Is outsourcing the solution to data protection compliance during a downturn?

November 14, 2022

The Digital Markets Act and GDPR – Considerations for ‘gatekeepers’

December 12, 2022

What is the European Health Data Space and what does it mean for your organisation?

November 28, 2022

What is the European Health Data Space?

Adopted in January 2025, the European Health Data Space (EHDS) Regulation establishes a common framework for accessing, sharing, and reusing electronic health data across EU Member States. It supports individuals in controlling their personal health data and enables its responsible secondary use for research, innovation, public health, and policymaking.

The Regulation seeks to improve health outcomes and build a more connected, resilient European healthcare ecosystem.

Most provisions apply from March 2027, but certain obligations, such as those regarding secondary use of health data, will have a phased implementation between 2029 and 2031.

Who benefits from the European Health Data Space?

The EHDS is designed to deliver value across healthcare and research environments. Those benefiting include:

Patients – gaining secure access to their electronic health records across all EU Member States, helping them manage their healthcare anywhere
Health professionals – more informed, timely care through seamless cross-border access to patient data
Healthcare providers – improved interoperability and smoother data exchange across organisations
Researchers – access to harmonised datasets for large-scale, public interest studies
Policymakers and regulators – reliable, aggregated data to inform evidence-based policies and decisions
Industries and developers – facilitating the design, testing, and production of medical devices, digital health tools, and AI-driven innovations

Any criticisms being raised?

Despite promising major advances in patient care and research, some healthcare professionals, privacy advocates, and patient groups have raised concerns around the scale of data sharing, commercial use, and safeguardsWhen transferring personal data to a third country, organisations must put in place appropriate safeguards to ensure the protection of personal data. Organisations should ensure that data subjects' rights will be respected and that the data subject has access to redress if they don't, and that the GDPR principles will be adhered to whilst the personal data is in the... for sensitive health information.

How will data be protected?

Data protection is a central pillar of the EHDS, which builds on and complements the General Data Protection RegulationRegulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation). (GDPR). It updates existing data protection rules to enable EU-wide responsible reuse of health data for public interest purposes. Rather than relying solely on individual consent or national frameworks, secondary uses will be authorised by default across the EU under strict conditions. These will be supported by clear governance, transparency, and accountabilityPerhaps the most important GDPR principle, which requires controllers to take responsibility for complying with the GDPR and, document their compliance. requirements.

Each Member State must designate a national Health Data Access Body (HDAB). Working together through the EHDS Board, these bodies will coordinate implementation, develop technical standards, and ensure consistent interpretation of the rules. They will also work closely with Data Protection Authorities (DPAs) and the European Data Protection Board (EDPB) to uphold individuals’ rights and monitor the responsible use of health data.

Organisations participating in the EHDS are expected to demonstrate accountability by maintaining clear governance structures, conducting regular risk assessments, and ensuring transparency in how data is collected, shared, and reused.

Primary use of health data under the EHDS

The EHDS gives patients greater control over their health information so they can access and share it safely across Europe.

Under the Regulation, individuals have the right to:

Access their personal electronic health data when needed, free of charge
Obtain an electronic copy of their data in a structured, commonly used format
Request transmission of their personal electronic health data to another healthcare professional or organisation within the EU

These rights build on the GDPR’s data portability principle but go further by introducing a common EU format for electronic health records. Member States must achieve full interoperability by March 2029, ensuring seamless and secure cross-border data exchange.

By the same date, the exchange of core health data, including medical summaries, prescriptions, lab results, and imaging, will become mandatory under a harmonised European standard.

Secondary use of health data under the EHDS

Beyond direct patient care, the EHDS enables the reuse of health data for clearly defined purposes that serve the public interest, such as clinical research, innovation, and policymaking. Authorised organisations, such as researchers and public bodies, may apply to a Health Data Access Body (HDAB) for permission to use pseudonymised or anonymisedAnonymised refers to data that has undergone a process of transformation to remove or alter personal data in such a way that individuals can no longer be identified from it, and it is impossible for that process to be reversed and the data to be re-identified. Anonymised data is considered non-personal and falls outside the scope of the GDPR. data.

Permitted purposes include:

Scientific research
Innovation in public health
Policymaking
The development or testing of AI models and medical products

This framework is expected to widen access to high-quality datasets that can help accelerate clinical trials. Researchers will gain better ways to identify eligible trial populations and have access to data that directly supports their studies. This will strengthen evidence generation and contribute to the development of safer, more effective health technologies.

However, secondary use remains tightly controlled under EHDS. Health data cannot be used for advertising, decisions affecting individuals, or increasing insurance premiums. Data protection authorities and advocacy groups have also raised concerns about the inclusion of data from medical devices, digital health tools, and wearables, given their capacity to collect highly granular personal information.

Individuals must be clearly informed about how data from such devices is processed, and strong safeguards must be applied to ensure compliance with the GDPR principles of fairness, transparency, and purpose limitationThe second principle of the GDPR, requiring organisations to only process personal data for the specific purpose for which it was collected..

What does this mean for Life Sciences organisations?

The EHDS represents a major development for Life Sciences and pharmaceutical organisations conducting research or clinical trials in the EU. By improving access to harmonised, high-quality datasets, it could streamline study design, accelerate recruitment, and enhance the reliability of evidence used to support new treatments and medical technologies.

Organisations classified as data holders under the EHDS may soon face new legal obligations to share health data for approved secondary uses, once authorised by the relevant HDAB. With this in mind, it is advisable to review data retentionData retention refers to the period for which records are kept and when they should be destroyed. Under the General Data Protection Regulation (GDPR), data retention is a key element of the storage limitation principle, which states that personal data must not be kept for longer than necessary for the purposes for which the personal data are processed. and anonymisation practices now to ensure data can be shared securely, appropriately, and without delay when requests come in.

GDPR and lawful basis requirements

The EHDS does not remove existing GDPR obligations. Clinical trial sponsors still need a valid lawful basis for any secondary use of health data and must continue to follow national rules that govern the processing of sensitive health information, which can differ across Member States.

Read our blog for further information on choosing the right lawful basis for clinical trial data processing.

Cross-border research

The EHDS leaves room for Member State discretion in certain areas, reflecting the EU’s principle of subsidiarity. It remains to be seen how existing national frameworks for secondary reuse, such as France’s CNIL MR-004, will be adapted to align with the EHDS. As a result, cross-border research will continue to require careful consideration of local laws, ethics approvals, and governance processes, particularly around consentAn unambiguous, informed and freely given indication by an individual agreeing to their personal data being processed., transparency, and data sharing.

In practice, this means Life Sciences organisations can expect a more consistent approach to secondary use processing across the EU. However, compliance will remain complex and will need to be managed strategically from the outset of each project. Success will depend on early planning, robust data governance, and close alignment between compliance and research teams.

If your organisation processes health data in the EU and would like expert support preparing for the EHDS, contact us to find out how we can help.

Enquire

Fill in your details below and we’ll get back to you as soon as possible

Alternatively click one of the options below to speak to us

Email Call