GDPR and EHDS (European Health Data Space Regulation): Which rules for the processing of health data in Europe?

The entry into force of Regulation 2025/327[1] concerning the European Health Data Space (“EEDS” or “EHDS”) on 26 March 2025 constitutes a major advance in the development of a common framework for access to, exchange and reuse of health data within the EU. With this new regulation, the European Union intends to initiate a fundamental transformation of the data governance framework. This is a true specialization of data protection law in the service of European sectoral policies. Consequently, this new text does not break with the GDPR[2], but rather overlays itself upon it.

I – EHDS and GDPR: Clarifications from the European Commission?

To support the implementation of the EHDS Regulation, the European Commission has published a FAQ[3], dated March 5, 2025, which provides numerous useful clarifications. This document plays a key role, in particular by clarifying the relationship between the GDPR, as the general data protection framework, and the more targeted framework that the EHDS constitutes.

The Commission emphasizes a key point: the GDPR remains the primary framework applicable to the protection of personal data (FAQ, Q57). In other words, the classic principles of lawfulness, minimization, purpose limitation, accuracy, security, data subject rights, etc., retain their full scope within the framework of the EHDS. However, and this is where the subtlety begins, the EHDS introduces specific obligations adapted to the realities of the healthcare sector.

Let’s take the example of the right to data portability, as strengthened by Article 7 of the EHDS Regulation. This right goes beyond what the GDPR provides, since here it applies independently of the legal basis of the processing at stake. Indeed, unlike the GDPR, which makes this right conditional on a specific legal basis (consent or contract), the EHDS extends the right to portability regardless of the legal basis (FAQ, Q11). Furthermore, this new right covers not only the data provided directly by the patient, as under the GDPR (e.g., when a patient reports knee pain), but also extends to observed data (e.g., a knee X-ray image) and inferred data (e.g., a diagnosis concerning the patient’s knee). We observe here a shift towards expanded portability, designed to facilitate continuity of care across the European Union.

Another illustration: while the GDPR allows patients to access their health data (right of access), the time to exercise this “primary” right of access can be long and extend to up to one month. The CNIL sets this deadline at eight days for health data, in particular that of medical records[4]. In practice, to respond to this type of request, data controllers must compile and manually search the data, and may potentially charge for or refuse to honor requests that are excessive or repetitive. The EHDS introduces another approach, with an additional right – free and immediate – of access to electronic health data (Article 3 EHDS), which eliminates the need to search for and compile data manually. In this context, data controllers will be unable to refuse or charge for access to the data. Ultimately, as indicated in the section of the Ministry of Health’s website dedicated to the EHDS, “These rights [EHDS] complement and strengthen the rights already provided for by GDPR.”[5]

In short, the FAQ confirms that the EHDS does not intend to exclude the GDPR, but rather to supplement it by adapting it to the specific issues of health data, in terms of both care and research.

II – Health data governance: roles and responsibilities

The FAQ allows for a better understanding of the choices made by the Commission. It does not simply juxtapose two regimes, but proposes a framework in which the GDPR and the EHDS mutually reinforce each other.

On one hand, the EHDS is based on dedicated governance, with new structures such as the “Health Data Access Bodies” (HDAB), the organizations responsible for access to health data (Article 55 EHDS), tasked with managing requests for access to health data for secondary use, particularly for research (FAQ, Q35 and Q36). Before granting any authorization for secondary processing, the relevant body ensures that all the criteria of Article 68 of the EHDS are met. This includes, for example, the conformity of the processing purposes with those provided for by the EHDS Regulation, the proportionality of the data requested, and the implementation of technical and organizational measures that must be in place even before the processing starts.

Furthermore, the Commission promotes normative and technical interoperability, for example by imposing the “EEHRxF” format for the exchange of data between electronic health record (EHR) systems (FAQ, Q16). This requirement goes beyond the GDPR, which remains silent on the formats to be used, but it aims to make effective the right to portability, cross-border access to healthcare, and homogeneous interoperability between systems. In this regard, the Commission specifies that “EEHRxF will be a common language that EHR systems will need to be able to understand each other.”

These orientations demonstrate that EHDS was designed as a functional tool, with the idea that sectoral oversight enables a better response to the expectations of healthcare stakeholders while maintaining a high level of protection.

To avoid any risk related to a potential personal data breach, full compliance with both the GDPR and the EHDS will be indispensable.

III – Digital Health Professionals: How to Prepare?

In this context, professionals – whether they are data controllers, DPOs, digital solutions providers or healthcare facilities – must adapt to a dual compliance logic.

Their first task is to ensure compliance with the basic obligations of the GDPR: identification of legal bases, documentation of the processing activities carried out, handling of access, rectification and erasure requests, management of processors (subcontractors), etc.

But they must also integrate the specificities of the EHDS Regulation, which imposes new procedures, such as:

  • implementing secure access services for patients as well as healthcare professionals (FAQ, Q7);
  • ensuring that electronic health record systems are capable of reading and exporting data in the EEHRxF format, a necessary condition to guarantee interoperability (FAQ, Q16);
  • being able to manage requests for restrictions on access to data, while implementing a “break glass” mechanism allowing healthcare professionals to access all information necessary for patient care, including in critical situations, such as when an unconscious patient arrives at the emergency room (FAQ, Q12);
  • anticipating the controlled reuse of data for secondary purposes, in connection with the competent national authorities, etc. (FAQ, Q35).

With the introduction of the EHDS, the compliance logic evolves: it no longer relies solely on the data controller (e.g., a hospital or healthcare professional), but also on its ability to adapt to an overlapping regulatory framework and to ensure interoperability with other European systems.

To anticipate the new EHDS rules, professionals would be well advised to conduct a GDPR audit upstream in order to measure their initial level of compliance.

IV – What is the legal framework for access to health data for secondary use?

The EHDS Regulation represents a major advance in the regulation of the secondary use of electronic personal health data, that is, their processing for purposes other than direct care: research, public health policy, health innovation, or the development of medical devices.

Specifically, any request for access to this data for secondary purposes must go through specific organizations called Health Data Access Bodies (HDAB), designated by the Member States. Article 33 of the EHDS Regulation lists the legitimate purposes of such access: “improvement of care, monitoring of medicine safety, development of health policies, official statistics, health artificial intelligence, etc.”

A researcher or industrial player wishing to reuse this data will not be able to approach a hospital or data provider directly. They must submit a complete application to the HDAB, justifying the purpose, the proportionality and the safeguards implemented. For this purpose, Article 68 of the Regulation provides strict criteria: pseudonymization, transparent documentation, restricted access, enhanced security, etc.

This system does not repeal the GDPR but integrates with it: explicit consent from the individuals concerned is not always required, provided that the processing activities comply with the legal bases provided for (public interest or scientific research). This illustrates the sectoral specialization of data protection law at the European level.

Finally, HealthData@EU – a secure network mentioned in Article 55 – will play a key role in the cross-border circulation of personal data for secondary purposes. It guarantees controlled and secure access throughout the Union, while ensuring the harmonization of practices.

V – Impacts for citizens and their electronic medical file

One of the major innovations of the EHDS lies in the strengthened access of citizens to their electronic health records, through integrated national platforms within the European “MyHealth@EU” portal.

Each citizen of the Union will thus have the right to immediate, secure, free and standardized access to their electronic medical record (EMR), including prescriptions, examination results, medical history, diagnoses, vaccinations, etc. This right is enshrined in Article 3 of the EHDS Regulation. Unlike the GDPR, which sometimes permits delays, the EHDS introduces a logic of immediate transparency.

National systems will need to be compatible with a single European format, called EEHRxF (European Electronic Health Record Exchange Format), enabling cross-border portability of data. This means that a patient treated in Rome or Paris will be able, in case of emergency, to instantly transmit their medical history to a hospital department in Berlin or Lisbon. This mechanism is one of the pillars of the interoperability logic promoted by the regulation.

The regulation also provides for a right of restriction of access, allowing the individual to limit the visibility of certain sensitive information, except in case of vital necessity (the “break glass” principle, Article 14). The patient thus retains strengthened control over their data, without compromising the continuity of care. This framework promotes the emergence of new personalized digital healthcare services, while consolidating the protection of personal data in a particularly sensitive sector.

Support compliance with the EHDS and GDPR with a law firm.

The entry into force of the EHDS marks a decisive step in the legal structuring of health data in Europe. It imposes on stakeholders in the sector a dual requirement: to ensure strengthened compliance with GDPR principles, while also integrating the new sectoral obligations arising from the EHDS, whether relating to interoperability, portability, or secure access to electronic health data.

Given this increasing complexity, healthcare establishments, independent practitioners, healthcare software publishers and pharmaceutical companies all have reason to anticipate these developments, both to avoid legal risks and to take advantage of the opportunities offered by the health data economy.

Our firm assists its clients in bringing their data processing operations into compliance, in the legal analysis of digital devices, in drafting internal policies, and in dialogue with the competent authorities. We also intervene in disputes or audits relating to the processing of health data, whether before the CNIL or the competent courts.

Do not hesitate to contact us to assess your situation, secure your projects or obtain tailored legal support in the context of the EHDS implementation.


Sources:

  1. https://eur-lex.europa.eu/legal-content/FR/TXT/?uri=OJ:L_202500327 – Regulation (EU) 2025/327 of 11 February 2025 on the European Health Data Space (EHDS)
  2. https://eur-lex.europa.eu/eli/reg/2016/679/oj?locale=fr – Regulation (EU) 2016/679 of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (GDPR)
  3. https://health.ec.europa.eu/document/download/4dd47ec2-71dd-49fc-b036-ad7c14f6ed68_en?filename=ehealth_ehds_qa_en.pdf&prefLang=fr – European Commission, Frequently Asked Questions on the European Health Data Space (FAQ)
  4. CNIL, exercising “Informatique et Libertés” rights: within what timeframe must I receive a response?
  5. European Health Data Space – Ministry of Health

AUMANS AVOCATS (formerly FOUSSAT AVOCATS & DEROULEZ AVOCATS)
AARPI