The European Health Data Space (EHDS): What Impact for Healthcare Professionals?

I. Presentation of the EHDS Regulation

As part of its digital strategy, the European Union is developing several European data spaces [1] aimed at facilitating data sharing across various sectors such as the environment, agriculture, and social services [2].

Regulation 2025/327 [3] on the European Health Data Space (“EHDS”) is part of this European strategy and is the first sector-specific space implemented, dedicated to health data.

Published on March 5, 2025, in the Official Journal of the EU, this regulation aims to improve access, exchange, and reuse of health data within the EU by building upon existing regulations [4] such as the GDPR, the Data Governance Act, the Data Act, and the NIS2 Directive.

1. Objectives of the EHDS

The EHDS aims to address three major challenges [5]:

  • Ensure that citizens have direct and simplified access to their health data across the EU;
  • Ensure continuity of care within the EU by allowing healthcare professionals in the 27 Member States to access their patients’ health data;
  • Create a secure and harmonized framework for the reuse of pseudonymized health data for research, innovation, and public policy purposes, including obligations for making data available for these secondary purposes (Art 51).

2. Different Aspects of the EHDS

The regulation is structured around four main axes:

  • The first concerns the primary use of health data (Chapter II), which involves using health data for patient care. For example, this includes the processing of electronic health data for care purposes to assess, maintain, or restore a patient’s health. This primary use is broad and can also include prescribing, dispensing, supplying medicines and medical devices, as well as social, administrative, or reimbursement services related to care (Art 2.2.d);
  • The second aspect focuses on secondary use (Chapter IV), which involves providing access to and leveraging health data for secondary purposes such as research and innovation, particularly in developing new treatments and medicines. This use is termed “secondary” because it does not directly serve patient care but rather involves processing health data subsequently for research, innovation, and public health policy purposes (Art 2.2.e);
  • The certification of digital health tools and their market introduction (Chapter III);
  • More general rules defining governance, training, implementation deadlines, and penalties for non-compliance with provisions (see, among others, Chapters V, VI, and VIII).

II. Main Obligations of the Regulation

  • Healthcare providers must implement new patient rights, such as access to their health data (Art 3), data portability (Art 7), and opt-out mechanisms for electronic health records (Art 10).
  • Manufacturers of electronic health record (EHR) systems are subject to numerous obligations (Art 30), particularly regarding interoperability and compatibility (e.g., maintaining software compliance throughout the lifecycle), conformity and certification (e.g., CE marking), documentation and information (e.g., establishing and updating technical documentation), security (e.g., taking corrective measures in case of non-compliance, including product withdrawal or recall), and monitoring and complaint management (e.g., setting up complaint channels and informing distributors).
  • Health data holders are required to make certain electronic health datasets available (e.g., EHR data, pathogen data, etc.) for secondary purposes such as scientific research and policy development (Art 53), with protections for trade secrets and intellectual property (Art 52).
  • Data users (Art 2.2.u), such as researchers and institutions, will need to obtain data processing authorizations (Art 2.2.v) from national health data access bodies for any secondary use.

III. A Health Data Space Ensuring a High Level of Data Protection

1. Integration of the EHDS with the GDPR

The regulation on the European Health Data Space ensures a high level of data protection by building upon other European regulations, such as the GDPR [6], which serves as the benchmark for protecting personal data. The GDPR defines health data as sensitive data [7] that requires enhanced protection.

In a FAQ published on March 5, 2025 [8], dedicated to the EHDS, the European Commission provided clarifications on the interplay between these two regulations (pt 56). Currently, patients’ rights over their health data are primarily governed by the GDPR, allowing them to access and obtain a copy of their personal data. However, exercising this “primary” right of access has limitations, such as response times that can extend up to one month. The CNIL specifies that this deadline is reduced to 8 days for health data, particularly medical records [9]. In practice, organizations must compile data and allocate resources to respond to requests, and they may refuse access or apply fees for excessive or repeated requests.

In its FAQ, the Commission acknowledges that immediate access to health data is crucial in the healthcare domain. Therefore, the EHDS establishes an additional right of access, allowing individuals to freely and immediately access their electronic health data (Art 3). This avoids the need for manual data search and compilation. Here, data controllers cannot refuse frequent requests or charge for data access.

The GDPR strictly regulates the processing of health data, which is generally prohibited unless exceptions apply under its Article 9. Appropriate safeguards must be implemented for processing health data (recital 52). The EHDS aligns with this by limiting and defining the purposes for which electronic health data can be processed for secondary use (Art 53), establishing authorization procedures for data processing by users (Art 68), mandating protection measures such as the use of secure environments (Art 73), and other provisions that contribute to a high level of data protection.


2. Authorizations for Processing: Ensuring a High Level of Data Protection for Secondary Uses

By requiring a prior authorization procedure for any secondary processing, the EHDS regulation strengthens the protection of health data.

The EHDS introduces an additional safeguard for the secondary use of data. Before granting authorization for secondary processing, a body responsible for access to health data (Art 55) verifies that all criteria of Article 68 of the EHDS are met. This includes checking that the processing purposes comply with those defined by the regulation, that the requested data is proportionate, and that technical and organizational measures are implemented and strictly adhered to before processing begins. Additionally, the regulation mandates the pseudonymization or anonymization of data (Art 66.3 and Art 68.1.c) for any secondary processing, enhancing data protection. These mechanisms either replace directly identifying data with indirectly identifying data [10] or make it irreversibly impossible to identify an individual from a dataset [11]. Consequently, data is better protected, and identifying individuals becomes more complex or even impossible.

While the GDPR provides a robust framework for processing health data with preventive mechanisms such as Data Protection Impact Assessments (DPIAs) or authorizations for health data processing issued by the CNIL, the EHDS regulation appears to go beyond what the GDPR stipulates. It requires prior authorization for any secondary processing of health data, subject to meeting all conditions set out in Article 68: authorization can be denied if even one criterion is not met. Conversely, authorization can be granted to those who fully meet all criteria.


Aumans Law Firm: Specialists in IT/Data, Data Protection, and DPO Outsourcing

As a law firm specializing in IT/Data and data protection, we are at your service to support you in all your projects. Whether you are a startup, an SME, or a group of companies, our expertise will help you navigate the complex landscape of regulations and compliance with confidence. Contact a data protection expert lawyer to secure your projects today.


Sources:

  1. https://esante.gouv.fr/espace-europeen-donnees-sante#content-41683
  2. https://eur-lex.europa.eu/legal-content/FR/TXT/HTML/?uri=OJ:L_202500327 – EHDS Regulation, recital 80
  3. https://eur-lex.europa.eu/legal-content/FR/TXT/?uri=celex%3A32025R0327 – EHDS Regulation
  4. https://health.ec.europa.eu/ehealth-digital-health-and-care/european-health-data-space-regulation-ehds_fr
  5. https://esante.gouv.fr/espace-europeen-donnees-sante#content-41697
  6. https://esante.gouv.fr/espace-europeen-donnees-sante#content-41697 – GDPR
  7. https://eur-lex.europa.eu/eli/reg/2016/679/oj?locale=fr – GDPR, Art 9.1
  8. https://health.ec.europa.eu/latest-updates/frequently-asked-questions-european-health-data-space-2025-03-05_en?prefLang=fr
  9. https://www.cnil.fr/fr/cnil-direct/question/exercice-des-droits-informatique-et-libertes-dans-quel-delai-doit-me-repondre
  10. https://www.cnil.fr/fr/tag/pseudonymisation
  11. https://www.cnil.fr/fr/technologies/lanonymisation-de-donnees-personnelles
