122 Amendments of Birgit SIPPEL related to 2022/0140(COD)
Amendment 192 #
Proposal for a regulation
Recital 5
(5) More and more Europeans cross national borders to work, study, visit relatives or to travel. To facilitate the exchange of health data, and in line with the need for empowering citizens, they should be able to access their health data in an electronic format that can be recognised and accepted across the Union. Such personal electronic health data could include personal data related to the physical or mental health of a natural person, including the provision of health care services, which reveal information about their health status, personal data relating to the inherited or acquired genetic characteristics of a natural person which give unique information about the physiology or the health of that natural person and which result, in particular, from an analysis of a biological sample from the natural person in question, as well as data determinants of health, such as behaviour, environmental, physical influences, medical care, social or educational factors. Electronic health data also includes data that has been initially collected for research, statistics, policy making or regulatory purposes and may be made available according to the rules in Chapter IV. The electronic health data concern all categories of those data, irrespective to the fact that such data is provided by the data subject or other natural or legal persons, such as health professionals, or is processed in relation to a natural person’s health or well-being and should also include inferred and derived data, such as diagnostics, tests and medical examinations, as well as data observed and recorded by automatic means. The wide range of data types requires regulation with differentiated access rights to protect natural persons data. This fundamentally concerns social data in particular, and mental health data in general.
Amendment 233 #
Proposal for a regulation
Recital 13
(13) Natural persons may not want to allow access to some parts of their personal electronic health data while enabling access to other parts. Such selective sharing of personal electronic health data should be supported. However, such restrictions may have life threatening consequences and, therefore, access to personal electronic health data should be possible to protect vital interests as an emergency override. According to Regulation (EU) 2016/679, vital interests refer to situations in which it is necessary to protect an interest which is essential for the life of the data subject or that of another natural person. Processing of personal electronic health data based on the vital interest of another natural person should in principle take place only where the processing cannot be manifestly based on another legal basis. More specific legal provisions on the mechanisms of restrictions placed by the natural person on parts of their personal electronic health data should be provided by Member States in national law. Given the unequal access to sexual and reproductive healthcare among the Member States, natural persons should always retain the right to withhold that kind of information from their doctors. Because the unavailability of the restricted personal electronic health data may impact the provision or quality of health services provided to the natural person, he/she should assume responsibility for the fact that the healthcare provider cannot take the data into account when providing health services.
Amendment 292 #
Proposal for a regulation
Recital 27
(27) In order to ensure respect for the rights of natural persons and health professionals, EHR systems marketed in the internal market of the Union should be able to store and transmit, in a secure way, high quality electronic health data. This is a key principle of the EHDS to ensure the secure and free movement of electronic health data across the Union. To that end, a mandatory conformity assessment procedure for EHR systems processing one or more priority categories of electronic health data should be established to overcome market fragmentation while ensuring a proportionate approach. Through this procedure, EHR systems should prove compliance with essential requirements on interoperability and security, set at Union level. Considering the sensitive data that will be processed via these systems, a self-certification regime is not an adequate option. In relation to security, essential requirements should cover elements specific to EHR systems, as more general security properties should be supported by other mechanisms such as cybersecurity schemes under Regulation (EU) 2019/881 of the European Parliament and of the Council [48].
[48] Regulation (EU) 2019/881 of the European Parliament and of the Council of 17 April 2019 on ENISA (the European Union Agency for Cybersecurity) and on information and communications technology cybersecurity certification and repealing Regulation (EU) No 526/2013 (Cybersecurity Act) (OJ L 151, 7.6.2019, p. 15).
Amendment 306 #
Proposal for a regulation
Recital 35
Amendment 371 #
Proposal for a regulation
Recital 43
(43) The health data access bodies should monitor the application of Chapter IV of this Regulation and contribute to its consistent application throughout the Union. For that purpose, the health data access bodies should cooperate with each other and with the Commission, without the need for any agreement between Member States on the provision of mutual assistance or on such cooperation. The health data access bodies should also cooperate with stakeholders, including patient organisations. Since the secondary use of health data involves the processing of personal data concerning health, the relevant provisions of Regulation (EU) 2016/679 apply and the supervisory authorities under Regulation (EU) 2016/679 and Regulation (EU) 2018/1725 should be tasked with enforcing these rules. Those supervisory authorities should remain the only competent authorities responsible for personal data protection issues and their decisions should not be conditioned or overruled by the health data access bodies. Moreover, given that health data are sensitive data and in a duty of loyal cooperation, the health data access bodies should inform the data protection authorities of any issues related to the data processing for secondary use, including penalties. In addition to the tasks necessary to ensure effective secondary use of health data, the health data access body should strive to expand the availability of additional health datasets, support the development of AI in health and promote the development of common standards. They should apply tested techniques that ensure electronic health data is processed in a manner that preserves the privacy of the information contained in the data for which secondary use is allowed, including techniques for pseudonymisation, anonymisation, generalisation, suppression and randomisation of personal data. Health data access bodies can prepare datasets to the data user requirement linked to the issued data permit. 
This includes rules for anonymization of microdata sets.
Amendment 393 #
Proposal for a regulation
Recital 49
(49) Given the sensitivity of electronic health data, it is necessary to reduce risks on the privacy of natural persons by asking for their explicit consent for the data to be used and by applying the data minimisation principle as set out in Article 5 (1), point (c) of Regulation (EU) 2016/679. Therefore, the use of anonymised electronic health data which is devoid of any personal data should be made available when possible and if the data user asks it. If the data user needs to use personal electronic health data, it should clearly indicate in its request the justification for the use of this type of data for the planned data processing activity. The personal electronic health data should only be made available in pseudonymised format and the encryption key can only be held by the health data access body. Data users should not attempt to re-identify natural persons from the dataset provided under this Regulation, subject to administrative or possible criminal penalties, where the national laws foresee this. However, this should not prevent, in cases where the results of a project carried out based on a data permit has a health benefit or impact to a concerned natural person (for instance, discovering treatments or risk factors to develop a certain disease), the data users would inform the health data access body, which in turn would inform the concerned natural person(s), if the natural person has agreed in advance to receive such information. Moreover, the applicant can request the health data access bodies to provide the answer to a data request, including in statistical form. In this case, the data users would not process health data and the health data access body would remain sole controller for the data necessary to provide the answer to the data request.
Amendment 414 #
Proposal for a regulation
Recital 53
Amendment 456 #
Proposal for a regulation
Recital 65
(65) In order to promote the consistent application of this Regulation, a European Health Data Space Board (EHDS Board) should be set up. The Commission should participate in its activities and chair it. It should contribute to the consistent application of this Regulation throughout the Union, including by helping Member State to coordinate the use of electronic health data for healthcare, certification, but also concerning the secondary use of electronic health data. Given that, at national level, digital health authorities dealing with the primary use of electronic health data may be different to the health data access bodies dealing with the secondary use of electronic health data, the functions are different and there is a need for distinct cooperation in each of these areas, the EHDS Board should be able to set up subgroups dealing with these two functions, as well as other subgroups, as needed. For an efficient working method, the digital health authorities and health data access bodies should create networks and links at national level with different other bodies and authorities, but also at Union level. Such bodies could comprise data protection authorities, cybersecurity, eID and standardisation bodies, as well as bodies and expert groups under Regulations […], […], […] and […] [Data Governance Act, Data Act, AI Act and Cybersecurity Act]. Given the tasks of the EHDS Board, its members should be only representatives of national or Union authorities. An advisory group with representatives of external stakeholders (such as industry, patients organisations, etc.) could be established, without voting rights in the EHDS Board.
Amendment 484 #
Proposal for a regulation
Article 1 – paragraph 3 – point a
(a) manufacturers and suppliers of EHR systems and wellness applications placed on the market and put into service in the Union and the users of such products;
Amendment 490 #
Proposal for a regulation
Article 1 – paragraph 3 a (new)
3 a. This Regulation shall not affect the application of Regulations (EU) 2016/679, (EU) 2018/1725, (EU) No 536/2014 and Directive 2002/58/EC.
Amendment 491 #
Proposal for a regulation
Article 1 – paragraph 3 b (new)
3 b. References to the provisions of Regulation (EU) 2016/679 shall be understood also as references to the corresponding provisions of Regulation (EU) 2018/1725 for Union institutions and bodies, where relevant.
Amendment 492 #
Proposal for a regulation
Article 1 – paragraph 4
4. This Regulation shall be without prejudice to other Union legal acts regarding access to, sharing of or secondary use of electronic health data, or requirements related to the processing of data in relation to electronic health data, in particular Regulations (EU) 2016/679, (EU) 2018/1725, […] [Data Governance Act COM/2020/767 final] and […] [Data Act COM/2022/68 final] and Directive 2002/58/EC.
Amendment 502 #
Proposal for a regulation
Article 2 – paragraph 1 – point a
(a) the definitions, including those of ‘personal data’, ‘processing’, ‘pseudonymisation’, ‘controller’, ‘processor’, ‘third party’, ‘consent’, ‘genetic data’, ‘data concerning health’, ‘supervisory authority’, ‘international organisation’ in Regulation (EU) 2016/679;
Amendment 506 #
Proposal for a regulation
Article 2 – paragraph 2 – point a
(a) ‘personal electronic health data’ means data concerning health and genetic data as defined in Regulation (EU) 2016/679, as well as data referring to determinants of health, or data processed in relation to the provision of healthcare services, processed in an electronic form;
Amendment 518 #
Proposal for a regulation
Article 2 – paragraph 2 – point b
(b) ‘non-personal electronic health data’ means data concerning health and genetic data in electronic format that falls outside the definition of personal data provided in Article 4(1) of Regulation (EU) 2016/679;
Amendment 529 #
Proposal for a regulation
Article 2 – paragraph 2 – point e
(e) ‘secondary use of electronic health data’ means the processing of electronic health data for purposes set out in Chapter IV of this Regulation. The data used may include personal electronic health data initially collected in the context of primary use, but also electronic health data collected for the purpose of the secondary use. Secondary use of personal electronic health data shall have Article 9(2) of Regulation (EU) 2016/679 as its legal basis;
Amendment 552 #
Proposal for a regulation
Article 2 – paragraph 2 – point m
(m) ‘EHR’ (electronic health record) means a collection of electronic health data related to a natural person and collected in the health system, processed for the purpose of the provision of healthcare services;
Amendment 563 #
Proposal for a regulation
Article 2 – paragraph 2 – point o
Amendment 682 #
Proposal for a regulation
Article 3 – paragraph 9
9. Notwithstanding Article 6(1), point (d), of Regulation (EU) 2016/679, natural persons shall have the right to confidentially restrict access of health professionals to all or part of their electronic health data, and the fact that such data has been restricted. Member States shall establish the rules and specific safeguards regarding such restriction mechanisms, which shall also include the possibility to exercise geographical and temporal restrictions and restrictions related to a specific category of health professionals.
Amendment 695 #
Proposal for a regulation
Article 3 – paragraph 10
10. Natural persons shall have the right to receive automatically information on the healthcare providers and health professionals that have accessed their electronic health data in the context of healthcare. All relevant entities shall maintain a record of those who have had access to data. The information shall be provided immediately and free of charge through electronic health data access services.
Amendment 703 #
Proposal for a regulation
Article 3 – paragraph 11
11. The supervisory authority or authorities responsible for monitoring the application of Regulation (EU) 2016/679 shall also be responsible for monitoring the application of this Article, in accordance with the relevant provisions in Chapters VI, VII and VIII of Regulation (EU) 2016/679. They shall be competent to impose administrative fines up to the amount referred to in Article 83(5) of that Regulation. Those supervisory authorities and the digital health authorities referred to in Article 10 of this Regulation shall, where relevant, cooperate in the enforcement of this Regulation, within the remit of their respective competences.
Amendment 707 #
Proposal for a regulation
Article 3 – paragraph 12
12. The Commission shall, by means of delegated acts, determine the requirements concerning the technical implementation of the rights set out in this Article. Those implementing acts shall be adopted in accordance with the advisory procedure referred to in Article 68(2), including technical and organisational measures to ensure the process of authentication of the authorised person referred to in point (b) of paragraph 5.
Amendment 716 #
Proposal for a regulation
Article 4 – paragraph 1 – point a
(a) have access on a need-to-know basis to the electronic health data of natural persons under their treatment, irrespective of the Member State of affiliation and the Member State of treatment;
Amendment 725 #
Proposal for a regulation
Article 4 – paragraph 2
2. In line with the data minimisation principle provided for in Regulation (EU) 2016/679, Member States shall establish rules providing for the categories of personal electronic health data required by different health professions. Such rules shall not be based on the source of electronic health data.
Amendment 734 #
Proposal for a regulation
Article 4 – paragraph 3
3. Member States shall ensure that access to at least the priority categories of electronic health data referred to in Article 5 is made available to health professionals through health professional access services, where the processing of health data is necessary. Health professionals who are in possession of recognised electronic identification means shall have the right to use those health professional access services, free of charge, where the processing of health data is necessary.
Amendment 767 #
Proposal for a regulation
Article 5 – paragraph 1 – subparagraph 3
Amendment 772 #
Proposal for a regulation
Article 5 – paragraph 2
Amendment 797 #
Proposal for a regulation
Article 7 – paragraph 1
1. Member States shall ensure that, where data is processed in electronic format, health professionals systematically register the relevant health data falling under at least the priority categories referred to in Article 5 concerning the health services provided by them to natural persons, in the electronic format in an EHR system.
Amendment 869 #
Proposal for a regulation
Article 10 – paragraph 2 – point o a (new)
(o a) promote public awareness and understanding of the benefits, risks, rules, safeguards and rights in relation to the EHDS system.
Amendment 874 #
Proposal for a regulation
Article 10 – paragraph 2 a (new)
2 a. Digital health authorities shall assist relevant data protection authorities so as to ensure the protection of individuals’ rights and freedoms with regard to the processing of personal data.
Amendment 876 #
Proposal for a regulation
Article 10 – paragraph 3
3. The Commission is empowered to adopt delegated acts in accordance with Article 67 to supplement this Regulation by entrusting the digital health authorities with additional tasks necessary to carry out the missions conferred on them by this Regulation and to modify the content of the annual report.
Amendment 896 #
Proposal for a regulation
Article 11 – paragraph 1
1. Without prejudice to any other administrative or judicial remedy, natural and legal persons shall have the right to lodge a complaint, individually or, where relevant, collectively, with the digital health authority, where their rights laid down in this Regulation are affected. Where the complaint concerns the rights of natural persons pursuant to Article 3 of this Regulation, the digital health authority shall send a copy of the complaint to the supervisory authorities under Regulation (EU) 2016/679. The decision of the digital health authority shall not prejudice any measures taken by the data protection authorities within their competences under Regulation (EU) 2016/679.
Amendment 905 #
Proposal for a regulation
Article 11 a (new)
Article 11 a
Right to an effective remedy against a digital health authority
1. Without prejudice to any other administrative or non-judicial remedy, each natural or legal person shall have the right to an effective judicial remedy against a legally binding decision of a digital health authority concerning them.
2. Without prejudice to any other administrative or non-judicial remedy, each natural or legal person shall have the right to an effective judicial remedy where the digital health authority which is competent pursuant to Article 10 does not handle a complaint or does not inform the natural or legal person within three months on the progress or outcome of the complaint lodged pursuant to Article 11.
3. Proceedings against a digital health authority shall be brought before the courts of the Member States where the digital health authority is established.
Amendment 917 #
Proposal for a regulation
Article 12 – paragraph 4
4. The Commission shall, by means of implementing acts, adopt the necessary measures for the technical development of MyHealth@EU, detailed rules concerning the security, confidentiality and protection of electronic health data and the conditions and compliance checks necessary to join and remain connected to MyHealth@EU and conditions for temporary or definitive exclusion from MyHealth@EU. Those implementing acts shall be adopted in accordance with the advisory procedure referred to in Article 68(2). The European Union Agency for Cyber Security shall be consulted and closely involved in all steps of the procedure. Any measures adopted shall meet the highest technical standards in terms of security, confidentiality and protection of electronic health data.
Amendment 940 #
Proposal for a regulation
Article 13 – paragraph 3 – subparagraph 1
Member States and the Commission shall seek to ensure interoperability of MyHealth@EU with technological systems established at international level for the exchange of electronic health data. The Commission may adopt a delegated act establishing that a national contact point of a third country or a system established at an international level is compliant with requirements of MyHealth@EU for the purposes of the electronic health data exchange. Before adopting such a delegated act, a compliance check of the national contact point of the third country or of the system established at an international level shall be performed under the control of the Commission, including on whether the health data transfer stemming from such exchange complies with the rules in Chapter V of Regulation (EU) 2016/679.
Amendment 955 #
Proposal for a regulation
Article 15 – paragraph 1
1. EHR systems may be placed on the market or put into service only after a notified body has confirmed that they comply with the provisions laid down in this Chapter.
Amendment 1053 #
Proposal for a regulation
Article 26 a (new)
Amendment 1081 #
Proposal for a regulation
Article 29 – paragraph 1
1. Where a market surveillance authority, or, in cases involving personal data, a supervisory authority under Regulation (EU) 2016/679, finds that an EHR system presents a risk to the health or safety of natural persons, to the protection of personal data or to other aspects of public interest protection, it shall require the manufacturer of the EHR system concerned, its authorised representative and all other relevant economic operators to take all appropriate measures to ensure that the EHR system concerned no longer presents that risk when placed on the market to withdraw the EHR system from the market or to recall it within a reasonable period.
Amendment 1085 #
Proposal for a regulation
Article 29 – paragraph 3
3. The market surveillance authority, or, where applicable, the supervisory authority under Regulation (EU) 2016/679, shall immediately inform the Commission and the market surveillance authorities, or, if applicable, the supervisory authorities under Regulation (EU) 2016/679, of other Member States of the measures ordered pursuant to paragraph 1. That information shall include all available details, in particular the data necessary for the identification of the EHR system concerned, the origin and the supply chain of the EHR system, the nature of the risk involved and the nature and duration of the national measures taken.
Amendment 1087 #
Proposal for a regulation
Article 29 – paragraph 4 – subparagraph 1
Manufacturers of EHR systems placed on the market shall report any serious incident involving an EHR system to the market surveillance authorities, or, in cases involving personal data, the supervisory authorities under Regulation (EU) 2016/679 of the Member States where such serious incident occurred and the corrective actions taken or envisaged by the manufacturer.
Amendment 1089 #
Proposal for a regulation
Article 29 – paragraph 5
5. The market surveillance authorities referred to in paragraph 4 shall inform the other market surveillance authorities, without delay, of the serious incident and the corrective action taken or envisaged by the manufacturer or required of it to minimise the risk of recurrence of the serious incident.
Amendment 1102 #
Proposal for a regulation
Article 31
Amendment 1117 #
Proposal for a regulation
Article 32 – paragraph 1
1. The Commission shall establish and maintain a publicly available database with information on EHR systems for which an EU declaration of conformity has been issued pursuant to Articles 26 and wellness applications for which a label has been issued pursuant to Article 3126a.
Amendment 1128 #
Proposal for a regulation
Article 33 – title
Amendment 1139 #
Proposal for a regulation
Article 33 – paragraph 1 – point a
(a) electronic health data from EHRs, including the categories in Article 5 of this Regulation;
Amendment 1145 #
Proposal for a regulation
Article 33 – paragraph 1 – point b
Amendment 1152 #
Proposal for a regulation
Article 33 – paragraph 1 – point c
(c) relevant pathogen genomic data, impacting on human health, provided that it is rendered anonymous;
Amendment 1157 #
Proposal for a regulation
Article 33 – paragraph 1 – point d
(d) healthcare-related administrative data, including claims and reimbursement data;
Amendment 1168 #
Amendment 1178 #
Proposal for a regulation
Article 33 – paragraph 1 – point g
Amendment 1197 #
Proposal for a regulation
Article 33 – paragraph 1 – point l
(l) data from research cohorts, questionnaires and surveys related to health;
Amendment 1207 #
Proposal for a regulation
Article 33 – paragraph 1 – point n
Amendment 1223 #
Proposal for a regulation
Article 33 – paragraph 3
Amendment 1257 #
Proposal for a regulation
Article 33 – paragraph 5
5. An accessible and easily understandable mechanism shall be provided to natural persons, whereby they shall be asked for their consent to have their health data processed for some or all of the purposes of secondary use, by one or more data users. If a natural person does not give explicit consent, their health data shall not be processed for secondary use. Natural persons shall retain the right to withdraw their consent at any moment. Where data users process electronic health data solely on the basis of consent within the meaning of Article 4(11) of Regulation (EU) 2016/679, the scope of all possible processing should be determined by the scope of the prior obtained consent.
Amendment 1271 #
Proposal for a regulation
Article 33 – paragraph 7
Amendment 1280 #
Proposal for a regulation
Article 33 – paragraph 8
Amendment 1288 #
Proposal for a regulation
Article 34 – paragraph 1 – introductory part
1. Health data access bodies shall only provide access to electronic health data referred to in Article 33 to a health data user where the processing of the data by the applicant is necessary for one of the following purposes, in accordance with Article 6(1)(c) and Article 9(2)(g), (h), (i) and (j) of Regulation (EU) 2016/679:
Amendment 1294 #
Proposal for a regulation
Article 34 – paragraph 1 – point a
(a) activities for reasons of public interest in the area of public and occupational health, the protection against serious cross-border threats to health, public health surveillance and ensuring high levels of quality and safety of healthcare and of medicinal products or medical devices;
Amendment 1299 #
Proposal for a regulation
Article 34 – paragraph 1 – point b
(b) to support public sector bodies or Union institutions, agencies and bodies including regulatory authorities, in the health or care sector to carry out their tasks defined in their mandates, where processing is necessary for reasons of substantial public interest;
Amendment 1309 #
Proposal for a regulation
Article 34 – paragraph 1 – point d
Amendment 1315 #
Proposal for a regulation
Article 34 – paragraph 1 – point e
(e) scientific research related to health or care sectors, contributing to public health or social security, or ensuring high levels of quality and safety of health care, of medicinal products or of medical devices;
Amendment 1319 #
Proposal for a regulation
Article 34 – paragraph 1 – point f
Amendment 1332 #
Proposal for a regulation
Article 34 – paragraph 1 – point g
Amendment 1348 #
Proposal for a regulation
Article 34 – paragraph 1 – point h
(h) providing personalised healthcare consisting in assessing, maintaining or restoring the state of health of natural persons, based on the health data of other natural persons.
Amendment 1356 #
Proposal for a regulation
Article 34 – paragraph 2 a (new)
2 a. In accordance with Article 21(6) of Regulation (EU) 2016/679, where personal data are processed for statistical or scientific research purposes as referred to in points (c), (e) and (h) of paragraph 1, the data subject, on grounds relating to his or her particular situation, shall have the right to object to processing of personal data concerning him or her, unless the processing is necessary for the performance of a task carried out for reasons of public interest.
Amendment 1373 #
Proposal for a regulation
Article 35 – paragraph 1 – point a
(a) taking any decisions related to a natural person based on their electronic health data; in order to qualify as “decisions”, they must produce legal effects or similarly significantly affect those natural persons;
Amendment 1379 #
Proposal for a regulation
Article 35 – paragraph 1 – point b
Article 35 – paragraph 1 – point b
(b) taking decisions in relation to a natural person or groups of natural persons to exclude them from the benefit of an insurance or credit contract or to modify their contributions and insurance premiums or durations of loans;
Amendment 1385 #
Proposal for a regulation
Article 35 – paragraph 1 – point c
Article 35 – paragraph 1 – point c
(c) advertising or marketing activities towards health professionals, organisations in health or natural persons;
Amendment 1399 #
Proposal for a regulation
Article 35 – paragraph 1 – point e a (new)
Article 35 – paragraph 1 – point e a (new)
(e a) calculating reimbursement, costs or expenditures relating to healthcare provision to be borne by natural persons, private or public insurance, or public bodies, including, but not limited to, the development and amendment of healthcare provider payment systems;
Amendment 1413 #
Proposal for a regulation
Article 35 – paragraph 1 – point e b (new)
Article 35 – paragraph 1 – point e b (new)
(e b) automated individual decision-making, including profiling, in accordance with Article 22 of the Regulation (EU) 2016/679.
Amendment 1435 #
Proposal for a regulation
Article 36 – paragraph 2
Article 36 – paragraph 2
2. Member States shall ensure that each health data access body is provided with the human, technical and financial resources, premises and infrastructure necessary for the effective performance of its tasks and the exercise of its powers, including for the pseudonymisation of the electronic health data.
Amendment 1438 #
Proposal for a regulation
Article 36 – paragraph 2 a (new)
Article 36 – paragraph 2 a (new)
2 a. The Commission shall be empowered to adopt delegated acts for the provision of a uniform pseudonymisation procedure.
Amendment 1450 #
Proposal for a regulation
Article 36 – paragraph 3
Article 36 – paragraph 3
3. In the performance of their tasks, health data access bodies shall actively cooperate with stakeholders’ representatives, especially with representatives of patients, data holders and data users. Staff of health data access bodies shall avoid any conflicts of interest. Health data access bodies shall not be bound by any instructions, when making their decisions. Health data access bodies shall actively cooperate with the relevant bodies or authorities responsible for the application of EU and national data protection legislation.
Amendment 1484 #
Proposal for a regulation
Article 37 – paragraph 1 – point i
Article 37 – paragraph 1 – point i
Amendment 1491 #
Proposal for a regulation
Article 37 – paragraph 1 – point j
Article 37 – paragraph 1 – point j
(j) cooperate with and supervise data holders to, assist them in order to ensure respect of data subjects' consent as referred to in Article 33(5), and ensure the consistent and accurate implementation of the data quality and utility label set out in Article 56;
Amendment 1545 #
Proposal for a regulation
Article 38 – paragraph 1 – point c
Article 38 – paragraph 1 – point c
(c) the applicable rights of natural persons in relation to secondary use of electronic health data, including the rights laid down in Chapter III of Regulation (EU) 2016/679;
Amendment 1549 #
Proposal for a regulation
Article 38 – paragraph 1 – point d a (new)
Article 38 – paragraph 1 – point d a (new)
(d a) the identity and the contact details of the health data access body and, where applicable, other information required pursuant to Article 13(1), point (a), of Regulation (EU) 2016/679.
Amendment 1551 #
Proposal for a regulation
Article 38 – paragraph 1 – point e a (new)
Article 38 – paragraph 1 – point e a (new)
(e a) the record on who has been granted access to which sets of electronic health data and a justification regarding the purposes for processing them as referred to in Article 34(1), Union and national law.
Amendment 1555 #
Proposal for a regulation
Article 38 – paragraph 2
Article 38 – paragraph 2
Amendment 1581 #
Proposal for a regulation
Article 38 a (new)
Article 38 a (new)
Article 38 a Right to lodge a complaint with a health data access body
1. Without prejudice to any other administrative or judicial remedy, natural and legal persons shall have the right to lodge a complaint, individually or, where relevant, collectively, with the health data access body, where their rights laid down in this Regulation are affected. Where the complaint concerns the rights of natural persons pursuant to Article 38(1), point (d), of this Regulation, the health data access body shall inform and send a copy of the complaint to the supervisory authorities under Regulation (EU) 2016/679.
2. The health data access body with which the complaint has been lodged shall inform the complainant of the progress of the proceedings and of the decision taken.
3. Health data access body shall cooperate to handle and resolve complaints, including by exchanging all relevant information by electronic means, without undue delay.
Amendment 1585 #
Proposal for a regulation
Article 38 b (new)
Article 38 b (new)
Amendment 1602 #
Proposal for a regulation
Article 39 – paragraph 3
Article 39 – paragraph 3
Amendment 1693 #
Proposal for a regulation
Article 44 – paragraph 1
Article 44 – paragraph 1
1. The health data access body shall ensure that access is only provided to requested electronic health data that is necessary and relevant for the purpose of processing indicated in the data access application by the data user and in line with the data permit granted.
Amendment 1714 #
Proposal for a regulation
Article 44 – paragraph 3
Article 44 – paragraph 3
3. Where the purpose of the data user’s processing cannot be achieved with anonymised data, taking into account the information provided by the data user, the health data access bodies shall provide access to electronic health data in pseudonymised format. The information necessary to reverse the pseudonymisation shall be available only to the health data access body. Data users shall not re-identify the electronic health data provided to them in pseudonymised format. The data user’s failure to respect the health data access body’s measures ensuring anonymisation and pseudonymisation shall be subject to appropriate penalties.
Amendment 1717 #
Proposal for a regulation
Article 44 – paragraph 3 a (new)
Article 44 – paragraph 3 a (new)
3 a. Taking into account the state of the art and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the health data access body shall apply appropriate anonymisation or pseudonymisation techniques to ensure a high level of security, appropriate to the risk of re-identification.
Amendment 1728 #
Proposal for a regulation
Article 45 – paragraph 2 – point -a (new)
Article 45 – paragraph 2 – point -a (new)
(-a) a description of the applicant's identity, professional function and operation, including the identity of who will have access to the electronic health data;
Amendment 1729 #
Proposal for a regulation
Article 45 – paragraph 2 – point -a a (new)
Article 45 – paragraph 2 – point -a a (new)
(-a a) a data protection impact assessment pursuant to Article 35 of Regulation (EU) 2016/679, unless the data access application only concerns aggregated data that makes the re-identification of a natural person impossible;
Amendment 1730 #
Proposal for a regulation
Article 45 – paragraph 2 – point a
Article 45 – paragraph 2 – point a
(a) a detailed explanation of the intended use of the electronic health data, including: (i) the purposes referred to in Article 9(2), points (i) and (j), of Regulation (EU) 2016/679, combined with Article 34(1); (ii) demonstrable evidence that the stated purpose is of public interest.
Amendment 1743 #
Proposal for a regulation
Article 45 – paragraph 2 – point c
Article 45 – paragraph 2 – point c
(c) an indication whether electronic health data need to be made available in a pseudonymised format and the reason why the envisaged purpose for processing cannot be pursued using anonymised data;
Amendment 1745 #
Proposal for a regulation
Article 45 – paragraph 2 – point d
Article 45 – paragraph 2 – point d
Amendment 1747 #
Proposal for a regulation
Article 45 – paragraph 2 – point e
Article 45 – paragraph 2 – point e
(e) a description of the safeguards planned to prevent any other use or any misuse of the electronic health data, including the re-identification of natural persons in the dataset;
Amendment 1769 #
Proposal for a regulation
Article 45 – paragraph 4 – point a
Article 45 – paragraph 4 – point a
(a) a description of how the processing would comply with applicable Union and national law on data protection and privacy, notably Regulation (EU) 2016/679 and, where relevant, Regulation (EU) 2018/1725;
Amendment 1777 #
Proposal for a regulation
Article 45 – paragraph 4 – point b
Article 45 – paragraph 4 – point b
(b) information on the assessment of ethical aspects of the processing, where applicable and in line with national law.
Amendment 1787 #
Proposal for a regulation
Article 46 – paragraph 1
Article 46 – paragraph 1
1. Health data access bodies shall grant access to electronic health data only if the application fulfils all of the following criteria: (a) the purposes described in the data access application correspond to at least one of the purposes listed in Article 9(2) of Regulation (EU) 2016/679, combined with Article 34(1) of this Regulation; (b) the requested data is necessary and relevant for the purpose described in the data access application; (c) the processing complies with applicable Union and national data protection law. The health data access bodies shall consult the relevant data protection authorities on this matter; (d) the information provided in the application demonstrates sufficient safeguards to protect the rights and interests of the data holder and of the natural persons concerned and to prevent any other use or misuse of the data, including the re-identification of natural persons.
Amendment 1805 #
Proposal for a regulation
Article 46 – paragraph 2
Article 46 – paragraph 2
2. Health data access bodies shall refuse all applications including one or more purposes listed in Article 35 or where requirements in this Chapter are not met, all applications that do not fulfill the criteria referred to in paragraph 1 or where requirements in this Chapter are not met. The data authorisation shall not be granted for personal electronic health data where the data subject has not given consent pursuant to Article 33(5).
Amendment 1818 #
Proposal for a regulation
Article 46 – paragraph 3
Article 46 – paragraph 3
3. A health data access body shall issue or refuse a data permit within 2 months of receiving the data access application. By way of derogation from that Regulation […] [Data Governance Act COM/2020/767 final], the health data access body may extend the period for responding to a data access application by 2 additional months where necessary, taking into account the complexity of the request. In such cases, the health data access body shall notify the applicant as soon as possible that more time is needed for examining the application, together with the reasons for the delay. Where a health data access body fails to provide a decision within the time limit, the data permit shall be issued.
Amendment 1822 #
Proposal for a regulation
Article 46 – paragraph 3 a (new)
Article 46 – paragraph 3 a (new)
3 a. The supervisory authorities under Regulation (EU) 2016/679 and Regulation (EU) 2018/1725 shall have the possibility to scrutinise and, if necessary, overturn any data permit request issued by a health data access body, in line with the powers conferred to them by the respective Regulations.
Amendment 1838 #
Proposal for a regulation
Article 46 – paragraph 7
Article 46 – paragraph 7
7. Data users shall have the right to access and process the electronic health data in accordance with the data permit delivered to them on the basis of this Regulation only after they have demonstrated the effective implementation of their security measures referred to in Article 45(2), points (e) and (f).
Amendment 1842 #
Proposal for a regulation
Article 46 – paragraph 9
Article 46 – paragraph 9
9. A data permit shall be issued for the duration necessary to fulfil the requested purposes which shall not exceed 5 years. This duration may be extended once, at the request of the data user, based on arguments and documents to justify this extension provided, 1 month before the expiry of the data permit, for a period which cannot exceed 5 years. By way of derogation from Article 42, the health data access body may charge increasing fees to reflect the costs and risks of storing electronic health data for a longer period of time exceeding the initial 5 years. In order to reduce such costs and fees, the health data access body may also propose to the data user to store the dataset in storage system with reduced capabilities. The data within the secure processing environment shall be deleted immediately after the expiry of the data permit. Upon request of the data user, the formula on the creation of the requested dataset shall be stored by the health data access body.
Amendment 1855 #
Proposal for a regulation
Article 46 – paragraph 12
Article 46 – paragraph 12
12. Data users shall inform the health data access body of any clinically significant findings that may influence the health status of the natural persons whose data are included in the dataset and where natural persons have explicitly given their consent.
Amendment 1878 #
Proposal for a regulation
Article 48 – paragraph 1
Article 48 – paragraph 1
Amendment 1889 #
Proposal for a regulation
Article 49
Article 49
Article 49 deleted. Deleted text:
Access to electronic health data from a single data holder
1. Where an applicant requests access to electronic health data only from a single data holder in a single Member State, by way of derogation from Article 45(1), that applicant may file a data access application or a data request directly to the data holder. The data access application shall comply with the requirements set out in Article 45 and the data request shall comply with requirements in Article 47. Multi-country requests and requests requiring a combination of datasets from several data holders shall be addressed to health data access bodies.
2. In such case, the data holder may issue a data permit in accordance with Article 46 or provide an answer to a data request in accordance with Article 47. The data holder shall then provide access to the electronic health data in a secure processing environment in compliance with Article 50 and may charge fees in accordance with Article 42.
3. By way of derogation from Article 51, the single data provider and the data user shall be deemed joint controllers.
4. Within 3 months the data holder shall inform the relevant health data access body by electronic means of all data access applications filed and all the data permits issued and the data requests fulfilled under this Article in order to enable the health data access body to fulfil its obligations under Article 37(1) and Article 39.
Amendment 1908 #
2. The health data access bodies shall ensure that electronic health data from data holders in the format determined by the data permit can be uploaded by data holders and can be accessed by the data user in a secure processing environment. The data users shall only be able to download non-personal electronic health data from the secure processing environment.
Amendment 1919 #
Proposal for a regulation
Article 51 – paragraph 1
Article 51 – paragraph 1
1. The data holder shall be deemed controller for the disclosure of the requested personal electronic health data to the health data access body pursuant to Article 33(1). The health data access body shall be deemed controller for the processing of the personal electronic health data when fulfilling its tasks pursuant to Article 37(1), point (d). The data user shall be deemed controller for the processing of personal electronic health data in pseudonymised form in the secure processing environment pursuant to the data permit. The health data access body shall act as a processor for the health data user's processing pursuant to a data permit in the secure processing environment.
Amendment 1924 #
Proposal for a regulation
Article 51 – paragraph 2
Article 51 – paragraph 2
2. The Commission shall, by means of implementing acts, establish a template for the joint controllers’ arrangement that meets the requirements laid down in Article 28(3) of Regulation (EU) 2016/679. Those implementing acts shall be adopted in accordance with the advisory procedure set out in Article 68(2).
Amendment 1936 #
Proposal for a regulation
Article 52 – paragraph 5
Article 52 – paragraph 5
5. Third countries or international organisations may become authorised participants where they comply with the rules of Chapter IV of this Regulation, the transfer stemming from such connection complies with the rules in Chapter V of Regulation (EU) 2016/679 and provide access to data users located in the Union, on equivalent terms and conditions, to the electronic health data available to their health data access bodies. The Commission may adopt implementing acts establishing that a national contact point of a third country or a system established at an international level is compliant with requirements of HealthData@EU for the purposes of secondary use of health data, is compliant with the Chapter IV of this Regulation and Chapter V of Regulation (EU) 2016/679 and provides access to data users located in the Union to the electronic health data it has access to on equivalent terms and conditions. The compliance with these legal, organisational, technical and security requirements, including with the standards for secure processing environments pursuant to Article 50 shall be checked under the control of the Commission. These implementing acts shall be adopted in accordance with the advisory procedure referred to in Article 68 (2). The Commission shall make the list of implementing acts adopted pursuant to this paragraph publicly available.
Amendment 1938 #
Proposal for a regulation
Article 52 – paragraph 8
Article 52 – paragraph 8
8. The Member States and the Commission shall set up HealthData@EU to support and facilitate the cross-border access to electronic health data for secondary use, connecting the national contact points for secondary use of electronic health data of all Member States and authorised participants in that infrastructure. HealthData@EU shall be a non-proprietary software product developed in an open and transparent process.
Amendment 1988 #
Proposal for a regulation
Article 60 – paragraph 2 a (new)
Article 60 – paragraph 2 a (new)
2a. Public procurers, national competent authorities, including digital health authorities and health data access bodies, and the Commission shall require, as a condition to procure or fund services provided by controllers and processors established in the Union processing personal electronic health data, that such controllers and processors: (a) will store this data in the Union, in accordance with Article 60a of this Chapter, and (b) have duly demonstrated that they are not subject to third country legislation conflicting with Union data protection rules.
Amendment 1990 #
Proposal for a regulation
Article 60 a (new)
Article 60 a (new)
Article 60a Storage of electronic health data For the purposes of primary and secondary use of electronic health data, Member States shall ensure that the storage, processing and analysis of electronic health data shall be carried out exclusively within a secure location or locations within the territory of the Union, without prejudice to the possibility to transfer personal electronic health data in compliance with Chapter V of Regulation (EU) 2016/679.
Amendment 1994 #
Proposal for a regulation
Article 61 – paragraph 1
Article 61 – paragraph 1
1. Non-personal electronic data made available by health data access bodies, that are based on a natural person’s electronic data falling within one of the categories of Article 33 [(a), (e), (f), (i), (j), (k), (m)] shall be deemed highly sensitive within the meaning of Article 5(13) of Regulation […] [Data Governance Act COM/2020/767 final], provided that their transfer to third countries presents a risk of re-identification through means going beyond those likely reasonably to be used, in view of the limited number of natural persons involved in that data, the fact that they are geographically scattered or the technological developments expected in the near future.
Amendment 2004 #
Proposal for a regulation
Article 61 – paragraph 2
Article 61 – paragraph 2
2. The protective measures for the categories of data mentioned in paragraph 1 shall depend on the nature of the data and anonymization techniques and shall be detailed in the Delegated Act under the empowerment set out in Article 5(13) of Regulation […] [Data Governance Act COM/2020/767 final].
Amendment 2018 #
Proposal for a regulation
Article 63 – paragraph 1
Article 63 – paragraph 1
International access and transfer of personal electronic health data shall be granted in accordance with Chapter V of Regulation (EU) 2016/679. Member States may maintain or introduce further conditions, including limitations, in accordance with and under the conditions of article 9(4) of the Regulation (EU) 2016/679.
Amendment 2020 #
Proposal for a regulation
Article 63 – paragraph 1 a (new)
Article 63 – paragraph 1 a (new)
Access to electronic health data for entities from third countries, for secondary use purposes, shall be possible only if the third country where an entity is established, allows access to health data of its residents for entities from the Union.
Amendment 2029 #
Proposal for a regulation
Article 64 – paragraph 1
Article 64 – paragraph 1
1. A European Health Data Space Board (EHDS Board) is hereby established to facilitate cooperation and the exchange of information among Member States. The EHDS Board shall be composed of the high level representatives of digital health authorities and health data access bodies of all the Member States and of the European Data Protection Board and the European Data Protection Supervisor. Other national authorities, including market surveillance authorities referred to in Article 28, European Data Protection Board and European Data Protection Supervisor may be invited to the meetings, where the issues discussed are of relevance for them. The Board may also invite experts and observers to attend its meetings, and may cooperate with other external experts as appropriate. Other Union institutions, bodies, offices and agencies, research infrastructures and other similar structures shall have an observer role.
Amendment 2049 #
Proposal for a regulation
Article 65 – paragraph 1 – point b – point iii
Article 65 – paragraph 1 – point b – point iii
(iii) other aspects of the primary use of electronic health data, with the exception of all matters related to personal data protection.
Amendment 2060 #
Proposal for a regulation
Article 65 – paragraph 2 – point b – point vi
Article 65 – paragraph 2 – point b – point vi
(vi) other aspects of the secondary use of electronic health data, with the exception of all matters related to personal data protection.
Amendment 2082 #
Proposal for a regulation
Article 67 – paragraph 4
Article 67 – paragraph 4
4. Before adopting a delegated act, the Commission shall consult experts designated by each Member State in accordance with the principles laid down in the Inter-institutional Agreement of 13 April 2016 on Better Law-Making. In accordance with Article 42 of Regulation (EU) 2018/1725, the Commission shall consult the European Data Protection Board and European Data Protection Supervisor where the delegated acts concern data protection.
Amendment 2090 #
Proposal for a regulation
Article 69 – paragraph 1
Article 69 – paragraph 1
Member States shall lay down the rules on penalties applicable to infringements of this Regulation and shall take all measures necessary to ensure that they are implemented. The penalties shall be effective, proportionate and dissuasive. Member States shall notify the Commission of those rules and measures by date of application of this Regulation and shall notify the Commission without delay of any subsequent amendment affecting them. Penalties shall cover infringements not addressed by Regulation (EU) 2017/745, Regulation (EU) 2017/746, Regulation (EU) No 536/2014 and Regulation (EU) 2016/679 and shall depend on the circumstances of each individual case. When deciding whether to impose a penalty and deciding on the amount of the penalty in each individual case, due regard shall be given to the criteria stated in Article 83(2) of Regulation (EU) 2016/679, where applicable.
Amendment 2094 #
Proposal for a regulation
Article 69 a (new)
Article 69 a (new)
Article 69a Right to an effective judicial remedy against a controller or processor In accordance with Article 79 of Regulation (EU) 2016/679, without prejudice to any available administrative or non-judicial remedy, including the right to lodge a complaint with a digital health authority pursuant to Article 11 or with a health data access body pursuant to Article 38a, each natural person shall have the right to an effective judicial remedy where he or she considers that his or her rights under this Regulation have been infringed as a result of the processing of his or her personal data in non-compliance with the Regulation.
Amendment 2097 #
Proposal for a regulation
Article 69 b (new)
Article 69 b (new)
Article 69b Right to receive compensation Any person who has suffered material or non-material damage as a result of an infringement of this Regulation shall have the right to receive compensation, in accordance with national and Union law.
Amendment 2101 #
Proposal for a regulation
Article 70 – paragraph 1
Article 70 – paragraph 1
1. After 5 years from the entry into force of this Regulation, the Commission shall carry out a targeted evaluation of this Regulation especially with regards to Chapters III and IV, and submit a report on its main findings to the European Parliament and to the Council, the European Economic and Social Committee and the Committee of the Regions, accompanied, where appropriate, by a proposal for its amendment. The evaluation shall include an assessment of the self-certification of EHR systems and reflect on the need to introduce a conformity assessment procedure performed by notified bodies.
Amendment 2108 #
Proposal for a regulation
Article 70 a (new)
Article 70 a (new)
Article 70a Amendments to Directive 2020/1828/EC In the Annex of Directive (EU) 2020/1828, the following point is added: (XX) Regulation (EU) XXX of the European Parliament and of the Council on the European Health Data Space.