which is transmitted to it by the application processing body in an anonymised statistical format and the data user shall have no access to the electronic health data used to provide this answer.
Amendment 1874 #
Proposal for a regulation
Article 48
Article 48
Amendment 1887 #
Proposal for a regulation
Article 49
Article 49
Access to electronic health data from a (1) access to electronic health data only from a single data holder in a single Member State, by way of derogation from Article 45(1), that applicant may file a data access application or a data request directly to the data holder. The data access application shall comply with the requirements set out in Article 45 and the data request shall comply with requirements in Article 47. Multi-country requests and requests requiring a combination of datasets from severalrticle 49 deleted single data holder Where an applicant requests In such case, the data holders shall be addressed to health data access bodies. (2) issue a data permit in accordance with Article 46 or provide an answer to a data request in accordance with Article 47. The data holder shall then provide access to the electronic health data in a secure processing environment in compliance with Article 50 and may charge fees in accordance with Article 42. (3) 51, the single data provider and the data user shall be deemed joint controllers. (4) shall inform the relevant health data access body by electronic means of all data access applications filed and all the data permits issued and the data requests fulfilled under this Article in order to enable the health data access body to fulfil its obligations under Article 37(1) and Article 39. may By way of derogation from Article Within 3 months the data holder
Amendment 1907 #
Proposal for a regulation
Article 50 – paragraph 2
Article 50 – paragraph 2
(2) The health data access bodies shall ensure that electronic health data can be uploaded by data holders and can be accessed by the data user in a secure processing environment. The data users shall only be able to download non- personal electronic health data from the secure processing environment. Initially personal data may only be downloaded by data users if anonymised in accordance with this Regulation; this is usually the case only for aggregated data from at least 100 individual datasets.
Amendment 1920 #
Proposal for a regulation
Article 51 – paragraph 1
Article 51 – paragraph 1
(1) The health data access bodies and the data users, including Union institutions, bodies, offices and agencies, shall be deemed joint controllers of electronic health data processed in accordance with data permit. In the event that the data holder provides access to the electronic health data to the data user without going through the health data access bodies, the data holder and data user shall be joint controllers of the electronic health data processed in accordance with the data permit.
Amendment 1928 #
(3) Union institutions, bodies, offices and agencies in the health sector involved in research, health policy or analysis, shall be authorised participants of HealthData@EU.
Amendment 1930 #
Proposal for a regulation
Article 52 – paragraph 4
Article 52 – paragraph 4
(4) Health-related research infrastructures or similar structures whose functioning is based on Union law and which support the use of electronic health data in the health sector for research, policy making, statistical, patient safety or regulatory purposes shall be authorised participants of HealthData@EU.
Amendment 1937 #
Proposal for a regulation
Article 52 – paragraph 7
Article 52 – paragraph 7
(7) The Commission is empowered to adopt delegated acts in accordance with Article 67 in order to amend this Article to add or remove categories of authorised health sector participants in HealthData@EU, taking into account the opinion of the joint controllership group pursuant to Article 66 of this Regulation.
Amendment 1940 #
Proposal for a regulation
Article 52 – paragraph 8
Article 52 – paragraph 8
(8) The Member States and the Commission shall set up HealthData@EU to support and facilitate the cross-border access to electronic health data for secondary use in the health sector, connecting the national contact points for secondary use of electronic health data of all Member States and authorised participants in that infrastructure.
Amendment 1968 #
Proposal for a regulation
Article 53 – paragraph 1
Article 53 – paragraph 1
(1) In the case of cross-border registries and databases, the health data acapplication processing body in which the data holder is registered shall be competent to decide on data access applications to providand to arrange access to electronic health data through the health data access body. Where the registry has joint controllers, the health data access body that shall provide access to electronic health data shall be the body in the Member State where one of the joint controllers is established.
Amendment 1969 #
Proposal for a regulation
Article 53 – paragraph 2
Article 53 – paragraph 2
(2) Where registries or databases from a number of Member States organise themselves into a single network of registries or databases at Union level, the associated registries may designate one of their members as a coordinator to ensure the provision of data from the registries’ network for secondary use. The health data acapplication processing body of the Member State in which the coordinator of the network is located shall be competent to decide on the data access applications to providarrange access to electronic health data for the network of registries or databases.
Amendment 1973 #
Proposal for a regulation
Article 54 – paragraph 1
Article 54 – paragraph 1
(1) When handling an access application for cross-border access to electronic health data for secondary use, health data acapplication processing bodies and relevant authorised participants shall remain responsible for taking decisions to grant or refuse access to electronic health data within their remit in accordance with the requirements for access laid down in this Chapter.
Amendment 1974 #
Proposal for a regulation
Article 54 – paragraph 2
Article 54 – paragraph 2
(2) A data permit issued by one concerned health data acapplication processing body may benefit from mutual recognition by the other concerned health data acapplication processing bodies.
Amendment 1978 #
Proposal for a regulation
Article 55 – paragraph 1
Article 55 – paragraph 1
(1) The health data acapplication processing bodies shall inform the data users about the available datasets and their characteristics through a metadata catalogue. Each dataset shall include information concerning the source, the scope, the main characteristics, nature of electronic health data and conditions for making electronic health data available.
Amendment 2014 #
Proposal for a regulation
Article 62 – paragraph 5
Article 62 – paragraph 5
(5) The digital health authorities, health data access bodiesbodies involved in accessing health data, data users shall inform the data holder about the existence of a request of a third- country administrative authority to access its data before complying with that request, except where the request serves law enforcement purposes and for as long as this is necessary to preserve the effectiveness of the law enforcement activity.
Amendment 2077 #
Proposal for a regulation
Article 67 – paragraph 2
Article 67 – paragraph 2
(2) The power to adopt delegated acts referred to in Articles 5(2), 10(3), 25(3), 32(4), 33(7), 37(4), 39(3), 41(7), 45(7), 46(8), 52(7), 56(4) shall be conferred on the Commission for an indeterminate period of time from the date of entry into force of this Regulation.