Index 
 Previous 
 Next 
 Full text 
Procedure : 2022/0140(COD)
Document stages in plenary
Document selected : A9-0395/2023

Texts tabled :

A9-0395/2023

Debates :

PV 12/12/2023 - 9
CRE 12/12/2023 - 9

Votes :

PV 13/12/2023 - 10.1
CRE 13/12/2023 - 10.1
Explanations of votes
PV 24/04/2024 - 7.18

Texts adopted :

P9_TA(2023)0462
P9_TA(2024)0331

Texts adopted
PDF 703kWORD 286k
Wednesday, 13 December 2023 - Strasbourg
European Health Data Space
P9_TA(2023)0462A9-0395/2023

Amendments adopted by the European Parliament on 13 December 2023 on the proposal for a regulation of the European Parliament and of the Council on the European Health Data Space (COM(2022)0197 – C9-0167/2022 – 2022/0140(COD))(1)

(Ordinary legislative procedure: first reading)

Text proposed by the Commission   Amendment
Amendment 1
Proposal for a regulation
Recital 1
(1)  The aim of this Regulation is to establish the European Health Data Space (‘EHDS’) in order to improve access to and control by natural persons over their personal electronic health data in the context of healthcare (primary use of electronic health data), as well as for other purposes that would benefit the society such as research, innovation, policy-making, patient safety, personalised medicine, official statistics or regulatory activities (secondary use of electronic health data). In addition, the goal is to improve the functioning of the internal market by laying down a uniform legal framework in particular for the development, marketing and use of electronic health record systems (‘EHR systems’) in conformity with Union values.
(1)  The aim of this Regulation is to establish the European Health Data Space (‘EHDS’) in order to improve access to and control by natural persons over their personal electronic health data in the context of healthcare (primary use of electronic health data), as well as for better achieving other purposes in the health sector that would benefit society such as research such as innovation, policy-making, health threats preparedness and response, patient safety, personalised medicine, official statistics or regulatory activities (secondary use of electronic health data). In addition, the goal is to improve the functioning of the internal market by laying down a uniform legal and technical framework in particular for the development, marketing and use of electronic health record systems (‘EHR systems’) in conformity with Union values.
Amendment 2
Proposal for a regulation
Recital 1 a (new)
(1a)  The EHDS is intended to constitute a key component in the creation of a strong and resilient European Health Union to better protect the health of Union citizens, prevent and address future pandemics and improve the resilience of Union healthcare systems.
Amendment 3
Proposal for a regulation
Recital 1 b (new)
(1b)  This Regulation should complement Union programmes such as the EU4Health Programme, Digital Europe Programme, Connecting Europe Facility and Horizon Europe. The Commission should ensure that Union programmes complement and facilitate the implementation of the European Health Data Space.
Amendment 4
Proposal for a regulation
Recital 2
(2)  The COVID-19 pandemic has highlighted the imperative of having timely access to electronic health data for health threats preparedness and response, as well as for diagnosis and treatment and secondary use of health data. Such timely access would have contributed, through efficient public health surveillance and monitoring, to a more effective management of the pandemic, and ultimately would have helped to save lives. In 2020, the Commission urgently adapted its Clinical Patient Management System, established by Commission Implementing Decision (EU) 2019/126941 , to allow Member States to share electronic health data of COVID-19 patients moving between healthcare providers and Member States during the peak of the pandemic, but this was only an emergency solution, showing the need for a structural approach at Member States and Union level.
(2)  The COVID-19 pandemic has highlighted the imperative of having timely access to quality electronic health data for health threats preparedness and response, as well as for prevention, diagnosis and treatment through the secondary use of health data. Such timely access can potentially contribute, through efficient public health surveillance and monitoring, to a more effective management of the pandemic, to a reduction of costs and to improving the response to health threats and ultimately can help to save more lives in the future. In 2020, the Commission urgently adapted its Clinical Patient Management System, established by Commission Implementing Decision (EU) 2019/126941, to allow Member States to share electronic health data of COVID-19 patients moving between healthcare providers and Member States during the peak of the pandemic, but this was only an emergency solution, showing the need for a structural and consistent approach at Member States and Union level on access to electronic health data in order to steer effective policy responses and contribute to high standards of human health.
__________________
__________________
41 Commission Implementing Decision (EU) 2019/1269 of 26 July 2019 amending Implementing Decision 2014/287/EU setting out criteria for establishing and evaluating European Reference Networks and their Members and for facilitating the exchange of information and expertise on establishing and evaluating such Networks (OJ L 200, 29.7.2019, p. 35).
41 Commission Implementing Decision (EU) 2019/1269 of 26 July 2019 amending Implementing Decision 2014/287/EU setting out criteria for establishing and evaluating European Reference Networks and their Members and for facilitating the exchange of information and expertise on establishing and evaluating such Networks (OJ L 200, 29.7.2019, p. 35).
Amendment 5
Proposal for a regulation
Recital 3
(3)  The COVID-19 crisis strongly anchored the work of the eHealth Network, a voluntary network of digital health authorities, as the main pillar for the development of mobile contact tracing and warning applications and the technical aspects of the EU Digital COVID Certificates. It also highlighted the need for sharing electronic health data that are findable, accessible, interoperable and reusable (‘FAIR principles’), and ensuring that electronic health data are as open as possible and as closed as necessary. Synergies between the EHDS, the European Open Science Cloud42 and the European Research Infrastructures should be ensured, as well as lessons learned from data sharing solutions developed under the European COVID-19 Data Platform.
(3)  The COVID-19 crisis strongly anchored the work of the eHealth Network, a voluntary network of digital health authorities, as the main pillar for the development of mobile contact tracing and warning applications and the technical aspects of the EU Digital COVID Certificates. It also highlighted the need for sharing electronic health data that are findable, accessible, interoperable and reusable (‘FAIR principles’), and ensuring that the necessary electronic health data are available while respecting the principle of data minimisation. Synergies between the EHDS, the European Open Science Cloud42 and the European Research Infrastructures should be ensured, as well as lessons learned from data sharing solutions developed under the European COVID-19 Data Platform.
__________________
__________________
42 EOSC Portal (eosc-portal.eu).
42 EOSC Portal (eosc-portal.eu).
Amendment 6
Proposal for a regulation
Recital 3 a (new)
(3a)  Given the sensitivity of personal health data, this Regulation seeks to provide sufficient safeguards at both Union and national level to ensure a high degree of data protection, security, confidentiality and ethical use. Such safeguards are necessary to promote trust in safe handling of the health data of natural persons for primary and secondary uses. To achieve those objectives, pursuant to Article 9(4) of Regulation (EU) 2016/679, Member States can impose further conditions, including limitations, with regard to the processing of genetic data, biometric data or data concerning health.
Amendment 7
Proposal for a regulation
Recital 4
(4)  The processing of personal electronic health data is subject to the provisions of Regulation (EU) 2016/679 of the European Parliament and of the Council43 and, for Union institutions and bodies, Regulation (EU) 2018/1725 of the European Parliament and of the Council44 . References to the provisions of Regulation (EU) 2016/679 should be understood also as references to the corresponding provisions of Regulation (EU) 2018/1725 for Union institutions and bodies, where relevant.
(4)  The processing of personal electronic health data is subject to the provisions of Regulation (EU) 2016/679 of the European Parliament and of the Council43, Regulation (EU) 2018/1725 of the European Parliament and of the Council44, as regards Union institutions, bodies, offices and agencies, and Regulation (EU) 2022/86844a of the European Parliament and of the Council. References to the provisions of Regulation (EU) 2016/679 should be understood also as references to the corresponding provisions of Regulation (EU) 2018/1725 for Union institutions, bodies, offices and agencies, where relevant. In relation to mixed datasets, where personal and non-personal data are inextricably linked, and where it is difficult to distinguish between those categories thereby resulting in the possibility of inferring personal data from non-personal data, the provisions of Regulation (EU) 2016/679 and of this Regulation concerning personal electronic health data should apply.
__________________
__________________
43 Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (OJ L 119, 4.5.2016, p. 1).
43 Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (OJ L 119, 4.5.2016, p. 1).
44 Regulation (EU) 2018/1725 of the European Parliament and of the Council of 23 October 2018 on the protection of natural persons with regard to the processing of personal data by the Union institutions, bodies, offices and agencies and on the free movement of such data, and repealing Regulation (EC) No 45/2001 and Decision No 1247/2002/EC (OJ L 295, 21.11.2018, p. 39).
44 Regulation (EU) 2018/1725 of the European Parliament and of the Council of 23 October 2018 on the protection of natural persons with regard to the processing of personal data by the Union institutions, bodies, offices and agencies and on the free movement of such data, and repealing Regulation (EC) No 45/2001 and Decision No 1247/2002/EC (OJ L 295, 21.11.2018, p. 39).
44a Regulation (EU) 2022/868 of the European Parliament and of the Council of 30 May 2022 on European data governance and amending Regulation (EU) 2018/1724 (Data Governance Act) (OJ L 152, 3.6.2022, p. 1).
Amendment 8
Proposal for a regulation
Recital 4 a (new)
(4a)  The implementation of the EHDS should take into consideration the European ethical principles for digital health adopted by the eHealth network1a on 26 January 2022. Monitoring the application of those ethical principles should be one of the tasks of the EHDS Board.
__________________
1a Established following Article 14 of Directive 2011/24/EU on the application of patients' rights in cross-border healthcare.
Amendment 9
Proposal for a regulation
Recital 5
(5)  More and more Europeans cross national borders to work, study, visit relatives or to travel. To facilitate the exchange of health data, and in line with the need for empowering citizens, they should be able to access their health data in an electronic format that can be recognised and accepted across the Union. Such personal electronic health data could include personal data related to the physical or mental health of a natural person, including the provision of health care services, which reveal information about their health status, personal data relating to the inherited or acquired genetic characteristics of a natural person which give unique information about the physiology or the health of that natural person and which result, in particular, from an analysis of a biological sample from the natural person in question, as well as data determinants of health, such as behaviour, environmental, physical influences, medical care, social or educational factors. Electronic health data also includes data that has been initially collected for research, statistics, policy making or regulatory purposes and may be made available according to the rules in Chapter IV. The electronic health data concern all categories of those data, irrespective to the fact that such data is provided by the data subject or other natural or legal persons, such as health professionals, or is processed in relation to a natural person’s health or well-being and should also include inferred and derived data, such as diagnostics, tests and medical examinations, as well as data observed and recorded by automatic means.
(5)  More and more Europeans cross national borders to work, study, visit relatives or to travel. To facilitate the exchange of health data, and in line with the need for empowering citizens, they should be able to access their health data in an electronic format that can be recognised and accepted across the Union. Such personal electronic health data could include personal data related to the physical or mental health of a natural person, including the provision of health care services, which reveal information about their health status, personal data relating to the inherited or acquired genetic characteristics of a natural person which give unique information about the physiology or the health of that natural person and which result, in particular, from an analysis of a biological sample from the natural person in question, as well as data determinants of health, such as behaviour, environmental, physical influences, medical care, social or educational factors. Electronic health data also includes data that has been initially collected for research, statistics, health threat assessment, policy making or regulatory purposes and may be made available according to the rules in Chapter IV. The electronic health data concern all categories of those data, irrespective to the fact that such data is provided by the data subject or other natural or legal persons, such as health professionals, or is processed in relation to a natural person’s health or well-being and should also include inferred and derived data, such as diagnostics, tests and medical examinations, as well as data observed and recorded by automatic means.
Amendment 10
Proposal for a regulation
Recital 5 a (new)
(5a)  The scope of this Regulation should not cover natural persons who are not Union citizens, or third-country nationals not legally residing on the territory of the Member States. Therefore, where Member States require electronic registration of health data or where health data holders register health data regarding those natural persons, processors can only process the electronic health data of such persons, in accordance with Articles 6(1) and 9(2) of Regulation (EU) 2016/679 including for any secondary use.
Amendment 11
Proposal for a regulation
Recital 7
(7)  In health systems, personal electronic health data is usually gathered in electronic health records, which typically contain a natural person’s medical history, diagnoses and treatment, medications, allergies, immunisations, as well as radiology images and laboratory results, spread between different entities from the health system (general practitioners, hospitals, pharmacies, care services). In order to enable that electronic health data to be accessed, shared and changed by the natural persons or health professionals, some Member States have taken the necessary legal and technical measures and set up centralised infrastructures connecting EHR systems used by healthcare providers and natural persons. Alternatively, some Member States support public and private healthcare providers to set up personal health data spaces to enable interoperability between different healthcare providers. Several Member States have also supported or provided health data access services for patients and health professionals (for instance through patients or health professional portals). They have also taken measures to ensure that EHR systems or wellness applications are able to transmit electronic health data with the central EHR system (some Member States do this by ensuring, for instance, a system of certification). However, not all Member States have put in place such systems, and the Member States that have implemented them have done so in a fragmented manner. In order to facilitate the free movement of personal health data across the Union and avoid negative consequences for patients when receiving healthcare in cross-border context, Union action is needed in order to ensure individuals have improved acess to their own personal electronic health data and are empowered to share it.
(7)  In health systems, personal electronic health data is usually gathered in electronic health records, which typically contain a natural person’s medical history, diagnoses and treatment, medications, allergies, immunisations, as well as radiology images and laboratory results, and other complementary diagnosis and therapeutics results, spread between different entities from the health system (general practitioners, hospitals, pharmacies, care services). In order to enable that electronic health data to be accessed, shared and changed by the natural persons or health professionals, some Member States have taken the necessary legal and technical measures and set up centralised infrastructures connecting EHR systems used by healthcare providers and natural persons. Alternatively, some Member States support public and private healthcare providers to set up personal health data spaces to enable interoperability between different healthcare providers. Several Member States have also supported or provided health data access services for patients and health professionals (for instance through patients or health professional portals). They have also taken measures to ensure that EHR systems or wellness applications are able to transmit electronic health data with the central EHR system (some Member States do this by ensuring, for instance, a system of certification). However, not all Member States have put in place such systems, and the Member States that have implemented them have done so in a fragmented manner. In order to facilitate the free movement of personal health data across the Union and avoid negative consequences for patients when receiving healthcare in cross-border context, Union action is needed in order to ensure individuals have improved access to their own personal electronic health data and are empowered to share it. To that end, Member States should ensure a common standard is in place for the exchange of electronic health data to ensure and facilitate its transfer and translation into the Union’s official languages. In this respect, appropriate funding and support at Union and national level should be fairly distributed and considered as a means of reducing fragmentation, heterogeneity, and division and to achieve a system that is user-friendly and intuitive in all Member States.
Amendment 12
Proposal for a regulation
Recital 9
(9)  At the same time, it should be considered that immediate access to certain types of personal electronic health data may be harmful for the safety of natural persons, unethical or inappropriate. For example, it could be unethical to inform a patient through an electronic channel about a diagnosis with an incurable disease that is likely to lead to their swift passing instead of providing this information in a consultation with the patient first. Therefore, a possibility for limited exceptions in the implementation of this right should be ensured. Such an exception may be imposed by the Member States where this exception constitutes a necessary and proportionate measure in a democratic society, in line with the requirements of Article 23 of Regulation (EU) 2016/679. Such restrictions should be implemented by delaying the display of the concerned personal electronic health data to the natural person for a limited period. Where health data is only available on paper, if the effort to make data available electronically is disproportionate, there should be no obligation that such health data is converted into electronic format by Member States. Any digital transformation in the healthcare sector should aim to be inclusive and benefit also natural persons with limited ability to access and use digital services. Natural persons should be able to provide an authorisation to the natural persons of their choice, such as to their relatives or other close natural persons, enabling them to access or control access to their personal electronic health data or to use digital health services on their behalf. Such authorisations may also be useful for convenience reasons in other situations. Proxy services should be established by Member States to implement these authorisations, and they should be linked to personal health data access services, such as patient portals on patient-facing mobile applications. The proxy services should also enable guardians to act on behalf of their dependent children; in such situations, authorisations could be automatic. In order to take into account cases in which the display of some personal electronic health data of minors to their guardians could be contrary to the interests or will of the minor, Member States should be able to provide for such limitations and safeguards in national law, as well as the necessary technical implementation. Personal health data access services, such as patient portals or mobile applications, should make use of such authorisations and thus enable authorised natural persons to access personal electronic health data falling within the remit of the authorisation, in order for them to produce the desired effect.
(9)  At the same time, it should be considered that immediate access of natural persons to certain types of their personal electronic health data may be harmful for the safety of natural persons, unethical or inappropriate. For example, it could be unethical to inform a patient through an electronic channel about a diagnosis with an incurable disease that is likely to lead to their swift passing instead of providing this information in a consultation with the patient first. Therefore, a possibility for limited exceptions in the implementation of this right should be ensured. Such an exception may be imposed by the Member States where this exception constitutes a necessary and proportionate measure in a democratic society, in line with the requirements of Article 23 of Regulation (EU) 2016/679. Such restrictions should be implemented by delaying the display of the concerned personal electronic health data to the natural person for a limited period, for instance until the moment where the patient and the health professional get in contact. Member States should be encouraged to require that health data available prior to the implementation of this Regulation be converted into an electronic format through a process facilitated by Member States. Any digital transformation in the healthcare sector should aim to be inclusive and benefit also natural persons with limited ability to access and use digital services. Natural persons should be able to provide an authorisation to the natural persons of their choice, such as to their relatives or other close natural persons, enabling them to access or control access to their personal electronic health data or to use digital health services on their behalf. Such authorisations may also be useful for convenience reasons in other situations. Proxy services should be established by Member States to implement these authorisations, and they should be linked to personal health data access services, such as patient portals on patient-facing mobile applications. The proxy services should also enable guardians to act on behalf of their dependent children; in such situations, authorisations could be automatic. In order to take into account cases in which the display of some personal electronic health data of minors to their guardians could be contrary to the interests or will of the minor, Member States should be able to provide for such limitations and safeguards in national law, as well as the necessary technical implementation. Personal health data access services, such as patient portals or mobile applications, should make use of such authorisations and thus enable authorised natural persons to access personal electronic health data falling within the remit of the authorisation, in order for them to produce the desired effect.
Amendment 13
Proposal for a regulation
Recital 10
(10)  Some Member States allow natural persons to add electronic health data to their EHRs or to store additional information in their separate personal health record that can be accessed by health professionals. However, this is not a common practice in all Member States and therefore should be established by the EHDS across the EU. Information inserted by natural persons may not be as reliable as electronic health data entered and verified by health professionals, therefore it should be clearly marked to indicate the source of such additional data. Enabling natural persons to more easily and quickly access their electronic health data also further enables them to notice possible errors such as incorrect information or incorrectly attributed patient records and have them rectified using their rights under Regulation (EU) 2016/679. In such cases, natural person should be enabled to request rectification of the incorrect electronic health data online, immediately and free of charge, for example through the personal health data access service. Data rectification requests should be assessed and, where relevant, implemented by the data controllers on case by case basis, if necessary involving health professionals.
(10)  Some Member States allow natural persons to add electronic health data to their EHRs or to store additional information in their separate personal health record that can be accessed by health professionals. However, this is not a common practice in all Member States and therefore should be established by the EHDS across the EU. Information inserted by natural persons may not be as reliable as electronic health data entered and verified by health professionals and does not have the same clinical or legal value as information provided by a health professional, therefore it should be clearly marked to indicate the source of such additional data and should be validated only by a health professional. More specifically, relevant fields in the EHR should be clearly marked. Enabling natural persons to more easily and quickly access their electronic health data also further enables them to notice possible errors such as incorrect information or incorrectly attributed patient records and have them rectified using their rights under Regulation (EU) 2016/679. In such cases, natural person should be enabled to request rectification of the incorrect electronic health data online, immediately and free of charge, for example through the personal health data access service. Data rectification requests should be assessed and, where relevant, implemented by the data controllers on case by case basis, if necessary involving health professionals, with a relevant specialisation, responsible for the natural person’s treatment.
Amendment 14
Proposal for a regulation
Recital 11
(11)  Natural persons should be further empowered to exchange and to provide access to personal electronic health data to the health professionals of their choice, going beyond the right to data portability as established in Article 20 of Regulation (EU) 2016/679. This is necessary to tackle objective difficulties and obstacles in the current state of play. Under Regulation (EU) 2016/679, portability is limited only to data processed based on consent or contract, which excludes data processed under other legal bases, such as when the processing is based on law, for example when their processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller. It only concerns data provided by the data subject to a controller, excluding many inferred or indirect data, such as diagnoses, or tests. Finally, under Regulation (EU) 2016/679, the natural person has the right to have the personal data transmitted directly from one controller to another only where technically feasible. That Regulation, however, does not impose an obligation to make this direct transmission technically feasible. All these elements limit the data portability and may limit its benefits for provision of high-quality, safe and efficient healthcare services to the natural person.
(11)  Natural persons should be further empowered to exchange and to provide access to personal electronic health data to the health professionals of their choice, going beyond the right to data portability as established in Article 20 of Regulation (EU) 2016/679 and to download their health data. This is necessary to tackle objective difficulties and obstacles in the current state of play. Under Regulation (EU) 2016/679, portability is limited only to data processed based on consent or contract, which excludes data processed under other legal bases, such as when the processing is based on law, for example when their processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller. It only concerns data provided by the data subject to a controller, excluding many inferred or indirect data, such as diagnoses, or tests. Finally, under Regulation (EU) 2016/679, the natural person has the right to have the personal data transmitted directly from one controller to another only where technically feasible. That Regulation, however, does not impose an obligation to make this direct transmission technically feasible. All these elements limit the data portability and may limit its benefits for provision of high-quality, safe and efficient healthcare services to the natural person.
Amendment 15
Proposal for a regulation
Recital 12
(12)  Natural persons should be able to exercise control over the transmission of personal electronic health data to other healthcare providers. Healthcare providers and other organisations providing EHRs should facilitate the exercise of this right. Stakeholders such as healthcare providers, digital health service providers, manufacturers of EHR systems or medical devices should not limit or block the exercise of the right of portability because of the use of proprietary standards or other measures taken to limit the portability. For these reasons, the framework laid down by this Regulation builds on the right to data portability established in Regulation (EU) 2016/679 by ensuring that natural persons as data subjects can transmit their electronic health data, including inferred data, irrespective of the legal basis for processing the electronic health data. This right should apply to electronic health data processed by public or private controllers, irrespective of the legal basis for processing the data under in accordance with the Regulation (EU) 2016/679. This right should apply to all electronic health data.
(12)  Natural persons should be able to exercise control over the transmission of personal electronic health data to other healthcare providers. Healthcare providers and other organisations providing EHRs should facilitate the exercise of this right. Stakeholders such as healthcare providers, digital health service providers, manufacturers of EHR systems or medical devices should not limit or block the exercise of the right of portability because of the use of proprietary standards or other measures taken to limit the portability. In accordance with Regulation (EU) 2016/679, healthcare providers should follow the data minimisation principle when accessing personal health data, limiting the data accessed to data that are strictly necessary and justified for a given service. For these reasons, the framework laid down by this Regulation builds on the right to data portability established in Regulation (EU) 2016/679 by ensuring that natural persons as data subjects can transmit their electronic health data, including inferred data, irrespective of the legal basis for processing the electronic health data. This right should apply to electronic health data processed by public or private controllers, irrespective of the legal basis for processing the data under in accordance with the Regulation (EU) 2016/679. This right should apply to all electronic health data.
Amendment 16
Proposal for a regulation
Recital 13
(13)  Natural persons may not want to allow access to some parts of their personal electronic health data while enabling access to other parts. Such selective sharing of personal electronic health data should be supported. However, such restrictions may have life threatening consequences and, therefore, access to personal electronic health data should be possible to protect vital interests as an emergency override. According to Regulation (EU) 2016/679, vital interests refer to situations in which it is necessary to protect an interest which is essential for the life of the data subject or that of another natural person. Processing of personal electronic health data based on the vital interest of another natural person should in principle take place only where the processing cannot be manifestly based on another legal basis. More specific legal provisions on the mechanisms of restrictions placed by the natural person on parts of their personal electronic health data should be provided by Member States in national law. Because the unavailability of the restricted personal electronic health data may impact the provision or quality of health services provided to the natural person, he/she should assume responsibility for the fact that the healthcare provider cannot take the data into account when providing health services.
(13)  Natural persons may not want to allow access to some parts of their personal electronic health data while enabling access to other parts. Such selective sharing of personal electronic health data should be supported. However, natural persons should be informed of the patient safety risks associated with limiting access to health data. However, such restrictions may have life threatening consequences and, therefore, access to personal electronic health data should be possible to protect vital interests as an emergency override. According to Regulation (EU) 2016/679, vital interests refer to situations in which it is necessary to protect an interest which is essential for the life of the data subject or that of another natural person. Processing of personal electronic health data based on the vital interest of another natural person should in principle take place only where the processing cannot be manifestly based on another legal basis. More specific legal provisions on the mechanisms of restrictions placed by the natural person on parts of their personal electronic health data should be provided by Member States in national law, in particular as regards medical liability in the event that restrictions have been placed by the natural person, Because the unavailability of the restricted personal electronic health data may impact the provision or quality of health services provided to the natural person, he/she should assume responsibility for the fact that the healthcare provider cannot take the data into account when providing health services.
Amendment 17
Proposal for a regulation
Recital 14
(14)  In the context of the EHDS, natural persons should be able to exercise their rights as they are enshrined in Regulation (EU) 2016/679. The supervisory authorities established pursuant to Article 51 of Regulation (EU) 2016/679 should remain competent, in particular to monitor the processing of personal electronic health data and to address any complaints lodged by the natural persons. In order to carry out their tasks in the health sector and uphold the natural persons’ rights, digital health authorities should cooperate with the supervisory authorities under Regulation (EU) 2016/679.
(14)  In the context of the EHDS, natural persons should be able to exercise their rights under this Regulation without prejudice to Regulation (EU) 2016/679. The supervisory authorities established pursuant to Article 51 of Regulation (EU) 2016/679 should remain competent, in particular to monitor the processing of personal electronic health data and to address any complaints lodged by the natural persons. In order to carry out their tasks in the health sector and uphold the natural persons’ rights, digital health authorities should cooperate with the supervisory authorities under Regulation (EU) 2016/679.
Amendment 18
Proposal for a regulation
Recital 15
(15)  Article 9(2), point (h), of Regulation (EU) 2016/679 provides for exceptions where the processing of senstitive data is necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health care or treatment or the management of health care systems and services on the basis of Union or Member State law. This Regulation should provide conditions and safeguards for the processing of electronic health data by healthcare providers and health professionals in line with Article 9(2), point (h), of Regulation (EU) 2016/679 with the purpose of accessing personal electronic health data provided by the natural person or transmitted from other healthcare providers. However, this Regulation should be without prejudice to the national laws concerning the processing of health data, including the legislation establishing categories of health professionals that can process different categories of electronic health data.
(15)  Article 9(2), point (h), of Regulation (EU) 2016/679 provides for exceptions where the processing of sensitive data is necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health care or treatment or the management of health care systems and services on the basis of Union or Member State law. This Regulation should provide conditions and safeguards for the processing of electronic health data by healthcare providers and health professionals in line with Article 9(2), point (h), of Regulation (EU) 2016/679 with the purpose of accessing personal electronic health data provided by the natural person or transmitted from other healthcare providers. However, this Regulation should be without prejudice to the national laws concerning the processing of health data outside the scope of this Regulation, including for other secondary use purposes established by this Regulation, including the legislation establishing categories of health professionals that can process different categories of electronic health data.
Amendment 19
Proposal for a regulation
Recital 16
(16)  Timely and full access of health professionals to the medical records of patients is fundamental for ensuring continuity of care and avoiding duplications and errors. However, due to a lack of interoperability, in many cases, health professionals cannot access the complete medical records of their patients and cannot make optimal medical decisions for their diagnosis and treatment, which adds considerable costs for both health systems and natural persons and may lead to worse health outcomes for natural persons. Electronic health data made available in interoperable format, which can be transmitted between healthcare providers can also reduce the administrative burden on health professionals of manually entering or copying health data between electronic systems. Therefore, health professionals should be provided with appropriate electronic means, such as health professional portals, to use personal electronic health data for the exercise of their duties. Moreover, the access to personal health records should be transparent to the natural persons and natural persons should be able to exercise full control over such access, including by limiting access to all or part of the personal electronic health data in their records. Health professionals should refrain from hindering the implementation of the rights of natural persons, such as refusing to take into account electronic health data originating from another Member State and provided in the interoperable and reliable European electronic health record exchange format.
(16)  Timely and full access of health professionals to the medical records of patients is fundamental for ensuring continuity of care, avoiding duplications and errors and reducing costs. However, due to a lack of interoperability, in many cases, health professionals cannot access the complete medical records of their patients and cannot make optimal medical decisions for their diagnosis and treatment, which adds considerable costs for both health systems and natural persons and may lead to worse health outcomes for natural persons. Electronic health data made available in interoperable format, which can be transmitted between healthcare providers can also reduce the administrative burden on health professionals of manually entering or copying health data between electronic systems. Therefore, health professionals should be provided with appropriate electronic means, such as appropriate electronic and digital devices and health professional portals, to use personal electronic health data for the exercise of their duties on a need-to-know basis. Moreover, the access to personal health records should be transparent to the natural persons and natural persons should be able to exercise full control over such access, including by limiting access to all or part of the personal electronic health data in their records. Health professionals should refrain from hindering the implementation of the rights of natural persons, such as refusing to take into account electronic health data originating from another Member State and provided in the interoperable and reliable European electronic health record exchange format. This Regulation should not be construed or interpreted as limiting the obligation of health professionals to comply with the applicable law, codes of conduct, deontological guidelines or other provisions governing ethical conduct with respect to sharing or accessing information, particularly in life-threatening or extreme situations. For that purpose, providers of electronic health records should keep a record of who has accessed data in the previous 36 months and which data they accessed.
Amendment 20
Proposal for a regulation
Recital 16 a (new)
(16a)  Health professionals are faced with a profound change in the context of digitalisation and implementation of the EHDS. Health professionals need to develop their digital health literacy and digital skills. Therefore, health professionals who qualify as micro enterprises, as defined in Article 2 of the Annex to Commission Recommendation 2003/361/EC1a, should be temporarily exempted from the obligations laid down in this Regulation, in order to avoid a disproportionate administrative burden for micro enterprises. During the period of exemption, Member States should enable health professionals working as micro enterprises to take digital literacy courses to be able to prepare to work in EHR systems.
_____
1a Commission Recommendation of 6 May 2003 concerning the definition of micro, small and medium sized enterprises (OJ L 124, 20.5.2003, p. 36)
Amendment 21
Proposal for a regulation
Recital 17
(17)  The relevance of different categories of electronic health data for different healthcare scenarios varies. Different categories have also achieved different levels of maturity in standardisation, and therefore the implementation of mechanisms for their exchange may be more or less complex depending on the category. Therefore, the improvement of interoperability and data sharing should be gradual and prioritisation of categories of electronic health data is needed. Categories of electronic health data such as patient summary, electronic prescription and dispensation, laboratory results and reports, hospital discharge reports, medical images and reports have been selected by the eHealth Network as most relevant for the majority of healthcare situations and should be considered as priority categories for Member States to implement access to them and their transmission. When further needs for the exchange of more categories of electronic health data are identified for healthcare purposes, the list of priority categories should be expanded. The Commission should be empowered to extend the list of priority categories, after analysing relevant aspects related to the necessity and possibility for the exchange of new datasets, such as their support by systems established nationally or regionally by the Member States. Particular attention should be given to the data exchange in border regions of neighbouring Member States where the provision of cross-border health services is more frequent and needs even quicker procedures than across the Union in general.
(17)  The relevance of different categories of electronic health data for different healthcare scenarios varies. Different categories have also achieved different levels of maturity in standardisation, and therefore the implementation of mechanisms for their exchange may be more or less complex depending on the category. Therefore, the improvement of interoperability and data sharing should be gradual and prioritisation of categories of electronic health data is needed. Categories of electronic health data such as patient summary, electronic prescription and dispensation, laboratory results and reports, hospital discharge reports, medical images and reports have been selected by the eHealth Network as most relevant for the majority of healthcare situations and should be considered as priority categories for Member States to implement access to them and their transmission. When further needs for the exchange of more categories of electronic health data are identified for healthcare purposes, the list of priority categories should be expanded, after analysing relevant aspects related to the necessity and possibility for the exchange of new datasets, such as their support by systems established nationally or regionally by the Member States. Particular attention should be given to the data exchange in border regions of neighbouring Member States where the provision of cross-border health services is more frequent and needs even quicker procedures than across the Union in general.
Amendment 22
Proposal for a regulation
Recital 19
(19)  The level of availability of personal health and genetic data in an electronic format varies between Member States. The EHDS should make it easier for natural persons to have those data available in electronic format. This would also contribute to the achievement of the target of 100% of Union citizens having access to their electronic health records by 2030, as referred to in the Policy Programme “Path to the Digital Decade”. In order to make electronic health data accesible and transmissible, such data should be accessed and transmitted in an interoperable common European electronic health record exchange format, at least for certain categories of electronic health data, such as patient summaries, electronic prescriptions and dispensations, medical images and image reports, laboratory results and discharge reports, subject to transition periods. Where personal electronic health data is made available to a healthcare provider or a pharmacy by a natural person, or is transmitted by another data controller in the European electronic health record exchange format, the electronic health data should be read and accepted for the provision of healthcare or for dispensation of a medicinal product, thus supporting the provision of the health care services or the dispensation of the electronic prescription. Commission Recommendation (EU) 2019/24345 provides the foundations for such a common European electronic health record exchange format. The use of European electronic health record exchange format should become more generalised at EU and national level. While the eHealth Network under Article 14 of Directive 2011/24/EU of the European Parliament and of the Council46 recommended Member States to use the European electronic health record exchange format in procurements, in order to improve interoperability, uptake was limited in practice, resulting in fragmented landscape and uneven access to and portability of electronic health data.
(19)  The level of availability of personal health and genetic data in an electronic format varies between Member States. The EHDS should make it easier for natural persons to have those data available in electronic format as well as for them to have better control over accessing and sharing their personal electronic health data. This would also contribute to the achievement of the target of 100% of Union citizens having access to their electronic health records by 2030, as referred to in the Policy Programme “Path to the Digital Decade”. In order to make electronic health data accessible and transmissible, such data should be accessed and transmitted in an interoperable common European electronic health record exchange format, at least for certain categories of electronic health data, such as patient summaries, electronic prescriptions and dispensations, medical images and image reports, laboratory results and discharge reports, subject to transition periods. Where personal electronic health data is made available to a healthcare provider or a pharmacy by a natural person, or is transmitted by another data controller in the European electronic health record exchange format, the electronic health data should be read and accepted for the provision of healthcare or for dispensation of a medicinal product, thus supporting the provision of the health care services or the dispensation of the electronic prescription. Commission Recommendation (EU) 2019/24345 provides the foundations for such a common European electronic health record exchange format. The interoperability of the EHDS should contribute to a high quality of European health data sets. The use of European electronic health record exchange format should become more generalised at EU and national level. While the eHealth Network under Article 14 of Directive 2011/24/EU of the European Parliament and of the Council46 recommended Member States to use the European electronic health record exchange format in procurements, in order to improve interoperability, uptake was limited in practice, resulting in fragmented landscape and uneven access to and portability of electronic health data.
__________________
__________________
45 Commission Recommendation (EU) 2019/243 of 6 February 2019 on a European Electronic Health Record exchange format (OJ L 39, 11.2.2019, p. 18).
45 Commission Recommendation (EU) 2019/243 of 6 February 2019 on a European Electronic Health Record exchange format (OJ L 39, 11.2.2019, p. 18).
46 Directive 2011/24/EU of the European Parliament and of the Council of 9 March 2011 on the application of patients’ rights in cross-border healthcare (OJ L 88, 4.4.2011, p. 45).
46 Directive 2011/24/EU of the European Parliament and of the Council of 9 March 2011 on the application of patients’ rights in cross-border healthcare (OJ L 88, 4.4.2011, p. 45).
Amendment 23
Proposal for a regulation
Recital 20
(20)  While EHR systems are widely spread, the level of digitalisation of health data varies in Member States depending on data categories and on the coverage of healthcare providers that register health data in electronic format. In order to support the implementation of data subjects’ rights of access to and exchange of electronic health data, Union action is needed to avoid further fragmentation. In order to contribute to a high quality and continuity of healthcare, certain categories of health data should be registered in electronic format systematically and according to specific data quality requirements. The European electronic health record exchange format should form the basis for specifications related to the registration and exchange of electronic health data. The Commission should be empowered to adopt implementing acts for determining additional aspects related to the registration of electronic health data, such as categories of healthcare providers that are to register health data electronically, categories of data to be registered electronically, or data quality requirements.
(20)  While EHR systems are widely spread, the level of digitalisation of health data varies in Member States depending on data categories and on the coverage of healthcare providers that register health data in electronic format. In order to support the implementation of data subjects’ rights of access to and exchange of electronic health data, Union action is needed to avoid further fragmentation. In order to contribute to a high quality and continuity of healthcare, certain categories of health data should be registered in electronic format systematically and according to specific data quality requirements. The European electronic health record exchange format should form the basis for specifications related to the registration and exchange of electronic health data. The Commission should be empowered to adopt delegated acts for determining data quality requirements.
Amendment 24
Proposal for a regulation
Recital 20 a (new)
(20a)  In order to support the successful implementation of the EHDS and the creation of effective conditions for European health data cooperation, the Commission and Member States should agree on time-based targets to implement conditions for improved health data interoperability across the Union with a range of objectives and milestones, including in respect of disease-specific registry interoperability, which should be reviewed and assessed in an annual report.
Amendment 25
Proposal for a regulation
Recital 21
(21)  Under Article 168 of the Treaty Member States are responsible for their health policy, in particular for decisions on the services (including telemedicine) that they provide and reimburse. Different reimbursement policies should, however, not constitute barriers to the free movement of digital health services such as telemedicine, including online pharmacy services. When digital services accompany the physical provision of a healthcare service, the digital service should be included in the overall care provision.
(21)  Under Article 168 of the Treaty on the Functioning of the European Union (TFEU), Member States are responsible for their health policy, in particular for decisions on the services that they provide and reimburse. Different reimbursement policies should, however, not constitute barriers to the free movement of digital health services such as telemedicine, including online pharmacy services. When digital services accompany the physical provision of a healthcare service, the digital service should be included in the overall care provision. Telemedicine is becoming an increasingly important tool that can provide patients with access to care and tackle inequities and has the potential to reduce health inequalities and reinforce the free movement of Union citizens across borders. Digital and other technological tools can facilitate the provision of care in remote regions. However, telemedicine should not be viewed as a replacement for in-person medicine, as there are certain conditions and procedures that require in-person physical examination and intervention.
Amendment 26
Proposal for a regulation
Recital 22
(22)  Regulation (EU) No 910/2014 of the European Parliament and of the Council47 lays down the conditions under which Members States perform identification of natural persons in cross-border situations using identification means issued by another Member State, establishing rules for the mutual recognition of such electronic identification means. The EHDS requires a secure access to electronic health data, including in cross-border scenarios where the health professional and the natural person are from different Member States, to avoid cases of unauthorised access. At the same time, the existence of different means of electronic identification should not be a barrier for exercising the rights of natural persons and health professionals. The rollout of interoperable, cross-border identification and authentication mechanisms for natural persons and health professionals across the EHDS requires strengthening cooperation at Union level in the European Health Data Space Board (‘EHDS Board’).As the rights of the natural persons in relation to the access and transmission of personal electronic health data should be implemented uniformly across the Union, a strong governance and coordination is necessary at both Union and Member State level. Member States should establish relevant digital health authorities for the planning and implementation of standards for electronic health data access, transmission and enforcement of rights of natural persons and health professionals. In addition, governance elements are needed in Member States to facilitate the participation of national actors in the cooperation at Union level, channelling expertise and advising the design of solutions necessary to achieve the goals of the EHDS. Digital health authorities exist in most of the Member States and they deal with EHRs, interoperability, security or standardisation. Digital health authorities should be established in all Member States, as separate organisations or as part of the currently existing authorities.
(22)  Regulation (EU) No 910/2014 of the European Parliament and of the Council47 lays down the conditions under which Members States perform identification of natural persons in cross-border situations using identification means issued by another Member State, establishing rules for the mutual recognition of such electronic identification means. The EHDS requires a secure access to electronic health data, including in cross-border scenarios where the health professional and the natural person are from different Member States, to avoid cases of unauthorised access. At the same time, the existence of different means of electronic identification should not be a barrier for exercising the rights of natural persons and health professionals. Therefore, natural persons and health professionals should have the right to electronic identification using any recognised electronic identification, including eID schemes where such are offered. The rollout of interoperable, cross-border identification and authentication mechanisms for natural persons and health professionals across the EHDS requires strengthening cooperation at Union level in the European Health Data Space Board (‘EHDS Board’). As the rights of the natural persons in relation to the access and transmission of personal electronic health data should be implemented uniformly across the Union, a strong governance and coordination is necessary at both Union and Member State level.
__________________
__________________
47 Regulation (EU) No 910/2014 of the European Parliament and of the Council of 23 July 2014 on electronic identification and trust services for electronic transactions in the internal market and repealing Directive 1999/93/EC (OJ L 257, 28.8.2014, p. 73).
47 Regulation (EU) No 910/2014 of the European Parliament and of the Council of 23 July 2014 on electronic identification and trust services for electronic transactions in the internal market and repealing Directive 1999/93/EC (OJ L 257, 28.8.2014, p. 73).
Amendment 27
Proposal for a regulation
Recital 22 a (new)
(22a)  Member States should establish relevant digital health authorities for the planning and implementation of standards for electronic health data access and transmission and the enforcement of the rights of natural persons and health professionals. In addition, governance elements are needed in Member States to facilitate the participation of national actors in the cooperation at Union level, channelling expertise and advising on the design of solutions necessary to achieve the goals of the EHDS. Digital health authorities exist in most of the Member States and they deal with EHRs, interoperability, security or standardisation. Digital health authorities should be established in all Member States, as separate organisations or as part of currently existing authorities.
Amendment 28
Proposal for a regulation
Recital 23
(23)  Digital health authorities should have sufficient technical skills, possibly bringing together experts from different organisations. The activities of digital health authorities should be well-planned and monitored in order to ensure their efficiency. Digital health authorities should take necessary measures to ensuring rights of natural persons by setting up national, regional, and local technical solutions such as national EHR, patient portals, data intermediation systems. When doing so, they should apply common standards and specifications in such solutions, promote the application of the standards and specifications in procurements and use other innovative means including reimbursement of solutions that are compliant with interoperability and security requirements of the EHDS. To carry out their tasks, the digital health authorities should cooperate at national and Union level with other entities, including with insurance bodies, healthcare providers, manufacturers of EHR systems and wellness applications, as well as stakeholders from health or information technology sector, entities handling reimbursement schemes, health technology assessment bodies, medicinal products regulatory authorities and agencies, medical devices authorities, procurers and cybersecurity or e-ID authorities.
(23)  Digital health authorities should have sufficient technical skills, possibly bringing together experts from different organisations. The activities of digital health authorities should be well-planned and monitored in order to ensure their efficiency. Digital health authorities should take necessary measures to ensuring rights of natural persons by setting up national, regional, and local technical solutions such as national EHR, patient portals, data intermediation systems. When doing so, they should apply common standards and specifications in such solutions, promote the application of the standards and specifications in procurements and use other innovative means including reimbursement of solutions that are compliant with interoperability and security requirements of the EHDS. Member States should ensure that appropriate training initiatives are undertaken. In particular, health professionals should be informed and trained with respect to their rights and obligations under this Regulation. To carry out their tasks, the digital health authorities should cooperate at national and Union level with other entities, including with insurance bodies, healthcare providers, health professionals, manufacturers of EHR systems and wellness applications, as well as other stakeholders from health or information technology sector, entities handling reimbursement schemes, health technology assessment bodies, medicinal products regulatory authorities and agencies, medical devices authorities, procurers and cybersecurity or e-ID authorities.
Amendment 29
Proposal for a regulation
Recital 24
(24)  Access to and transmission of electronic health data is relevant in cross-border healthcare situations, as it may support continuity of healthcare when natural persons travel to other Member States or change their place of residence. Continuity of care and rapid access to personal electronic health data is even more important for residents in border regions, crossing the border frequently to get health care. In many border regions, some specialised health care services may be available closer across the border rather than in the same Member State. An infrastructure is needed for the transmission of personal electronic health data across borders, in situations where a natural person is using services of a healthcare provider established in another Member State. A voluntary infrastructure for that purpose, MyHealth@EU, has been established as part of the actions provided for in Article 14 of Directive 2011/24/EU. Through MyHealth@EU, Member States started to provide natural persons with the possibility to share their personal electronic health data with healthcare providers when travelling abroad. To further support such possibilities, the participation of Member States in the digital infrastructure MyHealth@EU should become mandatory. All Member States should join the infrastructure and connect healthcare providers and pharmacies to it, as this is necessary for the implementation of the rights of natural persons to access and make use of their personal electronic health data regardless of the Member State. The infrastructure should be gradually expanded to support further categories of electronic health data.
(24)  Access to and transmission of electronic health data is relevant in cross-border healthcare situations, as it may support continuity of healthcare when natural persons travel to other Member States or change their place of residence. Continuity of care and rapid access to personal electronic health data is even more important for residents in border regions, crossing the border frequently to get health care. In many border regions, some specialised health care services may be available closer across the border rather than in the same Member State. An infrastructure is needed for the transmission of personal electronic health data across borders, in situations where a natural person is using services of a healthcare provider established in another Member State. A voluntary infrastructure for that purpose, MyHealth@EU, has been established as part of the actions provided for in Article 14 of Directive 2011/24/EU. Through MyHealth@EU, Member States started to provide natural persons with the possibility to share their personal electronic health data with healthcare providers when travelling abroad. To further support such possibilities, the participation of Member States in the digital infrastructure MyHealth@EU should become mandatory. All Member States should join the infrastructure and connect healthcare providers and pharmacies to it, as this is necessary for the implementation of the rights of natural persons to access and make use of their personal electronic health data regardless of the Member State. The infrastructure should be gradually expanded to support further categories of electronic health data, and funding as well as other means of support at Union level should be considered.
Amendment 30
Proposal for a regulation
Recital 25
(25)  In the context of MyHealth@EU, a central platform should provide a common infrastructure for the Member States to ensure connectivity and interoperability in an efficient and secure way. In order to guarantee compliance with data protection rules and to provide a risk management framework for the transmission of personal electronic health data, the Commission should, by means of implementing acts, allocate specific responsibilities among the Member States, as joint controllers, and prescribe its own obligations, as processor.
(25)  In the context of MyHealth@EU, a central platform should provide a common infrastructure for the Member States to ensure connectivity and interoperability in an efficient and secure way. In order to guarantee compliance with data protection rules and to provide a risk management framework for the transmission of personal electronic health data, the Commission should, by means of implementing acts, allocate specific responsibilities with time-based targets among the Member States, as joint controllers, and prescribe its own obligations, as processor.
Amendment 31
Proposal for a regulation
Recital 26
(26)  In addition to services in MyHealth@EU for the exchange of personal electronic health data based on the European electronic health record exchange format, other services or supplementary infrastructures may be needed for example in cases of public health emergencies or where the architecture of MyHealth@EU is not suitable for the implementation of some use cases. Examples of such use cases include support for vaccination card functionalities, including the exchange of information on vaccination plans, or verification of vaccination certificates or other health-related certificates. This would be also important for introducing additional functionality for handling public health crises, such as support for contact tracing for the purposes of containing infectious diseases. Connection of national contact points for digital health of third countries or interoperability with digital systems established at international level should be subject to a check ensuring the compliance of the national contact point with the technical specifications, data protection rules and other requirements of MyHealth@EU. A decision to connect a national contact point of a third country should be taken by data controllers in the joint controllership group for MyHealth@EU.
(26)  In addition to services in MyHealth@EU for the exchange of personal electronic health data based on the European electronic health record exchange format, other services or supplementary infrastructures may be needed for example in cases of public health emergencies or where the architecture of MyHealth@EU is not suitable for the implementation of some use cases. Examples of such use cases include support for vaccination card functionalities, including the exchange of information on vaccination plans, or verification of vaccination certificates or other health-related certificates. This would be also important for introducing additional functionality for handling public health crises, such as support for contact tracing for the purposes of containing infectious diseases.
Amendment 32
Proposal for a regulation
Recital 34 a (new)
(34a)  EHR systems could qualify as medical devices under Regulation (EU) 2017/745 or in-vitro diagnostic devices under Regulation (EU) 2017/746 of the European Parliament and of the Council1a. While those EHR systems need to fulfil the requirements under each applicable regulation, Member States should take appropriate measures to ensure that the respective conformity assessment is carried out as a joint or coordinated procedure, as appropriate, inter alia by encouraging the same notified bodies to become responsible for the conformity assessment under each applicable regulation.
_____
1a Regulation (EU) 2017/746 of the European Parliament and of the Council of 5 April 2017 on in vitro diagnostic medical devices and repealing Directive 98/79/EC and Commission Decision 2010/227/EU (OJ L 117, 5.5.2017, p. 176).
Amendment 33
Proposal for a regulation
Recital 35
(35)  Users of wellness applications, such as mobile applications, should be informed about the capacity of such applications to be connected and to supply data to EHR systems or to national electronic health solutions, in cases where data produced by wellness applications is useful for healthcare purposes. The capability of those applications to export data in an interoperable format is also relevant for data portability purposes. Where applicable, users should be informed about the compliance of such applications with interoperability and security requirements. However, given the large number of wellness applications and the limited relevance for healthcare purposes of the data produced by many of them, a certification scheme for these applications would not be proportionate. A voluntary labelling scheme should therefore be established as an appropriate mechanism for enabling the transparency for the users of wellness applications regarding compliance with the requirements, thereby supporting users in their choice of appropriate wellness applications with high standards of interoperability and security. The Commission may set out in implementing acts the details regarding the format and content of such label.
(35)  Users of wellness applications, such as mobile applications, should be informed about the capacity of such applications to be connected and to supply data to EHR systems or to national electronic health solutions, in cases where data produced by wellness applications is useful for healthcare purposes. The capability of those applications to export data in an interoperable format is also relevant for data portability purposes. Where applicable, users should be informed about the compliance of such applications with interoperability and security requirements. However, given the large number of wellness applications and the limited relevance for healthcare purposes of the data produced by many of them, a certification scheme for these applications would not be proportionate. A mandatory labelling scheme for wellness applications claiming interoperability with EHR systems should therefore be established as an appropriate mechanism for enabling the transparency for the users of wellness applications regarding compliance with the requirements, thereby supporting users in their choice of appropriate wellness applications with high standards of interoperability and security. The Commission should set out in implementing acts the details regarding the format and content of such label.
Amendment 34
Proposal for a regulation
Recital 36 a (new)
(36a)  The uptake of real-world data and real-world evidence, including patient-reported outcomes, for evidence-based regulatory and policy purposes as well as for research, health technology assessment and clinical objectives should be encouraged. Real-world data and real-world evidence have the potential to complement health data currently made available.
Amendment 35
Proposal for a regulation
Recital 37
(37)  For the secondary use of the clinical data for research, innovation, policy making, regulatory purposes, patient safety or the treatment of other natural persons, the possibilities offered by Regulation (EU) 2016/679 for a Union law should be used as a basis and rules and mechanisms and providing suitable and specific measures to safeguard the rights and freedoms of the natural persons. This Regulation provides the legal basis in accordance with Articles 9(2) (g), (h), (i) and (j) of Regulation (EU) 2016/679 for the secondary use of health data, establishing the safeguards for processing, in terms of lawful purposes, trusted governance for providing access to health data (through health data access bodies) and processing in a secure environment, as well as modalities for data processing, set out in the data permit. At the same time, the data applicant should demonstrate a legal basis pursuant to Article 6 of Regulation (EU) 2016/679, based on which they could request access to data pursuant to this Regulation and should fulfil the conditions set out in Chapter IV. More specifically: for processing of electronic health data held by the data holder pursuant to this Regulation, this Regulation creates the legal obligation in the sense of Article 6(1) point (c) of Regulation (EU) 2016/679 for disclosing the data by the data holder to health data access bodies, while the legal basis for the purpose of the initial processing (e.g. delivery of care) is unaffected. This Regulation also meets the conditions for such processing pursuant to Articles 9(2) (h),(i),(j) of the Regulation (EU) 2016/679. This Regulation assigns tasks in the public interest to the health data access bodies (running the secure processing environment, processing data before they are used, etc.) in the sense of Article 6(1)(e) of Regulation (EU) 2016/679 to the health data access bodies, and meets the requirements of Article 9(2)(h),(i),(j) of the Regulation (EU) 2016/679. Therefore, in this case, this Regulation provides the legal basis under Article 6 and meets the requirements of Article 9 of that Regulation on the conditions under which electronic health data can be processed. In the case where the user has access to electronic health data (for secondary use of data for one of the purposes defined in this Regulation), the data user should demonstrate its legal basis pursuant to Articles 6(1), points (e) or (f), of Regulation (EU) 2016/679 and explain the specific legal basis on which it relies as part of the application for access to electronic health data pursuant to this Regulation: on the basis of the applicable legislation, where the legal basis under Regulation (EU) 2016/679 is Article 6(1), point (e), or on Article 6(1), point (f), of Regulation (EU) 2016/679. If the user relies upon a legal basis offered by Article 6(1), point (e), it should make reference to another EU or national law, different from this Regulation, mandating the user to process personal health data for the compliance of its tasks. If the lawful ground for processing by the user is Article 6(1), point (f), of Regulation (EU) 2016/679, in this case it is this Regulation that provides the safeguards. In this context, the data permits issued by the health data access bodies are an administrative decision defining the conditions for the access to the data.
(37)  For the secondary use of personal electronic health data for research, innovation, policy making, regulatory purposes, patient safety or the treatment of other natural persons, the possibilities offered by Regulation (EU) 2016/679 for a Union law should be used as a basis for rules and mechanisms providing suitable and specific measures to safeguard the rights and freedoms of the natural persons. For the purpose of processing electronic health data for secondary use, one of the legal bases set out in Article 6(1), points (a), (c), (e) or (f), of Regulation (EU) 2016/679 combined with Article 9(2) of that Regulation should be required. The most relevant processing condition listed in Article 9(2) of Regulation (EU) 2016/679 in this context is that of substantial public interest, the provision of health or social care, public interest in the area of public health and research. Hence, this Regulation provides the legal basis in accordance with Article 6 and Articles 9(2) (g), (h), (i) and (j) of Regulation (EU) 2016/679 for the secondary use of health data, establishing the safeguards for processing, in terms of lawful purposes, trusted governance for providing access to health data (through health data access bodies) and processing in a secure environment, as well as modalities for data processing, set out in the data permit. More specifically, for processing of electronic health data held by the health data holder pursuant to this Regulation, this Regulation creates the legal obligation in the sense of Article 6(1), point (c), of Regulation (EU) 2016/679 for disclosing the data by the health data holder to health data access bodies, while the legal basis for the purpose of the initial processing (e.g. delivery of care) is unaffected. This Regulation assigns tasks in the public interest to the health data access bodies (running the secure processing environment, processing data before they are used, etc.) in the sense of Article 6(1), point (e), of Regulation (EU) 2016/679 and meets the requirements of Article 9(2), points (g) to (j), of the Regulation (EU) 2016/679. At the same time, the health data access body should verify the compliance with Article 6 of Regulation (EU) 2016/679, combined with Article 9(2) thereof, based on which they should be able to issue a data permit for the processing of personal electronic health data pursuant to this Regulation that should fulfil the requirements and conditions set out in Chapter IV of this Regulation.
Amendment 36
Proposal for a regulation
Recital 37 a (new)
(37a)  In the case where the health data user has access to electronic health data for secondary use of data for one of the purposes defined in this Regulation, the health data user should demonstrate the specific legal ground on which it relies as part of the application for access to electronic health data pursuant to this Regulation, namely, on the basis of the applicable law, where the legal basis under Regulation (EU) 2016/679 is Article 6(1), point (e), or Article 6(1), point (f), thereof. If the health data user relies upon the ground provided for in Article 6(1), point (e), it should make reference to another Union or national law, requiring the user to process personal health data for the compliance of its tasks. If the ground for processing by the health data user is Article 6(1), point (f), of Regulation (EU) 2016/679, appropriate and necessary safeguards should be determined in accordance with this Regulation. In this context, the data permits issued by the health data access bodies should be an administrative decision defining the conditions for the access to the data.
Amendment 37
Proposal for a regulation
Recital 38
(38)  In the context of the EHDS, the electronic health data already exists and is being collected by healthcare providers, professional associations, public institutions, regulators, researchers, insurers etc. in the course of their activities. Some categories of data are collected primarily for the provisions of healthcare (e.g. electronic health records, genetic data, claims data, etc.), others are collected also for other purposes such as research, statistics, patient safety, regulatory activities or policy making (e.g. disease registries, policy making registries, registries concerning the side effects of medicinal products or medical devices, etc.). For instance, European databases that facilitate data (re)use are available in some areas, such as cancer (European Cancer Information System) or rare diseases (European Platform on Rare Disease Registration, ERN registries, etc.). These data should also be made available for secondary use. However, much of the existing health-related data is not made available for purposes other than that for which they were collected. This limits the ability of researchers, innovators, policy-makers, regulators and doctors to use those data for different purposes, including research, innovation, policy-making, regulatory purposes, patient safety or personalised medicine. In order to fully unleash the benefits of the secondary use of electronic health data, all data holders should contribute to this effort in making different categories of electronic health data they are holding available for secondary use.
(38)  In the context of the EHDS, the electronic health data already exists and is being collected by healthcare providers, professional associations, public institutions, regulators, researchers, insurers etc. in the course of their activities. Some categories of data are collected primarily for the provisions of healthcare (e.g. electronic health records, genetic data, claims data, etc.), others are collected also for other purposes such as research, statistics, patient safety, regulatory activities or policy making (e.g. disease registries, policy making registries, registries concerning the side effects of medicinal products or medical devices, etc.). For instance, European databases that facilitate data (re)use are available in some areas, such as cancer (European Cancer Information System) or rare diseases (European Platform on Rare Disease Registration, ERN registries, etc.). These data should also be made available for secondary use. However, much of the existing health-related data is not made available for purposes other than that for which they were collected. This limits the ability of researchers, innovators, policy-makers, regulators and doctors to use those data for different purposes, including research, innovation, policy-making, regulatory purposes, patient safety or personalised medicine. In order to fully unleash the benefits of the secondary use of electronic health data, all health data holders should contribute to this effort in making different categories of electronic health data they are holding available for secondary use provided that such effort is always made through effective and secured processes, such as aggregation and randomisation, and with due respect for professional duties, such as confidentiality duties.
Amendment 38
Proposal for a regulation
Recital 39
(39)  The categories of electronic health data that can be processed for secondary use should be broad and flexible enough to accommodate the evolving needs of data users, while remaining limited to data related to health or known to influence health. It can also include relevant data from the health system (electronic health records, claims data, disease registries, genomic data etc.), as well as data with an impact on health (for example consumption of different substances, homelessness, health insurance, minimum income, professional status, behaviour, including environmental factors (for example, pollution, radiation, use of certain chemical substances). They can also include person-generated data, such as data from medical devices, wellness applications or other wearables and digital health applications. The data user who benefits from access to datasets provided under this Regulation could enrich the data with various corrections, annotations and other improvements, for instance by supplementing missing or incomplete data, thus improving the accuracy, completeness or quality of data in the dataset. To support the improvement of the original database and further use of the enriched dataset, the dataset with such improvements and a description of the changes should be made available free of charge to the original data holder. The data holder should make available the new dataset, unless it provides a justified notification against it to the health data access body, for instance in cases of low quality of the enrichment. Secondary use of non-personal electronic data should also be ensured. In particular, pathogen genomic data hold significant value for human health, as proven during the COVID-19 pandemic. Timely access to and sharing of such data has proven to be essential for the rapid development of detection tools, medical countermeasures and responses to public health threats. The greatest benefit from pathogen genomics effort will be achieved when public health and research processes share datasets and work mutually to inform and improve each other.
(39)  The categories of electronic health data that can be processed for secondary use should be broad and flexible enough to accommodate the evolving needs of health data users, while remaining limited to data related to health or known to influence health. It can also include relevant data from the health system (electronic health records, claims data, disease registries, genomic data etc.), as well as data with an impact on health (for example consumption of different substances, socio-economic status, behaviour, including environmental factors (for example, pollution, radiation, use of certain chemical substances). They can also include automatically generated data from medical devices and person-generated data, such as wellness applications. The health data user who benefits from access to datasets provided under this Regulation could enrich the data with various corrections, annotations and other improvements, for instance by supplementing missing or incomplete data, thus improving the accuracy, completeness or quality of data in the dataset. Health data users should be encouraged to report critical errors in datasets to health data access bodies. To support the improvement of the original database and further use of the enriched dataset, the dataset with such improvements and a description of the changes should be made available free of charge to the original data holder. The data holder should make available the new dataset, unless it provides a justified notification against it to the health data access body, for instance in cases of low quality of the enrichment. Secondary use of non-personal electronic data should also be ensured. In particular, pathogen genomic data hold significant value for human health, as proven during the COVID-19 pandemic. Timely access to and sharing of such data has proven to be essential for the rapid development of detection tools, medical countermeasures and responses to public health threats. The greatest benefit from pathogen genomics effort will be achieved when public health and research processes share datasets and work mutually to inform and improve each other.
Amendment 39
Proposal for a regulation
Recital 39 a (new)
(39a)  In order to guarantee trust in the patient-physician relationship, the principle of professional secrecy and the patient's right to confidentiality should be safeguarded when digitalising healthcare services. A relationship of trust between patients and health professionals and healthcare providers and other holders of personal health data is a paramount element of the provision of health or social care or treatment. It is within that context that the patient or the legal representative of the patient should have a say in the processing of their health data for secondary use in the form of a right to opt-out of the processing of all or parts of their health data for secondary use for some or all purposes. An easily understandable and accessible opt-out mechanism in a user-friendly format should be provided for in this regard. However, due to the sensitive nature of human genetic, genomic and proteomic data, data from biobanks and to the nature of the use of data from wellness applications, it is appropriate to provide that the secondary use of such data can only occur following the consent of the natural person concerned in accordance with Article 4(11) of the Regulation (EU) 2016/679. An opt-in mechanism whereby data subjects explicitly consent or give their permission to the processing of part or all of such data for some or all secondary use purposes should be envisaged. Where data subjects explicitly consent to the use of parts or all of this data for some or all secondary use purposes, they should be made aware of the sensitive nature of the data they are sharing. Moreover, it is imperative to provide natural persons with sufficient information regarding their right to opt-out, including on the possibility of reconsidering their choice of opting-out and agreeing to some or all of their health data being processed for secondary use at a later point.
Amendment 40
Proposal for a regulation
Recital 40
(40)  The data holders can be public, non for profit or private health or care providers, public, non for profit and private organisations, associations or other entities, public and private entities that carry out research with regards to the health sector that process the categories of health and health related data mentioned above. In order to avoid a disproportionate burden on small entities, micro-enterprises are excluded from the obligation to make their data available for secondary use in the framework of EHDS. The public or private entities often receive public funding, from national or Union funds to collect and process electronic health data for research, statistics (official or not) or other similar purposes, including in area where the collection of such data is fragmented of difficult, such as rare diseases, cancer etc. Such data, collected and processed by data holders with the support of Union or national public funding, should be made available by data holders to health data access bodies, in order to maximise the impact of the public investment and support research, innovation, patient safety or policy making benefitting the society. In some Member States, private entities, including private healthcare providers and professional associations, play a pivotal role in the health sector. The health data held by such providers should also be made available for secondary use. At the same time, data benefiting from specific legal protection such as intellectual property from medical device companies or pharmaceutical companies often enjoy copyright protection or similar types of protection. However, public authorities and regulators should have access to such data, for instance in the event of pandemics, to verify defective devices and protect human health. In times of severe public health concerns (for example, PIP breast implants fraud) it appeared very difficult for public authorities to get access to such data to understand the causes and knowledge of manufacturer concerning the defects of some devices. The COVID-19 pandemic also revealed the difficulty for policy makers to have access to health data and other data related to health. Such data should be made available for public and regulatory activities, supporting public bodies to carry out their legal mandate, while complying with, where relevant and possible, the protection enjoyed by commercial data. Specific rules in relation to the secondary use of health data should be provided. Data altruism activities may be carried out by different entities, in the context of Regulation […] [Data Governance Act COM/2020/767 final] and taking into account the specificities of the health sector.
(40)  The health data holders in the context of secondary use of electronic health data can be public, non for profit or private health or care providers, public, non for profit and private organisations, associations or other entities, public and private entities that carry out research with regards to the health sector that process the categories of health and health related data mentioned above To the extent that they process personal electronic health data, health data holders are controllers within the meaning of Regulation (EU) 2016/679 in the health or care sector. In order to avoid a disproportionate burden on small entities, micro-enterprises are excluded from the obligation to make their data available for secondary use in the framework of EHDS. Health data access bodies should provide specific support to small enterprises, in particular medical practitioners and pharmacies, in complying with their obligation to make data available for secondary use. The public or private entities often receive public funding, from national or Union funds to collect and process electronic health data for research, statistics (official or not) or other similar purposes, including in area where the collection of such data is fragmented of difficult, such as rare diseases, cancer etc. Such data, collected and processed by health data holders with the support of Union or national public funding, should be made available by health data holders to health data access bodies, in order to maximise the impact of the public investment and support research, innovation, patient safety or policy making benefitting the society. In some Member States, private entities, including private healthcare providers and professional associations, play a pivotal role in the health sector. The health data held by such providers should also be made available for secondary use. At the same time, data benefiting from specific legal protection such as intellectual property from medical device companies or pharmaceutical companies often enjoy copyright protection or similar types of protection and should be made available while taking all necessary measures to protect such rights. However, public authorities and regulators should have access to such data, for instance in the event of pandemics, to verify defective devices and protect human health. In times of severe public health concerns (for example, PIP breast implants fraud) it appeared very difficult for public authorities to get access to such data to understand the causes and knowledge of manufacturer concerning the defects of some devices. The COVID-19 pandemic also revealed the difficulty for policy makers to have access to health data and other data related to health. Such data should be made available for public and regulatory activities, supporting public bodies to carry out their legal mandate, while complying with, where relevant and possible, the protection enjoyed by commercial data. Specific rules in relation to the secondary use of health data should be provided. Data altruism activities may be carried out by different entities, in the context of Regulation […] [Data Governance Act COM/2020/767 final] and taking into account the specificities of the health sector.
Amendment 41
Proposal for a regulation
Recital 40 a (new)
(40a)  Different demographic groups have varying degrees of digital literacy, which can affect natural persons’ ability to exercise their rights to control their electronic health data. In addition to the right for natural persons to authorise another natural person of their choice to access or control their electronic health data on their behalf, Member States should create targeted national digital literacy programmes, including programmes to maximise social inclusion and to ensure all natural persons can effectively exercise their rights under this Regulation. Member States should also provide patient-centric guidance to natural persons in relation to the use of electronic health records and primary use of their personal electronic health data. Guidance should be tailored to the patient’s level of digital health literacy, with specific attention to be given to the needs of vulnerable groups.
Amendment 42
Proposal for a regulation
Recital 40 b (new)
(40b)  Clinical trials and studies are of utmost importance in fostering innovation within the Union for the benefit of Union patients. In order to incentivise continuous Union leadership in this domain, the sharing of the clinical trials data through the EHDS for secondary use should be consistent with the relevant transparency provisions laid down in Union law including Regulation (EU) .../... [proposal for a Regulation on blood, tissue, cells and organs (SoHO) COM(2022)338 final], Regulations (EC) No 726/20041a and (EU) 2019/61b of the European Parliament and of the Council and Directive 2001/83/EC of the European Parliament and of the Council1c regarding veterinary and human medicines and establishing the EMA, Regulation (EC) No 141/2000 of the European Parliament and of the Council1d related to medicinal products for rare diseases (‘orphan medicines’), Regulation (EC) No 1901/2006 of the European Parliament and of the Council1e on medicinal products for children, Regulation (EC) No 1394/2007 of the European Parliament and of the Council1f on advanced therapy medicinal products, Regulation (EU) No 536/2014 of the European Parliament and of the Council1g on clinical trials, Regulation (EU) No 2017/745 and Regulation (EU) No 2017/746.
______
1a Regulation (EC) No 726/2004 of the European Parliament and of the Council of 31 March 2004 laying down Community procedures for the authorisation and supervision of medicinal products for human and veterinary use and establishing a European Medicines Agency (OJ L 136, 30.4.2004, p. 1).
1b Regulation (EU) 2019/6 of the European Parliament and of the Council of 11 December 2018 on veterinary medicinal products and repealing Directive 2001/82/EC (OJ L 4, 7.1.2019, p. 43).
1c Directive 2001/83/EC of the European Parliament and of the Council of 6 November 2001 on the Community code relating to medicinal products for human use (OJ L 311, 28.11.2001, p. 67).
1d Regulation (EC) No 141/2000 of the European Parliament and of the Council of 16 December 1999 on orphan medicinal products (OJ L 18, 22.1.2000, p. 1).
1e Regulation (EC) No 1901/2006 of the European Parliament and of the Council of 12 December 2006 on medicinal products for paediatric use and amending Regulation (EEC) No 1768/92, Directive 2001/20/EC, Directive 2001/83/EC and Regulation (EC) No 726/2004 (OJ L 378, 27.12.2006, p. 1).
1f Regulation (EC) No 1394/2007 of the European Parliament and of the Council of 13 November 2007 on advanced therapy medicinal products and amending Directive 2001/83/EC and Regulation (EC) No 726/2004 (OJ L 324, 10.12.2007, p. 121).
1g Regulation (EU) No 536/2014 of the European Parliament and of the Council of 16 April 2014 on clinical trials on medicinal products for human use, and repealing Directive 2001/20/EC (OJ L 158, 27.5.2014, p. 1).
Amendment 43
Proposal for a regulation
Recital 41
(41)  The secondary use of health data under EHDS should enable the public, private, not for profit entities, as well as individual researchers to have access to health data for research, innovation, policy making, educational activities, patient safety, regulatory activities or personalised medicine, in line with the purposes set out in this Regulation. Access to data for secondary use should contribute to the general interest of the society. Activities for which access in the context of this Regulation is lawful may include using the electronic health data for tasks carried out by public bodies, such as exercise of public duty, including public health surveillance, planning and reporting duties, health policy making, ensuring patient safety, quality of care, and the sustainability of health care systems. Public bodies and Union institutions, bodies, offices and agencies may require to have regular access to electronic health data for an extended period of time, including in order to fulfil their mandate, which is provided by this Regulation. Public sector bodies may carry out such research activities by using third parties, including sub-contractors, as long as the public sector body remain at all time the supervisor of these activities. The provision of the data should also support activities related to scientific research (including private research), development and innovation, producing goods and services for the health or care sectors, such as innovation activities or training of AI algorithms that could protect the health or care of natural persons. In some cases, the information of some natural persons (such as genomic information of natural persons with a certain disease) could support the diagnosis or treatment of other natural persons. There is a need for public bodies to go beyond the emergency scope of Chapter V of Regulation […] [Data Act COM/2022/68 final]. However, the public sector bodies may request the support of health data access bodies for processing or linking data. This Regulation provides a channel for public sector bodies to obtain access to information that they require for fulfilling their tasks assigned to them by law, but does not extend the mandate of such public sector bodies. Any attempt to use the data for any measures detrimental to the natural person, to increase insurance premiums, to advertise products or treatments, or develop harmful products should be prohibited.
(41)  The secondary use of health data under EHDS should enable the public, private, not for profit entities, as well as individual researchers, with a demonstrated link to the field of public health, to have access to health data for research, innovation, policy making, educational activities, patient safety, regulatory activities or personalised medicine, in line with the purposes set out in this Regulation. Access to data for secondary use should contribute to the general interest of the society. In particular, the secondary use of health data for research and development purposes should contribute to a benefit to society in the form of new medicines, medical devices, health care products and services at affordable and fair prices for Union citizens, as well as to enhancing access to and the availability of such products and services in all Member States. Activities for which access in the context of this Regulation is lawful may include using the electronic health data for tasks carried out by public bodies, such as exercise of public duty, including public health surveillance, planning and reporting duties, health policy making, ensuring patient safety, quality of care, and the sustainability of health care systems. Public bodies and Union institutions, bodies, offices and agencies may require to have regular access to electronic health data for an extended period of time, including in order to fulfil their mandate, which is provided by this Regulation. Public sector bodies may carry out such research activities by using third parties, including sub-contractors, as long as the public sector body remain at all time the supervisor of these activities. The provision of the data should also support activities related to scientific research (including private research, development and innovation, producing goods and services for the health or care sectors, such as innovation activities or training of artificial intelligence algorithms that could protect the health or care of natural persons). In some cases, the information of some natural persons (such as genomic information of natural persons with a certain disease) could support the diagnosis or treatment of other natural persons. There is a need for public bodies to go beyond the emergency scope of Chapter V of Regulation […] [Data Act COM/2022/68 final]. However, the public sector bodies may request the support of health data access bodies for processing or linking data. This Regulation provides a channel for public sector bodies to obtain access to information that they require for fulfilling their tasks assigned to them by law, but does not extend the mandate of such public sector bodies. Any attempt to use the data for any measures detrimental to the natural person, to increase insurance premiums, to advertise products or treatments, to automate individual decision-making, to re-identify natural persons, or develop harmful products should be prohibited.
Amendment 44
Proposal for a regulation
Recital 42
(42)  The establishment of one or more health data access bodies, supporting access to electronic health data in Member States, is an essential component for promoting the secondary use of health-related data. Member States should therefore establish one or more health data access body, for instance to reflect their constitutional, organisational and administrative structure. However, one of these health data access bodies should be designated as a coordinator in case there are more than one data access body. Where a Member State establishes several bodies, it should lay down rules at national level to ensure the coordinated participation of those bodies in the EHDS Board. That Member State should in particular designate one health data access body to function as a single contact point for the effective participation of those bodies, and ensure swift and smooth cooperation with other health data access bodies, the EHDS Board and the Commission. Health data access bodies may vary in terms of organisation and size (spanning from a dedicated full-fledged organization to a unit or department in an existing organization) but should have the same functions, responsibilities and capabilities. Health data access bodies should not be influenced in their decisions on access to electronic data for secondary use. However, their independence should not mean that the health data access body cannot be subject to control or monitoring mechanisms regarding its financial expenditure or to judicial review. Each health data access body should be provided with the financial and human resources, premises and infrastructure necessary for the effective performance of its tasks, including those related to cooperation with other health data access bodies throughout the Union. Each health data access body should have a separate, public annual budget, which may be part of the overall state or national budget. In order to enable better access to health data and complementing Article 7(3) of Regulation […] of the European Parliament and of the Council [Data Governance Act COM/2020/767 final], Member States should entrust health data access bodies with powers to take decisions on access to and secondary use of health data. This could consist in allocating new tasks to the competent bodies designated by Member States under Article 7(1) of Regulation […] [Data Governance Act COM/2020/767 final] or in designating existing or new sectoral bodies responsible for such tasks in relation to access to health data.
(42)  The establishment of one or more health data access bodies, supporting access to electronic health data in Member States, is an essential component for promoting the secondary use of health-related data. Member States should therefore establish one or more health data access body, for instance to reflect their constitutional, organisational and administrative structure. However, one of these health data access bodies should be designated as a coordinator in case there are more than one data access body. Where a Member State establishes several bodies, it should lay down rules at national level to ensure the coordinated participation of those bodies in the EHDS Board. That Member State should in particular designate one health data access body to function as a single contact point for the effective participation of those bodies, and ensure swift and smooth cooperation with other health data access bodies, the EHDS Board and the Commission. Health data access bodies may vary in terms of organisation and size (spanning from a dedicated full-fledged organization to a unit or department in an existing organization) but should have the same functions, responsibilities and capabilities. Health data access bodies should not be influenced in their decisions on access to electronic data for secondary use, Members of the governance and decision-making bodies and staff of each health data access body should therefore refrain from any action that is incompatible with their duties and should not engage in any incompatible occupation. However, their independence should not mean that the health data access body cannot be subject to control or monitoring mechanisms regarding its financial expenditure or to judicial review. Each health data access body should be provided with the financial, technical and human resources, ethics bodies, premises and infrastructure necessary for the effective performance of its tasks, including those related to cooperation with other health data access bodies throughout the Union and have separate structures for application processing on the one hand, and anonymisation, pseudonymisation and re-identification on the other hand. Each health data access body should have a separate, public annual budget, which may be part of the overall state or national budget. In order to enable better access to health data and complementing Article 7(3) of Regulation […] of the European Parliament and of the Council [Data Governance Act COM/2020/767 final], Member States should entrust health data access bodies with powers to take decisions on access to and secondary use of health data. This could consist in allocating new tasks to the competent bodies designated by Member States under Article 7(1) of Regulation […] [Data Governance Act COM/2020/767 final] or in designating existing or new sectoral bodies responsible for such tasks in relation to access to health data. Given the central role of the health data access bodies in the context of secondary use of electronic health data, and especially regarding the decision-making on granting or refusing a health data permit and preparing the data to make them available to health data users, the members and staff of such bodies should have the necessary qualifications, experience and skills, including legal and technical expertise as regards the protection of personal data, specifically data concerning health, and expertise in the areas of ethics, healthcare, scientific research, cybersecurity, protection of intellectual property and trade secrets, artificial intelligence and other relevant areas. In addition, the decision-making process regarding the granting or refusal of the health data permit should involve ethical considerations. The staff of health access bodies should not have any conflict of interest that is prejudicial to their independence and the impartiality of their conduct.
Amendment 45
Proposal for a regulation
Recital 43
(43)  The health data access bodies should monitor the application of Chapter IV of this Regulation and contribute to its consistent application throughout the Union. For that purpose, the health data access bodies should cooperate with each other and with the Commission, without the need for any agreement between Member States on the provision of mutual assistance or on such cooperation. The health data access bodies should also cooperate with stakeholders, including patient organisations. Since the secondary use of health data involves the processing of personal data concerning health, the relevant provisions of Regulation (EU) 2016/679 apply and the supervisory authorities under Regulation (EU) 2016/679 and Regulation (EU) 2018/1725 should be tasked with enforcing these rules. Moreover, given that health data are sensitive data and in a duty of loyal cooperation, the health data access bodies should inform the data protection authorities of any issues related to the data processing for secondary use, including penalties. In addition to the tasks necessary to ensure effective secondary use of health data, the health data access body should strive to expand the availability of additional health datasets, support the development of AI in health and promote the development of common standards. They should apply tested techniques that ensure electronic health data is processed in a manner that preserves the privacy of the information contained in the data for which secondary use is allowed, including techniques for pseudonymisation, anonymisation, generalisation, suppression and randomisation of personal data. Health data access bodies can prepare datasets to the data user requirement linked to the issued data permit. This includes rules for anonymization of microdata sets.
(43)  The health data access bodies should monitor the application of Chapter IV of this Regulation and contribute to its consistent application throughout the Union. For that purpose, the health data access bodies should cooperate with each other and with the Commission, without the need for any agreement between Member States on the provision of mutual assistance or on such cooperation. The health data access bodies should also cooperate with stakeholders, including patient organisations. The selection procedure for health stakeholders should be transparent, public and free of any conflict of interest. Since the secondary use of health data involves the processing of personal data concerning health, the relevant provisions of Regulation (EU) 2016/679 apply and the supervisory authorities under Regulation (EU) 2016/679 and Regulation (EU) 2018/1725 should remain the only authorities competent for enforcing these rules. Moreover, given that health data are sensitive data and in a duty of loyal cooperation, the health data access bodies should inform the data protection authorities of any issues related to the data processing for secondary use, including administrative fines and enforcement measures. In addition to the tasks necessary to ensure effective secondary use of health data, the health data access body should strive to expand the availability of additional health datasets, and promote the development of common standards. They should apply tested state-of-the-art techniques that ensure electronic health data is processed in a manner that preserves the privacy of the information contained in the data for which secondary use is allowed, including techniques for pseudonymisation, anonymisation, generalisation, suppression and randomisation of personal data. In that regard, health data access bodies should cooperate across borders and agree on common definitions and techniques. Health data access bodies can prepare datasets to the data user requirement linked to the issued data permit. This includes rules for anonymisation of microdata sets.
Amendment 46
Proposal for a regulation
Recital 44
(44)  Considering the administrative burden for health data access bodies to inform the natural persons whose data are used in data projects within a secure processing environment, the exceptions provided for in Article 14(5) of Regulation (EU) 2016/679 should apply. Therefore, health data access bodies should provide general information concerning the conditions for the secondary use of their health data containing the information items listed in Article 14(1) and, where necessary to ensure fair and transparent processing, Article 14(2) of Regulation (EU) 2016/679, e.g. information on the purpose and the data categories processed. Exceptions from this rule should be made when the results of the research could assist in the treatment of the natural person concerned. In this case, the data user should inform the health data access body, which should inform the data subject or his health professional. Natural persons should be able to access the results of different research projects on the website of the health data access body, ideally in an easily searchable manner. The list of the data permits should also be made public. In order to promote transparency in their operation, each health data access body should publish an annual activity report providing an overview of its activities.
(44)  Health data access bodies should comply with the obligations laid down in Article 14 of Regulation (EU) 2016/679 and inform the natural persons whose data are used in data projects within a secure processing environment. The exceptions provided for in Article 14(5) of Regulation (EU) 2016/679 could apply. Where such exceptions are applied, health data access bodies should provide general information concerning the conditions for the secondary use of their health data containing the information items listed in Article 14(1) and, where necessary to ensure fair and transparent processing, Article 14(2) of Regulation (EU) 2016/679, e.g. information on the purpose and the data categories processed, enabling natural persons to understand whether their data are being made available for secondary use pursuant to data permits. Exceptions from this rule should be made when the results of the research could assist in the treatment of the natural person concerned. In this case, the health data user should inform the health data access body, which should inform the health professional treating the natural person concerned or, in the event that the treating health professional is not traceable, the natural person, with due regard for their stated wish not to be informed, while fully respecting the principles of medical confidentiality and professional secrecy. Natural persons should be able to access the results of different research projects on the website of the health data access body, ideally in an easily searchable manner. The list of the data permits should also be made public. In order to promote transparency in their operation, each health data access body should publish an annual activity report providing an overview of its activities.
Amendment 47
Proposal for a regulation
Recital 46
(46)  In order to support the secondary use of electronic health data, the data holders should refrain from withholding the data, requesting unjustified fees that are not transparent nor proportionate with the costs for making data available (and, where relevant, with marginal costs for data collection), requesting the data users to co-publish the research or other practices that could dissuade the data users from requesting the data. Where ethical approval is necessary for providing a data permit, its evaluation should be based on its own merits. On the other hand, Union institutions, bodies, offices and agencies, including EMA, ECDC and the Commission, have very important and insightful data. Access to data of such institutions, bodies, offices and agencies should be granted through the health data access body where the controller is located.
(46)  In order to support the secondary use of electronic health data, the data holders should refrain from withholding the data, requesting unjustified fees that are not transparent nor proportionate with the costs for making data available (and, where relevant, with marginal costs for data collection), requesting the data users to co-publish the research or other practices that could dissuade the data users from requesting the data. Where ethical approval is necessary for providing a data permit, its evaluation should be based on its own merits. On the other hand, public sector bodies and Union institutions, bodies, offices and agencies with a legal mandate in the field of public health, have very important and insightful data. Access to data of such institutions, bodies, offices and agencies should be granted through the health data access body where the controller is located.
Amendment 48
Proposal for a regulation
Recital 47
(47)  Health data access bodies and single data holders should be allowed to charge fees based on the provisions of Regulation […] [Data Governance Act COM/2020/767 final] in relation to their tasks. Such fees may take into account the situation and interest of SMEs, individual researchers or public bodies. Data holders should be allowed to also charge fees for making data available. Such fees should reflect the costs for providing such services. Private data holders may also charge fees for the collection of data. In order to ensure a harmonised approach concerning fee policies and structure, the Commission may adopt implementing acts. Provisions in Article 10 of the Regulation [Data Act COM/2022/68 final] should apply for fees charged under this Regulation.
(47)  Health data access bodies should be allowed to charge fees based on the applicable provisions under this Regulation and the provisions of Regulations (EU) .../... […] [Data Governance Act COM/2020/767 final] and (EU) .../... […] [Data Act COM/2022/68 final] in relation to their tasks. Such fees may take into account the situation and interest of SMEs, individual researchers or public bodies. Health data holders should be allowed to also charge fees for making data available. Such fees should reflect the costs for providing such services. Private health data holders may also charge fees for the collection of data. In order to ensure a harmonised approach concerning fee policies and structure, the Commission should adopt implementing acts. Provisions in Article 10 of the Regulation [Data Act COM/2022/68 final] should apply for fees charged under this Regulation. Public sector bodies and Union institutions, bodies, offices and agencies with a legal mandate in the field of public health should not be charged fees.
Amendment 49
Proposal for a regulation
Recital 48
(48)  In order to strengthen the enforcement of the rules on the secondary use of electronic health data, appropriate measures that can lead to penalties or temporary or definitive exclusions from the EHDS framework of the data users or data holders that do not comply with their obligations. The health data access body should be empowered to verify compliance and give data users and holders the opportunity to reply to any findings and to remedy any infringement. The imposition of penalties should be subject to appropriate procedural safeguards in accordance with the general principles of law of the relevant Member State, including effective judicial protection and due process.
(48)  In order to strengthen the enforcement of the rules on the secondary use of electronic health data, appropriate measures should be envisaged that can lead to administrative fines or enforcement measures by health data access bodies or temporary or definitive exclusions from the EHDS framework of the health data users or health data holders that do not comply with their obligations. The health data access body should be empowered to verify compliance and give health data users and holders the opportunity to reply to any findings and to remedy any infringement. When deciding on the amount of the administrative fine or enforcement measure for each individual case, health data access bodies should take into account the margins for costs and criteria set out in this Regulation.
Amendment 50
Proposal for a regulation
Recital 49
(49)  Given the sensitivity of electronic health data, it is necessary to reduce risks on the privacy of natural persons by applying the data minimisation principle as set out in Article 5 (1), point (c) of Regulation (EU) 2016/679. Therefore, the use of anonymised electronic health data which is devoid of any personal data should be made available when possible and if the data user asks it. If the data user needs to use personal electronic health data, it should clearly indicate in its request the justification for the use of this type of data for the planned data processing activity. The personal electronic health data should only be made available in pseudonymised format and the encryption key can only be held by the health data access body. Data users should not attempt to re-identify natural persons from the dataset provided under this Regulation, subject to administrative or possible criminal penalties, where the national laws foresee this. However, this should not prevent, in cases where the results of a project carried out based on a data permit has a health benefit or impact to a concerned natural person (for instance, discovering treatments or risk factors to develop a certain disease), the data users would inform the health data access body, which in turn would inform the concerned natural person(s). Moreover, the applicant can request the health data access bodies to provide the answer to a data request, including in statistical form. In this case, the data users would not process health data and the health data access body would remain sole controller for the data necessary to provide the answer to the data request.
(49)  Given the sensitivity of electronic health data, it is necessary to reduce risks on the privacy of natural persons by applying the data minimisation principle as set out in Article 5 (1), point (c) of Regulation (EU) 2016/679. Therefore, common standards for data anonymisation should be further developed and the use of anonymised electronic health data which is devoid of any personal data should be made available when possible. If the data user needs to use personal electronic health data, it should clearly indicate in its request the justification for the use of this type of data for the planned data processing activity and the health data access body should determine the validity of that justification. The personal electronic health data should only be made available in pseudonymised format and the encryption key can only be held by the health data access body. When providing access to an anonymised or pseudonymised dataset, a health data access body should use state-of-the-art anonymisation or pseudonymisation technology, ensuring to the maximum extent possible that natural persons cannot be re-identified. Health data users should not attempt to re-identify natural persons from the dataset provided under this Regulation, subject to administrative fines and the enforcement measures laid down in this Regulation or possible criminal penalties, where the national laws foresee this. However, this should not prevent, in cases where the results of a project carried out based on a data permit has a significant health benefit or impact to a concerned natural person (for instance, discovering treatments or risk factors to develop a certain disease), the health data users to inform the health data access body, which in turn would inform the treating health professional of the concerned natural person or, in the event that the treating health professional is not traceable, the natural person, with due regard for any stated wish not to be informed. To that end, the health data user should be guided by ethical principles, and guidelines from EMA and the ECDC as regards what constitutes a significant finding. Moreover, a health data applicant can request the health data access bodies to provide the answer to a health data request, including in an anonymised or aggregated statistical format. In this case, the health data user would not process health data and the health data access body would remain sole controller for the data necessary to provide the answer to the health data request.
Amendment 51
Proposal for a regulation
Recital 50
(50)  In order to ensure that all health data access bodies issue permits in a similar way, it is necessary to establish a standard common process for the issuance of data permits, with similar requests in different Member States. The applicant should provide health data access bodies with several information elements that would help the body evaluate the request and decide if the applicant may receive a data permit for secondary use of data, also ensuring coherence between different health data access bodies. Such information include: the legal basis under Regulation (EU) 2016/679 to request access to data (exercise of a task in the public interest assigned by law or legitimate interest), purposes for which the data would be used, description of the needed data and possible data sources, a description of the tools needed to process the data, as well as characteristics of the secure environment that are needed. Where data is requested in pseudonymised format, the data applicant should explain why this is necessary and why anonymous data would not suffice. An ethical assessment may be requested based on national law. The health data access bodies and, where relevant data holders, should assist data users in the selection of the suitable datasets or data sources for the intended purpose of secondary use. Where the applicant needs anonymised statistical data, it should submit a data request application, requiring the health data access body to provide directly the result. In order to ensure a harmonised approach between health data access bodies, the Commission should support the harmonisation of data application, as well as data request.
(50)  In order to ensure that all health data access bodies issue permits in a similar way, it is necessary to establish a standard common process for the issuance of data permits, with similar requests in different Member States. The health data applicant should provide health data access bodies with several information elements that would help the body evaluate the application and decide if the applicant may receive a data permit for secondary use of data, also ensuring coherence between different health data access bodies. Such information includes: the legal basis under Regulation (EU) 2016/679 to request access to data (exercise of a task in the public interest assigned by law or legitimate interest), purposes for which the data would be used, the identity of the health data applicant as well as the specific persons who are authorised to have access to the electronic health data in the secure processing environment and how they are qualified vis-à-vis the intended secondary use, description of the needed data and possible data sources, a description of the tools needed to process the data, as well as characteristics of the secure environment that are needed, a description of the safeguards planned to prevent any other use, misuse or possible re-identification, and an explanation of the expected benefits of the secondary use. Where data is requested in pseudonymised format, the health data applicant should explain why this is necessary and why anonymous data would not suffice. An ethical assessment may be requested based on national law. A thorough assessment of the health data access applications and documents submitted by the health data applicant should be required and the health data access body should only issue a data permit if all the conditions set out in this Regulation are met. The health data access body and, where relevant health data holders, should assist health data users in the selection of the suitable datasets or data sources for the intended purpose of secondary use. Where the health applicant needs data in an anonymised and aggregated statistical format, it should submit a data request application, requiring the health data access body to provide directly the result. A refusal of a data permit by the health data body should not preclude the health data applicant from submitting a new data access application. In order to ensure a harmonised approach between health data access bodies and to limit an unnecessary administrative burden for the health data applicants to the greatest extent possible, the Commission should support the harmonisation of health data access applications, as well as health data requests, including by establishing, by means of implementing acts, templates for health data access applications and requests.
Amendment 52
Proposal for a regulation
Recital 50 a (new)
(50a)  A standard ethics assessment should be carried out by ethics bodies within health data access bodies. Such assessment should be an important part of the process. However, where the health data applicant had previously obtained the approval of the competent ethics committee in accordance with national law for research purposes for which they are requesting data through the EHDS, the health data applicant should make that information available to the health data access body as part of the data access application.
Amendment 53
Proposal for a regulation
Recital 51
(51)  As the resources of health data access bodies are limited, they can apply prioritisation rules, for instance prioritising public institutions before private entities, but they should not make any discrimination between the national or from organisations from other Member States within the same category of priorities. The data user should be able to extend the duration of the data permit in order, for example, to allow access to the datasets to reviewers of scientific publication or to enable additional analysis of the dataset based on the initial findings. This would require an amendment of the data permit and may be subject to an additonal fee. However, in all the cases, the data permit should reflect theses additionals uses of the dataset. Preferably, the data user should mention them in their initial request for the issuance of the data permit. In order to ensure a harmonised approach between health data access bodies, the Commission should support the harmonisation of data permit.
(51)  As the resources of health data access bodies are limited, they can apply prioritisation rules, for instance prioritising public institutions before private entities, but they should not make any discrimination between the national or from organisations from other Member States within the same category of priorities. The health data user should be able to extend the duration of the data permit in order, for example, to allow access to the datasets to reviewers of scientific publication or to enable additional analysis of the dataset based on the initial findings. This would require an amendment of the health data permit and may be subject to an additional fee. However, in all the cases, the data permit should reflect theses additional uses of the dataset. Preferably, the health data user should mention them in their initial request for the issuance of the data permit. In order to ensure a harmonised approach between health data access bodies, the Commission should support the harmonisation of data permit.
Amendment 54
Proposal for a regulation
Recital 52
(52)  As the COVID-19 crisis has shown, the Union institutions, bodies, offices and agencies, especially the Commission, need access to health data for a longer period and on a recurring basis. This is may be the case not only in specific circumstances in times of crisis but also to provide scientific evidence and technical support for Union policies on a regular basis. Access to such data may be required in specific Member States or throughout the whole territory of the Union.
(52)  As the COVID-19 crisis has shown, the Union institutions, bodies, offices and agencies with a legal mandate in the field of public health, especially the Commission, need access to health data for a longer period and on a recurring basis. This may be the case not only for specific circumstances stipulated by Union or national law in times of crisis but also to provide scientific evidence and technical support for Union policies on a regular basis. Access to such data may be required in specific Member States or throughout the whole territory of the Union.
Amendment 55
Proposal for a regulation
Recital 53
(53)  For requests to access electronic health data from a single data holder in a single Member State and in order to alieviate the administrative burden for heath data access bodies of managing such request, the data user should be able to request this data directly from the data holder and the data holder should be able to issue a data permit while complying with all the requirements and safeguards linked to such request and permit. Multi-country requests and requests requiring combination of datasets from several data holders should always be channelled through health data access bodies. The data holder should report to the health data access bodies about any data permits or data requests they provide.
deleted
Amendment 56
Proposal for a regulation
Recital 54
(54)  Given the sensitivity of electronic health data, data users should not have an unrestricted access to such data. All secondary use access to the requested electronic health data should be done through a secure processing environment. In order to ensure strong technical and security safeguards for the electronic health data, the health data access body or, where relevant, single data holder should provide access to such data in a secure processing environment, complying with the high technical and security standards set out pursuant to this Regulation. Some Member States took measures to locate such secure environments in Europe. The processing of personal data in such a secure environment should comply with Regulation (EU) 2016/679, including, where the secure environment is managed by a third party, the requirements of Article 28 and, where applicable, Chapter V. Such secure processing environment should reduce the privacy risks related to such processing activities and prevent the electronic health data from being transmitted directly to the data users. The health data access body or the data holder providing this service should remain at all time in control of the access to the electronic health data with access granted to the data users determined by the conditions of the issued data permit. Only non-personal electronic health data which do not contain any electronic health data should be extracted by the data users from such secure processing environment. Thus, it is an essential safeguard to preserve the rights and freedoms of natural persons in relation to the processing of their electronic health data for secondary use. The Commission should assist the Member State in developing common security standards in order to promote the security and interoperability of the various secure environments.
(54)  Given the sensitivity of electronic health data, data users should not have an unrestricted access to such data, in accordance with the data minimisation principle. All secondary use access to the requested electronic health data should be done through a secure processing environment. In order to ensure strong technical and security safeguards for the electronic health data, the health data access body should provide access to such data in a secure processing environment, complying with the high technical and security standards set out pursuant to this Regulation. Some Member States took measures to locate such secure environments in Europe. The processing of personal data in such a secure environment should comply with Regulation (EU) 2016/679, including, where the secure environment is managed by a third party, the requirements of Article 28 and, where applicable, Chapter V. Nevertheless, in order to ensure the proper supervision and security of personal data, such environments need to be located in the Union if they are used to access personal health data. Such secure processing environment should reduce the privacy risks related to such processing activities and prevent the electronic health data from being transmitted directly to the data users. The health data access body or the data holder providing this service should remain at all time in control of the access to the electronic health data with access granted to the data users determined by the conditions of the issued data permit. Only non-personal electronic health data which do not contain any electronic health data should be extracted by the data users from such secure processing environment. Thus, it is an essential safeguard to preserve the rights and freedoms of natural persons in relation to the processing of their electronic health data for secondary use. The Commission should assist the Member State in developing common security standards in order to promote the security and interoperability of the various secure environments.
Amendment 57
Proposal for a regulation
Recital 55
(55)  For the processing of electronic health data in the scope of a granted permit, the health data access bodies and the data users should be joint controllers in the sense of Article 26 of Regulation (EU) 2016/679, meaning that the obligations of joint controllers under that Regulation will apply. To support health data access bodies and data users, the Commission should, by means of an implementing act, provide a template for the joint controller arrangements health data access bodies and data users will have to enter into. In order to achieve an inclusive and sustainable framework for multi-country secondary use of electronic health data, a cross-border infrastructure should be established. HealthData@EU should accelerate the secondary use of electronic health data while increasing legal certainty, respecting the privacy of natural persons and being interoperable. Due to the sensitivity of health data, principles such as “privacy by design” and “bring questions to data instead of moving data” should be respected whenever possible. Authorised participants in HealthData@EU could be health data access bodies, research infrastructures established as an European Research Infrastructure Consortium (‘ERIC’) under Council Regulation (EC) No 723/200950 or similar structures established under another Union legislation, as well as other types of entities, including infrastructures under the European Strategy Forum on Research Infrastructures (ESFRI), infrastructures federated under the European Open Science Cloud (EOSC). Other authorised participants should obtain the approval of the joint controllership group for joining HealthData@EU. On the other hand, HealthData@EU should enable the secondary use of different categories of electronic health data, including linking of the health data with data from other data spaces such as environment, agriculture, social etc. The Commission could provide a number of services within HealthData@EU, including supporting the exchange of information amongst health data access bodies and authorised participants for the handling of cross-border access requests, maintaining catalogues of electronic health data available through the infrastructure, network discoverability and metadata queries, connectivity and compliance services. The Commission may also set up a secure environment, allowing data from different national infrastructures to be transmitted and analysed, at the request of the controllers. The Commission digital strategy promote the linking of the various common European data spaces. For the health sector, interoperability with the sectors such as the environmental, social, agricultural sectors may be relevant for additional insights on health determinants. For the sake of IT efficiency, rationalisation and interoperability of data exchanges, existing systems for data sharing should be reused as much as possible, like those being built for the exchange of evidences under the once only technical system of Regulation (EU) 2018/1724 of the European Parliament and of the Council51 .
(55)  For the processing of electronic health data in the scope of a granted permit, the health data holders, the health data access bodies and the health data users should each, in turn, be deemed a controller for a specific part of the process and according to their respective roles therein. The health data holder should be deemed controller for the disclosure of the requested personal electronic health data to the health data access body, while the health data access body should in turn be deemed controller for the processing of the personal electronic health data when preparing the data and making them available to the health data user. The health data user should be deemed controller for the processing of personal electronic health data in pseudonymised form in the secure processing environment pursuant to its data permit. The health data access body should be deemed a processor for processing carried out by the health data user pursuant to a data permit in the secure processing environment. HealthData@EU should accelerate the secondary use of electronic health data while increasing legal certainty, respecting the privacy of natural persons and being interoperable. Due to the sensitivity of health data, principles such as “privacy by design”, “privacy by default”, and “bring questions to data instead of moving data” should be respected whenever possible. Authorised participants in HealthData@EU could be health data access bodies, research infrastructures established as an European Research Infrastructure Consortium (‘ERIC’) under Council Regulation (EC) No 723/200950 or similar structures established under another Union legislation, as well as other types of entities, including infrastructures under the European Strategy Forum on Research Infrastructures (ESFRI), infrastructures federated under the European Open Science Cloud (EOSC). Other authorised participants should obtain the approval of the joint controllership group for joining HealthData@EU. On the other hand, HealthData@EU should enable the secondary use of different categories of electronic health data, including linking of the health data with data from other data spaces such as environment, agriculture, social etc. The Commission could provide a number of services within HealthData@EU, including supporting the exchange of information amongst health data access bodies and authorised participants for the handling of cross-border access requests, maintaining catalogues of electronic health data available through the infrastructure, network discoverability and metadata queries, connectivity and compliance services. The Commission may also set up a secure environment, allowing data from different national infrastructures to be transmitted and analysed, at the request of the controllers. The Commission digital strategy promote the linking of the various common European data spaces. For the health sector, interoperability with the sectors such as the environmental, social, agricultural sectors may be relevant for additional insights on health determinants. For the sake of IT efficiency, rationalisation and interoperability of data exchanges, existing systems for data sharing should be reused as much as possible, like those being built for the exchange of evidences under the once only technical system of Regulation (EU) 2018/1724 of the European Parliament and of the Council51 .
__________________
__________________
50 Council Regulation (EC) No 723/2009 of 25 June 2009 on the Community legal framework for a European Research Infrastructure Consortium (ERIC) (OJ L 206, 8.8.2009, p. 1).
50 Council Regulation (EC) No 723/2009 of 25 June 2009 on the Community legal framework for a European Research Infrastructure Consortium (ERIC) (OJ L 206, 8.8.2009, p. 1).
51 Regulation (EU) 2018/1724 of the European Parliament and of the Council of 2 October 2018 establishing a single digital gateway to provide access to information, to procedures and to assistance and problem-solving services and amending Regulation (EU) No 1024/2012 (OJ L 295, 21.11.2018, p. 1).
51 Regulation (EU) 2018/1724 of the European Parliament and of the Council of 2 October 2018 establishing a single digital gateway to provide access to information, to procedures and to assistance and problem-solving services and amending Regulation (EU) No 1024/2012 (OJ L 295, 21.11.2018, p. 1).
Amendment 58
Proposal for a regulation
Recital 59
(59)  Information on the quality and utility of datasets increases the value of outcomes from data intensive research and innovation significantly, while, at the same time, promoting evidence-based regulatory and policy decision-making. Improving the quality and utility of datasets through informed customer choice and harmonising related requirements at Union level, taking into account existing Union and international standards, guidelines, recommendations for data collection and data exchange (i.e. FAIR principles: Findable, Accessible, Interoperable and Reusable), benefits also data holders, health professionals, natural persons and the Union economy overall. A data quality and utility label for datasets would inform data users about the quality and utility characteristics of a dataset and enable them to choose the datasets that best fit their needs. The data quality and utility label should not prevent datasets from being made available through the EHDS, but provide a transparency mechanism between data holders and data users. For example, a dataset that does not fulfil any requirement of data quality and utility should be labelled with the class representing the poorest quality and utility, but should still be made available. Expectations set in frameworks described in Article 10 of Regulation […] [AI Act COM/2021/206 final] and its relevant documentation specified in Annex IV should be taken into account when developing the data quality and utility framework. Member States should raise awareness about the data quality and utility label through communication activities. The Commission could support these activities.
(59)  Information on the quality and utility of datasets increases the value of outcomes from data intensive research and innovation significantly, while, at the same time, promoting evidence-based regulatory and policy decision-making. Improving the quality and utility of datasets through informed customer choice and harmonising related requirements at Union level, taking into account existing Union and international standards, guidelines, recommendations for data collection and data exchange (i.e. FAIR principles: Findable, Accessible, Interoperable and Reusable), benefits also data holders, health professionals, natural persons and the Union economy overall. A data quality and utility label for datasets would inform data users about the quality and utility characteristics of a dataset and enable them to choose the datasets that best fit their needs. The data quality and utility label should not prevent datasets from being made available through the EHDS, but provide a transparency mechanism between data holders and data users. For example, a dataset that does not fulfil any requirement of data quality and utility should be labelled with the class representing the poorest quality and utility, but should still be made available. Expectations set in frameworks described in Article 10 of Regulation […] [AI Act COM/2021/206 final] and its relevant documentation specified in Annex IV should be taken into account when developing the data quality and utility framework. The labels should be subject to the evaluation by the health data access bodies. Member States should raise awareness about the data quality and utility label through communication activities. The Commission could support these activities.
Amendment 59
Proposal for a regulation
Recital 61
(61)  Cooperation and work is ongoing between different professional organisations, the Commission and other institutions to set up minimum data fields and other characteristics of different datasets (registries for instance). This work is more advanced in areas such as cancer, rare diseases, and statistics and shall be taken into account when defining new standards. However, many datasets are not harmonised, raising comparability issues and making cross-border research difficult. Therefore, more detailed rules should be set out in implementing acts to ensure a harmonised provision, coding and registration of electronic health data. Member States should work towards delivering sustainable economic and social benefits of European electronic health systems and services and interoperable applications, with a view to achieving a high level of trust and security, enhancing continuity of healthcare and ensuring access to safe and high-quality healthcare.
(61)  Cooperation and work is ongoing between different professional organisations, the Commission and other institutions to set up minimum data fields and other characteristics of different datasets (registries for instance). This work is more advanced in areas such as cancer, rare diseases, cardiovascular and metabolic diseases, risk factor assessment, and statistics and shall be taken into account when defining new standards and disease-specific harmonised templates for structured data elements. However, many datasets are not harmonised, raising comparability issues and making cross-border research difficult. Therefore, more detailed rules should be set out in implementing acts to ensure a harmonised provision, coding and registration of electronic health data. Member States should work towards delivering sustainable economic and social benefits of European electronic health systems and services and interoperable applications, with a view to achieving a high level of trust and security, enhancing continuity of healthcare and ensuring access to safe and high-quality healthcare. Existing health data infrastructures and registries put in place by institutions and stakeholders can contribute to defining and implementing data standards, to ensuring interoperability and should be leveraged to allow for continuity and build on existing expertise.
Amendment 60
Proposal for a regulation
Recital 62 a (new)
(62a)  Improving digital health literacy for both natural persons and their health professionals is key in order to achieve trust, safety and appropriate use of health data and thus to achieve successful implementation of this Regulation. Improving digital health literacy is fundamental in order to empower natural persons to have true control over their health data and actively manage their health and care, and understand the implications of the management of such data for both primary and secondary use. Member States, including regional and local authorities, should therefore support digital health literacy and public awareness, while ensuring that the implementation of this Regulation contributes to reducing inequalities and does not discriminate against people lacking digital skills. Particular attention should be given to persons with disabilities and vulnerable groups including migrants and the elderly. Health professionals and IT operators should have sufficient training in working with new digital infrastructures to ensure cybersecurity and ethical management of health data.
Amendment 61
Proposal for a regulation
Recital 63
(63)  The use of funds should also contribute to attaining the objectives of the EHDS. Public procurers, national competent authorities in the Member States, including digital health authorities and health data access bodies, as well as the Commission should make references to applicable technical specifications, standards and profiles on interoperability, security and data quality, as well as other requirements developed under this Regulation when defining the conditions for public procurement, calls for proposals and allocation of Union funds, including structural and cohesion funds.
(63)  The use of funds should also contribute to attaining the objectives of the EHDS. Public procurers, national competent authorities in the Member States, including digital health authorities and health data access bodies, as well as the Commission should make references to applicable technical specifications, standards and profiles on interoperability, security and data quality, as well as other requirements developed under this Regulation when defining the conditions for public procurement, calls for proposals and allocation of Union funds, including structural and cohesion funds. To procure or fund services provided by controllers and processors established in the Union that process personal electronic health data, they should be required to demonstrate that they will store the data in the Union and that they are not subject to third country law that conflicts with Union data protection rules. Union funds should be distributed transparently and sufficiently among the Member States, ensuring it is adequate and taking into account different levels of health system digitalisation and the costs involved in making national data infrastructures interoperable and compatible with the requirements of the EHDS. Making data available for secondary use requires additional resources for healthcare systems, in particular public systems. That additional burden for public entities should be addressed and minimised to the greatest possible extent during the implementation phase of the EHDS.
Amendment 62
Proposal for a regulation
Recital 63 a (new)
(63a)  The economic costs of implementing this Regulation should be borne at both Member State and Union level, and a fair sharing of that burden between national and Union funds should be found. The initial Union funding to achieve a timely application of the EHDS is limited to what can be mobilised under the 2021-2027 Multiannual Financial Framework (MFF) where EUR 220 million can be made available under the EU4Health and Digital Europe programmes. The successful and coherent application of the EHDS across all Member States will however require higher funding. The implementation of the EHDS requires appropriate investments in capacity building and training and a well-funded commitment to public consultation and engagement. The Commission should therefore mobilise further resources for the EHDS as part of the review of the 2021-2027 MFF and for the forthcoming MFF under the principle that new initiatives should be matched with new funding.
Amendment 63
Proposal for a regulation
Recital 64 a (new)
(64a)  The functioning of the EHDS involves processing of a large quantity of personal and non-personal health data of a highly sensitive nature. Article 8(3) of the Charter of Fundamental Rights of the European Union (the ‘Charter’) requires control over the processing of such health data by an independent authority. The control of the compliance with the requirements of protection and security by an independent supervisory authority, carried out on the basis of Union law, is an essential component of the protection of individuals with regard to the processing of personal data and cannot be fully ensured in the absence of a requirement to retain the electronic health data in question within the Union. Therefore, taking into account the need to mitigate the risks of unlawful access and ineffective supervision, in compliance with the principle of proportionality, this Regulation should require Member States to store electronic health data within the Union. Such storage requirements should ensure a uniform high level of protection for data subjects across the Union, preserve the proper functioning of the internal market, in line with Article 114 TFEU, which constitutes the legal basis of this Regulation, and serve to enhance citizens’ trust in the EHDS.
Amendment 64
Proposal for a regulation
Recital 64 b (new)
(64b)  The obligation to store electronic health data in the Union does not preclude transfers of those data to third countries or international organisations by means of granting access to electronic health data. Access to data through the secure processing environment can entail the transfer of personal data, as defined in Chapter V of Regulation (EU) 2016/679. It is possible to reconcile a general requirement to store personal data in the Union with specific transfers being allowed in compliance with Union law on personal data protection, for instance in the context of scientific research, provision of care or international cooperation. In particular, when personal data are transferred from the Union to controllers, processors or other recipients in third countries or to international organisations, the level of protection of natural persons ensured in the Union under Regulation (EU) 2016/679 should not be undermined, including in cases of onward transfers of personal data from the third country or international organisation to controllers, processors in the same or another third country or international organisation. Transfers of personal health data to third countries and international organisations can only be carried out in full compliance with Chapter V of Regulation (EU) 2016/679. For instance, controllers and processors processing personal electronic health data remain subject to Article 48 of that Regulation on transfers or disclosures not authorised by Union law and should comply with this provision in the case of an access request stemming from a third country. In accordance with the conditions of Article 9(4) of Regulation (EU) 2016/679, Member States can maintain or introduce further conditions, including limitations, in relation to transfers of personal health data to third countries or international organisations.
Amendment 65
Proposal for a regulation
Recital 64 c (new)
(64c)  Access to electronic health data for entities from third countries should take place only on the basis of the reciprocity principle. Making available of health data to a third country can take place only where the Commission has established by means of a delegated act that the third country concerned allows for the use of health data by Union entities under the same conditions and with the same safeguards as within the Union. The Commission should monitor that list and provide for a periodic review thereof. Where the Commission finds that a third country no longer ensures access on the same terms, that third country should be removed from that list.
Amendment 66
Proposal for a regulation
Recital 65
(65)  In order to promote the consistent application of this Regulation, a European Health Data Space Board (EHDS Board) should be set up. The Commission should participate in its activities and chair it. It should contribute to the consistent application of this Regulation throughout the Union, including by helping Member State to coordinate the use of electronic health data for healthcare, certification, but also concerning the secondary use of electronic health data. Given that, at national level, digital health authorities dealing with the primary use of electronic health data may be different to the health data access bodies dealing with the secondary use of electronic health data, the functions are different and there is a need for distinct cooperation in each of these areas, the EHDS Board should be able to set up subgroups dealing with these two functions, as well as other subgroups, as needed. For an efficient working method, the digital health authorities and health data access bodies should create networks and links at national level with different other bodies and authorities, but also at Union level. Such bodies could comprise data protection authorities, cybersecurity, eID and standardisation bodies, as well as bodies and expert groups under Regulations […], […], […] and […] [Data Governance Act, Data Act, AI Act and Cybersecurity Act].
(65)  In order to promote the consistent application of this Regulation, including cross-border interoperability of health data, and potential mechanisms of funding support to ensure equal development of data systems across the Union in respect of the primary and secondary use of electronic health data, a European Health Data Space Board (EHDS Board) should be set up. The Commission should participate in its activities and chair it. The EHDS Board should contribute to the consistent application of this Regulation throughout the Union, including by helping Member State to coordinate the use of electronic health data for healthcare, certification, but also concerning the secondary use of electronic health data. Given that, at national level, digital health authorities dealing with the primary use of electronic health data may be different to the health data access bodies dealing with the secondary use of electronic health data, the functions are different and there is a need for distinct cooperation in each of these areas, the EHDS Board should be able to set up subgroups dealing with these two functions, as well as other subgroups, as needed. For an efficient working method, the digital health authorities and health data access bodies should create networks and links at national level with different other bodies and authorities, but also at Union level. Such bodies could comprise data protection authorities, cybersecurity, eID and standardisation bodies, as well as bodies and expert groups under Regulations […], […], […] and […] [Data Governance Act, Data Act, AI Act and Cybersecurity Act]. The EHDS Board should operate in line with its Code of Conduct, impartially, independently, in the public interest and transparently, with open publication of meeting dates and minutes of its discussions as well as of an annual report. It is furthermore appropriate to lay down sufficient guarantees to ensure that members of the EHDS Board do not have any conflicts of interest.
Amendment 67
Proposal for a regulation
Recital 65 a (new)
(65a)  An advisory forum should be set up to advise the EHDS Board in the fulfilment of its tasks by providing stakeholder input on matters pertaining to this Regulation. The advisory forum should be composed of representatives of patients, consumers, health professionals, industry, scientific researchers and academia. It should have a balanced composition and represent the views of different relevant stakeholders. Both commercial and non-commercial interests should be represented.
Amendment 68
Proposal for a regulation
Recital 66 a (new)
(66a)  Any natural person should have the right to lodge a complaint with a digital health authority or with a health data access body, in particular in the Member State of his or her habitual residence, and the right to an effective judicial remedy in accordance with Article 47 of the Charter if the natural person considers that his or her rights under this Regulation have been infringed or where the digital health authority or health data access body does not act on a complaint, partially or wholly rejects or dismisses a complaint or does not act where such action is necessary to protect the rights of the natural person. The investigation following a complaint should be carried out, subject to judicial review, to the extent that is appropriate in the specific case. The digital health authority or health data access body should inform the natural person of the progress and the outcome of the complaint within a reasonable period. If the case requires further investigation or coordination with another digital health authority or health data access body, intermediate information should be given to the natural person. In order to facilitate the submission of complaints, each digital health authority and health data access body should take measures such as providing a complaint submission form which can also be completed electronically, without excluding the possibility of using other means of communication. Where the complaint concerns the rights of natural persons, the health data access body should inform the supervisory authorities under Regulation (EU) 2016/679 and send them a copy of the complaint .
Amendment 69
Proposal for a regulation
Recital 66 b (new)
(66b)  Where a natural person considers that his or her rights under this Regulation have been infringed, he or she should have the right to mandate a not-for-profit body, organisation or association which is constituted in accordance with the law of a Member State, has statutory objectives which are in the public interest and is active in the field of the protection of personal data, to lodge a complaint on his or her behalf.
Amendment 70
Proposal for a regulation
Recital 66 c (new)
(66c)  Any natural or legal person has the right to bring an action for annulment of decisions of the EHDS Board before the Court of Justice under the conditions provided for in Article 263 TFEU. As addressees of such decisions, the digital health authorities or health data access bodies concerned which wish to challenge them have to bring an action within two months of being notified of them, in accordance with Article 263 TFEU. In accordance with Article 263 TFEU, a health data holder, a health data applicant, a health data user or a complainant can bring an action for annulment against the decisions of the EHDS Board which concern them within two months of their publication on the website of the EHDS Board. Without prejudice to this right under Article 263 TFEU, each natural or legal person should have an effective judicial remedy before the competent national court against a decision of a digital health authority or health data access body which produces legal effects concerning that person. Such a decision concerns in particular the exercise of investigative, corrective and authorisation powers by the health data access body or the dismissal or rejection of complaints. However, the right to an effective judicial remedy does not encompass measures taken by digital health authorities and health data access bodies which are not legally binding, such as opinions issued or advice provided. Proceedings against a digital health authority or health data access body should be brought before the courts of the Member State where the digital health authority or health data access body is established and should be conducted in accordance with that Member State's procedural law. Those courts should exercise full jurisdiction, which should include jurisdiction to examine all questions of fact and law relevant to the dispute before them. Where a complaint has been rejected or dismissed by a digital health authority or health data access body, the complainant can bring proceedings before the courts in the same Member State.
Amendment 71
Proposal for a regulation
Recital 66 d (new)
(66d)  Where a court seised of proceedings against a decision by a digital health authority or health data access body has reason to believe that proceedings concerning the same access to electronic health data by the same health data user, such as for the same purpose for processing for secondary use, are brought before a competent court in another Member State, it should contact that court in order to confirm the existence of such related proceedings. If related proceedings are pending before a court in another Member State, any court other than the court first seised should be able to stay its proceedings or be able to, on request of one of the parties, decline jurisdiction in favour of the court first seised if that court has jurisdiction over the proceedings in question and its law permits the consolidation of such related proceedings. Proceedings should be deemed to be related where they are so closely connected that it is expedient to hear and determine them together in order to avoid the risk of irreconcilable judgments resulting from separate proceedings.
Amendment 72
Proposal for a regulation
Recital 66 e (new)
(66e)  For proceedings against a health data holder or health data user, the plaintiff should have the choice of bringing the action before the courts of the Member States where the health data holder or health data user has an establishment or where the natural person resides, unless the health data holder is a public authority of a Member State acting in the exercise of its public powers.
Amendment 73
Proposal for a regulation
Recital 66 f (new)
(66f)  The digital health authority, health data access body, health data holder or health data user should compensate any damage which a person could suffer as a result of processing that infringes this Regulation. The digital health authority, health data access body, health data holder or health data user should be exempt from liability if it proves that it was not in any way responsible for the damage. The concept of damage should be broadly interpreted in the light of the case law of the Court of Justice in a manner which fully reflects the objectives of this Regulation. This is without prejudice to any claims for damage deriving from the violation of other rules in Union or national law. Processing that infringes this Regulation should also include processing that infringes delegated and implementing acts adopted in accordance with this Regulation and national law specifying rules related to this Regulation. Natural persons should receive full and effective compensation for the damage they have suffered. Where digital health authorities, health data access bodies, health data holders or health data users are involved in the same processing, each actor should be held liable for the entire extent of the damage. However, where they are joined to the same judicial proceedings, in accordance with Member State law, it should be possible to apportion compensation according to the responsibility of each digital health authority, health data access body, health data holder or health data user for the damage caused by the processing, provided that full and effective compensation of the natural person who suffered the damage is ensured. Any digital health authority, health data access body, health data holder or health data user which has paid full compensation should be able to subsequently institute recourse proceedings against other digital health authorities, health data access bodies, health data holders or health data users involved in the same processing.
Amendment 74
Proposal for a regulation
Recital 66 g (new)
(66g)  Where specific rules on jurisdiction are contained in this Regulation, in particular as regards proceedings seeking a judicial remedy including compensation, against a digital health authority, health data access body, health data holder or health data user, general jurisdiction rules such as those of Regulation (EU) No 1215/2012 of the European Parliament and of the Council1a should not prejudice the application of such specific rules.
____________
1a Regulation (EU) No 1215/2012 of the European Parliament and of the Council of 12 December 2012 on jurisdiction and the recognition and enforcement of judgments in civil and commercial matters (OJ L 351, 20.12.2012, p. 1).
Amendment 75
Proposal for a regulation
Recital 66 h (new)
(66h)  In order to strengthen the enforcement of the rules of this Regulation, penalties including administrative fines should be imposed for any infringement of this Regulation, in addition to, or instead of, appropriate measures imposed by the digital health authority or health data access body pursuant to this Regulation. In the case of a minor infringement or if the fine likely to be imposed would constitute a disproportionate burden for a natural person, it should be possible to issue a reprimand instead of a fine. Due regard should however be given to the nature, gravity and duration of the infringement, the intentional character of the infringement, actions taken to mitigate the damage suffered, the degree of responsibility or any relevant previous infringements, the manner in which the infringement became known to the digital health authority or health data access body, compliance with measures ordered against the health data holder or health data user, adherence to a code of conduct and any other aggravating or mitigating factor. The imposition of penalties, including administrative fines, should be subject to appropriate procedural safeguards in accordance with the general principles of Union law and the Charter, including effective judicial protection and due process.
Amendment 76
Proposal for a regulation
Recital 66 i (new)
(66i)  Member States should be able to lay down the rules on criminal penalties for infringements of this Regulation, including for infringements of national rules adopted pursuant to and within the limits of this Regulation. Such criminal penalties could also involve the deprivation of profits obtained through infringements of this Regulation. However, the imposition of criminal penalties for infringements of such national rules and of administrative penalties should not lead to a breach of the principle of ne bis in idem, as interpreted by the Court of Justice.
Amendment 77
Proposal for a regulation
Recital 66 j (new)
(66j)  It is appropriate to lay down provisions enabling health data access bodies to apply administrative fines for certain infringements of this Regulation whereby certain infringements are to be regarded as serious infringements, such as the re-identification of natural persons, downloading personal health data outside of the secure processing environment and processing of data for prohibited uses or outside a data permit. This Regulation should indicate infringements and the upper limit and criteria for setting the related administrative fines, which should be determined by the competent health data access body in each individual case, taking into account all the relevant circumstances of the specific situation, with due regard in particular to the nature, gravity and duration of the infringement and of its consequences and the measures taken to ensure compliance with the obligations under this Regulation and to prevent or mitigate the consequences of the infringement. Where administrative fines are imposed on an undertaking, an undertaking should be understood to be an undertaking in accordance with Articles 101 and 102 TFEU for those purposes. Where administrative fines are imposed on persons that are not an undertaking, the health data access body should take account of the general level of income in the Member State as well as the economic situation of the person in considering the appropriate amount of the fine. The consistency mechanism could also be used to promote the consistent application of administrative fines. It should be for the Member States to determine whether and to which extent public authorities should be subject to administrative fines. Imposing an administrative fine or giving a warning does not affect the application of other powers of the health data access bodies or of other penalties under this Regulation.
Amendment 78
Proposal for a regulation
Recital 66 k (new)
(66k)  The legal systems of Denmark and Estonia do not provide for administrative fines as set out in this Regulation. It should be possible to apply the rules on administrative fines in a manner such that in Denmark the fine is imposed by competent national courts as a criminal penalty, and that in Estonia the fine is imposed by the supervisory authority in the framework of a misdemeanour procedure, provided that such an application of the rules in those Member States has an equivalent effect to administrative fines imposed by supervisory authorities. Therefore the competent national courts should take into account the recommendation by the health data access body initiating the fine. In any event, the fines imposed should be effective, proportionate and dissuasive.
Amendment 79
Proposal for a regulation
Recital 66 l (new)
(66 l)  Where this Regulation does not harmonise administrative penalties or where necessary in other cases, for example in cases of serious infringements of this Regulation, Member States should implement a system which provides for effective, proportionate and dissuasive penalties. The nature of such penalties, criminal or administrative, should be determined by national law.
Amendment 80
Proposal for a regulation
Recital 69 a (new)
(69a)  In accordance with Article 42 of Regulation (EU) 2018/1725, the Commission should, when preparing delegated acts or implementing acts, consult the European Data Protection Supervisor where there is an impact on the protection of individuals’ rights and freedoms with regard to the processing of personal data, and where such an act is of particular importance for the protection of individuals’ rights and freedoms with regard to the processing of personal data, the Commission can also consult the European Data Protection Board. The Commission should moreover consult the European Data Protection Board in the cases specified in Regulation (EU) 2016/679 and when relevant in the context of this Regulation.
Amendment 81
Proposal for a regulation
Recital 70
(70)  Member States should take all necessary measures to ensure that the provisions of this Regulation are implemented, including by laying down effective, proportionate and dissuasive penalties for their infringement. For certain specific infringements, Member States should take into account the margins and criteria set out in this Regulation.
(70)  Member States should take all necessary measures to ensure that the provisions of this Regulation are implemented, including by laying down effective, proportionate and dissuasive penalties for their infringement. When deciding on the amount of the penalty for each individual case Member States should take into account the margins and criteria set out in this Regulation. Re-identification of natural persons should be considered a particularly serious breach of this Regulation. Member States should be able to consider criminalising re-identification by health data users so that it serves as a deterrent measure.
Amendment 82
Proposal for a regulation
Recital 71
(71)  In order to assess whether this Regulation reaches its objectives effectively and efficiently, is coherent and still relevant and provides added value at Union level the Commission should carry out an evaluation of this Regulation. The Commission should carry out a partial evaluation of this Regulation 5 years after its entry into force, on the self-certification of EHR systems, and an overall evaluation 7 years after the entry into force of this Regulation. The Commission should submit reports on its main findings following each evaluation to the European Parliament and to the Council, the European Economic and Social Committee and the Committee of the Regions.
(71)  In order to assess whether this Regulation reaches its objectives effectively and efficiently, is coherent and still relevant and provides added value at Union level the Commission should carry out an evaluation of this Regulation. The Commission should carry out a partial evaluation of this Regulation 5 years after its entry into force, and an overall evaluation 7 years after the entry into force of this Regulation. The Commission should submit reports on its main findings following each evaluation to the European Parliament and to the Council, the European Economic and Social Committee and the Committee of the Regions.
Amendment 83
Proposal for a regulation
Recital 74
(74)  The European Data Protection Supervisor and the European Data Protection Board were consulted in accordance with Article 42 of Regulation (EU) 2018/1725 and delivered an opinion on […].
(74)  The European Data Protection Supervisor and the European Data Protection Board were consulted in accordance with Article 42 of Regulation (EU) 2018/1725 and delivered Joint opinion 03/2022 on 12 July 2022.
Amendment 84
Proposal for a regulation
Recital 76
(76)  Given the need for technical preparation, this Regulation should apply from [12 months after entry into force],
(76)  Given the need for technical preparation, this Regulation should apply from [24 months after entry into force],
Amendment 85
Proposal for a regulation
Article 1 – paragraph 2 – point a
(a)  strengthens the rights of natural persons in relation to the availability and control of their electronic health data;
(a)  specifies the rights of natural persons in relation to the availability, sharing and control of their electronic health data;
Amendment 86
Proposal for a regulation
Article 1 – paragraph 3 – point a
(a)  manufacturers and suppliers of EHR systems and wellness applications placed on the market and put into service in the Union and the users of such products;
(a)  manufacturers and suppliers of EHR systems and wellness applications, and of products claiming interoperability with EHR systems, placed on the market and put into service in the Union and the users of such products;
Amendment 87
Proposal for a regulation
Article 1 – paragraph 4
4.  This Regulation shall be without prejudice to other Union legal acts regarding access to, sharing of or secondary use of electronic health data, or requirements related to the processing of data in relation to electronic health data, in particular Regulations (EU) 2016/679, (EU) 2018/1725, […] [Data Governance Act COM/2020/767 final] and […] [Data Act COM/2022/68 final].
4.  This Regulation shall be without prejudice to other Union legal acts regarding access to, sharing of or secondary use of electronic health data, or requirements related to the processing of data in relation to electronic health data, in particular Regulations (EU) 2016/679, (EU) 2018/1725, (EU) 2022/868 and […] [Data Act COM/2022/68 final] and Directive 2002/58/EC of the European Parliament and of the Council1a.
_____________
1a Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector (Directive on privacy and electronic communications) (OJ L 201, 31.7.2002, p. 37).
Amendment 88
Proposal for a regulation
Article 1 – paragraph 4 a (new)
4a.  References to the provisions of Regulation (EU) 2016/679 shall be understood also as references to the corresponding provisions of Regulation (EU) 2018/1725 for Union institutions and bodies, where relevant.
Amendment 89
Proposal for a regulation
Article 1 – paragraph 5 a (new)
5a.  This Regulation shall be without prejudice to Regulation (EU) No 536/2014 and Directive (EU) 2016/9431a.
_______________
1a Directive (EU) 2016/943 of the European Parliament and of the Council of 8 June 2016 on the protection of undisclosed know-how and business information (trade secrets) against their unlawful acquisition, use and disclosure (OJ L 157, 15.6.2016, p. 1).
Amendment 90
Proposal for a regulation
Article 2 – paragraph 1 – point c
(c)  the definitions of ‘data’, ‘access’, ‘data altruism’, ‘public sector body’ and ‘secure processing environment’, pursuant to Article 2 (1), (8), (10), (11) and (14) of [Data Governance Act COM/2020/767 final];
(c)  the definitions of ‘data’, ‘access’, ‘data altruism’, ‘public sector body’ and ‘secure processing environment’, pursuant to Article 2, points (1), (8), (10), (11) and (14) of Regulation (EU) 2022/868;
Amendment 91
Proposal for a regulation
Article 2 – paragraph 2 – point a
(a)  ‘personal electronic health data’ means data concerning health and genetic data as defined in Regulation (EU) 2016/679, as well as data referring to determinants of health, or data processed in relation to the provision of healthcare services, processed in an electronic form;
(a)  ‘personal electronic health data’ means data concerning health and genetic data as defined in Regulation (EU) 2016/679, that are processed in an electronic form;
Amendment 92
Proposal for a regulation
Article 2 – paragraph 2 – point b
(b)  ‘non-personal electronic health data’ means data concerning health and genetic data in electronic format that falls outside the definition of personal data provided in Article 4(1) of Regulation (EU) 2016/679;
(b)  ‘non-personal electronic health data’ means data concerning health and aggregated genetic data in electronic format that falls outside the definition of personal data provided in Article 4, point (1), of Regulation (EU) 2016/679; where personal and non-personal data in a data set are inextricably linked, the entire dataset shall be processed as personal electronic health data;
Amendment 93
Proposal for a regulation
Article 2 – paragraph 2 – point d
(d)  ‘primary use of electronic health data’ means the processing of personal electronic health data for the provision of health services to assess, maintain or restore the state of health of the natural person to whom that data relates, including the prescription, dispensation and provision of medicinal products and medical devices, as well as for relevant social security, administrative or reimbursement services;
(d)  ‘primary use of electronic health data’ means the processing of electronic health data for the provision of health services to assess, maintain or restore the state of health of the natural person to whom that data relates, including the prescription, dispensation and provision of medicinal products and medical devices, as well as for relevant social security, administrative or reimbursement services;
Amendment 94
Proposal for a regulation
Article 2 – paragraph 2 – point e
(e)  ‘secondary use of electronic health data’ means the processing of electronic health data for purposes set out in Chapter IV of this Regulation. The data used may include personal electronic health data initially collected in the context of primary use, but also electronic health data collected for the purpose of the secondary use;
(e)  ‘secondary use of electronic health data’ means the processing of electronic health data for purposes set out in Chapter IV of this Regulation. The data used may include personal electronic health data initially collected in the context of primary use, but also electronic health data collected for the purpose of Chapter IV of this Regulation;
Amendment 95
Proposal for a regulation
Article 2 – paragraph 2 – point j
(j)  ‘health professional access service’ means a service, supported by an EHR system, that enables health professionals to access data of natural persons under their treatment;
(j)  ‘health professional access service’ means a service, supported by an EHR system, that enables health professionals to access data of natural persons under their care;
Amendment 96
Proposal for a regulation
Article 2 – paragraph 2 – point k
(k)  ‘data recipient’ means a natural or legal person that receives data from another controller in the context of the primary use of electronic health data;
(k)  ‘health data recipient’ means a recipient as defined in Article 4, point (9), of Regulation (EU) 2016/679, in the context of the primary use of electronic health data;
Amendment 97
Proposal for a regulation
Article 2 – paragraph 2 – point l
(l)  ‘telemedicine’ means the provision of healthcare services, including remote care and online pharmacies, through the use of information and communication technologies, in situations where the health professional and the patient (or several health professionals) are not in the same location;
(l)  ‘telemedicine’ means the provision of healthcare services, including remote care through the use of information and communication technologies, in situations where the health professional and the patient (or several health professionals) are not in the same location;
Amendment 98
Proposal for a regulation
Article 2 – paragraph 2 – point m
(m)  ‘EHR’ (electronic health record) means a collection of electronic health data related to a natural person and collected in the health system, processed for healthcare purposes;
(m)  ‘EHR’ (electronic health record) means a collection of electronic health data related to a natural person and collected in the health system, processed for the purpose of the provision of healthcare services;
Amendment 99
Proposal for a regulation
Article 2 – paragraph 2 – point n
(n)  ‘EHR system’ (electronic health record system) means any appliance or software intended by the manufacturer to be used for storing, intermediating, importing, exporting, converting, editing or viewing electronic health records;
(n)  ‘EHR system’ (electronic health record system) means any product (hardware or software) primarily intended by the manufacturer to be used for storing, intermediating, importing, exporting, converting, editing or viewing electronic health records between health professionals or that can be reasonably expected by the manufacturer to be used for those purposes;
Amendment 100
Proposal for a regulation
Article 2 – paragraph 2 – point o
(o)  ‘wellness application’ means any appliance or software intended by the manufacturer to be used by a natural person for processing electronic health data for other purposes than healthcare, such as well-being and pursuing healthy life-styles;
deleted
Amendment 101
Proposal for a regulation
Article 2 – paragraph 2 – point q – introductory part
(q)  ‘serious incident’ means any malfunction or deterioration in the characteristics or performance of an EHR system made available on the market that directly or indirectly leads, might have led or might lead to any of the following:
(q)  ‘serious incident’ means any malfunction or deterioration in the characteristics or performance of an EHR system made available on the market that directly or indirectly leads, has led or is likely to lead to any of the following:
Amendment 102
Proposal for a regulation
Article 2 – paragraph 2 – point q – point i
(i)  the death of a natural person or serious damage to a natural person’s health;
(i)  the death of a natural person or serious damage to a natural person’s health or rights;
Amendment 103
Proposal for a regulation
Article 2 – paragraph 2 – point y
(y)  ‘data holder’ means any natural or legal person, which is an entity or a body in the health or care sector, or performing research in relation to these sectors, as well as Union institutions, bodies, offices and agencies who has the right or obligation, in accordance with this Regulation, applicable Union law or national legislation implementing Union law, or in the case of non-personal data, through control of the technical design of a product and related services, the ability to make available, including to register, provide, restrict access or exchange certain data;
(y)  ‘health data holder’ means any natural or legal person, which is an entity or a body in the health, social security or care sector or in the reimbursement services sector, or performs research in relation to these sectors, as well as Union institutions, bodies, offices and agencies, and which, in accordance with this Regulation, applicable Union law or national legislation implementing Union law:
(i)  is a controller as set out in Regulation (EU) 2016/679 and has the right or obligation, in accordance with this Regulation, applicable Union law or national legislation implementing Union law, to process personal electronic health data; or
(ii)  has the ability to make available, including to register, provide, restrict access or exchange non-personal electronic health data, through control of the technical design of a product and related services;
Amendment 104
Proposal for a regulation
Article 2 – paragraph 2 – point z
(z)  ‘data user’ means a natural or legal person who has lawful access to personal or non-personal electronic health data for secondary use;
(z)  ‘health data user’ means a natural or legal person, as well as a Union institution, body, office or agency, which has been granted lawful access, in accordance with this Regulation, to electronic health data for secondary use pursuant to a data permit or a health data request;
Amendment 105
Proposal for a regulation
Article 2 – paragraph 2 – point z a (new)
(za)  ‘health data applicant’ means any natural or legal person with a demonstrable professional link to the areas of health care, public health or medical research and that submits an application for health data;
Amendment 106
Proposal for a regulation
Article 2 – paragraph 2 – point aa
(aa)  ‘data permit’ means an administrative decision issued to a data user by a health data access body or data holder to process the electronic health data specified in the data permit for the secondary use purposes specified in the data permit based on conditions laid down in this Regulation;
(aa)  ‘health data permit’ means an administrative decision issued to a data user by a health data access body or data holder to process the electronic health data specified in the data permit for the secondary use purposes specified in the data permit based on conditions laid down in this Regulation;
Amendment 107
Proposal for a regulation
Article 2 – paragraph 2 – point a ea (new)
(aea)  ‘wellness application’ means any appliance or software intended by the manufacturer to be used by a natural person for processing electronic health data specifically for providing information on, managing, maintaining or improving the health of individual persons, or the delivery of care.
Amendment 108
Proposal for a regulation
Article 3 – paragraph 2
2.  Natural persons shall have the right to receive an electronic copy, in the European electronic health record exchange format referred to in Article 6, of at least their electronic health data in the priority categories referred to in Article 5.
2.  Natural persons shall have the right to receive an electronic copy, in the European electronic health record exchange format referred to in Article 6, of at least their electronic health data, or at the request of the natural person, a printed copy thereof, in accordance with Article 15(3) of Regulation (EU) 2016/679.
Amendment 109
Proposal for a regulation
Article 3 – paragraph 2 a (new)
2a.  The rights referred to in paragraphs 1 and 2 shall be deemed complementary to and be without prejudice to the rights and obligations established by Article 15 of Regulation (EU) 2016/679.
Amendment 110
Proposal for a regulation
Article 3 – paragraph 3
3.  In accordance with Article 23 of Regulation (EU) 2016/679, Member States may restrict the scope of this right whenever necessary for the protection of the natural person based on patient safety and ethics by delaying their access to their personal electronic health data for a limited period of time until a health professional can properly communicate and explain to the natural person information that can have a significant impact on his or her health.
3.  In accordance with Article 23(1) , point (i), of Regulation (EU) 2016/679, Member States may restrict the scope of rights referred to in this Article whenever necessary for the protection of the natural person based on patient safety and ethics by delaying their access to their personal electronic health data for a limited period of time until a health professional can properly communicate and explain to the natural person information that can have a significant impact on him or her.
Amendment 111
Proposal for a regulation
Article 3 – paragraph 4
4.  Where the personal health data have not been registered electronically prior to the application of this Regulation, Member States may require that such data is made available in electronic format pursuant to this Article. This shall not affect the obligation to make personal electronic health data registered after the application of this Regulation available in electronic format pursuant to this Article.
deleted
Amendment 112
Proposal for a regulation
Article 3 – paragraph 5 – subparagraph 1 – point a
(a)  establish one or more electronic health data access services at national, regional or local level enabling the exercise of rights referred to in paragraphs 1 and 2;
(a)  establish one or more electronic health data access services at national, regional or local level enabling the exercise of rights referred to in this Article;
Amendment 113
Proposal for a regulation
Article 3 – paragraph 5 – subparagraph 1 – point b
(b)  establish one or more proxy services enabling a natural person to authorise other natural persons of their choice to access their electronic health data on their behalf.
(b)  establish one or more proxy services enabling a natural person to legally authorise other natural persons of their choice to access their electronic health data on their behalf for a specified or indeterminate period and if needed, for a specific purpose only, or enabling legal representatives of patients to access electronic health data of the natural persons whose affairs they administer, in accordance with national law.
Amendment 114
Proposal for a regulation
Article 3 – paragraph 5 – subparagraph 2
The proxy services shall provide authorisations free of charge, electronically or on paper. They shall enable guardians or other representatives to be authorised, either automatically or upon request, to access electronic health data of the natural persons whose affairs they administer. Member States may provide that authorisations do not apply whenever necessary for reasons related to the protection of the natural person, and in particular based on patient safety and ethics. The proxy services shall be interoperable among Member States.
The proxy services shall provide authorisations in a transparent and easily understandable way, free of charge, electronically or on paper. Natural persons and those acting on their behalf shall be informed about their authorisation rights, how to exercise them, and what they can expect from the authorisation process.
The electronic health data access services as well as the proxy services shall be easily accessible for persons with disabilities, vulnerable groups or persons with low digital literacy.
The proxy services shall enable legal representatives of patients to be authorised, either automatically or upon request, to access electronic health data of the natural persons whose affairs they administer either for a specific purpose and time period or without limitation for the purpose of such administration. Member States may provide that authorisations do not apply whenever necessary for reasons related to the protection of the natural person, and in particular based on patient safety and ethics. The proxy services shall be interoperable among Member States.
The proxy services shall provide an easy complaint mechanism with a contact point designated to inform individuals of a way to seek redress or remedy if they believe that their authorisation rights have been violated.
Amendment 115
Proposal for a regulation
Article 3 – paragraph 5 a (new)
5a.  In addition to the electronic services referred to in this Article, Member States shall also establish easily accessible support services for natural persons with adequately trained staff dedicated to assisting them with exercising their rights referred to in this Article.
Amendment 116
Proposal for a regulation
Article 3 – paragraph 6
6.  Natural persons may insert their electronic health data in their own EHR or in that of natural persons whose health information they can access, through electronic health data access services or applications linked to these services. That information shall be marked as inserted by the natural person or by his or her representative.
6.  Natural persons may insert their electronic health data in their own EHR or in that of natural persons whose health information they can access, through electronic health data access services and applications linked to these services. That information shall be marked as inserted by the natural person or by their legal representative and as non-validated. That information shall only be considered as a clinical fact if validated by a health professional. Without prejudice to the right to insert data, health professionals shall not be obliged to validate any inserted data in the EHR.
Amendment 117
Proposal for a regulation
Article 3 – paragraph 6 a (new)
6a.  Natural persons shall have the right to download their electronic health data from their own EHR or the data of natural persons whose health information they can access through electronic health data access services and applications linked to these services.
Amendment 118
Proposal for a regulation
Article 3 – paragraph 7
7.  Member States shall ensure that, when exercising the right to rectification under Article 16 of Regulation (EU) 2016/679, natural persons can easily request rectification online through the electronic health data access services referred to in paragraph 5, point (a), of this Article.
7.  Member States shall ensure that electronic health data services referred to in paragraph 5, point (a), of this Article allow for the possibility for natural persons to easily request rectification of their personal data online as a way to exercise their right to rectification under Article 16 of Regulation (EU) 2016/679. Natural persons shall not have the possibility of directly changing data inserted by health professionals. Such rectifications of clinical facts shall be validated, without undue delay, by a registered healthcare professional with a relevant specialisation who is responsible for the natural person’s treatment. The original data holder shall be responsible for the rectification.
Amendment 119
Proposal for a regulation
Article 3 – paragraph 8 – subparagraph 1
Natural persons shall have the right to give access to or request a data holder from the health or social security sector to transmit their electronic health data to a data recipient of their choice from the health or social security sector, immediately, free of charge and without hindrance from the data holder or from the manufacturers of the systems used by that holder.
Natural persons shall have the right to request a health data holder from the health or social security sector or reimbursement services, to transmit all or part of their electronic health data to a health data recipient of their choice from the health or social security sector or reimbursement services, immediately, free of charge and without hindrance from the data holder or from the manufacturers of the systems used by that holder. The health data recipient shall be clearly identified by the natural persons to the health data holder and their affiliation to the health or social security sector shall be demonstrated. Health data holders and their processors shall comply with the request and shall transmit the data in the format provided for in Article 5.
Amendment 120
Proposal for a regulation
Article 3 – paragraph 8 – subparagraph 2
Natural persons shall have the right that, where the data holder and the data recipient are located in different Member States and such electronic health data belongs to the categories referred to in Article 5, the data holder shall transmit the data in the European electronic health record exchange format referred to in Article 6 and the data recipient shall read and accept it.
Natural persons shall have the right that, where the health data holder and the health data recipient are located in different Member States and such electronic health data belongs to the categories referred to in Article 5, the health data holder shall transmit the data in the European electronic health record exchange format referred to in Article 6 and the health data recipient shall read and accept it.
Amendment 121
Proposal for a regulation
Article 3 – paragraph 8 – subparagraph 3
By way of derogation from Article 9 of Regulation […] [Data Act COM/2022/68 final], the data recipient shall not be required to compensate the data holder for making electronic heath data available.
By way of derogation from Article 9 of Regulation […] [Data Act COM/2022/68 final], the health data recipient shall not be required to compensate the health data holder for making electronic health data available. A health data holder, a health data recipient or a third party shall not directly or indirectly charge data subjects a fee, compensation or costs for sharing data or accessing it.
Amendment 122
Proposal for a regulation
Article 3 – paragraph 9
9.  Notwithstanding Article 6(1), point (d), of Regulation (EU) 2016/679, natural persons shall have the right to restrict access of health professionals to all or part of their electronic health data. Member States shall establish the rules and specific safeguards regarding such restriction mechanisms.
9.  Without prejudice to Article 6(1), point (d), of Regulation (EU) 2016/679, natural persons shall have the right to restrict access of specific health professionals or categories of health professionals to all or part of their electronic health data. When restricting the information, natural persons shall be made aware that restricting access may impact the provision of healthcare provided to them. Such restrictions shall apply also for cross-border transfers of electronic health data. The fact that a restriction has been made by the natural person shall not be visible to healthcare providers.
Member States shall establish the rules and specific safeguards regarding such restriction mechanisms. Those rules shall include the possibility of modifying restrictions and of restricting access to anyone except the health professional who inserted the electronic health data. Those rules shall also establish the conditions of medical liability as a consequence of applying restrictions to electronic health data. The Commission shall establish guidelines regarding the implementation of this paragraph.
Amendment 123
Proposal for a regulation
Article 3 – paragraph 10
10.  Natural persons shall have the right to obtain information on the healthcare providers and health professionals that have accessed their electronic health data in the context of healthcare. The information shall be provided immediately and free of charge through electronic health data access services.
10.  Natural persons shall have the right to obtain information, including through automatic notifications, on the healthcare providers and health professionals that have accessed their electronic health data, including access provided in accordance with Article 4(4), and on the substance of the accessed data. Natural persons shall have the possibility of disabling those notifications. In order to demonstrate compliance with this right, all relevant entities shall maintain a system of automated recording for at least three years showing who and when has accessed electronic health data. The information shall be provided immediately and free of charge through electronic health data access services. Member States may provide for restrictions to this right in exceptional circumstances, where there are factual indications that disclosure would endanger the vital interests or rights of the health professional or the care of the natural person.
Amendment 124
Proposal for a regulation
Article 3 – paragraph 11
11.  The supervisory authority or authorities responsible for monitoring the application of Regulation (EU) 2016/679 shall also be responsible for monitoring the application of this Article, in accordance with the relevant provisions in Chapters VI, VII and VIII of Regulation (EU) 2016/679. They shall be competent to impose administrative fines up to the amount referred to in Article 83(5) of that Regulation. Those supervisory authorities and the digital health authorities referred to in Article 10 of this Regulation shall, where relevant, cooperate in the enforcement of this Regulation, within the remit of their respective competences.
11.  The supervisory authority or authorities responsible for monitoring the application of Regulation (EU) 2016/679 shall also be responsible for monitoring the application of this Article, in accordance with the relevant provisions in Chapters VI, VII and VIII of Regulation (EU) 2016/679.
Amendment 125
Proposal for a regulation
Article 3 – paragraph 12
12.  The Commission shall, by means of implementing acts, determine the requirements concerning the technical implementation of the rights set out in this Article. Those implementing acts shall be adopted in accordance with the advisory procedure referred to in Article 68(2).
12.  The Commission shall, by means of implementing acts, determine the requirements concerning the technical implementation of the rights set out in this Article, including technical and organisational measures to ensure the process of authentication of the authorised person referred to in paragraph 5, point (b), of this Article. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 68(2a).
Amendment 126
Proposal for a regulation
Article 3 – paragraph 12 a (new)
12a.  Member States, including regional and local authorities, shall provide easily understandable information to natural persons in relation to the use of the electronic health records and primary use of their personal electronic health data laid down in this Article. Such guidance shall take into account different user groups, including persons with disabilities and vulnerable groups, without compromising the quality and the scope of the information.
Amendment 127
Proposal for a regulation
Article 4 – paragraph -1 (new)
-1.  Access to EHR for primary use shall be strictly limited to healthcare providers.
Amendment 128
Proposal for a regulation
Article 4 – paragraph 1 – point a
(a)  have access to the electronic health data of natural persons under their treatment, irrespective of the Member State of affiliation and the Member State of treatment;
(a)  have access, based on the data minimisation and purpose limitation principles, to the electronic health data of natural persons under their treatment and exclusively for the purpose of that treatment, including relevant administration, irrespective of the Member State of affiliation and the Member State of treatment, in accordance with Article 9(2), point (h), of Regulation 2016/679;
Amendment 129
Proposal for a regulation
Article 4 – paragraph 2
2.  In line with the data minimisation principle provided for in Regulation (EU) 2016/679, Member States may establish rules providing for the categories of personal electronic health data required by different health professions. Such rules shall not be based on the source of electronic health data.
2.  In line with the data minimisation and purpose limitation principles provided for in Regulation (EU) 2016/679, Member States shall establish rules providing for the categories of personal electronic health data required by different categories of health professions or different healthcare tasks. Such rules shall not be based on the source of electronic health data.
Amendment 130
Proposal for a regulation
Article 4 – paragraph 2 a (new)
2a.  In the case of treatment in a Member State other than the Member State of affiliation, the rules referred to in paragraphs 1a and 2 of the Member States of treatment shall apply.
Amendment 131
Proposal for a regulation
Article 4 – paragraph 2 b (new)
2b.  The Commission shall issue guidelines for the implementation of paragraphs 1, 2 and 2a, including time limitations for the access by health professionals to electronic health data of natural persons.
Amendment 132
Proposal for a regulation
Article 4 – paragraph 3
3.  Member States shall ensure that access to at least the priority categories of electronic health data referred to in Article 5 is made available to health professionals through health professional access services. Health professionals who are in possession of recognised electronic identification means shall have the right to use those health professional access services, free of charge.
3.  Member States and, where appropriate, local or regional authorities shall ensure that access to at least the priority categories of electronic health data referred to in Article 5 is made available to health professionals, including for cross-border care, through health professional access services, where the processing of health data is necessary and for the purposes of Article 9(2), point (h), of Regulation 2016/679. Health professionals who are in possession of recognised electronic identification means shall have the right to use those health professional access services, free of charge.
The electronic health data in the electronic health records shall be structured in a user-friendly manner to allow for easy use by health professionals.
Amendment 133
Proposal for a regulation
Article 4 – paragraph 3 a (new)
3a.  Member States shall establish policies aimed at providing health professionals with the digital skills, competences, infrastructures and tools required to fulfil the obligations set out in paragraph 1.
Amendment 134
Proposal for a regulation
Article 4 – paragraph 4
4.  Where access to electronic health data has been restricted by the natural person, the healthcare provider or health professionals shall not be informed of the content of the electronic health data without prior authorisation by the natural person, including where the provider or professional is informed of the existence and nature of the restricted electronic health data. In cases where processing is necessary in order to protect the vital interests of the data subject or of another natural person, the healthcare provider or health professional may get access to the restricted electronic health data. Following such access, the healthcare provider or health professional shall inform the data holder and the natural person concerned or his/her guardians that access to electronic health data had been granted. Member States’ law may add additional safeguards.
4.  Where access to electronic health data has been restricted by the natural person, the healthcare provider or health professionals shall not be informed of the restricted content of the electronic health data without prior explicit consent pursuant to Article 9(2), point (a), of Regulation (EU) 2016/679 by the natural person. In cases where processing is necessary in order to protect the vital interests of the data subject or of another natural person, the healthcare provider or health professional may get access to the restricted electronic health data. Following such access, the healthcare provider or health professional shall inform the data holder and the natural person concerned or his/her guardians that access to electronic health data had been granted. Member States’ law may add additional safeguards.
Amendment 135
Proposal for a regulation
Article 5 – paragraph 1 – subparagraph 1 – introductory part
Where data is processed in electronic format, Member States shall implement access to and exchange of personal electronic health data for primary use fully or partially falling under the following categories:
1.  Where data is processed in electronic format, Member States shall implement access to and exchange of personal electronic health data for primary use fully or partially falling under the following categories making use of the International Classification of Diseases (ICD) codes, where applicable:
Amendment 136
Proposal for a regulation
Article 5 – paragraph 1 – subparagraph 1 – point e
(e)  laboratory results;
(e)  laboratory results, medical test results and other complementary and diagnostic results;
Amendment 137
Proposal for a regulation
Article 5 – paragraph 1 – subparagraph 1 – point f
(f)  discharge reports.
(f)  patient discharge reports;
Amendment 138
Proposal for a regulation
Article 5 – paragraph 1 – subparagraph 1 – point f a (new)
(fa)  medical directives of the natural persons and information about consent for substances of human origin and organ donations.
Amendment 139
Proposal for a regulation
Article 5 – paragraph 1 – subparagraph 2
The main characteristics of the categories of electronic health data in the first subparagraph shall be as set out in Annex I.
The main characteristics of the categories of electronic health data in the first subparagraph shall be as set out in Annex I and limited to those categories.
Amendment 140
Proposal for a regulation
Article 5 – paragraph 1 – subparagraph 3
Access to and exchange of electronic health data for primary use may be enabled for other categories of personal electronic health data available in the EHR of natural persons.
Member States may provide for access to and exchange of electronic health data for primary use for other categories of personal electronic health data available in the EHR of natural persons.
Amendment 141
Proposal for a regulation
Article 5 – paragraph 2
2.  The Commission is empowered to adopt delegated acts in accordance with Article 67 to amend the list of priority categories of electronic health data in paragraph 1. Such delegated acts may also amend Annex I by adding, modifying or removing the main characteristics of the priority categories of electronic health data and indicating, where relevant, deferred application date. The categories of electronic health data added through such delegated acts shall satisfy the following criteria:
2.  The Commission is empowered to adopt delegated acts in accordance with Article 67 to amend Annex I by adding, modifying or removing the main characteristics of the priority categories of electronic health data, as laid down in paragraph 1.
(a)  the category is relevant for health services provided to natural persons;
(b)  according to the most recent information, the category is used in a significant number of EHR systems used in Member States;
(c)  international standards exist for the category that have been examined for the possibility of their application in the Union.
Amendment 142
Proposal for a regulation
Article 6 – paragraph 1 – introductory part
1.  The Commission shall, by means of implementing acts, lay down the technical specifications for the priority categories of personal electronic health data referred to in Article 5, setting out the European electronic health record exchange format. The format shall include the following elements:
1.  The Commission shall, by means of implementing acts, lay down the technical specifications for the priority categories of personal electronic health data referred to in Article 5, setting out the European electronic health record exchange format, taking into account its Recommendation (EU) 2019/243. The format shall include the following elements:
Amendment 143
Proposal for a regulation
Article 6 – paragraph 1 – point a
(a)  datasets containing electronic health data and defining structures, such as data fields and data groups for the content representation of clinical content and other parts of the electronic health data;
(a)  harmonised datasets containing electronic health data and defining structures, such as minimum data fields and data groups for the content representation of clinical content and other parts of the electronic health data, which can be enlarged to include disease-specific data;
Amendment 144
Proposal for a regulation
Article 6 – paragraph 1 – point c
(c)  technical specifications for the exchange of electronic health data, including its content representation, standards and profiles.
(c)  technical interoperability specifications for the exchange of electronic health data, including its content representation, standards and profiles, and for the translation of electronic health data.
Amendment 145
Proposal for a regulation
Article 6 – paragraph 1 – subparagraph 1 (new)
The Commission shall ensure that those implementing acts contain the latest versions of healthcare coding systems and nomenclatures and that they are updated regularly in order to keep up with the revisions of the healthcare coding systems and nomenclatures.
Amendment 146
Proposal for a regulation
Article 6 – paragraph 2
2.  Those implementing acts shall be adopted in accordance with the advisory procedure referred to in Article 68(2). Member States shall ensure that where the priority categories of personal electronic health data referred to in Article 5 are provided by a natural person directly or transmitted to a healthcare provider by automatic means in the format referred to in paragraph 1, such data shall be read and accepted by the data recipient.
2.  Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 68(2a).
Amendment 147
Proposal for a regulation
Article 6 – paragraph 3
3.  Member States shall ensure that the priority categories of personal electronic health data referred to in Article 5 are issued in the format referred to in paragraph 1 and such data shall be read and accepted by the data recipient.
3.  Member States shall ensure that the priority categories of personal electronic health data referred to in Article 5 are issued in the format referred to in paragraph 1 across the continuum of care and such data shall be read and accepted by the data recipient.
Amendment 148
Proposal for a regulation
Article 7 – paragraph 1
1.  Member States shall ensure that, where data is processed in electronic format, health professionals systematically register the relevant health data falling under at least the priority categories referred to in Article 5 concerning the health services provided by them to natural persons, in the electronic format in an EHR system.
1.  Member States shall ensure that, where health data is processed, health professionals register the relevant health data falling under at least the priority categories referred to in Article 5 concerning the health services provided by them to natural persons, in the electronic format in an EHR system.
Amendment 555
Proposal for a regulation
Article 7 – paragraph 1 a (new)
1a.   Member States may provide for natural persons to have the right to object to the registration of their personal health data in an EHR system.
If a Member State provides for such a right, it shall establish the rules and specific safeguards regarding such objection mechanisms.
Amendment 149
Proposal for a regulation
Article 7 – paragraph 3 – subparagraph 1
3.  The Commission shall, by means of implementing acts, determine the requirements for the registration of electronic health data by healthcare providers and natural persons, as relevant. Those implementing acts shall establish the following:
3.  The Commission shall adopt delegated acts in accordance with Article 67 to supplement this Regulation by determining the data quality requirements for the electronic registration of health data by healthcare providers and natural persons, as relevant.
(a)  categories of healthcare providers that are to register health data electronically;
(b)  categories of health data that are to be registered systematically in electronic format by healthcare providers referred to in point (a);
(c)  data quality requirements pertaining to the electronic registration of health data.
Amendment 150
Proposal for a regulation
Article 7 – paragraph 3 – subparagraph 2
Those implementing acts shall be adopted in accordance with the advisory procedure referred to in Article 68(2).
When health data are registered or updated, electronic health records shall identify the health professional, time and health care provider that carried out the registration or the update. Member States may provide for other aspects of data registration to be recorded.
Amendment 151
Proposal for a regulation
Article 7 – paragraph 3 a (new)
3a.  Where the personal health data have not been registered electronically prior to the application of this Regulation, Member States may require that such data be made available in electronic format pursuant to this Article. This shall not affect the obligation to make personal electronic health data, registered after the application of this Regulation, available in electronic format, pursuant to this Article.
Amendment 152
Proposal for a regulation
Article 8 – paragraph 1
Where a Member State accepts the provision of telemedicine services, it shall, under the same conditions, accept the provision of the services of the same type by healthcare providers located in other Member States.
Where a Member State accepts the provision of telemedicine services, it shall, under the same conditions and in a non-discriminatory manner, accept the provision of the services of the same type by healthcare providers located in other Member States, without prejudice to the same rights and obligations to access and register electronic health data.
Amendment 153
Proposal for a regulation
Article 9 – paragraph 1
1.  Where a natural person uses telemedicine services or personal health data access services referred to in Article 3(5), point (a), that natural person shall have the right to identify electronically using any electronic identification means which is recognised pursuant to Article 6 of Regulation (EU) No 910/2014.
1.  Where a natural person or a health professional uses, telemedicine services or personal health data access services referred to in Article 3(5), point (a), Article 4(3) and where applicable, Article 8 that natural person or health professional shall have the right to identify electronically using any electronic identification means which is recognised pursuant to Article 6 of Regulation (EU) No 910/2014, including eID schemes where such systems are offered.
Amendment 154
Proposal for a regulation
Article 9 – paragraph 2
2.  The Commission shall, by means of implementing acts, determine the requirements for the interoperable, cross-border identification and authentication mechanism for natural persons and health professionals, in accordance with Regulation (EU) No 910/2014 as amended by [COM(2021) 281 final]. The mechanism shall facilitate the transferability of electronic health data in a cross-border context. Those implementing acts shall be adopted in accordance with the advisory procedure referred to in Article 68(2).
2.  The Commission shall adopt delegated acts in accordance with Article 67 to supplement this Regulation by determining the requirements for the interoperable, cross-border identification and authentication mechanism for natural persons and health professionals, in accordance with Regulation (EU) No 910/2014. The mechanism shall facilitate the transferability of electronic health data in a cross-border context.
Amendment 155
Proposal for a regulation
Article 9 – paragraph 3
3.  The Commission shall implement services required by the interoperable, cross-border identification and authentication mechanism referred to in paragraph 2 of this Article at Union level, as part of the cross-border digital health infrastructure referred to in Article 12(3).
3.  The Commission, in cooperation with Member States, shall implement services required by the interoperable, cross-border identification and authentication mechanism referred to in paragraph 2 of this Article at Union level, as part of the cross-border digital health infrastructure referred to in Article 12(3).
Amendment 156
Proposal for a regulation
Article 9 – paragraph 4
4.  The digital health authorities and the Commission shall implement the cross-border identification and authentication mechanism at Union and Member States’ level, respectively.
4.  Member States’ competent authorities and the Commission shall implement the cross-border identification and authentication mechanism at Union and Member States’ level, respectively, in accordance with Regulation (EU) No 910/2014.
Amendment 157
Proposal for a regulation
Article 10 – paragraph 2 – introductory part
2.  Each digital health authority shall be entrusted with the following tasks:
2.  Each digital health authority shall be entrusted with the following tasks and powers:
Amendment 158
Proposal for a regulation
Article 10 – paragraph 2 – point b
(b)  ensure that complete and up to date information about the implementation of rights and obligations provided for in in Chapters II and III is made readily available to natural persons, health professionals and healthcare providers;
(b)  ensure that complete and up to date information about the implementation of rights and obligations provided for in in Chapters II and III is made readily available to natural persons, health professionals and healthcare providers and that appropriate training initiatives are undertaken at the local, regional and national level;
Amendment 159
Proposal for a regulation
Article 10 – paragraph 2 – point h
(h)  contribute, at Union level, to the development of the European electronic health record exchange format and to the elaboration of common specifications addressing interoperability, security, safety or fundamental right concerns in accordance with Article 23 and of the specifications of the EU database for EHR systems and wellness applications referred to in Article 32;
(h)  contribute, at Union level, and, where relevant, in cooperation at local and regional level within the Member States, to the development of the European electronic health record exchange format and to the elaboration of common specifications addressing quality, interoperability, security, safety, ease of use, accessibility, non-discrimination or fundamental right concerns in accordance with Article 23 and of the specifications of the EU database for EHR systems and wellness applications referred to in Article 32;
Amendment 160
Proposal for a regulation
Article 10 – paragraph 2 – point k
(k)  offer, in compliance with national legislation, telemedicine services and ensure that such services are easy to use, accessible to different groups of natural persons and health professionals, including natural persons with disabilities, do not discriminate and offer the possibility of choosing between in person and digital services;
(k)  offer, in compliance with national legislation, telemedicine services and ensure that such services are easy to use, accessible and equitable to different groups of natural persons and health professionals, including natural persons with disabilities, under the same non-discriminatory conditions and offer the possibility of choosing between in person and digital services;
Amendment 161
Proposal for a regulation
Article 10 – paragraph 2 – point m
(m)  cooperate with other relevant entities and bodies at national or Union level, to ensure interoperability, data portability and security of electronic health data, as well as with stakeholders representatives, including patients’ representatives, healthcare providers, health professionals, industry associations;
(m)  cooperate with other relevant entities and bodies at local, regional, national or Union level, to ensure interoperability, data portability and security of electronic health data;
Amendment 162
Proposal for a regulation
Article 10 – paragraph 3
3.  The Commission is empowered to adopt delegated acts in accordance with Article 67 to supplement this Regulation by entrusting the digital health authorities with additional tasks necessary to carry out the missions conferred on them by this Regulation and to modify the content of the annual report.
deleted
Amendment 163
Proposal for a regulation
Article 10 – paragraph 3 a (new)
3a.  The digital health authorities and the data protection authorities shall consult each other and cooperate in the enforcement of this Regulation, within the remit of their respective competences.
Amendment 164
Proposal for a regulation
Article 10 – paragraph 5
5.  In the performance of its tasks, the digital health authority shall actively cooperate with stakeholders’ representatives, including patients’ representatives. Members of the digital health authority shall avoid any conflicts of interest.
5.  Members of the digital health authority shall avoid any conflicts of interest. Members shall not have financial or other interests in industries or economic activities which could affect their impartiality. They shall undertake to act in the public interest and in an independent manner, and shall make an annual declaration of their financial interests. All indirect interests which could relate to such industries or economic activities shall be entered in a register available to the public, upon request. The Commission may adopt guidance on what is likely to constitute a conflict of interest together with the procedure to be followed in such cases.
Amendment 165
Proposal for a regulation
Article 10 – paragraph 5 a (new)
5a.  In the performance of their tasks, the digital health authorities shall actively cooperate and consult with relevant stakeholders’ representatives, including patients’ representatives, health care providers and health professionals’ representatives, including health professional associations, consumer organisations and industry associations. Stakeholders shall declare any conflict of interest.
Amendment 166
Proposal for a regulation
Article 11 – paragraph 1
1.  Without prejudice to any other administrative or judicial remedy, natural and legal persons shall have the right to lodge a complaint, individually or, where relevant, collectively, with the digital health authority. Where the complaint concerns the rights of natural persons pursuant to Article 3 of this Regulation, the digital health authority shall inform the supervisory authorities under Regulation (EU) 2016/679.
1.  Without prejudice to any other administrative or judicial remedy, natural and legal persons shall have the right to lodge a complaint, individually or, where relevant, collectively, with the digital health authority, where their rights laid down in this Regulation are affected. Where the complaint concerns the rights of natural persons pursuant to Article 3 of this Regulation or Regulation (EU) 2016/679, the digital health authority shall send a copy of the complaint to and consult with the competent supervisory authority under Regulation (EU) 2016/679 in order to facilitate its assessment and investigation. The decision of the digital health authority shall not prejudice any measures taken by the data protection authorities, which shall be competent to treat the complaint in separate proceedings, pursuant to their tasks and powers under Regulation (EU) 2016/679.
Amendment 167
Proposal for a regulation
Article 11 – paragraph 2
2.  The digital health authority with which the complaint has been lodged shall inform the complainant of the progress of the proceedings and of the decision taken.
2.  The digital health authority with which the complaint has been lodged shall inform the complainant of the progress of the proceedings and of the decision taken, including, where applicable, that the complaint was referred to the relevant supervisory authority under Regulation (EU) 2016/679, and that the supervisory authority will, from that moment on, be the sole point of contact for the complainant in that matter.
Amendment 168
Proposal for a regulation
Article 11 – paragraph 3 a (new)
3a.  Each digital health authority shall facilitate submitting complaints, in particular by providing a complaint submission form which can also be completed electronically, without excluding the possibility of using other means of communication.
Amendment 169
Proposal for a regulation
Article 11 a (new)
Article 11a
Right to an effective judicial remedy against a digital health authority
1.  Without prejudice to any other administrative or non-judicial remedy, each natural or legal person shall have the right to an effective judicial remedy against a legally binding decision of a digital health authority concerning them.
2.  Without prejudice to any other administrative or non-judicial remedy, each natural or legal person shall have the right to an effective judicial remedy where the digital health authority which is competent pursuant to Article 10 does not handle a complaint or does not inform the natural or legal person within three months about the progress or outcome of the complaint lodged pursuant to Article 11.
3.  Proceedings against a digital health authority shall be brought before the courts of the Member States where the digital health authority is established.
Amendment 170
Proposal for a regulation
Article 12 – paragraph 4
4.  The Commission shall, by means of implementing acts, adopt the necessary measures for the technical development of MyHealth@EU, detailed rules concerning the security, confidentiality and protection of electronic health data and the conditions and compliance checks necessary to join and remain connected to MyHealth@EU and conditions for temporary or definitive exclusion from MyHealth@EU. Those implementing acts shall be adopted in accordance with the advisory procedure referred to in Article 68(2).
4.  The Commission shall, by means of implementing acts, adopt the necessary measures for the technical development of MyHealth@EU, detailed rules concerning the security, confidentiality and protection of electronic health data and the conditions and compliance checks necessary to join and remain connected to MyHealth@EU and conditions for temporary or definitive exclusion from MyHealth@EU. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 68(2a). The implementing act shall include the target implementation dates, including for cross border health data interoperability, in consultation with the EHDS board. The European Union Agency for Cyber Security (ENISA) shall be consulted and closely involved in all steps of the examination procedure. Any measures adopted shall meet the highest technical standards in terms of security, confidentiality and protection of electronic health data.
Amendment 171
Proposal for a regulation
Article 12 – paragraph 6
6.  Member States shall ensure that pharmacies operating on their territories, including online pharmacies, are enabled to dispense electronic prescriptions issued by other Member States, under the conditions laid down in Article 11 of Directive 2011/24/EU. The pharmacies shall access and accept electronic prescriptions transmitted to them from other Member States through MyHealth@EU. Following dispensation of medicinal products based on an electronic prescription from another Member State, pharmacies shall report the dispensation to the Member State that issued the prescription, through MyHealth@EU.
6.  Member States shall ensure that pharmacies operating on their territories, including online pharmacies, are enabled to dispense electronic prescriptions issued by other Member States, under the conditions laid down in Article 11 of Directive 2011/24/EU. The pharmacies shall access and accept electronic prescriptions transmitted to them from other Member States through MyHealth@EU, provided that the requirements in Article 11 of Directive 2011/24/EU are fulfilled. Following dispensation of medicinal products based on an electronic prescription from another Member State, pharmacies shall report the dispensation to the Member State that issued the prescription, through MyHealth@EU.
Amendment 172
Proposal for a regulation
Article 12 – paragraph 8
8.  The Commission shall, by means of implementing acts, allocate responsibilities among controllers and as regards the processor referred to in paragraph 7 of this Article, in accordance with Chapter IV of Regulation (EU) 2016/679. Those implementing acts shall be adopted in accordance with the advisory procedure referred to in Article 68(2).
8.  The Commission shall, by means of implementing acts, allocate responsibilities among controllers and as regards the processor referred to in paragraph 7 of this Article, in accordance with Chapter IV of Regulations (EU) 2016/679 and 2018/1725. Those implementing acts shall be adopted in accordance with the advisory procedure referred to in Article 68(2).
Amendment 173
Proposal for a regulation
Article 13 – paragraph 3
3.  Member States and the Commission shall seek to ensure interoperability of MyHealth@EU with technological systems established at international level for the exchange of electronic health data. The Commission may adopt an implementing act establishing that a national contact point of a third country or a system established at an international level is compliant with requirements of MyHealth@EU for the purposes of the electronic health data exchange. Before adopting such an implementing act, a compliance check of the national contact point of the third country or of the system established at an international level shall be performed under the control of the Commission.
deleted
The implementing acts referred to in the first subparagraph of this paragraph shall be adopted in accordance with the procedure referred to in Article 68. The connection of the national contact point of the third country or of the system established at an international level to the central platform for digital health, as well as the decision to be disconnected shall be subject to a decision of the joint controllership group for MyHealth@EU referred to in Article 66.
The Commission shall make the list of implementing acts adopted pursuant to this paragraph publicly available.
Amendment 174
Proposal for a regulation
Article 14 – paragraph 2
2.  This Chapter shall not apply to general software used in a healthcare environment.
2.  This Chapter shall not apply to general software used in a healthcare environment that it is not interoperable with EHR systems.
Amendment 175
Proposal for a regulation
Article 14 – paragraph 4
4.  Providers of high-risk AI systems as defined in Article 6 of Regulation […] [AI act COM/2021/206 final], which does not fall within the scope of Regulation (EU) 2017/745, that claim interoperability of those AI systems with EHR systems will need to prove compliance with the essential requirements on interoperability laid down in Section 2 of Annex II of this Regulation. Article 23 of this Chapter shall be applicable to those high-risk AI systems.
4.  Notwithstanding the obligations laid down in Regulation [AI act COM/2021/206 final], providers of high-risk AI systems as defined in Article 6 of Regulation […] [AI act COM/2021/206 final], which do not fall within the scope of Regulation (EU) 2017/745, that claim interoperability of those AI systems with EHR systems will need to prove compliance with the essential requirements on interoperability laid down in Section 2 of Annex II of this Regulation. Article 23 of this Chapter shall be applicable to those high-risk AI systems.
Amendment 176
Proposal for a regulation
Article 15 – paragraph 1
1.  EHR systems may be placed on the market or put into service only if they comply with the provisions laid down in this Chapter.
1.  EHR systems may be placed on the market or put into service only if they comply with the provisions laid down in Section 3 of this Chapter and in Annex II.
Amendment 177
Proposal for a regulation
Article 16 – paragraph 1 – introductory part
In the information sheet, instructions for use or other information accompanying EHR systems, and in the advertising of EHR systems, it shall be prohibited to use text, names, trademarks, pictures and figurative or other signs that may mislead the user with regard to its intended purpose, interoperability and security by:
In the information sheet, instructions for use or other information accompanying EHR systems, and in the advertising of EHR systems, it shall be prohibited to use text, names, trademarks, pictures and figurative or other signs that may mislead the professional user as defined under Regulation (EU) 2018/1807 with regard to its intended purpose, interoperability and security by:
Amendment 178
Proposal for a regulation
Article 16 – paragraph 1 – point b
(b)  failing to inform the user of likely limitations related to interoperability or security features of the EHR system in relation to its intended purpose;
(b)  failing to inform the professional user of likely limitations related to interoperability or security features of the EHR system in relation to its intended purpose;
Amendment 179
Proposal for a regulation
Article 17 – paragraph 1 – point a
(a)  ensure that their EHR systems are in conformity with the essential requirements laid down in Annex II and with the common specifications in accordance with Article 23;
(a)  obtain for their EHR systems a certificate of compliance from an independent third-party body to attest their conformity with the essential requirements laid down in Annex II and with the common specifications in accordance with Article 23;
Amendment 180
Proposal for a regulation
Article 17 – paragraph 1 – point b
(b)  draw up the technical documentation of their EHR systems in accordance with Article 24;
(b)  draw up the technical documentation of their EHR systems in accordance with Article 24 before placing their systems on the market, and subsequently keep them up to date;
Amendment 181
Proposal for a regulation
Article 17 – paragraph 1 – point c
(c)  ensure that their EHR systems are accompanied, free of charge for the user, by the information sheet provided for in Article 25 and clear and complete instructions for use;
(c)  ensure that their EHR systems are accompanied, free of charge for the user, by the information sheet provided for in Article 25 and clear and complete instructions for use including in accessible formats for vulnerable groups and persons with disabilities;
Amendment 182
Proposal for a regulation
Article 17 – paragraph 1 – point d
(d)  draw up an EU declaration of conformity as referred to in Article 26;
(d)  carry out the relevant conformity assessment procedures as referred to in Article 27a and Annex IVa;
Amendment 183
Proposal for a regulation
Article 17 – paragraph 1 – point d a (new)
(da)  draw up the EU declaration of conformity in accordance with Article 26;
Amendment 184
Proposal for a regulation
Article 17 – paragraph 1 – point e
(e)  affix the CE marking in accordance with Article 27;
(e)  affix the CE marking in accordance with Article 27 after the conformity assessment procedure has been completed;
Amendment 185
Proposal for a regulation
Article 17 – paragraph 1 – point e a (new)
(ea)  indicate the name, registered trade name or registered trade mark, and the postal address and website, e-mail address or other digital contact at which they can be contacted, on the front office of the EHR system; the address shall indicate a single point at which the manufacturer can be contacted and. the contact details shall be in a language that is easily understood by users and market surveillance authorities;
Amendment 186
Proposal for a regulation
Article 17 – paragraph 1 – point g
(g)  take without undue delay any necessary corrective action in respect of their EHR systems which are not in conformity with the essential requirements laid down in Annex II, or recall or withdraw such systems;
(g)  take any necessary corrective action in respect of their EHR systems immediately, where manufacturers consider or have reasons to believe that such systems are not or no longer in conformity with the essential requirements laid down in Annex II, or recall or withdraw such systems; the manufacturers shall then inform the national authorities of the Member States in which they made their EHR systems available or put them into service of the non-conformity and of any corrective action taken;
Amendment 187
Proposal for a regulation
Article 17 – paragraph 1 – point h
(h)  inform the distributors of their EHR systems and, where applicable, the authorised representative and importers of any corrective action, recall or withdrawal;
(h)  immediately inform the distributors of their EHR systems and, where applicable, the authorised representative and importers of the non-conformity and of any corrective action, recall or withdrawal of that system;
Amendment 188
Proposal for a regulation
Article 17 – paragraph 1 – point i
(i)  inform the market surveillance authorities of the Member States in which they made their EHR systems available or put them into service of the non-conformity and of any corrective action taken;
deleted
Amendment 189
Proposal for a regulation
Article 17 – paragraph 1 – point j
(j)  upon request of a market surveillance authority, provide it with all the information and documentation necessary to demonstrate the conformity of their EHR system with the essential requirements laid down in Annex II.
(j)  upon request provide market surveillance authorities in the Member States with all the information and documentation in paper or digital format, necessary to demonstrate the conformity of the EHR system which they have placed on the market or put into service with the essential requirements laid down in Annex II and Article 27a in the official language of the Member State.
Amendment 190
Proposal for a regulation
Article 17 – paragraph 1 – point k
(k)  cooperate with market surveillance authorities, at their request, on any action taken to bring their EHR systems in conformity with the essential requirements laid down in Annex II.
(k)  cooperate with market surveillance authorities, at their request, on any action taken to bring their EHR systems which they have placed on the market or put into service in conformity with the essential requirements laid down in Annex II and Article 27a in the official language of the Member State.
Amendment 191
Proposal for a regulation
Article 17 – paragraph 1 – point k a (new)
(ka)  establish channels of complaint and keep a register of complaints, of non-conforming EHR systems, and keep distributors informed of any such monitoring.
Amendment 192
Proposal for a regulation
Article 17 – paragraph 2
2.  Manufacturers of EHR systems shall ensure that procedures are in place to ensure that the design, development and deployment of an EHR system continues to comply with the essential requirements laid down in Annex II and the common specifications referred to in Article 23. Changes in EHR system design or characteristics shall be adequately taken into account and reflected in the technical documentation.
2.  Manufacturers of EHR systems shall ensure that procedures are in place to ensure that the design, development and deployment of an EHR system continues to comply with the essential requirements laid down in Annex II and the common specifications referred to in Article 23 for EHR systems to remain in conformity with this Regulation. Changes in EHR system design or characteristics and changes in the technical standards and the technical specifications referred to in Annex II and III by reference to which the conformity of the EHR system is declared shall be adequately taken into account and reflected in the technical documentation.
Manufacturers shall establish reporting channels and ensure their accessibility to allow users to submit complaints, and shall keep a register of complaints, of non-conforming EHR systems and EHR system recalls.
Amendment 193
Proposal for a regulation
Article 17 – paragraph 3
3.  Manufacturers of EHR systems shall keep the technical documentation and the EU declaration of conformity for 10 years after the last EHR system covered by the EU declaration of conformity has been placed on the market.
3.  Manufacturers of EHR systems shall keep the technical documentation and the EU declaration of conformity at the disposal of the market surveillance authorities for at least 10 years after the last EHR system covered by the EU declaration of conformity has been placed on the market. The source code or the programming logic included in the technical documentation shall, upon a reasoned request, be made available to the competent national authorities, if that source code or programming logic is necessary in order for them to be able to check compliance with the essential requirements set out in Annex II. The personnel of competent national authorities shall observe professional secrecy with regard to all information obtained in carrying out the conformity assessment activities in accordance with Annexes IVa, except in relation to the competent authorities of the Member State in which their activities are carried out. Proprietary rights, intellectual property rights and trade secrets shall be protected. Manufacturers shall establish reporting channels and ensure their accessibility to allow users to submit complaints, keep a register of complaints, of non-conforming EHR systems and EHR systems recalls.
Amendment 194
Proposal for a regulation
Article 17 – paragraph 3 a (new)
3a.  A manufacturer of EHR systems established outside the Union shall ensure that its authorised representative has the necessary documentation readily available in order to fulfil the tasks referred to in Article 18(2).
Amendment 195
Proposal for a regulation
Article 17 – paragraph 3 b (new)
3b.  Manufacturers shall, further to a reasoned request from a market surveillance authority, provide it with all the information and documentation, in paper or electronic form, necessary to demonstrate the conformity of the EHR system with the essential requirements set out in Annex II and the common specifications referred to in Article 23, in a language which can be easily understood by that authority. They shall cooperate with that authority, at its request, on any measures taken to eliminate the risks posed by the EHR system, which they have placed on the market or put into service.
Amendment 196
Proposal for a regulation
Article 17 – paragraph 3 c (new)
3c.  Liability rules under Directive 85/374/EEC, shall apply to manufacturers of EHR systems without prejudice to more protective measures under national law.
Amendment 197
Proposal for a regulation
Article 18 – paragraph 2 – introductory part
2.  An authorised representative shall perform the tasks specified in the mandate received from the manufacturer. The mandate shall allow the authorised representative to do at least the following:
2.  An authorised representative shall perform the tasks specified in the mandate agreed with the manufacturer. The mandate shall allow the authorised representative to do at least the following:
Amendment 198
Proposal for a regulation
Article 18 – paragraph 2 – point a
(a)  keep the EU declaration of conformity and the technical documentation at the disposal of market surveillance authorities for the period referred to in Article 17(3);
(a)  keep the EU declaration of conformity and the technical documentation at the disposal of the Member State market surveillance authorities for the period referred to in Article 17(3);
Amendment 199
Proposal for a regulation
Article 18 – paragraph 2 – point b
(b)  further to a reasoned request from a market surveillance authority, provide that authority with all the information and documentation necessary to demonstrate the conformity of an EHR system with the essential requirements laid down in Annex II;
(b)  further to a reasoned request from a market surveillance provide authorities of the Member States concerned a copy of the mandate with all the information and documentation necessary to demonstrate the conformity of an EHR system with the essential requirements laid down in Annex II;
Amendment 200
Proposal for a regulation
Article 18 – paragraph 2 – point b a (new)
(ba)  immediately inform the manufacturer if the authorised representative has a reason to believe that an EHR system is no longer in conformity with the essential requirements laid down in Annex II;
Amendment 201
Proposal for a regulation
Article 18 – paragraph 2 – point b b (new)
(bb)  immediately inform the manufacturer about complaints received by consumers and professional users;
Amendment 202
Proposal for a regulation
Article 18 – paragraph 2 – point c
(c)  cooperate with the market surveillance authorities, at their request, on any corrective action taken in relation to the EHR systems covered by their mandate.
(c)  cooperate with the market surveillance authorities in the Member State, at their request, on any corrective action taken in relation to the EHR systems covered by their mandate.
Amendment 203
Proposal for a regulation
Article 18 – paragraph 2 a (new)
2a.  In the event of a change of the authorised representative, the detailed arrangements for the change shall address at least the following aspects:
(a)  the date of termination of the mandate of the outgoing authorised representative and the date of the beginning of the mandate of the incoming authorised representative;
(b)  the transfer of documents, including confidentiality aspects and property rights.
Amendment 204
Proposal for a regulation
Article 19 – paragraph 2 – point a
(a)  the manufacturer has drawn up the technical documentation and the EU declaration of conformity;
(a)  the manufacturer has obtained a certificate of compliance from an independent third body to attest to the relevant conformity assessment procedure referred to in Article 27a and drawn up the EU declaration of conformity in accordance with Article 26; and drawn up the technical documentation, in accordance with Article 24, before placing their system on the market;
Amendment 205
Proposal for a regulation
Article 19 – paragraph 2 – point a a (new)
(aa)  the manufacturer is identified and an authorised representative in accordance with Article 18 has been appointed;
Amendment 206
Proposal for a regulation
Article 19 – paragraph 2 – point b
(b)  the EHR system bears the CE marking of conformity;
(b)  the EHR system bears the CE marking of conformity referred to in Article 27 after the conformity assessment procedure has been completed;
Amendment 207
Proposal for a regulation
Article 19 – paragraph 2 – point c
(c)  the EHR system is accompanied by the information sheet referred to in Article 25 and appropriate instructions for use.
(c)  the EHR system is accompanied by the information sheet referred to in Article 25 with clear and complete instructions for use including in accessible formats.
Amendment 208
Proposal for a regulation
Article 19 – paragraph 3
3.  Importers shall indicate their name, registered trade name or registered trade mark and the address at which they can be contacted in a document accompanying the EHR system.
3.  Importers shall indicate their name, registered trade name or registered trade mark and the postal address and website, e-mail address or other digital contact at which they can be contacted in a document accompanying the EHR system. The address shall indicate a single point at which the manufacturer can be contacted. The contact details shall be in a language easily understood by users and the market surveillance authorities. They shall ensure that any additional label does not obscure any information on the label provided by the manufacturer.
Amendment 209
Proposal for a regulation
Article 19 – paragraph 4
4.  Importers shall ensure that, while an EHR system is under their responsibility, the EHR system is not altered in such a way that its conformity with the essential requirements laid down in Annex II is jeopardised.
4.  Importers shall ensure that, while an EHR system is under their responsibility, the EHR system is not altered in such a way that its conformity with the essential requirements laid down in Annex II and Article 27a is jeopardised.
Amendment 210
Proposal for a regulation
Article 19 – paragraph 5
5.  Where an importer considers or has reason to believe that an EHR system is not in conformity with the essential requirements in Annex II, it shall not make that system available on the market until that system has been brought into conformity. The importer shall inform without undue delay the manufacturer of such EHR system and the market surveillance authorities of the Member State in which it made the EHR system available, to that effect.
5.  Where an importer considers or has reason to believe that an EHR system is not or no longer in conformity with the essential requirements in Annex II and Article 27a, it shall not make that system available on the market, or shall recall it or withdraw it if was already available on the market, until that system has been brought into conformity. The importer shall inform immediately the manufacturer of such EHR system and the market surveillance authorities of the Member State in which it made the EHR system available, to that effect, giving details, in particular, of the non-conformity and of any corrective measures, recall or withdrawal of that system taken. Where an importer considers or has reason to believe that an EHR system presents a risk to the health or safety of natural persons, it shall immediately inform the market surveillance authority of the Member State in which the importer is established, as well as the manufacturer and where applicable, the authorised representative.
Amendment 211
Proposal for a regulation
Article 19 – paragraph 7
7.  Importers shall, further to a reasoned request from a market surveillance authority, provide it with all the information and documentation necessary to demonstrate the conformity of an EHR system in the official language of the Member State where the market surveillance authority is located. They shall cooperate with that authority, at its request, on any action taken to bring their EHR systems in conformity with the essential requirements laid down in Annex II.
7.  Importers shall, further to a reasoned request from a market surveillance authorities of Member States concerned provide it with all the information and documentation in paper or digital format necessary to demonstrate the conformity of an EHR system. They shall cooperate with that authority, at its request, and with the manufacturer and, where applicable, with the manufacturer’s authorised representative on any action taken to bring their EHR systems in conformity with the essential requirements laid down in Annex II, and Article 27a, or to ensure that their EHR systems are withdrawn or recalled.
Amendment 212
Proposal for a regulation
Article 19 – paragraph 7 a (new)
7a.  Manufacturers shall establish reporting channels and ensure their accessibility to allow users to submit complaints, keep a register of complaints, of non-conforming EHR systems and EHR systems recalls. Importers shall verify whether the established channels of complaint referred to in Article 17(2) are publicly available allowing them to submit complaints and communicate any risk related to their health and safety or to other aspects of public interest protection and of any serious incident involving an EHR system. If such channels are not available, the importer shall provide for them, taking into account the accessibility needs of vulnerable groups and persons with disabilities.
Amendment 213
Proposal for a regulation
Article 19 – paragraph 7 b (new)
7b.  Importers shall investigate complaints and information on incidents involving an EHR system they made available on the market and file those complaints, as well as of system recalls and any corrective measures taken to bring the EHR system into conformity, in the register referred to in Article 17(3d) or in their own internal register. Importers shall keep the manufacturer, distributors and, where relevant, authorised representatives informed in a timely manner of the investigation performed and of the results of the investigation.
Amendment 214
Proposal for a regulation
Article 20 – paragraph 1 – point a
(a)  the manufacturer has drawn up the EU declaration of conformity;
(a)  the manufacturer has obtained a certificate of compliance from an independent third body to attest to the relevant conformity assessment procedure referred to in Article 27a and has drawn up the EU declaration of conformity, in accordance with Article 26, and the technical documentation, in accordance with Article 24, before placing their system on the market;
Amendment 215
Proposal for a regulation
Article 20 – paragraph 1 – point b
(b)  the EHR system bears the CE marking of conformity;
(b)  the EHR system bears the CE marking of conformity referred to in Article 27 after the conformity assessment procedure has been completed;
Amendment 216
Proposal for a regulation
Article 20 – paragraph 1 – point c
(c)  the EHR system is accompanied by the information sheet referred to in Article 25 and appropriate instructions for use;
(c)  the EHR system is accompanied by the information sheet referred to in Article 25 with clear and complete instructions for use in accessible formats;
Amendment 217
Proposal for a regulation
Article 20 – paragraph 2
2.  Distributors shall ensure that, while an EHR system is under their responsibility, the EHR system is not altered in such a way that its conformity with the essential requirements laid down in Annex II is jeopardised.
2.  Distributors shall ensure that, while an EHR system is under their responsibility, the EHR system is not altered in such a way that its conformity with the essential requirements laid down in Annex II and Article 27a is jeopardised.
Amendment 218
Proposal for a regulation
Article 20 – paragraph 3
3.  Where a distributor considers or has reason to believe that an EHR system is not in conformity with the essential requirements laid down in Annex II, it shall not make the EHR system available on the market until it has been brought into conformity. Furthermore, the distributor shall inform without undue delay the manufacturer or the importer, as well as the market surveillance authorities of the Member states where the EHR system has been made available on the market, to that effect.
3.  Where a distributor considers or has reason to believe that an EHR system is not in conformity with the essential requirements laid down in Annex II and Article 27a, it shall not make the EHR system available on the market, or shall recall it or withdraw it if was already available on the market, until it has been brought into conformity. Furthermore, the distributor shall inform immediately the manufacturer or the importer, as well as the market surveillance authorities of the Member states where the EHR system has been made available on the market, to that effect. Where a distributor considers or has reason to believe that an EHR system presents a risk to the health or safety of natural persons, it shall immediately inform the market surveillance authority of the Member State in which the distributor is established, as well as the manufacturer, the importer and where applicable, the authorised representative.
Amendment 219
Proposal for a regulation
Article 20 – paragraph 4
4.  Distributors shall, further to a reasoned request from a market surveillance authority, provide it with all the information and documentation necessary to demonstrate the conformity of an EHR system. They shall cooperate with that authority, at its request, on any action taken to bring their EHR systems in conformity with the essential requirements laid down in Annex II.
4.  Distributors shall, further to a reasoned request from a market surveillance authority, provide it with all the information and documentation necessary to demonstrate the conformity of an EHR system. They shall cooperate with that authority, at its request, and with the manufacturer, the importer and, where applicable, with the manufacturer’s authorised representative on any action taken to bring the EHR systems in conformity with the essential requirements laid down in Annex II or to withdraw or recall it.
Amendment 220
Proposal for a regulation
Article 21 – title
Cases in which obligations of manufacturers of an EHR system apply to importers and distributors
Cases in which obligations of manufacturers of an EHR system apply to economic operators
Amendment 221
Proposal for a regulation
Article 21 – paragraph 1
An importer or distributor shall be considered a manufacturer for the purposes of this Regulation and shall be subject to the obligations laid down in Article 17, where they made an EHR system available on the market under their own name or trademark or modify an EHR system already placed on the market in such a way that conformity with the applicable requirements may be affected.
If any economic operator other than the manufacturer makes modifications to the EHR system whilst deploying or using it, which lead to changes in the intended purpose and deployment recommendations for the EHR system as declared by the manufacturer, in any case of any malfunctioning or deterioration in performance quality due to the changes made by the economic operator during deployment or use of the EHR system contrary to the manufacturer’s recommendations for technical deployment of the system or purpose of its use, the economic operator shall be considered a manufacturer for the purposes of this Regulation and shall be subject to the obligations laid down in Article 17.
Amendment 222
Proposal for a regulation
Chapter III – Section 3 – title
Conformity of the EHR system
Conformity Assessment
Amendment 223
Proposal for a regulation
Article 23 – paragraph 1 – subparagraph 1
The Commission shall, by means of implementing acts, adopt common specifications in respect of the essential requirements set out in Annex II, including a time limit for implementing those common specifications. Where relevant, the common specifications shall take into account the specificities of medical devices and high risk AI systems referred to in paragraphs 3 and 4 of Article 14.
1.  The Commission shall, by means of implementing acts, adopt common specifications in respect of the essential requirements set out in Annex II, including a common template document and a time limit for implementing those common specifications. Where relevant, the common specifications shall take into account the specificities and verify compatibility with sectoral legislation and harmonised standards of medical devices and high risk AI systems referred to in paragraphs 3 and 4 of Article 14, including the state-of-the art standards for health informatics and the European electronic health record exchange format.
Amendment 224
Proposal for a regulation
Article 23 – paragraph 1 – subparagraph 2
Those implementing acts shall be adopted in accordance with the advisory procedure referred to in Article 68(2).
2.  Those implementing acts shall be adopted in accordance with the advisory procedure referred to in Article 68(2) after consultation with the EHDS board and the Advisory Forum.
Amendment 225
Proposal for a regulation
Article 23 – paragraph 4 a (new)
4a.  Where common specifications have an impact on data protection requirements for EHR systems, they shall be subject to consultation with the European Data Protection Board (EDPB) and the European Data Protection Supervisor (EDPS) before their adoption, pursuant to Article 42(2) of Regulation (EU) 2018/1725.
Amendment 226
Proposal for a regulation
Article 23 – paragraph 5
5.  Where common specifications covering interoperability and security requirements of EHR systems affect medical devices or high-risk AI systems falling under other acts, such as Regulations (EU) 2017/745 or […] [AI Act COM/2021/206 final], the adoption of those common specifications may be preceded by a consultation with the Medical Devices Coordination Group (MDCG) referred to in Article 103 of Regulation (EU) 2017/745 or the European Artificial Intelligence Board referred to in Article 56 of Regulation […] [AI Act COM/2021/206 final], as applicable.
5.  Where common specifications covering interoperability and security requirements of EHR systems affect medical devices or high-risk AI systems falling under other acts, such as Regulations (EU) 2017/745 or […] [AI Act COM/2021/206 final], the adoption of those common specifications shall be preceded by a consultation with the Medical Devices Coordination Group (MDCG) referred to in Article 103 of Regulation (EU) 2017/745 or the European Artificial Intelligence Board referred to in Article 56 of Regulation […] [AI Act COM/2021/206 final], as applicable, as well as the EDPB referred to in Article 68 of Regulation (EU) 2016/679.
Amendment 227
Proposal for a regulation
Article 23 – paragraph 6
6.  Where common specifications covering interoperability and security requirements of medical devices or high-risk AI systems falling under other acts such as Regulation (EU) 2017/745 or Regulation […] [AI Act COM/2021/206 final], impact EHR systems, the adoption of those common specifications shall be preceded by a consultation with the EHDS Board, especially its subgroup for Chapters II and III of this Regulation.
6.  Where common specifications covering interoperability and security requirements of medical devices or high-risk AI systems falling under other acts such as Regulation (EU) 2017/745 or Regulation […] [AI Act COM/2021/206 final], impact EHR systems, the adoption of those common specifications shall be preceded by a consultation with the EHDS Board, especially its subgroup for Chapters II and III of this Regulation, and, where applicable, the EDPB referred to in Article 68 of Regulation (EU) 2016/679.
Amendment 228
Proposal for a regulation
Article 24 – paragraph 1
1.  The technical documentation shall be drawn up before the EHR system is placed on the market or put into service and shall be kept up-to-date.
1.  Manufacturers shall draw up technical documentation before the EHR system is placed on the market or put into service and shall be kept up-to-date.
Amendment 229
Proposal for a regulation
Article 24 – paragraph 2
2.  The technical documentation shall be drawn up in such a way as to demonstrate that the EHR system complies with the essential requirements laid down in Annex II and provide market surveillance authorities with all the necessary information to assess the conformity of the EHR system with those requirements. It shall contain, at a minimum, the elements set out in Annex III.
2.  The technical documentation shall be drawn up in such a way as to demonstrate that the EHR system complies with the essential requirements laid down in Annex II and provide market surveillance authorities with all the necessary information to assess the conformity of the EHR system with those requirements. It shall contain, at a minimum, the elements set out in Annex III. Where the system or any part of it complies with European standards or common specifications, the list of the relevant European standards and common specifications shall also be indicated.
Amendment 230
Proposal for a regulation
Article 24 – paragraph 2 a (new)
2a.  To ensure conformity, a single unified template for technical documentation shall be provided by the Commission.
Amendment 231
Proposal for a regulation
Article 24 – paragraph 3
3.  The technical documentation shall be drawn up in one of the official languages of the Union. Following a reasoned request from the market surveillance authority of a Member State, the manufacturer shall provide a translation of the relevant parts of the technical documentation into the official language of that Member State.
3.  The technical documentation shall be drawn up in the official language of the Member State concerned. Following a reasoned request from the market surveillance authority of a Member State, the manufacturer shall provide a translation of the relevant parts of the technical documentation into the official language of that Member State.
Amendment 232
Proposal for a regulation
Article 25 – paragraph 1
1.  EHR systems shall be accompanied by an information sheet that includes concise, complete, correct and clear information that is relevant, accessible and comprehensible to users.
1.  EHR systems shall be accompanied by an information sheet that includes concise, complete, correct and clear information that is relevant, accessible and comprehensible to professional users.
Amendment 233
Proposal for a regulation
Article 25 – paragraph 2 – point a
(a)  the identity, registered trade name or registered trademark, and the contact details of the manufacturer and, where applicable, of its authorised representative;
(a)  the identity, registered trade name or registered trademark, and the contact details of the manufacturer including the postal and e-mail address and the telephone number and, where applicable, of its authorised representative;
Amendment 234
Proposal for a regulation
Article 25 – paragraph 2 – subparagraph 1a (new)
If the EHR system is not accompanied by the information sheet referred to in this Article and by clear and complete instructions for use in accessible formats for persons with disabilities, the manufacturer of the EHR system concerned, its authorised representative and all other relevant economic operators shall be required to add to the EHR system that information sheet and those instructions for use.
Amendment 235
Proposal for a regulation
Article 26 – paragraph 3
3.  The EU declaration of conformity shall, as a minimum, contain the information set out in Annex IV and shall be translated into one or more official Union languages determined by the Member State(s) in which the EHR system is made available.
3.  The EU declaration of conformity shall, as a minimum, contain the information set out in Annex IV and shall be translated into one or more official Union languages determined by the Member State(s) in which the EHR system is made available. Manufacturers shall provide a translation of the relevant parts of the technical documentation into the official language of the Member States where they have placed products on the market.
Amendment 236
Proposal for a regulation
Article 26 – paragraph 3 a (new)
3a.  Digital EU declarations of conformity shall be made accessible online for the expected lifetime of the EHR system and in any event for at least 10 years after the placing on the market or the putting into service of the EHR system.
Amendment 237
Proposal for a regulation
Article 26 – paragraph 4
4.  By drawing up the EU declaration of conformity, the manufacturer shall assume responsibility for the conformity of the EHR system.
4.  By drawing up the EU declaration of conformity the manufacturer) shall assume responsibility for the compliance of the EHR system with the requirements laid down in this Regulation.
Amendment 238
Proposal for a regulation
Article 26 – paragraph 4 a (new)
4a.  The Commission is empowered to adopt delegated acts in accordance with Article 67 in order to amend the minimum content of the EU declaration of conformity set out in Annex IV.
Amendment 239
Proposal for a regulation
Article 26 – paragraph 4 b (new)
4b.  The Commission shall publish a standard uniformed template for the EU declaration of conformity and make it available in a digital format in all the official Union languages.
Amendment 240
Proposal for a regulation
Article 27 – paragraph 1 a (new)
1a.  The CE marking shall be affixed before making the EHR system available on the market.
Amendment 241
Proposal for a regulation
Article 27 – paragraph 2 a (new)
2a.  Where EHR systems are subject to other Union law in respect of aspects not covered by this Regulation, which also requires the affixing of the CE marking, the CE marking shall indicate that the systems also fulfil the requirements of that other law.
Amendment 242
Proposal for a regulation
Article 27 – paragraph 2 b (new)
2b.  Member States shall build upon existing mechanisms to ensure correct application of the regime governing the CE marking and shall take appropriate action in the event of improper use of that marking.
Amendment 243
Proposal for a regulation
Article 27 a (new)
Article 27a
Conformity assessment for EHR systems
1.  In order to certify the conformity of an EHR system with this Regulation, prior to placing an EHR system on the market, the manufacturer, its authorised representative, or any economic operator referred to in Article 21 shall apply for a conformity assessment procedure.
2.  The conformity assessment procedure shall require the notified body to assess:
(a)  whether the EHR system is in conformity with the requirements laid down in Annex II;
(b)  whether the EHR system is in conformity with the requirements laid down in Regulation (EU) .../... [.. (Cyber Resilience Act COM(2022)454];
(c)  whether the technical documentation is available and complete;
(d)  whether the technical design of an EHR system meets the applicable requirements of this Regulation as provided for in an EU type examination procedure laid down in Annex IVa;
The EU type-examination is the part of a conformity assessment procedure in which a notified body examines the technical design of an EHR system and verifies and attests that the technical design of the EHR system meets the applicable requirements of this Regulation.
Only after an Union wide approval has been issued, may the CE marking be affixed, together with an identification number.
3.  Notified bodies shall take into account the specific interests and needs of SMEs when setting the fees for conformity assessment and reduce those fees proportionately to their specific interests and needs.
Amendment 244
Proposal for a regulation
Article 27 aa (new)
Article 27aa
General principles of the CE marking
The CE marking shall be subject to the general principles set out in Article 30 of Regulation (EC) No 765/2008.
Amendment 245
Proposal for a regulation
Article 27 b (new)
Article 27b
Notification
Member States shall notify the Commission and the other Member States of conformity assessment bodies authorised to carry out conformity assessments in accordance with this Regulation.
Amendment 246
Proposal for a regulation
Article 27 c (new)
Article 27c
Notifying authorities
1.  Member States shall designate a notifying authority that shall be responsible for setting up and carrying out the necessary procedures for the assessment and notification of conformity assessment bodies and the monitoring of notified bodies, including compliance with Article 27h.
2.  Member States may decide that the assessment and monitoring referred to in paragraph 1 shall be carried out by a national accreditation body within the meaning of and in accordance with Regulation (EC) No 765/2008.
3.  Where the notifying authority delegates or otherwise entrusts the assessment, notification or monitoring referred to in paragraph 1 of this Article to a body, which is not a governmental entity that body shall be a legal entity and shall comply mutatis mutandis with the requirements laid down in Article 27e. In addition, that body shall have arrangements to cover liabilities arising out of its activities.
4.  The notifying authority shall take full responsibility for the tasks performed by the body referred to in paragraph 3.
Amendment 247
Proposal for a regulation
Article 27 d (new)
Article 27d
Requirements relating to notifying authorities
1.  A notifying authority shall be established in such a way that no conflict of interest with conformity assessment bodies occurs.
2.  A notifying authority shall be organised and operated so as to safeguard the objectivity and impartiality of its activities.
3.  A notifying authority shall be organised in such a way that each decision relating to notification of a conformity assessment body is taken by competent persons other than those who carried out the assessment of the EHR system.
4.  A notifying authority shall not offer or provide any activities that conformity assessment bodies perform, or consultancy services on a commercial or competitive basis.
5.  A notifying authority shall safeguard the confidentiality of the information it obtains.
6.  A notifying authority shall have a sufficient number of competent personnel at its disposal for the proper performance of its tasks.
Amendment 248
Proposal for a regulation
Article 27 e (new)
Article 27e
Information obligation on notifying authorities
Member States shall inform the Commission of their procedures for the assessment and notification of conformity assessment bodies and the monitoring of notified bodies, and of any changes thereto. The Commission shall make that information publicly available.
Amendment 249
Proposal for a regulation
Article 27 f (new)
Article 27f
Requirements relating to notified bodies
1.  For the purposes of notification, a conformity assessment body shall meet the requirements laid down in paragraphs 2 to 11.
2.  A conformity assessment body shall be established under the national law of a Member State and have legal personality.
3.  A conformity assessment body shall be a third-party body independent of the organisation or the EHR system it assesses.
4.  A conformity assessment body, its top-level management and the personnel responsible for carrying out the conformity assessment tasks shall not be the designer, manufacturer, supplier, installer, purchaser, owner, user or maintainer of an EHR system, that they assess, or the representative of any of those parties. A conformity assessment body, its top-level management and the personnel responsible for carrying out the conformity assessment tasks shall not be directly involved in the design, manufacture, marketing, installation, use or maintenance of EHR systems, or represent the parties engaged in those activities. They shall not engage in any activity that may conflict with their independence of judgement or integrity in relation to conformity assessment activities for which they are notified. This shall in particular apply to consultancy services. A conformity assessment body shall ensure that the activities of its subsidiaries or subcontractors do not affect the confidentiality, objectivity or impartiality of its conformity assessment activities.
5.  A conformity assessment body and its personnel shall carry out the conformity assessment activities with the highest degree of professional integrity and the requisite technical competence in the specific field and shall be free from all pressures and inducements, particularly financial, which might influence its judgement or the results of its conformity assessment activities, especially as regards persons or groups of persons with an interest in the results of those activities.
6.  A conformity assessment body shall be capable of carrying out all the conformity assessment activities mentioned in Annexes IVa in relation to which it has been notified, whether those tasks are carried out by the conformity assessment body itself or on its behalf and under its responsibility. At all times, and for each conformity assessment procedure and each kind of a EHR system for which it has been notified, a conformity assessment body shall have at its disposal the necessary:
(a)  personnel with technical knowledge and sufficient and appropriate experience to perform the conformity assessment activities;
(b)  descriptions of procedures in accordance with which conformity assessment is carried out, ensuring the transparency and the ability of reproduction of those procedures;
(c)  appropriate policies and procedures to distinguish between activities that it carries out as a notified body and other activities;
(d)  procedures for the performance of conformity assessment activities which take due account of the size of an undertaking, the sector in which it operates, its structure and the degree of complexity of the technology in question.
A conformity assessment body shall have the means necessary to perform the technical and administrative tasks connected with the conformity assessment activities in an appropriate manner and shall have access to all necessary equipment or facilities.
7.  The personnel responsible for carrying out conformity assessment tasks shall have the following:
(a)  sound technical and vocational training covering all the conformity assessment activities in relation to which the conformity assessment body has been notified;
(b)  satisfactory knowledge of the requirements of the assessments they carry out and adequate authority to carry out those assessments;
(c)  appropriate knowledge and understanding of the applicable harmonised standards and common specifications referred to in this Regulation, and of the relevant provisions of Union harmonisation legislation and of national legislation;
(d)  the ability to draw up certificates, records and reports demonstrating that conformity assessments have been carried out.
8.  The impartiality of a conformity assessment body, its top-level management and the personnel responsible for carrying out the conformity assessment activities shall be guaranteed.
The remuneration of the top-level management and the personnel responsible for carrying out the conformity assessment activities shall not depend on the number of conformity assessments carried out or on the results of those assessments.
9.  A conformity assessment body shall take out liability insurance unless liability is assumed by the Member State in accordance with national law, or the Member State itself is directly responsible for the conformity assessment.
10.  The personnel of a conformity assessment body shall observe professional secrecy with regard to all information obtained in carrying out the conformity assessment activities in accordance with Annexes IVa, except in relation to the competent authorities of the Member State in which its activities are carried out. Proprietary rights, intellectual property rights and trade secrets shall be protected.
11.  A conformity assessment body shall participate in, or ensure that its personnel responsible for carrying out the conformity assessment activities are informed of, the relevant standardisation activities and the activities of the notified body coordination group established under Article 27r and shall apply as general guidance the administrative decisions and documents produced as a result of the work of that group.
Amendment 250
Proposal for a regulation
Article 27 g(new)
Article 27g
Presumption of conformity of notified bodies
Where a conformity assessment body demonstrates its conformity with the criteria laid down in the relevant harmonised standards the references of which have been published in the Official Journal of the European Union, it shall be presumed to comply with the requirements set out in Article 27g in so far as the applicable harmonised standards cover those requirements.
Amendment 251
Proposal for a regulation
Article 27 h (new)
Article 27h
Use of subcontractors and subsidiaries by notified bodies
1.  Where a notified body subcontracts specific tasks connected with conformity assessment or has recourse to a subsidiary, it shall ensure that the subcontractor or the subsidiary meets the requirements set out in Article 27f and shall inform the notifying authority accordingly.
2.  A notified body shall take full responsibility for the tasks performed by subcontractors or subsidiaries wherever those are established.
3.  Activities may be subcontracted or carried out by a subsidiary only with the agreement of the client.
4.  A notified body shall keep at the disposal of the notifying authority the relevant documents concerning the assessment of the qualifications of the subcontractor or the subsidiary and the work carried out by them under Annex IVa.
Amendment 252
Proposal for a regulation
Article 27 i (new)
Article 27i
Application for notification
1.  A conformity assessment body shall submit an application for notification to the notifying authority of the Member State in which it is established.
2.  The application for notification shall be accompanied by a description of the conformity assessment activities, of the conformity assessment procedures set out in Annex IVa as well as by an accreditation certificate, where one exists, issued by a national accreditation body attesting that the conformity assessment body fulfils the requirements laid down in Article 27f.
3.  Where the conformity assessment body concerned cannot provide an accreditation certificate as referred to in paragraph 2, it shall provide the notifying authority with all the documentary evidence necessary for the verification, recognition and regular monitoring of its compliance with the requirements laid down in Article 27f.
Amendment 253
Proposal for a regulation
Article 27 j (new)
Article 27j
Notification procedure
1.  A notifying authority shall notify only conformity assessment bodies which have satisfied the requirements laid down in Article 27f.
2.  The notifying authority shall send a notification to the Commission and the other Member States of each conformity assessment body referred to in paragraph 1, using the electronic notification tool developed and managed by the Commission.
3.  The notification referred to in paragraph 2 shall include the following:
(a)  full details of the conformity assessment activities to be performed;
(b)  the relevant attestation of competence.
4.  Where a notification is not based on an accreditation certificate referred to in Article 27i(2), the notifying authority shall provide the Commission and the other Member States with documentary evidence which attests to the conformity assessment body's competence and the arrangements in place to ensure that that body will be monitored regularly and will continue to satisfy the requirements laid down in Article 27f.
5.  The conformity assessment body concerned may perform the activities of a notified body only where no objections are raised by the Commission or the other Member States within two weeks of the validation of the notification where it includes an accreditation certificate referred to in Article 27i(2), or within two months of the notification where it includes documentary evidence referred to in paragraph 4 of this Article.
Only such a body shall be considered a notified body for the purposes of this Regulation.
6.  The notifying authority shall notify the Commission and the other Member States of any subsequent relevant changes to the notification referred to in paragraph 2.
Amendment 254
Proposal for a regulation
Article 27 k (new)
Article 27k
Identification numbers and lists of notified bodies
1.  The Commission shall assign an identification number to a notified body. It shall assign a single such number even where the body is notified under several Union acts.
2.  The Commission shall make publicly available the list of notified bodies including the identification numbers that have been assigned to them and the conformity assessment activities for which they have been notified. The Commission shall ensure that the list is kept up to date.
Amendment 255
Proposal for a regulation
Article 27 l (new)
Article 27l
Changes to notification
1.  Where a notifying authority has ascertained or has been informed that a notified body no longer meets the requirements laid down in Article 27f, or that it is failing to fulfil its obligations as set out in Article 27n, the notifying authority shall restrict, suspend or withdraw the notification, as appropriate, depending on the seriousness of the failure to meet those requirements or fulfil those obligations. It shall immediately inform the Commission and the other Member States accordingly.
2.  In the event of restriction, suspension or withdrawal of notification, or where the notified body has ceased its activity, the notifying authority shall take appropriate steps to ensure that the files of that body are either processed by another notified body or kept available for the responsible notifying and market surveillance authorities at their request.
Amendment 256
Proposal for a regulation
Article 27 m (new)
Article 27m
Challenge of the competence of notified bodies
1.  The Commission shall investigate all cases where it has doubts, or a doubt is brought to its attention, regarding the competence of a notified body or the continued fulfilment by a notified body of the requirements and responsibilities to which it is subject.
2.  The notifying authority shall provide the Commission, on request, with all information relating to the basis for the notification or the maintenance of the competence of the notified body concerned.
3.  The Commission shall ensure that all sensitive information obtained in the course of its investigations is treated confidentially.
4.  Where the Commission ascertains that a notified body does not meet or no longer meets the requirements for its notification, it shall adopt an implementing act requesting the notifying authority to take the necessary corrective measures, including the withdrawal of the notification if necessary.
That implementing act shall be adopted in accordance with the advisory procedure referred to in Article 68(2).
Amendment 257
Proposal for a regulation
Article 27 n (new)
Article 27n
Operational obligations of notified bodies
1.  A notified body shall carry out conformity assessments in accordance with the conformity assessment procedures set out in Article 27a.
2.  A notified body shall perform its activities in a proportionate manner, avoiding an unnecessary burden for economic operators, and taking due account of the size of an undertaking, the structure of the undertaking, the degree of complexity of the EHR system in question. In so doing, the notified body shall nevertheless respect the degree of rigour and the level of protection required for the compliance of the EHR system with the requirements of this Regulation.
3.  Where a notified body finds that the harmonised standards or common specifications referred in this Regulation have not been met by a manufacturer, it shall require the manufacturer to take appropriate corrective actions and shall not issue an EU type-examination certificate.
4.  Where, in the course of the monitoring of conformity following the issuance of a certificate of conformity or the adoption of an approval decision, a notified body finds that an EHR system no longer complies, it shall require the manufacturer to take appropriate corrective measures and shall suspend or withdraw the certificate of conformity or the approval decision, if necessary.
Where corrective measures are not taken or do not have the required effect, the notified body shall restrict, suspend or withdraw any certificates of conformity or approval decisions, as appropriate.
Amendment 258
Proposal for a regulation
Article 27 o (new)
Article 27o
Appeals against decisions of notified bodies
A notified body shall ensure that a transparent and accessible appeals procedure against its decisions is available.
Amendment 259
Proposal for a regulation
Article 27 p (new)
Article 27p
Information obligation on notified bodies
1.  A notified body shall inform the notifying authority of the following:
(a)  any refusal, restriction, suspension or withdrawal of a certificate of conformity or approval decision;
(b)  any circumstances affecting the scope of, or the conditions for, its notification;
(c)  any request for information which it has received from market surveillance authorities regarding its conformity assessment activities;
(d)  upon request, any conformity assessment activities performed within the scope of its notification and any other activity performed, including cross-border activities and subcontracting.
Amendment 260
Proposal for a regulation
Article 27 q (new)
Article 27q
Coordination of notified bodies
The Commission shall ensure that appropriate coordination and cooperation between notified bodies are put in place and properly operated in the form of a sectoral group of notified bodies.
Notified bodies shall participate in the work of that group, directly or by means of designated representatives.
Amendment 261
Proposal for a regulation
Article 27 r (new)
Article 27r
Exchange of experience
The Commission shall provide for the organisation of exchange of experience between the Member States' national authorities responsible for notification policy.
Amendment 262
Proposal for a regulation
Article 28 – paragraph 2
2.  Member States shall designate the market surveillance authority or authorities responsible for the implementation of this Chapter. They shall entrust their market surveillance authorities with the powers, resources, equipment and knowledge necessary for the proper performance of their tasks pursuant to this Regulation. Member States shall communicate the identity of the market surveillance authorities to the Commission which shall publish a list of those authorities.
2.  Member States shall designate the market surveillance authority or authorities responsible for the implementation of this Chapter. They shall entrust their market surveillance authorities with the necessary powers, financial resources, equipment, technical expertise, adequate staffing, and knowledge necessary for the proper performance of their tasks pursuant to this Regulation. Member States shall communicate the identity of the market surveillance authorities to the Commission which shall publish a list of those authorities.
Amendment 263
Proposal for a regulation
Article 28 – paragraph 2 a (new)
2a.  Staff of market surveillance authorities shall have no direct or indirect economic, financial or personal conflicts of interest that might be considered prejudicial to their independence and, in particular, they shall not be in a situation that may, directly or indirectly, affect the impartiality of their professional conduct.
Amendment 264
Proposal for a regulation
Article 28 – paragraph 2 b (new)
2b.  Pursuant to paragraph 2 of this Article, Member States shall determine and publish the selection procedure for market surveillance authorities. They shall ensure that the procedure is transparent and does not allow for conflicts of interest.
Amendment 265
Proposal for a regulation
Article 28 – paragraph 4 a (new)
4a.  Market surveillance authorities shall immediately inform notified bodies about manufacturers of EHR systems that no longer comply with the requirements on the declaration of conformity.
Amendment 266
Proposal for a regulation
Article 28 – paragraph 4 b (new)
4b.  When a manufacturer or, pursuant to Article 21, another economic operator fails to cooperate with market surveillance authorities or if the information and documentation provided is incomplete or incorrect, market surveillance authorities shall take all appropriate measures to prohibit or restrict the relevant EHR system from being available on the market until the manufacturer cooperates or provides complete and correct information, or to withdraw it from the market or to recall.
Amendment 267
Proposal for a regulation
Article 29 – paragraph 1
1.  Where a market surveillance authority finds that an EHR system presents a risk to the health or safety of natural persons or to other aspects of public interest protection, it shall require the manufacturer of the EHR system concerned, its authorised representative and all other relevant economic operators to take all appropriate measures to ensure that the EHR system concerned no longer presents that risk when placed on the market to withdraw the EHR system from the market or to recall it within a reasonable period.
1.  Where a market surveillance authority of one Member State has a reason to believe that an EHR system presents a risk to the health, safety or rights of natural persons, to the protection of personal data it shall carry out an evaluation in relation to the EHR system concerned covering all relevant requirements laid down in this regulation. Its authorised representatives and all other relevant economic operators shall cooperate as necessary with the market surveillance authorities for that purpose and take all appropriate measures to ensure that the EHR system concerned no longer presents that risk when placed on the market to withdraw the EHR system from the market or to recall it within a reasonable period.
The market surveillance authorities shall inform the relevant notified body accordingly.
Amendment 268
Proposal for a regulation
Article 29 – paragraph 1 a (new)
1a.  Where the market surveillance authorities consider that non-compliance is not restricted to their national territory, they shall inform the Commission and the other Member States of the results of the evaluation and of the actions which they have required the economic operator to take.
Amendment 269
Proposal for a regulation
Article 29 – paragraph 1 b (new)
1b.  Where a market surveillance authority considers or has reason to believe that an EHR system has caused damage to the health or safety of natural persons or to other aspects of public interest protection, it shall immediately provide information and documentation, as applicable, to the affected person or user and, as appropriate, other third parties affected by the damage caused to the person or user, without prejudice to data protection rules.
Amendment 270
Proposal for a regulation
Article 29 – paragraph 3
3.  The market surveillance authority shall immediately inform the Commission and the market surveillance authorities of other Member States of the measures ordered pursuant to paragraph 1. That information shall include all available details, in particular the data necessary for the identification of the EHR system concerned, the origin and the supply chain of the EHR system, the nature of the risk involved and the nature and duration of the national measures taken.
3.  The market surveillance authority, or, where applicable, the supervisory authority under Regulation (EU) 2016/679, shall immediately inform the Commission and the market surveillance authorities, or, if applicable, the supervisory authorities under Regulation (EU) 2016/679, of other Member States of the measures ordered pursuant to paragraph 1. That information shall include all available details, in particular the data necessary for the identification of the EHR system concerned, the origin and the supply chain of the EHR system, the nature of the risk involved and the nature and duration of the national measures taken.
Amendment 271
Proposal for a regulation
Article 29 – paragraph 3 a (new)
3a.  Where a finding of a market surveillance authority, or a serious incident it is informed of, concerns personal data protection, the market surveillance authority shall immediately inform and cooperate with the relevant supervisory authorities under Regulation (EU) 2016/679.
Amendment 272
Proposal for a regulation
Article 29 – paragraph 4 – subparagraph 1
Manufacturers of EHR systems placed on the market shall report any serious incident involving an EHR system to the market surveillance authorities of the Member States where such serious incident occurred and the corrective actions taken or envisaged by the manufacturer.
Manufacturers of EHR systems placed on the market shall report any serious incident involving an EHR system to the market surveillance authorities, or, in cases involving personal data, the supervisory authorities under Regulation (EU) 2016/679 of the Member States where such serious incident occurred and the corrective actions taken or envisaged by the manufacturer.
Amendment 273
Proposal for a regulation
Article 29 – paragraph 4 – subparagraph 2
Such notification shall be made, without prejudice to incident notification requirements under Directive (EU) 2016/1148, immediately after the manufacturer has established a causal link between the EHR system and the serious incident or the reasonable likelihood of such a link, and, in any event, not later than 15 days after the manufacturer becomes aware of the serious incident involving the EHR system.
Such notification shall be made, without prejudice to incident notification requirements under Directive (EU) 2016/1148, immediately after the manufacturer has established a causal link between the EHR system and the serious incident or the reasonable likelihood of such a link, and, in any event, not later than 7 days after the manufacturer becomes aware of the serious incident involving the EHR system.
Amendment 274
Proposal for a regulation
Article 29 – paragraph 5
5.  The market surveillance authorities referred to in paragraph 4 shall inform the other market surveillance authorities, without delay, of the serious incident and the corrective action taken or envisaged by the manufacturer or required of it to minimise the risk of recurrence of the serious incident.
5.  The authorities referred to in paragraph 4 shall inform the other authorities, without delay, of the serious incident and the corrective action taken or envisaged by the manufacturer or required of it to minimise the risk of recurrence of the serious incident.
Amendment 275
Proposal for a regulation
Article 30 – paragraph 1 – introductory part
1.  Where a market surveillance authority makes one of the following findings, it shall require the manufacturer of the EHR system concerned, its authorised representative and all other relevant economic operators to put an end to the non-compliance concerned:
1.  Where a market surveillance authority makes one, inter alia, of the following findings, it shall require the manufacturer of the EHR system concerned, its authorised representative and all other relevant economic operators to bring the EHR system into conformity:
Amendment 276
Proposal for a regulation
Article 30 – paragraph 1 – point a
(a)  the EHR system is not in conformity with essential requirements laid down in Annex II;
(a)  the EHR system is not in conformity with essential requirements laid down in Annex II and with the common specifications in accordance with Article 23;
Amendment 277
Proposal for a regulation
Article 30 – paragraph 1 – point b
(b)  the technical documentation is either not available or not complete;
(b)  the technical documentation is not available, not complete or not in accordance with Article 24;
Amendment 278
Proposal for a regulation
Article 30 – paragraph 1 – point c
(c)  the EU declaration of conformity has not been drawn up or has not been drawn up correctly;
(c)  the EU declaration of conformity has not been drawn up or has not been drawn up correctly as referred to in Article 26;
Amendment 279
Proposal for a regulation
Article 30 – paragraph 1 – point d a (new)
(da)  the registration obligations of Article 32 have not been fulfilled.
Amendment 280
Proposal for a regulation
Article 30 – paragraph 1 a (new)
1a.  Where, in the course of the evaluation referred to in the first subparagraph, the market surveillance authorities find that the EHR system does not comply with the requirements laid down in this Regulation, they shall require without delay the relevant economic operator to take all appropriate corrective action to bring the EHR system into compliance with those requirements, to withdraw the EHR system from the market, or to recall it within a reasonable period.
Amendment 281
Proposal for a regulation
Article 30 – paragraph 1 b (new)
1b.  Where the relevant economic operator does not take adequate corrective action within the period referred to in Article 29(1), second subparagraph, the market surveillance authorities shall take all appropriate provisional measures to prohibit or restrict the EHR system being made available on their national market, to withdraw the EHR system from that market or to recall it.
The market surveillance authorities shall inform the Commission and the other Member States, without delay, of those measures.
Amendment 282
Proposal for a regulation
Article 30 – paragraph 1 c (new)
1c.  The information referred to in paragraph 1b, second subparagraph, shall include all available details, in particular the data necessary for the identification of the noncompliant EHR system, the origin of that EHR system, the nature of the non-compliance alleged and the risk involved, the nature and duration of the national measures taken and the arguments put forward by the relevant economic operator. In particular, the market surveillance authorities shall indicate whether the noncompliance is due to any of the following:
(a)  failure of the EHR system to meet the requirements relating to the essential requirements set out in Annex II;
(b)  shortcomings in the harmonised standards referred to in Article 23;
(c)  shortcomings in the technical specifications referred to in Article 23.
Amendment 283
Proposal for a regulation
Article 30 – paragraph 1 d (new)
1d.  Member States other than the Member State initiating the procedure under this Article shall without delay inform the Commission and the other Member States of any measures adopted and of any additional information at their disposal relating to the non-compliance of the EHR system concerned, and, in the event of disagreement with the adopted national measure, of their objections.
Amendment 284
Proposal for a regulation
Article 30 – paragraph 1 e (new)
1e.  Where, within three months of receipt of the information referred to in paragraph 1b, second subparagraph, no objection has been raised by either a Member State or the Commission in respect of a provisional measure taken by a Member State, that measure shall be deemed justified.
Amendment 285
Proposal for a regulation
Article 30 a (new)
Article 30a
Union safeguard procedure
1.  Where, on completion of the procedure set out in Article 29(2) and Article 30(1a), objections are raised against a measure taken by a Member State, or where the Commission considers a national measure to be contrary to Union law, the Commission shall without delay enter into consultation with the Member States and the relevant economic operator or operators and shall evaluate the national measure. On the basis of the results of that evaluation, the Commission shall adopt an implementing act in the form of a decision determining whether the national measure is justified or not. The Commission shall address its decision to all Member States and shall immediately communicate it to them and to the relevant economic operator or operators. That implementing act shall be adopted in accordance with the examination procedure referred to in Article 68(2a).
2.  If the national measure is considered justified, all Member States shall take the necessary measures to ensure that the non-compliant EHR system is withdrawn from their market, and shall inform the Commission accordingly. If the national measure is considered unjustified, the Member State concerned shall withdraw that measure. Where the national measure is considered justified and the non-compliance of the EHR system is attributed to shortcomings in the harmonised standards or technical specifications referred to in this Regulation, the Commission shall apply the procedure provided for in Article 11 of Regulation (EU) No 1025/2012.
Amendment 286
Proposal for a regulation
Article 31 – title
Voluntary labelling of wellness applications
Labelling of wellness applications
Amendment 287
Proposal for a regulation
Article 31 – paragraph 1
1.  Where a manufacturer of a wellness application claims interoperability with an EHR system and therefore compliance with the essential requirements laid down in Annex II and common specifications in Article 23, such wellness application may be accompanied by a label, clearly indicating its compliance with those requirements. The label shall be issued by the manufacturer of the wellness application.
1.  Where a manufacturer of a wellness application claims interoperability with an EHR system and therefore compliance with the essential requirements laid down in Annex II and common specifications in Article 23, such wellness application shall be accompanied by a label, clearly indicating its compliance with those requirements. The label shall be issued by the manufacturer of the wellness application and the competent market surveillance authority shall be informed.
Amendment 288
Proposal for a regulation
Article 31 – paragraph 3
3.  The Commission may, by means of implementing acts, determine the format and content of the label. Those implementing acts shall be adopted in accordance with the advisory procedure referred to in Article 68(2).
3.  The Commission shall, by means of implementing acts, determine the format and content of the label. Those implementing acts shall be adopted in accordance with the advisory procedure referred to in Article 68(2).
Amendment 289
Proposal for a regulation
Article 31 – paragraph 4
4.  The label shall be drawn-up in one or more official languages of the Union or languages determined by the Member State(s) in which the in which the wellness application is placed on the market.
4.  The label shall be drawn-up in one or more official languages of the Union, and in the language of the Member State(s) in which the wellness application is placed on the market.
Amendment 290
Proposal for a regulation
Article 31 – paragraph 6
6.  If the wellness application is embedded in a device, the accompanying label shall be placed on the device. 2D barcodes may also be used to display the label.
6.  If the wellness application is an integral part of a device or embedded in a device after its putting into service, the accompanying label shall be shown in the application itself or placed on the device and in the case of software a digital label. 2D barcodes may also be used to display the label.
Amendment 291
Proposal for a regulation
Article 31 – paragraph 9
9.  Each distributor of a wellness application for which a label has been issued shall make the label available to customers at the point of sale in electronic form or, upon request, in physical form.
9.  Each distributor of a wellness application for which a label has been issued shall make the label available to customers at the point of sale in electronic form.
Amendment 292
Proposal for a regulation
Article 31 – paragraph 10
10.  The requirements of this Article shall not apply to wellness applications which are high-risk AI systems as defined under Regulation […] [AI Act COM/2021/206 final].
deleted
Amendment 293
Proposal for a regulation
Article 31 a (new)
Article 31a
Interoperability of wellness applications with EHR systems
1.  Manufacturers of wellness applications may claim interoperability with an EHR system, after relevant conditions are met. When this is the case, the users of such wellness applications shall be duly informed about such interoperability and its effects.
2.  The interoperability of wellness applications with EHR systems shall not mean automatic sharing or transmission of all or part of the health data from the wellness application with the EHR system. The sharing or transmission of such data shall only be possible following the consent of the natural person and in accordance with Article 3(6) of this Regulation and interoperability shall be limited exclusively to this end. The manufacturers of wellness applications claiming interoperability with an EHR system shall ensure that the user is able to choose which categories of health data from the wellness application they want to insert in the EHR system and the circumstance for that sharing or transmission.
3.  Wellness applications shall not be permitted to access the information in EHRs or extract or process information from it.
Amendment 294
Proposal for a regulation
Article 32 – paragraph 1
1.  The Commission shall establish and maintain a publicly available database with information on EHR systems for which an EU declaration of conformity has been issued pursuant to Article 26 and wellness applications for which a label has been issued pursuant to Article 31.
1.  The Commission shall establish and maintain a publicly available database with information on EHR systems for which an EU declaration of conformity has been issued pursuant to Article 26 wellness applications for which a label has been issued pursuant to Article 34.
Amendment 295
Proposal for a regulation
Article 32 – paragraph 3
3.  Medical devices or high-risk AI systems referred to in paragraphs 3 and 4 of Article 14 of this Regulation shall be registered in the database established pursuant to Regulations (EU) 2017/745 or […] [AI Act COM/2021/206 final], as applicable.
3.  Medical devices or high-risk AI systems referred to in paragraphs 3 and 4 of Article 14 of this Regulation shall also be registered in the database established pursuant to Regulations (EU) 2017/745 or […] [AI Act COM/2021/206 final], as applicable.
Amendment 296
Proposal for a regulation
Article 33 – title
Minimum categories of electronic data for secondary use
Categories of electronic health data for secondary use
Amendment 297
Proposal for a regulation
Article 33 – paragraph 1 – introductory part
1.  Data holders shall make the following categories of electronic data available for secondary use in accordance with the provisions of this Chapter:
1.  This Chapter shall apply to the following categories of electronic health data available for secondary use:
Amendment 298
Proposal for a regulation
Article 33 – paragraph 1 – point a
(a)  EHRs;
(a)  electronic health data from EHRs;
Amendment 299
Proposal for a regulation
Article 33 – paragraph 1 – point b
(b)  data impacting on health, including social, environmental behavioural determinants of health;
(b)  data on factors impacting on health, including socio-economic, environmental and behavioural determinants of health;
Amendment 300
Proposal for a regulation
Article 33 – paragraph 1 – point c
(c)  relevant pathogen genomic data, impacting on human health;
(c)  relevant pathogen data, impacting on human health;
Amendment 301
Proposal for a regulation
Article 33 – paragraph 1 – point d
(d)  health-related administrative data, including claims and reimbursement data;
(d)  healthcare-related administrative data, including claims and reimbursement data;
Amendment 302
Proposal for a regulation
Article 33 – paragraph 1 – point e
(e)  human genetic, genomic and proteomic data;
(e)  extracts from human genetic, genomic and proteomic data, such as genetic markers;
Amendment 303
Proposal for a regulation
Article 33 – paragraph 1 – point f
(f)  person generated electronic health data, including medical devices, wellness applications or other digital health applications;
(f)  automatically generated electronic health data, via medical devices;
Amendment 304
Proposal for a regulation
Article 33 – paragraph 1 – point f a (new)
(fa)  data from wellness applications;
Amendment 305
Proposal for a regulation
Article 33 – paragraph 1 – point g
(g)  identification data related to health professionals involved in the treatment of a natural person;
(g)  identification data related to healthcare providers and categories of health professionals involved in the treatment of a natural person or in research;
Amendment 306
Proposal for a regulation
Article 33 – paragraph 1 – point j
(j)  electronic health data from clinical trials;
(j)  electronic health data from clinical trials subject to transparency provisions under Union law;
Amendment 307
Proposal for a regulation
Article 33 – paragraph 1 – point l
(l)  research cohorts, questionnaires and surveys related to health;
(l)  data from research cohorts, questionnaires and surveys related to health;
Amendment 308
Proposal for a regulation
Article 33 – paragraph 1 – point n
(n)  electronic data related to insurance status, professional status, education, lifestyle, wellness and behaviour data relevant to health;
deleted
Amendment 309
Proposal for a regulation
Article 33 – paragraph 2
2.  The requirement in the first subparagraph shall not apply to data holders that qualify as micro enterprises as defined in Article 2 of the Annex to Commission Recommendation 2003/361/EC59 .
2.  The Commission, after consulting the EDPB, EDPS and the Member States, shall adopt guidelines on measures to protect the personal data of health professionals involved in the treatment of natural persons.
__________________
59 Commission Recommendation of 6 May 2003 concerning the definition of micro, small and medium-sized enterprises (OJ L 124, 20.5.2003, p. 36).
Amendment 310
Proposal for a regulation
Article 33 – paragraph 4
4.  Electronic health data entailing protected intellectual property and trade secrets from private enterprises shall be made available for secondary use. Where such data is made available for secondary use, all measures necessary to preserve the confidentiality of IP rights and trade secrets shall be taken.
deleted
Amendment 311
Proposal for a regulation
Article 33 – paragraph 5
5.  Where the consent of the natural person is required by national law, health data access bodies shall rely on the obligations laid down in this Chapter to provide access to electronic health data.
5.  Natural persons shall have the right to opt-out of the processing of their electronic health data for secondary use. Member States shall provide for an accessible and easily understandable opt-out mechanism, whereby natural persons shall be offered the possibility to explicitly express their wish not to have all or part of their personal electronic health data processed for some or all secondary use purposes. The exercise of this right to opt-out shall not affect the lawfulness of the processing that took place under Chapter IV before the individual opted-out.
Amendment 312
Proposal for a regulation
Article 33 – paragraph 5 a (new)
5a.  Without prejudice to paragraph 5, electronic health data referred to under paragraph 1, points (e), (fa) and (m), shall only be made available for secondary use after obtaining the consent of the natural person. Such an opt-in mechanism shall be easily understandable and accessible and provided in a user-friendly format whereby data subjects are made aware of the sensitive nature of the data.
Amendment 313
Proposal for a regulation
Article 33 – paragraph 7
7.  The Commission is empowered to adopt delegated acts in accordance with Article 67 to amend the list in paragraph 1 to adapt it to the evolution of available electronic health data.
deleted
Amendment 314
Proposal for a regulation
Article 33 – paragraph 8
8.  Health data access bodies may provide access to additional categories of electronic health data that they have been entrusted with pursuant to national law or based on voluntary cooperation with the relevant data holders at national level, in particular to electronic health data held by private entities in the health sector.
deleted
Amendment 315
Proposal for a regulation
Article 33 a (new)
Article 33a
IP rights and trade secrets in secondary use
Electronic health data entailing content protected by intellectual property rights, trade secrets or data covered by regulatory data protection shall be made available for secondary use. In those cases, the following procedure shall apply:
(a)  health data access bodies shall take measures necessary to preserve the confidentiality of such data and to ensure such rights are not infringed;
(b)  the Commission shall, after consultation with the EHDS Board, issue guidelines on the identification of commercially confidential information. The guidelines shall outline procedural steps and measures the health data access bodies may undertake to identify and preserve the confidentiality of such information before providing data access to the health data users. The guidance shall be made publicly available;
(c)  health data holders may, when requested to make available to health data access bodies relevant electronic health data pursuant to Article 41(1) which it considers to contain content protected by intellectual property rights, trade secrets or data covered by regulatory data protection, inform the data access body that this is the case and indicate which parts of the datasets are concerned. The determination of which data contains intellectual property, trade secrets or data covered by regulatory data protection shall nevertheless rest with the health data access body;
(d)  health data holders and the health data users may conclude data sharing agreements, in order to share additional data containing protected content protected by intellectual property rights, trade secrets or data covered by regulatory data protection, that would otherwise be made available under point (a). Such agreements shall set out the relevant conditions for the use of such data. The health data holder or the health data user shall inform the health data access body of the conclusion of such an agreement. The Commission shall, by implementing acts draw up templates with standard clauses for such agreements. The implementing acts shall be adopted in accordance with the advisory procedure;
(e)  should the health data access body deem any measures under point (a) to be insufficient to ensure the protection of IP rights, the confidentiality of trade secrets or the data covered by regulatory data protection for regulatory approval, it shall refuse the granting of the relevant health data access permit to the health data user;
(f)  the decision of health data access bodies on the measures in point (a) or the refusal of the data in point (e) shall be binding. Health data holders and health data users shall have the right to lodge a complaint in accordance with Article 38a and to a judicial remedy in accordance with Article 38b regarding such decisions.
Amendment 316
Proposal for a regulation
Article 34 – paragraph 1 – introductory part
1.  Health data access bodies shall only provide access to electronic health data referred to in Article 33 where the intended purpose of processing pursued by the applicant complies with:
1.  Health data access bodies shall only provide access to electronic health data referred to in Article 33 to a health data user where the processing of the data by the data user is necessary for one of the following purposes, and in accordance with Article 6(1), point (c), and Article 9(2), points (g) to (j), of Regulation (EU) 2016/679:
Amendment 317
Proposal for a regulation
Article 34 – paragraph 1 – point a
(a)  activities for reasons of public interest in the area of public and occupational health, such as protection against serious cross-border threats to health, public health surveillance or ensuring high levels of quality and safety of healthcare and of medicinal products or medical devices;
(a)  activities for reasons of public interest in the area of public health, such as protection against serious cross-border threats to health, public health surveillance or ensuring high levels of quality and safety of healthcare and of medicinal products or medical devices;
Amendment 318
Proposal for a regulation
Article 34 – paragraph 1 – point b
(b)  to support public sector bodies or Union institutions, agencies and bodies including regulatory authorities, in the health or care sector to carry out their tasks defined in their mandates;
(b)  to support public sector bodies and Union institutions, agencies and bodies, in the health or care sector to carry out their tasks defined in their mandates where processing is necessary for reasons of substantial public interest in the area of public health;
Amendment 319
Proposal for a regulation
Article 34 – paragraph 1 – point c
(c)  to produce national, multi-national and Union level official statistics related to health or care sectors;
(c)  to produce national, multi-national and Union level official statistics defined in Regulation (EU) No 223/20091a related to health or care sectors;
____________
1a Regulation (EC) No 223/2009 of the European Parliament and of the Council of 11 March 2009 on European statistics and repealing Regulation (EC, Euratom) No 1101/2008 of the European Parliament and of the Council on the transmission of data subject to statistical confidentiality to the Statistical Office of the European Communities, Council Regulation (EC) No 322/97 on Community Statistics, and Council Decision 89/382/EEC, Euratom establishing a Committee on the Statistical Programmes of the European Communities (OJ L 87, 31.3.2009, p. 164).
Amendment 320
Proposal for a regulation
Article 34 – paragraph 1 – point d
(d)  education or teaching activities in health or care sectors;
deleted
Amendment 321
Proposal for a regulation
Article 34 – paragraph 1 – point e
(e)  scientific research related to health or care sectors;
(e)  scientific research related to health or care sectors, contributing to public health or health technology assessment, or ensuring high levels of quality and safety of health care, of medicinal products or of medical devices, with the aim of benefitting the end-users, such as patients, health professionals and health administrators, including:
(i)  development and innovation activities for products or services;
(ii)  training, testing and evaluating of algorithms, including in medical devices, in-vitro diagnostic medical devices, AI systems and digital health applications;
(iii)  university and post-university teaching activities related to scientific research.
Amendment 322
Proposal for a regulation
Article 34 – paragraph 1 – point f
(f)  development and innovation activities for products or services contributing to public health or social security, or ensuring high levels of quality and safety of health care, of medicinal products or of medical devices;
deleted
Amendment 323
Proposal for a regulation
Article 34 – paragraph 1 – point g
(g)  training, testing and evaluating of algorithms, including in medical devices, AI systems and digital health applications, contributing to the public health or social security, or ensuring high levels of quality and safety of health care, of medicinal products or of medical devices;
deleted
Amendment 324
Proposal for a regulation
Article 34 – paragraph 1 – point h
(h)  providing personalised healthcare consisting in assessing, maintaining or restoring the state of health of natural persons, based on the health data of other natural persons.
(h)  improving delivery of care, treatment optimisation and providing personalised healthcare.
Amendment 325
Proposal for a regulation
Article 34 – paragraph 2
2.  Access to electronic health data referred to in Article 33 where the intended purpose of processing pursued by the applicant fulfils one of the purposes referred to in points (a) to (c) of paragraph 1 shall only be granted to public sector bodies and Union institutions, bodies, offices and agencies exercising their tasks conferred to them by Union or national law, including where processing of data for carrying out these tasks is done by a third party on behalf of that public sector body or of Union institutions, agencies and bodies.
2.  The purposes referred to in points (a) to (c) of paragraph 1 shall be reserved for public sector bodies and Union institutions, bodies, offices and agencies exercising their tasks conferred to them by Union or national law, including where processing of data for carrying out these tasks is done by a third party on behalf of that public sector body or of Union institutions, agencies and bodies.
Amendment 326
Proposal for a regulation
Article 34 – paragraph 4
4.  Public sector bodies or Union institutions, agencies and bodies that obtain access to electronic health data entailing IP rights and trade secrets in the exercise of the tasks conferred to them by Union law or national law, shall take all specific measures necessary to preserve the confidentiality of such data.
deleted
Amendment 327
Proposal for a regulation
Article 35 – paragraph -1 (new)
-1.  Secondary use of electronic health data that is not covered by the data permit pursuant to Article 46 or data requests pursuant to Article 47 shall be prohibited.
Amendment 328
Proposal for a regulation
Article 35 – paragraph -1 a (new)
-1a.  Any secondary use of electronic health data for purposes other than those referred to in Article 34 shall be prohibited.
Amendment 329
Proposal for a regulation
Article 35 – paragraph 1 – introductory part
Seeking access to and processing electronic health data obtained via a data permit issued pursuant to Article 46 for the following purposes shall be prohibited:
1.   Seeking access to and processing electronic health data obtained via a data permit issued pursuant to Article 46 or a data request granted pursuant to Article 47 for the following purposes shall be prohibited:
Amendment 330
Proposal for a regulation
Article 35 – paragraph 1 – point a
(a)  taking decisions detrimental to a natural person based on their electronic health data; in order to qualify as “decisions”, they must produce legal effects or similarly significantly affect those natural persons;
(a)  taking decisions detrimental to a natural person or group of natural persons based on their electronic health data; in order to qualify as “decisions”, they must produce legal, economic or social effects or similarly significantly affect those natural persons;
Amendment 331
Proposal for a regulation
Article 35 – paragraph 1 – point b
(b)  taking decisions in relation to a natural person or groups of natural persons to exclude them from the benefit of an insurance contract or to modify their contributions and insurance premiums;
(b)  taking decisions in relation to a natural person or groups of natural persons in relation to job offers or offering less favourable terms in the provision of goods or services, including to exclude them from the benefit of an insurance or credit contract or to modify their contributions and insurance premiums or conditions of loans, or taking any other decisions in relation to a natural person or groups of natural persons having the effect of discriminating on the basis of the health data obtained;
Amendment 332
Proposal for a regulation
Article 35 – paragraph 1 – point c
(c)  advertising or marketing activities towards health professionals, organisations in health or natural persons;
(c)  advertising or marketing activities;
Amendment 333
Proposal for a regulation
Article 35 – paragraph 1 – point e
(e)  developing products or services that may harm individuals and societies at large, including, but not limited to illicit drugs, alcoholic beverages, tobacco products, or goods or services which are designed or modified in such a way that they contravene public order or morality.
(e)  developing products or services that may harm individuals, public health or societies at large, including, but not limited to illicit drugs, alcoholic beverages, tobacco and nicotine products, weaponry or products or services which are designed or modified in such a way that they create addiction or that they contravene public order or morality;
Amendment 334
Proposal for a regulation
Article 35 – paragraph 1 – point e a (new)
(ea)  automated individual decision-making, including profiling, in accordance with Article 22 of the Regulation (EU) 2016/679, whether solely on the basis of the datasets shared under this Regulation or in combination with other data.
Amendment 335
Proposal for a regulation
Article 36 – paragraph 1
1.  Member States shall designate one or more health data access bodies responsible for granting access to electronic health data for secondary use. Member States may either establish one or more new public sector bodies or rely on existing public sector bodies or on internal services of public sector bodies that fulfil the conditions set out in this Article. Where a Member State designates several health data access bodies, it shall designate one health data access body to act as coordinator, with responsibility for coordinating requests with the other health data access bodies.
1.  Member States shall designate one or more health data access bodies responsible for the tasks and obligations referred to in Articles 37, 38 and 39 of this Regulation. Member States may either establish one or more new public sector bodies or rely on existing public sector bodies or on internal services of public sector bodies that fulfil the conditions set out in this Article.
Where a Member State designates several health data access bodies, it shall designate one health data access body to act as coordinator, with responsibility for coordinating data access applications and requests with the other health data access bodies.
Each health data access body shall contribute to the consistent application of this Regulation throughout the Union. For that purpose, the health data access bodies shall cooperate with each other and with the Commission, and, for concerns regarding data protection, with the supervisory authorities under Regulation (EU) 2016/679 as well as with the EDPB and the EDPS.
Amendment 336
Proposal for a regulation
Article 36 – paragraph 2
2.  Member States shall ensure that each health data access body is provided with the human, technical and financial resources, premises and infrastructure necessary for the effective performance of its tasks and the exercise of its powers.
2.  Member States shall ensure that each health data access body is provided with the human and financial resources, including necessary expertise, and ethics bodies, to support their tasks as provided for in Article 37(1), points (a) and (aa), and shall guarantee that all rights of natural persons under this Chapter are respected.
Member States shall also ensure technical resources, premises and infrastructure necessary for the effective performance of its tasks and the exercise of its powers, in a timely manner.
Amendment 337
Proposal for a regulation
Article 36 – paragraph 2 a (new)
2a.  Member States shall ensure that designated separate structures are set up within health data access bodies for the authorisation of the data permit, on the one hand, and for the reception and preparation of the data set, including anonymisation, pseudonymisation of the electronic health data and possible re-identification of natural persons for the purposes of Article 33(5) and 38(3), on the other hand.
Amendment 338
Proposal for a regulation
Article 36 – paragraph 3
3.  In the performance of their tasks, health data access bodies shall actively cooperate with stakeholders’ representatives, especially with representatives of patients, data holders and data users. Staff of health data access bodies shall avoid any conflicts of interest. Health data access bodies shall not be bound by any instructions, when making their decisions.
3.  In the performance of their tasks, health data access bodies shall actively cooperate with relevant stakeholders’ representatives, especially with representatives of patients, consumers, data holders and data users.
Amendment 339
Proposal for a regulation
Article 36 – paragraph 3 a (new)
3a.  Each health data access body shall act with complete independence in performing its tasks and exercising its powers in accordance with this Regulation. The members of the governance and decision-making bodies and staff of each health data access body shall, in the performance of their tasks and exercise of their powers in accordance with this Regulation, remain free from external influence, whether direct or indirect and shall neither seek nor take instructions from any natural or legal person. Members of the governance and decision-making bodies and staff of each health data access body shall refrain from any action incompatible with their duties and shall not, during their term of office, engage in any incompatible occupation, whether gainful or not.
Amendment 340
Proposal for a regulation
Article 37 – paragraph 1 – point a
(a)  decide on data access applications pursuant to Article 45, authorise and issue data permits pursuant to Article 46 to access electronic health data falling within their national remit for secondary use and decide on data requests in accordance with Chapter II of Regulation […] [Data Governance Act COM/2020/767 final] and this Chapter;
(a)  decide on data access applications pursuant to Article 45, including deciding on whether the data shall be made accessible in anonymised or pseudonymised form, based on its own thorough assessment of any reasons provided by the health data applicant pursuant to Article 45(2), point (d);
Amendment 341
Proposal for a regulation
Article 37 – paragraph 1 – point a a (new)
(aa)  assess and issue data permits pursuant to Article 46 of this Regulation and assess data request pursuant to Article 47 of this Regulation to access electronic health data falling within their national remit for secondary use and decide on data requests in accordance with Chapter II of Regulation (EU) .../... […] [Data Governance Act COM/2020/767 final] and this Chapter;
Amendment 342
Proposal for a regulation
Article 37 – paragraph 1 – point a b (new)
(ab)  request electronic health data referred to in Article 33 from relevant health data holders pursuant to a data permit or a data request granted;
Amendment 343
Proposal for a regulation
Article 37 – paragraph 1 – point d
(d)  process electronic health data for the purposes set out in Article 34, including the collection, combination, preparation and disclosure of those data for secondary use on the basis of a data permit;
(d)  process electronic health data for the purposes set out in Article 34, including the combination, preparation, anonymisation and pseudonymisation and disclosure of those data for secondary use on the basis of a data permit, while also ensuring proper security of that data;
Amendment 344
Proposal for a regulation
Article 37 – paragraph 1 – point e
(e)  process electronic health data from other relevant data holders based on a data permit or a data request for a purposes laid down in Article 34;
deleted
Amendment 345
Proposal for a regulation
Article 37 – paragraph 1 – point f
(f)  take all measures necessary to preserve the confidentiality of IP rights and of trade secrets;
(f)  take all measures necessary to preserve the confidentiality of IP rights and regulatory data protection, and the confidentiality of trade secrets as provided for in Article 33a;
Amendment 346
Proposal for a regulation
Article 37 – paragraph 1 – point g
(g)  gather and compile or provide access to the necessary electronic health data from the various data holders whose electronic health data fall within the scope of this Regulation and put those data at the disposal of data users in a secure processing environment in accordance with the requirements laid down in Article 50;
(g)  based on a data permit, put the relevant electronic health data at the disposal of data users in a secure processing environment in accordance with the requirements laid down in Article 50 and store the data for the period of the duration of the data permit;
Amendment 347
Proposal for a regulation
Article 37 – paragraph 1 – point i
(i)  support the development of AI systems, the training, testing and validating of AI systems and the development of harmonised standards and guidelines under Regulation […] [AI Act COM/2021/206 final] for the training, testing and validation of AI systems in health;
deleted
Amendment 348
Proposal for a regulation
Article 37 – paragraph 1 – point j a (new)
(ja)  support data holders that are small enterprises in accordance with Commission Recommendation 2003/361/EC, in particular medical practitioners and pharmacies, to comply with their obligations under Article 41;
Amendment 349
Proposal for a regulation
Article 37 – paragraph 1 – point k
(k)  maintain a management system to record and process data access applications, data requests and the data permits issued and data requests answered, providing at least information on the name of the data applicant, the purpose of access the date of issuance, duration of the data permit and a description of the data application or the data request;
(k)  maintain a management system to record and process data access applications, data requests, the decisions on those applications and the data permits issued and data requests answered, providing at least information on the name of the data applicant, the purpose of access the date of issuance, duration of the data permit and a description of the data application or the data request;
Amendment 350
Proposal for a regulation
Article 37 – paragraph 1 – point m
(m)  cooperate at Union and national level to lay down appropriate measures and requirements for accessing electronic health data in a secure processing environment;
(m)  cooperate at Union and national level to lay down common standards, technical requirements and appropriate measures for accessing electronic health data in a secure processing environment;
Amendment 351
Proposal for a regulation
Article 37 – paragraph 1 – point n
(n)  cooperate at Union and national level and provide advice to the Commission on techniques and best practices for electronic health data use and management;
(n)  cooperate at Union and national level and provide advice to the Commission on techniques and best practices for the secondary use and management of electronic health data;
Amendment 352
Proposal for a regulation
Article 37 – paragraph 1 – point q – point i
(i)  a national dataset catalogue that shall include details about the source and nature of electronic health data, in accordance with Articles 56 and 58, and the conditions for making electronic health data available. The national dataset catalogue shall also be made available to single information points under Article 8 of Regulation […] [Data Governance Act COM/2020/767 final];
(i)  a national dataset catalogue that shall include details about the source and nature of electronic health data, in accordance with Articles 55, 56 and 58, and the conditions for making electronic health data available. The national dataset catalogue shall also be made available to single information points under Article 8 of Regulation […] [Data Governance Act COM/2020/767 final];
Amendment 353
Proposal for a regulation
Article 37 – paragraph 1 – point q – point ii
(ii)  all data permits, requests and applications on their websites within 30 working days after issuance of the data permit or reply to a data request;
(ii)  all health data applications and requests without undue delay after their reception;
Amendment 354
Proposal for a regulation
Article 37 – paragraph 1 – point q – point ii a (new)
(iia)  all health data permits or requests granted as well as denied, together with a justification, within 30 working days of their issuance;
Amendment 355
Proposal for a regulation
Article 37 – paragraph 1 – point q – point iii
(iii)  penalties applied pursuant to Article 43;
(iii)  enforcement measures applied pursuant to Article 43 and administrative fines applied pursuant to Article 43a;
Amendment 356
Proposal for a regulation
Article 37 – paragraph 1 – point r a (new)
(ra)  monitor and supervise compliance by data users and data holders with the requirements laid down in this Chapter; monitoring and supervision shall include regular audits on health data users regarding their processing of electronic health data in the secure processing environment;
Amendment 357
Proposal for a regulation
Article 37 – paragraph 2 – point a
(a)  cooperate with supervisory authorities under Regulation (EU) 2016/679 and Regulation (EU) 2018/1725 in relation to personal electronic health data and the EHDS Board;
(a)  cooperate with supervisory authorities under Regulation (EU) 2016/679 in relation to personal electronic health data and the EHDS Board;
Amendment 358
Proposal for a regulation
Article 37 – paragraph 2 – point a a (new)
(aa)  immediately notify the relevant supervisory authorities under Regulation (EU) 2016/679 of any potential issue related to the processing of personal electronic health data for secondary use, and exchange any relevant information at their disposal to ensure application and enforcement of this Regulation and relevant provisions of Regulation (EU) 2016/679 and this Regulation, including penalties;
Amendment 359
Proposal for a regulation
Article 37 – paragraph 2 – point b
(b)  inform the relevant supervisory authorities under Regulation (EU) 2016/679 and Regulation (EU) 2018/1725 where a health data access body has imposed penalties or other measures pursuant to Article 43 in relation to processing personal electronic health data and where such processing refers to an attempt to re-identify an individual or unlawful processing of personal electronic health data;
(b)  inform the relevant supervisory authorities under Regulation (EU) 2016/679 where a health data access body has imposed enforcement measures pursuant to Article 43 or administrative fines pursuant to Article 43a in relation to processing personal electronic health data and where such processing refers to an attempt to re-identify an individual or unlawful processing of personal electronic health data;
Amendment 360
Proposal for a regulation
Article 37 – paragraph 2 – point c
(c)  cooperate with stakeholders, including patient organisations, representatives from natural persons, health professionals, researchers, and ethical committees, where applicable in accordance with Union and national law;
(c)  cooperate with all relevant stakeholders, including patient organisations, representatives from natural persons, health professionals, researchers, and ethics committees, where applicable in accordance with Union and national law;
Amendment 361
Proposal for a regulation
Article 37 – paragraph 4
4.  The Commission is empowered to adopt delegated acts in accordance with Article 67 to amend the list of tasks in paragraph 1 of this Article, to reflect the evolution of activities performed by health data access bodies.
deleted
Amendment 362
Proposal for a regulation
Article 38 – paragraph 1 – introductory part
1.  Health data access bodies shall make publicly available and easily searchable the conditions under which electronic health data is made available for secondary use, with information concerning:
1.  Health data access bodies shall make publicly available and easily searchable and accessible for natural persons the conditions under which electronic health data is made available for secondary use, with information concerning:
Amendment 363
Proposal for a regulation
Article 38 – paragraph 1 – point a
(a)  the legal basis under which access is granted;
(a)  the legal basis under which access is granted to the health data user;
Amendment 364
Proposal for a regulation
Article 38 – paragraph 1 – point c
(c)  the applicable rights of natural persons in relation to secondary use of electronic health data;
(c)  the applicable rights of natural persons in relation to secondary use of electronic health data, including the right to opt-out pursuant to Article 33(5) and the right to opt-in pursuant to Article 33(5a), and detailed information on how to exercise them;
Amendment 365
Proposal for a regulation
Article 38 – paragraph 1 – point d
(d)  the arrangements for natural persons to exercise their rights in accordance with Chapter III of Regulation (EU) 2016/679;
(d)  the modalities for natural persons to exercise their rights in accordance with Chapter III of Regulation (EU) 2016/679;
Amendment 366
Proposal for a regulation
Article 38 – paragraph 1 – point d a (new)
(da)  the identity and the contact details of the health data access body;
Amendment 367
Proposal for a regulation
Article 38 – paragraph 1 – point d b (new)
(db)  the record on who has been granted access to which sets of electronic health data and a justification regarding the purposes for processing them as referred to in Article 34(1);
Amendment 368
Proposal for a regulation
Article 38 – paragraph 2
2.  Health data access bodies shall not be obliged to provide the specific information under Article 14 of Regulation (EU) 2016/679 to each natural person concerning the use of their data for projects subject to a data permit and shall provide general public information on all the data permits issued pursuant to Article 46.
deleted
Amendment 369
Proposal for a regulation
Article 38 – paragraph 3
3.  Where a health data access body is informed by a data user of a finding that may impact on the health of a natural person, the health data access body may inform the natural person and his or her treating health professional about that finding.
3.  Where a health data access body is informed by a health data user of a significant finding related to the health of a natural person, as referred to in Article 41a(5) of this Regulation, the health data access body shall inform the treating health professional with the relevant competence of the natural person and if that health professional cannot be found, and shall inform the natural person about that finding. Natural persons shall have the right to request not to be informed of such findings. In accordance with Article 23(1), point (i), of Regulation (EU) 2016/679, Member States may restrict the scope of the obligation to inform the natural persons whenever necessary for the protection of the natural persons based on patient safety and ethics, by delaying the communication of their information until a health professional can communicate and explain to the natural persons information that potentially can have an impact on them .
Amendment 370
Proposal for a regulation
Article 38 a (new)
Article 38a
Right to lodge a complaint with a health data access body
1.  Without prejudice to any other administrative or judicial remedy, natural and legal persons shall have the right to lodge a complaint, individually or, where relevant, collectively, with the health data access body, where their rights laid down in this Chapter are affected. Where the complaint concerns the rights of natural persons pursuant to Article 38(1), point (d), of this Regulation, the health data access body shall inform and send a copy of the complaint to the competent supervisory authorities under Regulation (EU) 2016/679.
2.  The health data access body with which the complaint has been lodged shall inform the complainant of the progress of the proceedings and of the decision taken.
3.  Health data access bodies shall cooperate to handle and resolve complaints, including by exchanging all relevant information by electronic means, without undue delay.
4.  Each health data access body shall facilitate submitting complaints, in particular by providing a complaint submission form which can also be completed electronically, without excluding the possibility of using other means of communication.
Amendment 371
Proposal for a regulation
Article 38 b (new)
Article 38b
Right to an effective judicial remedy against a health data access body
1.  Without prejudice to any other administrative or non-judicial remedy, each natural or legal person shall have the right to an effective judicial remedy against a legally binding decision of a health data access body concerning them.
2.  Without prejudice to any other administrative or non-judicial remedy, each natural or legal person shall have the right to an effective judicial remedy where the health data access body which is competent pursuant to Article 37 does not handle a complaint or does not inform the natural or legal person within three months about the progress or outcome of the complaint lodged pursuant to Article 38a.
3.  Proceedings against a health data access body shall be brought before the courts of the Member States where the health data access body is established.
Amendment 372
Proposal for a regulation
Article 39 – paragraph 1 – introductory part
1.  Each health data access body shall publish an annual activity report which shall contain at least the following:
1.  Each health data access body shall publish an annual activity report and make it publicly available on its website, which shall contain at least the following categories of information:
Amendment 373
Proposal for a regulation
Article 39 – paragraph 1 – point a
(a)  information relating to the data access applications for electronic health data access submitted, such as the types of applicants, number of data permits granted or refused, purposes of access and categories of electronic health data accessed, and a summary of the results of the electronic health data uses, where applicable;
(a)  information relating to the data access applications and data requests for electronic health data access submitted, such as the types of applicants, number of data permits granted or refused, purposes of access and categories of electronic health data accessed, and a summary of the results of the electronic health data uses, where applicable;
Amendment 374
Proposal for a regulation
Article 39 – paragraph 1 – point c
(c)  information on the fulfilment of regulatory and contractual commitments by data users and data holders, as well as penalties imposed;
(c)  information on the fulfilment of regulatory and contractual commitments by data users and data holders, as well as the number and amount of administrative fines imposed by health data access bodies;
Amendment 375
Proposal for a regulation
Article 39 – paragraph 1 – point d
(d)  information on audits carried out on data users to ensure compliance of the processing with this Regulation,
(d)  information on audits carried out on data users to ensure compliance of the processing within the secure processing environment as referred to in Article 50 of this Regulation;
Amendment 376
Proposal for a regulation
Article 39 – paragraph 1 – point e
(e)  information on audits on compliance of secure processing environments with the defined standards, specifications and requirements;
(e)  information on internal and third party audits on compliance of secure processing environments with the defined standards, specifications and requirements, as referred to in Article 50(3) of this Regulation;
Amendment 377
Proposal for a regulation
Article 39 – paragraph 1 – point j
(j)  satisfaction from applicants requesting access to data;
deleted
Amendment 378
Proposal for a regulation
Article 39 – paragraph 1 – point l
(l)  number of data quality labels issued, disaggregated per quality category;
(l)  number of data quality labels issued by data holders, disaggregated per quality category;
Amendment 379
Proposal for a regulation
Article 39 – paragraph 2
2.  The report shall be transmitted to the Commission.
2.  The report shall be transmitted to the Commission, which shall make it publicly available on its website.
Amendment 380
Proposal for a regulation
Article 39 – paragraph 3
3.  The Commission is empowered to adopt delegated acts in accordance with Article 67 to modify the content of the annual activity report.
3.  The Commission is empowered to adopt delegated acts in accordance with Article 67 to amend paragraph 1 of this Article by adding categories to those listed in that paragraph.
Amendment 381
Proposal for a regulation
Article 40 – paragraph 1
1.  When processing personal electronic health data, data altruism organisations shall comply with the rules set out in Chapter IV of Regulation […] [Data Governance Act COM/2020/767 final]. Where data altruism organisations process personal electronic health data using a secure processing environment, such environments shall also comply with the requirements set out in Article 50 of this Regulation.
1.  In addition to rules regarding data altruism established by Regulation (EU) 2022/868, where data altruism organisations recognised under Chapter IV of that Regulation process personal electronic health data using a secure processing environment, such environments shall also comply with the requirements set out in Article 50 of this Regulation.
Amendment 382
Proposal for a regulation
Article 40 – paragraph 2
2.  Health data access bodies shall support the competent authorities designated in accordance with Article 23 of Regulation […] [Data Governance Act COM/2020/767 final] in the monitoring of entities carrying out data altruism activities.
2.  Health data access bodies shall support the competent authorities designated in accordance with Article 23 of Regulation (EU) 2022/868 in the monitoring of entities carrying out data altruism activities, where electronic health data are concerned.
Amendment 383
Proposal for a regulation
Article 41 – title
Duties of data holders
Duties of health data holders
Amendment 384
Proposal for a regulation
Article 41 – paragraph 1
1.  Where a data holder is obliged to make electronic health data available under Article 33 or under other Union law or national legislation implementing Union law, it shall cooperate in good faith with the health data access bodies, where relevant.
1.  Health data holders shall make relevant electronic health data under Article 33 available upon request to the health data access body pursuant to a data permit issued or data request granted by such a body. Health data holders shall cooperate in good faith with the health data access bodies, where relevant.
Amendment 385
Proposal for a regulation
Article 41 – paragraph 1 a (new)
1a.  The requirement laid down in the first paragraph shall not apply to data holders that qualify as micro enterprises as defined in Article 2 of the Annex to Commission Recommendation 2003/361/EC.
Amendment 386
Proposal for a regulation
Article 41 – paragraph 1 b (new)
1b.  The health data holder shall put the electronic health data at the disposal of the health data access body within three months of receiving the request from the health data access body. In justified cases, after consultation with the health data holder concerned, that period may be extended by the health data access body for a maximum of two months. The health data access body may decide that the extension is to be shorter than two months.
Amendment 387
Proposal for a regulation
Article 41 – paragraph 1 c (new)
1c.  Paragraphs 1 and 1a of this Article constitute a legal obligation pursuant to Article 6(1), point (c), of this Regulation in combination with Article 9(2), points (g) to (j), of Regulation 2016/679 for the health data holder to disclose personal electronic health data to the health data access body.
Amendment 388
Proposal for a regulation
Article 41 – paragraph 2
2.  The data holder shall communicate to the health data access body a general description of the dataset it holds in accordance with Article 55.
2.  The health data holder shall communicate to the health data access body a general description of the dataset it holds in accordance with Article 55.
Amendment 389
Proposal for a regulation
Article 41 – paragraph 3
3.  Where a data quality and utility label accompanies the dataset pursuant to Article 56, the data holder shall provide sufficient documentation to the health data access body for that body to confirm the accuracy of the label.
3.  Where a data quality and utility label accompanies the dataset pursuant to Article 56, the health data holder shall provide sufficient documentation to the health data access body for that body to confirm the accuracy of the label.
Amendment 390
Proposal for a regulation
Article 41 – paragraph 4
4.  The data holder shall put the electronic health data at the disposal of the health data access body within 2 months from receiving the request from the health data access body. In exceptional cases, that period may be extended by the health data access body for an additional period of 2 months.
deleted
Amendment 391
Proposal for a regulation
Article 41 – paragraph 5
5.  Where a data holder has received enriched datasets following a processing based on a data permit, it shall make available the new dataset, unless it considers it unsuitable and notifies the health data access body in this respect.
5.  Where a health data holder has received enriched datasets following a processing based on a data permit, it shall make available the new dataset, unless it considers it unsuitable and notifies the health data access body in this respect.
Amendment 392
Proposal for a regulation
Article 41 – paragraph 6
6.  Data holders of non-personal electronic health data shall ensure access to data through trusted open databases to ensure unrestricted access for all users and data storage and preservation. Trusted open public databases shall have in place a robust, transparent and sustainable governance and a transparent model of user access.
6.  Health data holders of non-personal electronic health data shall ensure access to data through trusted open databases to ensure unrestricted access for all users and data storage and preservation. Trusted open public databases shall have in place a robust, transparent and sustainable governance and a transparent model of user access.
Amendment 393
Proposal for a regulation
Article 41 – paragraph 7
7.  The Commission is empowered to adopt delegated acts in accordance with Article 67 to amend the duties of the data holders in this Article, to reflect the evolution of activities performed by data holders.
deleted
Amendment 394
Proposal for a regulation
Article 41 a (new)
Article 41a
Duties of health data users
1.  Health data users may access and process the electronic health data for secondary use referred to in Article 33 only in accordance with the data permit issued by the health data access body in accordance with Article 46 of this Regulation.
2.  Health data users shall not re-identify or seek to re-identify the natural persons to whom the electronic health data which they obtained based on the data permit or data request belong. Such conduct shall be considered a serious breach of this Regulation.
3.  Health data users shall make public the results or output of the secondary use of electronic health data, including information relevant for the provision of healthcare, no later than 18 months after the completion of the electronic health data processing or after having received the answer to the data request referred to in Article 47. Those results or output shall not contain personal data. In justified cases, especially cases referred to in Article 34(1), point (e), that period may be extended by the relevant health data access body, after consultation with the health data user. The health data users shall inform the health data access bodies from which a data permit was obtained about the results or output and provide them with necessary support in order to make them public also on health data access bodies’ websites. The result shall also be made publicly available in lay summaries. Whenever the health data users have used electronic health data in accordance with this Chapter, they shall acknowledge the electronic health data sources and the fact that electronic health data has been obtained in the context of the EHDS.
4.  Without prejudice to paragraph 2, health data users shall inform the health data access body of any significant findings related to the health of the natural person whose data are included in the dataset.
5.  The ECDC and the EMA shall, in consultation and cooperation with relevant stakeholders, including representatives of patients, health professionals and researchers, create guidelines in order to help health data users to fulfil their obligation under paragraph 5, especially to determine whether their findings are clinically significant.
6.  Health data users shall cooperate in good faith with the health data access bodies, where relevant.
Amendment 395
Proposal for a regulation
Article 42 – paragraph 1
1.  Health data access bodies and single data holders may charge fees for making electronic health data available for secondary use. Any fees shall include and be derived from the costs related to conducting the procedure for requests, including for assessing a data application or a data request, granting, refusing or amending a data permit pursuant to Articles 45 and 46 or providing an answer to a data request pursuant to Article 47, in accordance with Article 6 of Regulation […] [Data Governance Act COM/2020/767 final]
1.  Health data access bodies may charge fees to health data users for making electronic health data available for secondary use. Any fees shall include and be derived from the costs related to the set up, combination, preparation, anonymisation, pseudonymisation, maintenance, tasks under Article 33a, making available or updating of the dataset and conducting the procedure for requests, including for assessing a data application or a data request, granting, refusing or amending a data permit pursuant to Articles 45 and 46 or providing an answer to a data request pursuant to Article 47, in accordance with Article 6 of Regulation […] [Data Governance Act COM/2020/767 final]. No fees shall be charged to public sector bodies and Union institutions, offices, agencies and bodies when making data available for the purposes referred to in Article 34(1), points (a), (b) and(c). No fees shall be charged to public sector bodies or Union institutions, offices, agencies and bodies with a legal mandate in the field of public health.
Amendment 396
Proposal for a regulation
Article 42 – paragraph 2
2.  Where the data in question are not held by the data access body or a public sector body, the fees may also include compensation for part of the costs for collecting the electronic health data specifically under this Regulation in addition to the fees that may be charged pursuant to paragraph 1. The part of the fees linked to the data holder’s costs shall be paid to the data holder.
2.  In the case of health data holders, where the data in question are not held by the health data access body or a public sector body or a Union institution, office, agency and body, the fees may be derived from the costs for gathering, enriching, and preparing the electronic health data specifically under this Regulation in addition to the fees that may be charged pursuant to paragraph 1. The part of the fees linked to the health data holder’s costs shall be paid to the health data holder.
Amendment 397
Proposal for a regulation
Article 42 – paragraph 4
4.  Any fees charged to data users pursuant to this Article by the health data access bodies or data holders shall be transparent and proportionate to the cost of collecting and making electronic health data available for secondary use, objectively justified and shall not restrict competition. The support received by the data holder from donations, public national or Union funds, to set up, develop or update tat dataset shall be excluded from this calculation. The specific interests and needs of SMEs, public bodies, Union institutions, bodies, offices and agencies involved in research, health policy or analysis, educational institutions and healthcare providers shall be taken into account when setting the fees, by reducing those fees proportionately to their size or budget.
4.  Any fees charged to health data users pursuant to this Article by the health data access bodies or health data holders shall be transparent, non-discriminatory, and proportionate to the cost of making electronic health data available for secondary use, objectively justified and shall not restrict competition. The support received by the health data holder from donations, public national or Union funds, to set up, develop or update that dataset shall be excluded from this calculation. The specific interests and needs of SMEs, public bodies, Union institutions, bodies, offices and agencies involved in research, health policy or analysis, academic and educational institutions, non-commercial entities and healthcare providers shall be taken into account when setting the fees, by reducing those fees proportionately to their size or budget.
Amendment 398
Proposal for a regulation
Article 42 – paragraph 5
5.  Where data holders and data users do not agree on the level of the fees within 1 month of the data permit being granted, the health data access body may set the fees in proportion to the cost of making available electronic health data for secondary use. Where the data holder or the data user disagree with the fee set out by the health data access body, they shall have access to dispute settlement bodies set out in accordance with Article 10 of the Regulation […] [Data Act COM/2022/68 final].
5.  Where health data holders and health data users do not agree on the level of the fees within 1 month of the data permit being granted, the health data access body may set the fees in proportion to the cost of making available electronic health data for secondary use. Where the health data holder or the health data user disagree with the fee set out by the health data access body, they shall have access to dispute settlement bodies set out in accordance with Article 10 of the Regulation […] [Data Act COM/2022/68 final].
Amendment 399
Proposal for a regulation
Article 42 – paragraph 6
6.  The Commission may, by means of implementing acts, lay down principles and rules for the fee policies and fee structures. Those implementing acts shall be adopted in accordance with the advisory procedure referred to in Article 68(2).
6.  The Commission shall, by means of implementing acts, lay down principles and rules for the fee policies and fee structures, including deductions for the entities listed in paragraph 4, second sub-paragraph. Those implementing acts shall be adopted in accordance with the advisory procedure referred to in Article 68(2).
Amendment 400
Proposal for a regulation
Article 43 – title
Penalties by health data access bodies
Enforcement by health data access bodies
Amendment 401
Proposal for a regulation
Article 43 – paragraph 1
1.  Health data access bodies shall monitor and supervise compliance by data users and data holders with the requirements laid down in this Chapter.
deleted
Amendment 402
Proposal for a regulation
Article 43 – paragraph 2
2.  When requesting from data users and data holders the information that is necessary to verify compliance with this Chapter, the health data access bodies shall be proportionate to the performance of the compliance verification task.
2.  When carrying out its monitoring and supervisory tasks to verify compliance with this Chapter, as referred to in Article 37(1), point (ra), the health data access bodies shall request information from health data holders and users that is proportionate for the performance of the task.
Amendment 403
Proposal for a regulation
Article 43 – paragraph 3
3.  Where health data access bodies find that a data user or data holder does not comply with the requirements of this Chapter, they shall immediately notify the data user or data holder of those findings and shall give it the opportunity to state its views within 2 months.
3.  Where health data access bodies find that a health data user or health data holder does not comply with the requirements of this Chapter, they shall immediately notify the health data user or health data holder of those findings and shall give it the opportunity to state its views within 4 weeks.
Where the finding of non-compliance concerns a possible breach of Regulation (EU) 2016/679, the health data access body shall immediately inform the supervisory authorities under Regulation (EU) 2016/679 and provide them with all relevant information at their disposal concerning this finding to ensure application and enforcement of the relevant provisions of that Regulation, including penalties.
Amendment 404
Proposal for a regulation
Article 43 – paragraph 4
4.  Health data access bodies shall have the power to revoke the data permit issued pursuant to Article 46 and stop the affected electronic health data processing operation carried out by the data user in order to ensure the cessation of the non-compliance referred to in paragraph 3, immediately or within a reasonable time limit, and shall take appropriate and proportionate measures aimed at ensuring compliant processing by the data users. In this regard, the health data access bodies shall be able, where appropriate, to revoke the data permit and to exclude the data user from any access to electronic health data for a period of up to 5 years.
4.  Health data access bodies shall have the power to revoke the data permit issued pursuant to Article 46 and stop the affected electronic health data processing operation carried out by the health data user in order to ensure the cessation of the non-compliance referred to in paragraph 3, immediately or without undue delay, and shall take appropriate and proportionate measures aimed at ensuring compliant processing by the health data users. In this regard, the health data access bodies shall be able, where appropriate, to revoke the data permit and to exclude the health data user from any access to electronic health data for a period of up to 5 years.
Amendment 405
Proposal for a regulation
Article 43 – paragraph 5
5.  Where data holders withhold the electronic health data from health data access bodies with the manifest intention of obstructing the use of electronic health data, or do not respect the deadlines set out in Article 41, the health data access body shall have the power to fine the data holder with fines for each day of delay, which shall be transparent and proportionate. The amount of the fines shall be established by the health data access body. In case of repeated breaches by the data holder of the obligation of loyal cooperation with the health data access body, that body can exclude the data holder from participation in the EHDS for a period of up to 5 years. Where a data holder has been excluded from the participation in the EHDS pursuant to this Article, following manifest intention of obstructing the secondary use of electronic health data, it shall not have the right to provide access to health data in accordance with Article 49.
5.  Where health data holders withhold the electronic health data from health data access bodies with the manifest intention of obstructing the use of electronic health data, or do not respect the deadlines set out in Article 41, the health data access body shall have the power to fine the health data holder with fines for each day of delay, which shall be transparent and proportionate. The amount of the fines shall be established by the health data access body. In case of repeated breaches by the health data holder of the obligation of loyal cooperation with the health data access body, that body can exclude the health data holder from submitting data access applications pursuant to Chapter IV for a period of up to 5 years, while still being obliged to make data accessible pursuant to Chapter IV, where applicable.
Amendment 406
Proposal for a regulation
Article 43 – paragraph 6
6.  The health data access body shall communicate the measures imposed pursuant to paragraph 4 and the reasons on which they are based to the data user or holder concerned, without delay, and shall lay down a reasonable period for the data user or holder to comply with those measures.
6.  The health data access body shall communicate the measures imposed pursuant to paragraphs 4 and 5 and the reasons on which they are based to the health data user or holder concerned, without delay, and shall lay down a reasonable period for the health data user or holder to comply with those measures.
Amendment 407
Proposal for a regulation
Article 43 – paragraph 7
7.  Any penalties and measures imposed pursuant to paragraph 4 shall be made available to other health data access bodies.
7.  Any enforcement measures imposed pursuant to paragraph 4 shall be notified to other health data access bodies and made publicly available on the website of the EHDS Board.
Amendment 408
Proposal for a regulation
Article 43 – paragraph 7 a (new)
7a.  The health data access body shall ensure coherent enforcement based on the provisions of this Regulation and Regulation (EU) 2016/679 by taking into account any decision or investigation ongoing in supervisory authorities.
Amendment 409
Proposal for a regulation
Article 43 – paragraph 9
9.  Any natural or legal person affected by a decision of a health data access body shall have the right to an effective judicial remedy against such decision.
deleted
Amendment 410
Proposal for a regulation
Article 43 – paragraph 10
10.  The Commission may issues guidelines on penalties to be applied by the health data access bodies.
10.  The Commission shall issue guidelines on enforcement measures to be applied by the health data access bodies, in accordance with the principles set out in Article 68a.
Amendment 411
Proposal for a regulation
Article 43 a (new)
Article43a
General conditions for the imposition of administrative fines by health data access bodies
1.  Each health data access body shall ensure that the imposition of administrative fines pursuant to this Article in respect of infringements referred to in paragraphs 4 and 5 shall in each individual case be effective, proportionate and dissuasive.
2.  Administrative fines shall, depending on the circumstances of each individual case, be imposed in addition to, or instead of, measures referred to in Article 43(4) and (5). When deciding whether to impose an administrative fine and deciding on the amount of the administrative fine in each individual case due regard shall be given to the following:
(a)  the nature, gravity and duration of the infringement;
(b)  whether any penalties or administrative fines have already been applied by other competent authorities to the same infringing party for the same infringement;
(c)  the intentional or negligent character of the infringement;
(d)  any action taken by the health data holder or health data user to mitigate the damage suffered by natural persons;
(e)  the degree of responsibility of the health data user, taking into account technical and organisational measures implemented by them pursuant to Article 45(2), points (e) and (f),and Article 45(4);
(f)  any relevant previous infringements by the health data holder or health data user;
(g)  the degree of cooperation with the health data access body, in order to remedy the infringement and mitigate the possible adverse effects of the infringement;
(h)  the manner in which the infringement became known to the health data access body, in particular whether, and if so to what extent, the health data user notified the infringement;
(i)  where measures referred to in Article 43(4) and (5) have previously been ordered against the controller or processor concerned with regard to the same subject-matter, compliance with those measures;
(j)  any other aggravating or mitigating factor applicable to the circumstances of the case, such as financial benefits gained, or losses avoided, directly or indirectly, from the infringement.
3.  If a health data holder or health data user intentionally or negligently, for the same or linked health data permits or health data requests, infringes several provisions of this Regulation, the total amount of the administrative fine shall not exceed the amount specified for the gravest infringement.
4.  In accordance with paragraph 2, infringements of the obligations of the health data holder or health data user pursuant to Article 41 and Article 41a(1), (4), (5) and (7) shall be subject to administrative fines of up to 10 000 000 EUR, or in the case of an undertaking, up to 2 % of the total worldwide annual turnover of the preceding financial year, whichever is higher.
5.  Infringements of the following provisions shall, in accordance with paragraph 2, be subject to administrative fines of up to EUR 20 000 000, or in the case of an undertaking, of up to 4 % of the total worldwide annual turnover of the preceding financial year, whichever is higher;
(a)  health data users processing electronic health data obtained via a data permit issued in line with Article 46 for the purposes referred to in Article 35;
(b)  health data users extracting personal health data outside the secure processing environment provided by the health data access body pursuant to Article 50;
(c)  re-identifying or seeking to re-identify the natural persons to whom the electronic health data which they obtained based on the data permit or data request pursuant to Article 41a(3) belong;
(d)  non-compliance with enforcement measures by the health data access body pursuant to Article 43.
6.  Without prejudice to the corrective powers of health data access bodies pursuant to Article 43, each Member State may lay down the rules on whether and to what extent administrative fines may be imposed on public authorities and bodies established in that Member State.
7.  The exercise by the health data access body of its powers under this Article shall be subject to appropriate procedural safeguards in accordance with Union and Member State law, including effective judicial remedies and due process.
8.  Where the legal system of the Member State does not provide for administrative fines, this Article may be applied in such a manner that the fine is initiated by the competent health data access body and imposed by competent national courts, while ensuring that those legal remedies are effective and have an equivalent effect to the administrative fines imposed by health data access bodies. In any event, the fines imposed shall be effective, proportionate and dissuasive. Those Member States shall notify the Commission of the provisions of their laws which they adopt pursuant to this paragraph by ... [date of application of this Regulation] and, without delay, any subsequent amendment law or amendment affecting them.
Amendment 412
Proposal for a regulation
Article 44 – paragraph 1
1.  The health data access body shall ensure that access is only provided to requested electronic health data relevant for the purpose of processing indicated in the data access application by the data user and in line with the data permit granted.
1.  The health data access body shall ensure that access is only provided to requested electronic health data that are adequate, relevant and limited to what is necessary in relation to the purpose of processing indicated in the data access application by the data user and in line with the data permit granted.
Amendment 413
Proposal for a regulation
Article 44 – paragraph 2
2.  The health data access bodies shall provide the electronic health data in an anonymised format, where the purpose of processing by the data user can be achieved with such data, taking into account the information provided by the data user.
2.  The health data access bodies shall provide the electronic health data in an anonymised format, in any event where the purpose of processing by the health data user can be achieved with such data, taking into account the information provided by the health data user.
Amendment 414
Proposal for a regulation
Article 44 – paragraph 3
3.  Where the purpose of the data user’s processing cannot be achieved with anonymised data, taking into account the information provided by the data user, the health data access bodies shall provide access to electronic health data in pseudonymised format. The information necessary to reverse the pseudonymisation shall be available only to the health data access body. Data users shall not re-identify the electronic health data provided to them in pseudonymised format. The data user’s failure to respect the health data access body’s measures ensuring pseudonymisation shall be subject to appropriate penalties.
3.  Where the health data user has sufficiently demonstrated that the purpose of processing cannot be achieved with anonymised data in line with Article 46(1c), taking into account the information provided by the health data user the health data access bodies shall provide access to electronic health data in pseudonymised format. The information necessary to reverse the pseudonymisation shall be available only to the health data access body. Health Data users shall not re-identify the electronic health data provided to them in anonymised or pseudonymised format.
Amendment 415
Proposal for a regulation
Article 44 – paragraph 3 a (new)
3a.  The health data user’s failure to respect the health data access body’s measures ensuring anonymisation and pseudonymisation shall be considered a particularly serious breach of this Regulation and shall be subject to effective, proportionate and dissuasive penalties.
Amendment 416
Proposal for a regulation
Article 44 – paragraph 3 b (new)
3b.  The Commission shall, by means of implementing acts, set out the procedures and requirements, and provide technical tools, for a unified procedure for anonymising and pseudonymising the electronic health data. Those implementing acts shall be adopted in accordance with the advisory procedure referred to in Article 68(2).
Amendment 417
Proposal for a regulation
Article 45 – paragraph 1
1.  Any natural or legal person may submit a data access application for the purposes referred to in Article 34.
1.  Health data applicants may submit a data access application for the purposes referred to in Article 34.
Amendment 418
Proposal for a regulation
Article 45 – paragraph 2 – point -a (new)
(-a)  the health data applicant´s identity, description of professional functions and operations, including the identity of the natural persons who will have access to electronic health data, if a data permit is granted; the list of natural persons can be updated and in that case it shall be notified to the health data access body;
Amendment 419
Proposal for a regulation
Article 45 – paragraph 2 – point a
(a)  a detailed explanation of the intended use of the electronic health data, including for which of the purposes referred to in Article 34(1) access is sought;
(a)  a detailed explanation of the intended use of the electronic health data including for which of the purposes referred to in Article 34(1), access is necessary;
Amendment 420
Proposal for a regulation
Article 45 – paragraph 2 – point a a (new)
(aa)  a description of how the health data applicant is qualified vis-à-vis the intended purposes of data use, including professional qualifications to demonstrate appropriate expertise, consistent with ethical practice and applicable laws and regulations;
Amendment 421
Proposal for a regulation
Article 45 – paragraph 2 – point a b (new)
(ab)  an explanation of the expected benefits and how these benefits contribute to the purposes referred to in Article 34(1);
Amendment 422
Proposal for a regulation
Article 45 – paragraph 2 – point b
(b)  a description of the requested electronic health data, their format and data sources, where possible, including geographical coverage where data is requested from several Member States;
(b)  a description of the requested electronic health data, their timeframe, format and data sources, where possible, including geographical coverage where data is requested from several Member States;
Amendment 423
Proposal for a regulation
Article 45 – paragraph 2 – point c
(c)  an indication whether electronic health data should be made available in an anonymised format;
(c)  an explanation whether electronic health data needs to be made available in a pseudonymised format and why the envisaged purpose for processing cannot be pursued using anonymised data;
Amendment 424
Proposal for a regulation
Article 45 – paragraph 2 – point d
(d)  where applicable, an explanation of the reasons for seeking access to electronic health data in a pseudonymised format;
(d)  a description of the safeguards planned to prevent any other use or any misuse of the electronic health data;
Amendment 425
Proposal for a regulation
Article 45 – paragraph 2 – point e
(e)  a description of the safeguards planned to prevent any other use of the electronic health data;
(e)  a description of the safeguards proportionate to the risks, planned to protect the rights and interests of the health data holder;
Amendment 426
Proposal for a regulation
Article 45 – paragraph 2 – point f
(f)  a description of the safeguards planned to protect the rights and interests of the data holder and of the natural persons concerned;
(f)  for personal electronic health data, a description of the necessary technical and organisational measures pursuant to Article 32 of Regulation (EU) 2016/679; to protect the rights and interests of the natural persons concerned, including to prevent any re-identification of natural persons in the dataset;
Amendment 427
Proposal for a regulation
Article 45 – paragraph 2 – point g
(g)  an estimation of the period during which the electronic health data is needed for processing;
(g)  a justified estimation of the period during which the electronic health data is needed for processing;
Amendment 428
Proposal for a regulation
Article 45 – paragraph 2 – point h a (new)
(ha)  where applicable, information on the assessment of ethical aspects of the processing and details of any necessary ethics approval obtained by the competent ethics committee in line with national law, which may serve to replace their own ethics assessment;
Amendment 429
Proposal for a regulation
Article 45 – paragraph 2 – point h b (new)
(hb)  a plan defining audiences and tools to provide information publicly on the results or outcomes of the access to the data in accordance with Article 46(11);
Amendment 430
Proposal for a regulation
Article 45 – paragraph 2 – point h c (new)
(hc)  a declaration that the intended uses of the data requested do not pose a risk of stigmatisation of or causing harm to the dignity of individuals or the groups to which the dataset requested relates.
Amendment 431
Proposal for a regulation
Article 45 – paragraph 3
3.  Data users seeking access to electronic health data from more than one Member State shall submit a single application to one of the concerned health data access bodies of their choice which shall be responsible for sharing the request with other health data access bodies and authorised participants in HealthData@EU referred to in Article 52, which have been identified in the data access application. For requests to access electronic health data from more than one Member States, the health data access body shall notify the other relevant health data access bodies of the receipt of an application relevant to them within 15 days from the date of receipt of the data access application.
3.  Health data applicants seeking access to electronic health data from more than one Member State shall submit a single application to one of the concerned health data access bodies of their choice which shall be responsible for sharing the application with the other health data access bodies and authorised participants in HealthData@EU referred to in Article 52, which have been identified in the data access application. In such a case, the health data access body shall notify the other relevant health data access bodies of the receipt of an application relevant to them within 15 days from the date of receipt of the data access application.
Amendment 432
Proposal for a regulation
Article 45 – paragraph 4 – introductory part
4.  Where the applicant intends to access the personal electronic health data in a pseudonymised format, the following additional information shall be provided together with the data access application:
4.  Where the health data applicants intend to access the personal electronic health data in a pseudonymised format, the following additional information shall be provided together with the data access application:
Amendment 433
Proposal for a regulation
Article 45 – paragraph 4 – point a
(a)  a description of how the processing would comply with Article 6(1) of Regulation (EU) 2016/679;
(a)  a description of how the processing would comply with applicable Union and national law on data protection and privacy, notably Regulation (EU) 2016/679;
Amendment 434
Proposal for a regulation
Article 45 – paragraph 4 – point b
(b)  information on the assessment of ethical aspects of the processing, where applicable and in line with national law.
deleted
Amendment 435
Proposal for a regulation
Article 45 – paragraph 5 – subparagraph 2
Where the public sector bodies and the Union institutions, bodies, offices and agencies intend to access the electronic health data in pseudonymised format, a description of how the processing would comply with Article 6(1) of Regulation (EU) 2016/679 or Article 5(1) of Regulation (EU) 2018/1725, as applicable, shall also be provided.
deleted
Amendment 436
Proposal for a regulation
Article 45 – paragraph 6
6.  The Commission may, by means of implementing acts, set out the templates for the data access application referred to in this Article, the data permit referred to in Article 46 and the data request referred to in Article 47. Those implementing acts shall be adopted in accordance with the procedure referred to in Article 68(2).
6.  The Commission shall, by means of implementing acts, set out the templates for the data access application referred to in this Article, the data permit referred to in Article 46 and the data request referred to in Article 47. Those implementing acts shall be adopted in accordance with the procedure referred to in Article 68(2).
Amendment 437
Proposal for a regulation
Article 46 – paragraph 1
1.  Health data access bodies shall assess if the application fulfils one of the purposes listed in Article 34(1) of this Regulation, if the requested data is necessary for the purpose listed in the application and if the requirements in this Chapter are fulfilled by the applicant. If that is the case, the health data access body shall issue a data permit.
1.  Health data access bodies shall issue a data permit only when, after an assessment of the data access application, they find that it fulfils all of the following criteria:
(a)  the purpose described in the health data access application is one of the purposes listed in Article 34(1);
(b)   the requested data is necessary, adequate and proportionate for the purpose or purposes listed in the health data access application;
(c)  in the case of pseudonomised data, there is sufficient justification that the purpose cannot be achieved with anonymised data;
(d)  the processing complies with Article 6(1) and Article 9(2) of Regulation (EU) 2016/679 in the case of access to pseudonymised electronic health data;
(e)  the health data applicant demonstrates sufficient technical and organisational measures to prevent any other use or misuse of the electronic health data and to protect the rights and interests of the data holder and of the natural persons concerned;
(f)  the information on the assessment of ethical aspects of the processing, where applicable, is in line with national law;
(g)  all other requirements in this Chapter are fulfilled by the health data applicant.
Amendment 438
Proposal for a regulation
Article 46 – paragraph 2
2.  Health data access bodies shall refuse all applications including one or more purposes listed in Article 35 or where requirements in this Chapter are not met.
2.  Health data access bodies shall refuse all applications where requirements in this Chapter are not met.
Amendment 439
Proposal for a regulation
Article 46 – paragraph 3
3.  A health data access body shall issue or refuse a data permit within 2 months of receiving the data access application. By way of derogation from that Regulation […] [Data Governance Act COM/2020/767 final], the health data access body may extend the period for responding to a data access application by 2 additional months where necessary, taking into account the complexity of the request. In such cases, the health data access body shall notify the applicant as soon as possible that more time is needed for examining the application, together with the reasons for the delay. Where a health data access body fails to provide a decision within the time limit, the data permit shall be issued.
3.  After the health data applicant has demonstrated the effective implementation of their security measures referred to in Article 45(2), points (e) and (f), the health data access body shall issue or refuse a data permit within 2 months of receiving a complete data access application. If the health data access body finds that the data access application is incomplete, it shall notify the health data applicant, who shall be given the possibility of completing their application. If the health data applicant does not fulfil this request within four weeks, a permit shall not be granted. By way of derogation from that Regulation (EU) 2022/868 the health data access body may extend the period for responding to a data access application by 2 additional months where necessary, taking into account the complexity of the request. In such cases, the health data access body shall notify the applicant as soon as possible that more time is needed for examining the application, together with the reasons for the delay.
Amendment 440
Proposal for a regulation
Article 46 – paragraph 4
4.  Following the issuance of the data permit, the health data access body shall immediately request the electronic health data from the data holder. The health data access body shall make available the electronic health data to the data user within 2 months after receiving them from the data holders, unless the health data access body specifies that it will provide the data within a longer specified timeframe.
4.  Following the issuance of the data permit, the health data access body shall immediately request the electronic health data from the data holder and inform them whether the data will be made accessible in anonymised or pseudonymised form. The health data access body shall make available the electronic health data to the health data user within 2 months after receiving them from the data holders.
Amendment 441
Proposal for a regulation
Article 46 – paragraph 5
5.  When the health data access body refuses to issue a data permit, it shall provide a justification for the refusal to the applicant.
5.  When the health data access body refuses to issue a data permit, it shall provide a justification for the refusal to the health data applicant.
Amendment 442
Proposal for a regulation
Article 46 – paragraph 6 – introductory part
6.  The data permit shall set out the general conditions applicable to the data user, in particular:
6.  The data permit shall set out the general conditions applicable to the health data user, in particular:
Amendment 443
Proposal for a regulation
Article 46 – paragraph 6 – point a
(a)  types and format of electronic health data accessed, covered by the data permit, including their sources;
(a)  categories and format of electronic health data accessed, covered by the data permit, including their sources;
Amendment 444
Proposal for a regulation
Article 46 – paragraph 6 – point b
(b)  purpose for which data are made available;
(b)  a detailed description of the purpose for which data are made available;
Amendment 445
Proposal for a regulation
Article 46 – paragraph 6 – point b a (new)
(ba)  the identity of the user as well as the concrete persons who are authorised to have access to the electronic health data in the secure processing environment;
Amendment 446
Proposal for a regulation
Article 46 – paragraph 6 – point d
(d)  information about the technical characteristics and tools available to the data user within the secure processing environment;
(d)  information about the technical characteristics and tools available to the health data user within the secure processing environment;
Amendment 447
Proposal for a regulation
Article 46 – paragraph 6 – point e
(e)  fees to be paid by the data user;
(e)  fees to be paid by the health data user;
Amendment 448
Proposal for a regulation
Article 46 – paragraph 7
7.  Data users shall have the right to access and process the electronic health data in accordance with the data permit delivered to them on the basis of this Regulation.
7.  Data users shall have the right to access and process the electronic health data in a secure processing environment in accordance with the data permit delivered to them on the basis of this Regulation.
Amendment 449
Proposal for a regulation
Article 46 – paragraph 8
8.  The Commission is empowered to adopt delegated acts to amend the list of aspects to be covered by a data permit in paragraph 7 of this Article, in accordance with the procedure set out in Article 67.
8.  The Commission is empowered to adopt delegated acts to amend the list of aspects to be covered by a data permit in paragraph 6 of this Article, in accordance with the procedure set out in Article 67.
Amendment 450
Proposal for a regulation
Article 46 – paragraph 9
9.  A data permit shall be issued for the duration necessary to fulfil the requested purposes which shall not exceed 5 years. This duration may be extended once, at the request of the data user, based on arguments and documents to justify this extension provided, 1 month before the expiry of the data permit, for a period which cannot exceed 5 years. By way of derogation from Article 42, the health data access body may charge increasing fees to reflect the costs and risks of storing electronic health data for a longer period of time exceeding the initial 5 years. In order to reduce such costs and fees, the health data access body may also propose to the data user to store the dataset in storage system with reduced capabilities. The data within the secure processing environment shall be deleted within 6 months following the expiry of the data permit. Upon request of the data user, the formula on the creation of the requested dataset shall be stored by the health data access body.
9.  A data permit shall be issued for the duration necessary to fulfil the requested purposes which shall not exceed 5 years. This duration may be extended once, at the request of the data user, based on arguments and documents to justify this extension provided, 1 month before the expiry of the data permit, for a period which cannot exceed 5 years. By way of derogation from Article 42, the health data access body may charge increasing fees to reflect the costs and risks of storing electronic health data for a longer period of time exceeding the initial 5 years. In order to reduce such costs and fees, the health data access body may also propose to the data user to store the dataset in storage system with reduced capabilities. The data within the secure processing environment shall be deleted without undue delay following the expiry of the data permit. Upon request of the data user, the formula on the creation of the requested dataset shall be stored by the health data access body.
Amendment 451
Proposal for a regulation
Article 46 – paragraph 11
11.  Data users shall make public the results or output of the secondary use of electronic health data, including information relevant for the provision of healthcare, no later than 18 months after the completion of the electronic health data processing or after having received the answer to the data request referred to in Article 47. Those results or output shall only contain anonymised data. The data user shall inform the health data access bodies from which a data permit was obtained and support them to make the information public on health data access bodies’ websites. Whenever the data users have used electronic health data in accordance with this Chapter, they shall acknowledge the electronic health data sources and the fact that electronic health data has been obtained in the context of the EHDS.
deleted
Amendment 452
Proposal for a regulation
Article 46 – paragraph 12
12.  Data users shall inform the health data access body of any clinically significant findings that may influence the health status of the natural persons whose data are included in the dataset.
deleted
Amendment 453
Proposal for a regulation
Article 46 – paragraph 14
14.  The liability of health data access bodies as joint controller is limited to the scope of the issued data permit until the completion of the processing activity.
14.  The liability of health data access bodies as controller is limited to the scope of the issued data permit until the completion of the processing activity and in accordance with Article 51.
Amendment 454
Proposal for a regulation
Article 47 – title
Data request
Health data request
Amendment 455
Proposal for a regulation
Article 47 – paragraph 1
1.  Any natural or legal person may submit a data request for the purposes referred to in Article 34. A health data access body shall only provide an answer to a data request in an anonymised statistical format and the data user shall have no access to the electronic health data used to provide this answer.
1.  The health data applicant may submit a health data request for the purposes referred to in Article 34 with the aim of obtaining an answer only in anonymised or aggregated statistical format. A health data access body shall not provide an answer to a health data request in any other format and the health data user shall have no access to the electronic health data used to provide this answer.
Amendment 456
Proposal for a regulation
Article 47 – paragraph 2 – introductory part
2.  A data request shall include the elements mentioned in paragraphs 2 (a) and (b) of Article 45 and if needed may also include:
2.  A health data request shall include the elements mentioned in paragraphs 2 (a) and (b) of Article 45 and if needed may also include:
Amendment 457
Proposal for a regulation
Article 47 – paragraph 3
3.  Where an applicant has requested a result in an anonymised form, including statistical format, based on a data request, the health data access body shall assess, within 2 months and, where possible, provide the result to the data user within 2 months.
3.  The health data access body shall assess the health data request, within 2 months and, where possible, provide the result to the health data user within 2 months.
Amendment 458
Proposal for a regulation
Article 48 – title
Making data available for public sector bodies and Union institutions, bodies, offices and agencies without a data permit
Making data available, without a data permit, for public sector bodies and Union institutions, bodies, offices and agencies with a legal mandate in the field of public health
Amendment 459
Proposal for a regulation
Article 48 – paragraph 1
By derogation from Article 46 of this Regulation, a data permit shall not be required to access the electronic health data under this Article. When carrying out those tasks under Article 37 (1), points (b) and (c), the health data access body shall inform public sector bodies and the Union institutions, offices, agencies and bodies, about the availability of data within 2 months of the data access application, in accordance with Article 9 of Regulation […] [Data Governance Act COM/2020/767 final]. By way of derogation from that Regulation […] [Data Governance Act COM/2020/767 final ], the health data access body may extend the period by 2 additional months where necessary, taking into account the complexity of the request. The health data access body shall make available the electronic health data to the data user within 2 months after receiving them from the data holders, unless it specifies that it will provide the data within a longer specified timeframe.
By derogation from Article 46 of this Regulation, a health data permit shall not be required to access the electronic health data under this Article. When carrying out those tasks under Article 37 (1), points (b) and (c), the health data access body shall inform public sector bodies and Union institutions, offices, agencies and bodies with a legal mandate in the field of public health, about the availability of data within 2 months of the data access application, in accordance with Article 9 of Regulation […] [Data Governance Act COM/2020/767 final]. By way of derogation from that Regulation […] [Data Governance Act COM/2020/767 final ], the health data access body may extend the period by 2 additional months where necessary, taking into account the complexity of the request. The health data access body shall make available the electronic health data to the health data user within 2 months after receiving them from the health data holders, unless it specifies that it will provide the data within a longer specified timeframe. Articles 43 and 43a shall be applicable to the situations covered under this Article.
Amendment 460
Proposal for a regulation
Article 49
Article 49
deleted
Access to electronic health data from a single data holder
1.  Where an applicant requests access to electronic health data only from a single data holder in a single Member State, by way of derogation from Article 45(1), that applicant may file a data access application or a data request directly to the data holder. The data access application shall comply with the requirements set out in Article 45 and the data request shall comply with requirements in Article 47. Multi-country requests and requests requiring a combination of datasets from several data holders shall be adressed to health data access bodies.
2.  In such case, the data holder may issue a data permit in accordance with Article 46 or provide an answer to a data request in accordance with Article 47. The data holder shall then provide access to the electronic health data in a secure processing environment in compliance with Article 50 and may charge fees in accordance with Article 42.
3.  By way of derogation from Article 51, the single data provider and the data user shall be deemed joint controllers.
4.  Within 3 months the data holder shall inform the relevant health data access body by electronic means of all data access applications filed and all the data permits issued and the data requests fulfilled under this Article in order to enable the health data access body to fulfil its obligations under Article 37(1) and Article 39.
Amendment 461
Proposal for a regulation
Article 50 – paragraph 1 – introductory part
1.  The health data access bodies shall provide access to electronic health data only through a secure processing environment, with technical and organisational measures and security and interoperability requirements. In particular, they shall take the following security measures:
1.  The health data access bodies shall provide access to electronic health data pursuant to a data permit only through a secure processing environment, with technical and organisational measures and security and interoperability requirements. In particular, they shall take the following security measures:
Amendment 462
Proposal for a regulation
Article 50 – paragraph 1 – point b
(b)  minimise the risk of the unauthorised reading, copying, modification or removal of electronic health data hosted in the secure processing environment through state-of-the-art technological means;
(b)  minimise the risk of the unauthorised reading, copying, modification or removal of electronic health data hosted in the secure processing environment through state-of-the-art technical and organisational measures;
Amendment 463
Proposal for a regulation
Article 50 – paragraph 1 – point d
(d)  ensure that data users have access only to the electronic health data covered by their data permit, by means of individual and unique user identities and confidential access modes only;
(d)  ensure that health data users have access only to the electronic health data covered by their data permit, by means of individual and unique user identities and confidential access modes only;
Amendment 464
Proposal for a regulation
Article 50 – paragraph 1 – point e
(e)  keep identifiable logs of access to the secure processing environment for the period of time necessary to verify and audit all processing operations in that environment;
(e)  keep identifiable logs of access to the secure processing environment for the period of time necessary to verify and audit all processing operations in that environment, and in any event for not shorter than one year;
Amendment 465
Proposal for a regulation
Article 50 – paragraph 1 – point f a (new)
(fa)  ensure that the secure processing environment is located within the Union.
Amendment 466
Proposal for a regulation
Article 50 – paragraph 2
2.  The health data access bodies shall ensure that electronic health data can be uploaded by data holders and can be accessed by the data user in a secure processing environment. The data users shall only be able to download non-personal electronic health data from the secure processing environment.
2.  The health data access bodies shall ensure that electronic health data from health data holders in the format determined by the data permit can be uploaded by health data holders and can be accessed by the health data user in a secure processing environment. The health data users shall only be able to download or copy non-personal electronic health data from the secure processing environment, in accordance with Article 37.
Amendment 467
Proposal for a regulation
Article 50 – paragraph 3
3.  The health data access bodies shall ensure regular audits of the secure processing environments.
3.  The health data access bodies shall ensure regular audits, including by third parties, of the secure processing environments and take immediate corrective action for any shortcomings, risks or vulnerabilities identified in the secure processing environments.
Amendment 468
Proposal for a regulation
Article 50 – paragraph 4
4.  The Commission shall, by means of implementing acts, provide for the technical, information security and interoperability requirements for the secure processing environments. Those implementing acts shall be adopted in accordance with the advisory procedure referred to in Article 68(2).
4.  The Commission shall, by means of implementing acts, provide for the technical, organisational, information security, confidentiality, data protection and interoperability requirements for the secure processing environments, after having consulted with ENISA. Those implementing acts shall be adopted in accordance with the advisory procedure referred to in Article 68(2).
Amendment 469
Proposal for a regulation
Article 51 – title
Joint controllers
Controllership
Amendment 470
Proposal for a regulation
Article 51 – paragraph 1
1.  The health data access bodies and the data users, including Union institutions, bodies, offices and agencies, shall be deemed joint controllers of electronic health data processed in accordance with data permit.
1.  The health data holder shall be deemed controller for data made available to the health data access body pursuant to Article 41(1) and (1a) of this Regulation. The health data access body shall be deemed controller for the processing of the personal electronic health data when fulfilling its tasks pursuant to Article 37(1), point (d), of this Regulation. The health data user shall be deemed controller for the processing of personal electronic health data in pseudonymised form in the secure processing environment pursuant to its data permit. The health data access body shall act as a processor for the processing by the health data user pursuant to a data permit in the secure processing environment.
Amendment 471
Proposal for a regulation
Article 52 – paragraph 3
3.  Union institutions, bodies, offices and agencies involved in research, health policy or analysis, shall be authorised participants of HealthData@EU.
3.  Union institutions, bodies, offices and agencies involved in health research, health policy or analysis, shall be authorised participants of HealthData@EU.
Amendment 472
Proposal for a regulation
Article 52 – paragraph 5
5.  Third countries or international organisations may become authorised participants where they comply with the rules of Chapter IV of this Regulation and provide access to data users located in the Union, on equivalent terms and conditions, to the electronic health data available to their health data access bodies. The Commission may adopt implementing acts establishing that a national contact point of a third country or a system established at an international level is compliant with requirements of HealthData@EU for the purposes of secondary use of health data, is compliant with the Chapter IV of this Regulation and provides access to data users located in the Union to the electronic health data it has access to on equivalent terms and conditions. The compliance with these legal, organisational, technical and security requirements, including with the standards for secure processing environments pursuant to Article 50 shall be checked under the control of the Commission. These implementing acts shall be adopted in accordance with the advisory procedure referred to in Article 68 (2). The Commission shall make the list of implementing acts adopted pursuant to this paragraph publicly available.
5.  Third countries or international organisations may become authorised participants where they comply with the rules of Chapter IV of this Regulation, where the transfer stemming from such connection complies with the rules in Chapter V of Regulation (EU) 2016/679 and Article 63a of this Regulation and where provide access to data users located in the Union, on equivalent terms and conditions, to the electronic health data available to their health data access bodies. The Commission may adopt implementing acts establishing that a national contact point of a third country or a system established at an international level is compliant with requirements of HealthData@EU for the purposes of secondary use of health data, is compliant with the Chapter IV of this Regulation and Chapter V of Regulation (EU) 2016/679 and provides access to data users located in the Union to the electronic health data it has access to on equivalent terms and conditions. The compliance with these legal, organisational, technical and security requirements, including with the standards for secure processing environments pursuant to Article 50 shall be checked under the control of the Commission. These implementing acts shall be adopted in accordance with the advisory procedure referred to in Article 68(2). The Commission shall make the list of implementing acts adopted pursuant to this paragraph publicly available.
Amendment 473
Proposal for a regulation
Article 52 – paragraph 12
12.  Member States and the Commission shall seek to ensure interoperability of HealthData@EU with other relevant common European data spaces as referred to in Regulations […] [Data Governance Act COM/2020/767 final] and […] [Data Act COM/2022/68 final].
12.  Member States and the Commission shall seek to ensure interoperability of HealthData@EU with other relevant common European data spaces as referred to in Regulations (EU) 2022/868 and […] [Data Act COM/2022/68 final].
Amendment 474
Proposal for a regulation
Article 52 – paragraph 13 – subparagraph 1 – introductory part
The Commission may, by means of implementing acts, set out:
The Commission shall, by means of delegated acts, set out:
Amendment 475
Proposal for a regulation
Article 52 – paragraph 13 – subparagraph 1 – point a
(a)  requirements, technical specifications, the IT architecture of HealthData@EU, conditions and compliance checks for authorised participants to join and remain connected to HealthData@EU and conditions for temporary or definitive exclusion from HealthData@EU;
(a)  requirements, technical specifications, the IT architecture of HealthData@EU, which shall ensure state-of-the-art data security, confidentiality, and protection of electronic health data in the cross border infrastructure;
Amendment 476
Proposal for a regulation
Article 52 – paragraph 13 – subparagraph 1 – point a a (new)
(aa)  conditions and compliance checks for authorised participants to join and remain connected to HealthData@EU and conditions for temporary or definitive exclusion from HealthData@EU, including specific provisions for cases of serious misconduct or repeated violation;
Amendment 477
Proposal for a regulation
Article 52 – paragraph 13 – subparagraph 2
Those implementing acts shall be adopted in accordance with the advisory procedure referred to in Article 68(2).
The Commission shall consult with the ENISA in the drawing up of the delegated act.
Amendment 478
Proposal for a regulation
Article 53 – title
Access to cross-border sources of electronic health data for secondary use
Access to cross-border registries and databases for secondary use
Amendment 479
Proposal for a regulation
Article 54 – title
Mutual recognition
Cross-border access to and mutual recognition of data permits
Amendment 480
Proposal for a regulation
Article 54 – paragraph 1
1.  When handling an access application for cross-border access to electronic health data for secondary use, health data access bodies and relevant authorised participants shall remain responsible for taking decisions to grant or refuse access to electronic health data within their remit in accordance with the requirements for access laid down in this Chapter.
1.  When handling an access application for cross-border access to electronic health data for secondary use, health data access bodies and relevant authorised participants shall remain responsible for taking decisions to grant or refuse access to electronic health data within their remit in accordance with the requirements for access laid down in this Chapter. After a decision has been made regarding the granting or refusal of the health data permit, the health data access body shall inform the other health data bodies concerned by the same application about the decision.
Amendment 481
Proposal for a regulation
Article 55 – title
Dataset description
Dataset description and dataset catalogue
Amendment 482
Proposal for a regulation
Article 56 – paragraph 2 a (new)
2a.  The health data access body shall assess whether the data meets the requirements in paragraph 3 and shall revoke the label in the event the data does not meet the required quality.
Amendment 483
Proposal for a regulation
Article 56 – paragraph 3 – introductory part
3.  The data quality and utility label shall comply with the following elements:
3.  The data quality and utility label shall cover the following elements:
Amendment 484
Proposal for a regulation
Article 57 – paragraph 1
1.  The Commission shall establish an EU Datasets Catalogue connecting the national catalogues of datasets established by the health data access bodies and other authorised participants in HealthData@EU.
1.  The Commission shall establish an EU Datasets Catalogue connecting the national catalogues of datasets established by the health data access bodies and other authorised participants in HealthData@EU taking into consideration the health interoperability resources already developed across the Union.
Amendment 485
Proposal for a regulation
Article 59 – paragraph 1
The Commission shall support sharing of best practices and expertise, aimed to build the capacity of Member States to strengthen digital health systems for primary and secondary use of electronic health data. To support capacity building, the Commission shall draw up benchmarking guidelines for the primary and secondary use of electronic health data.
The Commission shall support sharing of best practices and expertise, aimed to build the capacity of Member States to strengthen digital health systems for primary and secondary use of electronic health data. To support capacity building, the Commission shall draw up benchmarking guidelines for the primary and secondary use of electronic health data. The Commission shall issue guidance with regard to compliance of data holders with the provisions of Chapter IV, taking into account the specific conditions of data holders that are civil society, researchers, medical societies and SMEs.
Amendment 486
Proposal for a regulation
Article 59 a (new)
Article 59a
Digital health literacy and digital health access
1.  In order to ensure successful implementation of the EHDS, Member States shall support digital health literacy, promote public awareness, including through educational programmes for natural persons, health professionals and stakeholders, to inform the public of the rights and obligations in the EHDS and inform natural persons of the advantages, risks and potential gains to science and society of the primary and secondary use of electronic health data, and offer free of charge accessible training to health professionals in this regard. Those programmes shall be tailored to the needs of specific groups and shall be developed and reviewed, and where necessary updated, on a regular basis in consultation and cooperation with relevant experts and stakeholders.
The Commission shall support Member States in this regard.
2.  Member States shall monitor and evaluate, on a regular basis, the digital health literacy of health professionals and natural persons, in particular about the primary and secondary use of health data, functionalities and conditions as well as rights of natural persons within the EHDS.
3.  Member States shall promote the access to the infrastructure necessary for the effective management of natural persons’ electronic health data, both within primary and secondary use.
4.  Member States shall regularly inform the public at large about the role and benefits of the secondary use of health data and the role of health data access bodies, as well as the risks and consequences linked with individual and collective digital health data rights arising from this Regulation.
Amendment 487
Proposal for a regulation
Article 60 – paragraph 2 a (new)
2a.  Public procurers, national competent authorities, including digital health authorities and health data access bodies, and the Commission shall require, as a condition to procure or fund services provided by controllers and processors established in the Union processing personal electronic health data, that such controllers and processors:
(a)  store those data in the Union, in accordance with Article 60a of this Chapter: and
(b)  have duly demonstrated that they are not subject to third country law conflicting with Union data protection rules.
Amendment 488
Proposal for a regulation
Article 60 a (new)
Article 60a
Storage of personal electronic health data
For the purposes of primary and secondary use of personal electronic health data, the storage of personal electronic health data shall exclusively take place within the territory of the Union, without prejudice to the provisions of Article 63.
Amendment 489
Proposal for a regulation
Article 61 – title
Third country transfer of non-personal electronic data
Sensitive nature of non-personal electronic health data
Amendment 490
Proposal for a regulation
Article 61 – paragraph 1
1.  Non-personal electronic data made available by health data access bodies, that are based on a natural person’s electronic data falling within one of the categories of Article 33 [(a), (e), (f), (i), (j), (k), (m)] shall be deemed highly sensitive within the meaning of Article 5(13) of Regulation […] [Data Governance Act COM/2020/767 final], provided that their transfer to third countries presents a risk of re-identification through means going beyond those likely reasonably to be used, in view of the limited number of natural persons involved in that data, the fact that they are geographically scattered or the technological developments expected in the near future.
1.  Non-personal electronic health data made available by health data access bodies, that are based on a natural person’s electronic data falling within one of the categories of Article 33 shall be deemed highly sensitive within the meaning of Article 5(13) of Regulation […] [Data Governance Act COM/2020/767 final].
Amendment 491
Proposal for a regulation
Article 61 – paragraph 2
2.  The protective measures for the categories of data mentioned in paragraph 1 shall depend on the nature of the data and anonymization techniques and shall be detailed in the Delegated Act under the empowerment set out in Article 5(13) of Regulation […] [Data Governance Act COM/2020/767 final].
2.  The protective measures for the categories of data mentioned in paragraph 1 shall be detailed in the Delegated Act under the empowerment set out in Article 5(13) of Regulation (EU) 2022/868.
Amendment 492
Proposal for a regulation
Article 63 – paragraph 1
In the context of international access and transfer of personal electronic health data, Member States may maintain or introduce further conditions, including limitations, in accordance with and under the conditions of article 9(4) of the Regulation (EU) 2016/679.
International access and transfer of personal electronic health data shall be granted in accordance with Chapter V of Regulation (EU) 2016/679. Member States may maintain or introduce further conditions on international access to, and transfer of, personal electronic health data, including limitations, in accordance with and under the conditions of article 9(4) of the Regulation (EU) 2016/679.
Amendment 493
Proposal for a regulation
Article 63 a (new)
Article 63a
Reciprocity of access to electronic health data for secondary use
1.  Notwithstanding Articles 62 and 63, only entities and bodies that are established in third countries included in the list referred to in paragraph 2 shall be allowed access to electronic health data in the secure processing environment and have the possibility of downloading non-personal electronic health data held in the Union for the purposes of secondary use.
2.  The Commission is empowered to adopt delegated acts in accordance with Article 67 supplementing this Regulation by setting up a list of third countries which are considered to provide for equivalent access to, and transfer of, electronic health data of its data holders for the purposes of secondary use of electronic health data by entities and bodies within the Union.
3.  The Commission shall monitor the list of third countries benefiting from such access, and shall provide for a periodic review of the functioning of this Article.
4.  Where the Commission considers that a third country no longer meets the requirement to be included on the list referred to in paragraph 2, it shall adopt a delegated act to remove such third country that benefits from access.
Amendment 494
Proposal for a regulation
Article 64 – paragraph 1
1.  A European Health Data Space Board (EHDS Board) is hereby established to facilitate cooperation and the exchange of information among Member States. The EHDS Board shall be composed of the high level representatives of digital health authorities and health data access bodies of all the Member States. Other national authorities, including market surveillance authorities referred to in Article 28, European Data Protection Board and European Data Protection Supervisor may be invited to the meetings, where the issues discussed are of relevance for them. The Board may also invite experts and observers to attend its meetings, and may cooperate with other external experts as appropriate. Other Union institutions, bodies, offices and agencies, research infrastructures and other similar structures shall have an observer role.
1.  A European Health Data Space Board (EHDS Board) is hereby established to facilitate cooperation and the exchange of information among Member States. The EHDS Board shall be composed of, one high level representative of digital health authorities and one high level representative of health data access bodies per Member State appointed by the Member State concerned. Where a Member State has designated several health data access bodies, the representative of the coordinating health data access body shall be a member of the EHDS Board;
Other national authorities, including market surveillance authorities referred to in Article 28, European Data Protection Board and European Data Protection Supervisor and Union agencies within the field of public health and cybersecurity shall also be invited to the meetings, where the issues discussed are of relevance for them. The Board may invite stakeholders, experts and observers to attend its meetings, and may cooperate with other external experts as appropriate. Other Union institutions, bodies, offices and agencies, research infrastructures and other similar structures may have an observer role. The EHDS Board shall invite a representative of the European Parliament to attend its meetings as an observer.
Amendment 495
Proposal for a regulation
Article 64 – paragraph 2
2.  Depending on the functions related to the use of electronic health data, the EHDS Board may work in subgroups, where digital health authorities or health data access bodies for a certain area shall be represented. The subgroups may have joint meetings, as required.
2.  Depending on the functions related to the use of electronic health data, the EHDS Board may work in subgroups, where digital health authorities or health data access bodies for a certain area shall be represented. The subgroups may have joint meetings, as required.
Members of the EHDS Board shall not have financial or other interests in industries or economic activities which could affect their impartiality. They shall undertake to act in the public interest and in an independent manner, and shall make an annual declaration of their financial interests. All indirect interests which could relate to such industries or economic activities shall be entered in a register held by the Commission which is accessible to the public, upon request, at the Commission’s offices.
The EHDS Board’s code of conduct shall make reference to the application of this Article, in particular in relation to the acceptance of gifts.
Amendment 496
Proposal for a regulation
Article 64 – paragraph 3
3.  The composition, organisation, functioning and cooperation of the sub-groups shall be set out in the rules of procedure put forward by the Commission.
3.  The EHDS Board shall adopt rules of procedure and a code of conduct, following a proposal from the Commission. Those rules of procedure shall provide for the composition, organisation, functioning and cooperation of the Board and its cooperation with the Advisory Board.
Amendment 497
Proposal for a regulation
Article 64 – paragraph 4
4.  Stakeholders and relevant third parties, including patients’ representatives, shall be invited to attend meetings of the EHDS Board and to participate in its work, depending on the topics discussed and their degree of sensitivity.
deleted
Amendment 498
Proposal for a regulation
Article 64 – paragraph 5
5.  The EHDS Board shall cooperate with other relevant bodies, entities and experts, such as the European Data Innovation Board referred to in Article 26 of Regulation […] [Data Governance Act COM/2020/767 final], competent bodies set up under Article 7 of Regulation […] [Data Act COM/2022/68 final], supervisory bodies set up under Article 17 of Regulation […] [eID Regulation], European Data Protection Board referred to in Article 68 of Regulation (EU) 2016/679 and cybersecurity bodies.
5.  The EHDS Board shall cooperate with other relevant bodies, entities and experts, such as the European Data Innovation Board referred to in Article 26 of Regulation […] [Data Governance Act COM/2020/767 final], competent bodies set up under Article 7 of Regulation […] [Data Act COM/2022/68 final], supervisory bodies set up under Article 17 of Regulation […] [eID Regulation], European Data Protection Board referred to in Article 68 of Regulation (EU) 2016/679 and cybersecurity bodies, in particular the ENISA.
Amendment 499
Proposal for a regulation
Article 64 – paragraph 7 a (new)
7a.  The EHDS Board shall publish meeting dates and minutes of the discussions and publish an annual report on its activities.
Amendment 500
Proposal for a regulation
Article 64 – paragraph 8
8.  The Commission shall, by means of implementing acts, adopt the necessary measures for the establishment, management and functioning of the EHDS Board. Those implementing acts shall be adopted in accordance with the advisory procedure referred to in Article 68(2).
8.  The Commission shall, by means of implementing acts, adopt the necessary measures for the establishment and operations of the EHDS Board. Those implementing acts shall be adopted in accordance with the advisory procedure referred to in Article 68(2).
Amendment 501
Proposal for a regulation
Article 64 a (new)
Article 64a
Advisory forum
1.  An advisory forum to advise the EHDS Board in the fulfilment of its tasks by providing stakeholder input in matters covered by this Regulation is hereby established.
2.  The advisory forum shall be composed of relevant stakeholders, including representatives of patients’ organisations, health professionals, industry, consumer organisations, scientific researchers and academia. The advisory forum shall have a balanced composition and represent the views of different relevant stakeholders.
Where commercial interests are represented in the advisory forum, they shall be balanced between large companies, SMEs and start-ups. Focus on primary and secondary use of electronic health data shall also be balanced.
3.  Members of the advisory forum shall be appointed by the Commission following a public call for interest and a transparent selection procedure, in consultation with the European Parliament. Members of the advisory forum shall make an annual declaration of their interests, which shall be updated whenever relevant and shall be made publicly available.
4.  The term of office of the members of the advisory forum shall be two years and it shall be renewable only once consecutively.
5.  The advisory forum may establish standing or temporary subgroups as appropriate for the purpose of examining specific questions related to the objectives of this Regulation.
6.  The advisory forum shall draw up its rules of procedure and elect one co-chair from among its members whose term of office shall be two years, renewable once. A Commission representative shall be the other co-chair.
7.  The advisory forum shall hold regular meetings. The advisory forum may invite relevant experts and other relevant stakeholders to its meetings. The Chair of the EHDS Board may attend, ex officio, the meetings of the advisory forum.
8.  In fulfilling its tasks as set out in paragraph 1, the advisory forum shall prepare opinions, recommendations or written contributions.
9.  The advisory forum shall prepare an annual report of its activities. That report shall be made publicly available.
Amendment 502
Proposal for a regulation
Article 65 – paragraph -1 (new)
-1.  The EHDS Board shall promote the consistent application of this Regulation.
Amendment 503
Proposal for a regulation
Article 65 – paragraph 1 – point b – introductory part
(b)  to issue written contributions and to exchange best practices on matters related to the coordination of the implementation at Member State level of this Regulation and of the delegated and implementing acts adopted pursuant to it, in particular as regards:
(b)  to issue written contributions and to exchange best practices on matters related to the coordination of the implementation at Member State level of this Regulation and of the delegated and implementing acts adopted pursuant to it, taking into account the regional and local level, in particular as regards:
Amendment 504
Proposal for a regulation
Article 65 – paragraph 1 – point b – point iii
(iii)  other aspects of the primary use of electronic health data.
(iii)  other aspects of the primary use of electronic health data without prejudice to the powers of the supervisory authorities pursuant to Regulation (EU) 2016/679; the written contributions of the EHDS board shall not concern the interpretation or application of rights and obligations under Regulation (EU) 2016/679 or Regulation (EU) 2018/1725.
Amendment 505
Proposal for a regulation
Article 65 – paragraph 1 – point b a (new)
(ba)  to provide guidance and recommendations to digital health authorities;
Amendment 506
Proposal for a regulation
Article 65 – paragraph 1 – point d
(d)  to share information concerning risks posed by EHR systems and serious incidents as well as their handling;
(d)  to share among the Members of the Board information concerning risks posed by EHR systems and serious incidents as well as their handling, without prejudice to the obligation to inform competent supervisory authorities pursuant to Regulation (EU) 2016/679;
Amendment 507
Proposal for a regulation
Article 65 – paragraph 1 – point e
(e)  to facilitate the exchange of views on the primary use of electronic health data with the relevant stakeholders, including representatives of patients, health professionals, researchers, regulators and policy makers in the health sector.
(e)  to facilitate the exchange of views on the primary use of electronic health data with the Advisory Forum referred to in Article 64(a), regulators and policy makers in the health sector to support the design of aligned implementation strategies, guidance and standards and to assess the needs for further improvement. In addition, the co-chairs of the advisory forum shall be invited at least once annually to a meeting of the EHDS Board to present its activities.
Amendment 508
Proposal for a regulation
Article 65 – paragraph 2 – point b – point v
(v)  the establishment and application of penalties;
deleted
Amendment 509
Proposal for a regulation
Article 65 – paragraph 2 – point b – point vi
(vi)  other aspects of the secondary use of electronic health data.
(vi)  other aspects of the secondary use of electronic health data without prejudice to the powers of the supervisory authorities pursuant to Regulation (EU) 2016/679.
Amendment 510
Proposal for a regulation
Article 65 – paragraph 2 – point c
(c)  to facilitate cooperation between health data access bodies through capacity-building, establishing the structure for annual activity reporting, peer-review of annual activity reports and exchange of information;
(c)  to facilitate cooperation and exchange of best practices between health data access bodies through capacity-building, establishing the structure for annual activity reporting, peer-review of annual activity reports and exchange of information pursuant to the obligations laid down in Article 37(1), point (q);
Amendment 511
Proposal for a regulation
Article 65 – paragraph 2 – point d
(d)  to share information concerning risks and data protection incidents related to secondary use of electronic health data, as well as their handling;
(d)  to share information concerning risks and data protection incidents related to secondary use of electronic health data, as well as their handling; without prejudice to the obligation to inform competent supervisory authorities pursuant to Regulation (EU) 2016/679;
Amendment 512
Proposal for a regulation
Article 65 – paragraph 2 – point f
(f)  to facilitate the exchange of views on the secondary use of electronic health data with the relevant stakeholders, including representatives of patients, health professionals, researchers, regulators and policy makers in the health sector.
(f)  to exchange views on the secondary use of electronic health data with the Advisory Forum referred to in Article 64(a) regulators and policy makers in the health sector, to support the design of aligned implementation strategies, guidance and standards and to assess the needs for further improvement;
Amendment 513
Proposal for a regulation
Article 65 – paragraph 2 – point f a (new)
(fa)  adopt recommendations to facilitate consistent provision of the secure processing environment compliant with the technical, information security and interoperability requirements.
Amendment 514
Proposal for a regulation
Article 65 – paragraph 2 a (new)
2a.  The EHDS board shall provide recommendations to the Commission and the Member States on the implementation and enforcement of this Regulation, including cross-border interoperability of health data, and potential mechanisms of funding support to ensure equal development of health data systems across Europe in respect of the secondary use of electronic health data, without prejudice to the competences of the EDPB, where personal electronic health data are concerned;
Amendment 515
Proposal for a regulation
Article 65 – paragraph 2 b (new)
2b.  The EHDS board may commission studies and other initiatives in order to support the implementation and development of the EHDS.
Amendment 516
Proposal for a regulation
Article 65 – paragraph 2 c (new)
2c.  The EHDS Board shall publish an annual report to include the implementation status of the EHDS and other relevant points of development, including with respect to cross-border health data interoperability, and related implementation challenges.
Amendment 517
Proposal for a regulation
Article 66 – paragraph 3
3.  Stakeholders and relevant third parties, including patients’ representatives, may be invited to attend meetings of the groups and to participate in their work.
3.  Stakeholders and relevant third parties, including patients’, health professionals’, consumers’ and industry representatives, may be invited to attend meetings of the groups and to participate in their work.
Amendment 518
Proposal for a regulation
Article 66 – paragraph 6 a (new)
6a.  The groups shall consult relevant experts when carrying out their tasks, as well as on technical implementing measures related to cybersecurity, confidentiality and data protection, in particular experts from ENISA, EDPB and EDPS.
Amendment 519
Proposal for a regulation
Article 67 – paragraph 2
2.  The power to adopt delegated acts referred to in Articles 5(2), 10(3), 25(3), 32(4), 33(7), 37(4), 39(3), 41(7), 45(7), 46(8), 52(7), 56(4) shall be conferred on the Commission for an indeterminate period of time from the date of entry into force of this Regulation.
2.  The power to adopt delegated acts referred to in Articles 5(2), 7(3), 9(2) 10(3), 13(3) 25(3), 32(4), 37(4), 39(3), 41(7), 45(7), 46(8), 52(7), 52(13), 56(4) and 63a(2) shall be conferred on the Commission for an indeterminate period of time from the date of entry into force of this Regulation.
Amendment 520
Proposal for a regulation
Article 67 – paragraph 3
3.  The power to adopt delegated acts referred to in Articles 5(2), 10(3), 25(3), 32(4), 33(7), 37(4), 39(3), 41(7), 45(7), 46(8), 52(7), 56(4) may be revoked at any time by the European Parliament or by the Council. A decision to revoke shall put an end to the delegation of the power specified in that decision. It shall take effect the day following the publication of the decision in the Official Journal of the European Union or at a later date specified therein. It shall not affect the validity of any delegated acts already in force.
3.  The power to adopt delegated acts referred to in Articles 5(2), 7(3) 37(4), 39(3), 41(7), 45(7), 46(8), 52(7), 52(13), 56(4) and 63a(2) may be revoked at any time by the European Parliament or by the Council. A decision to revoke shall put an end to the delegation of the power specified in that decision. It shall take effect the day following the publication of the decision in the Official Journal of the European Union or at a later date specified therein. It shall not affect the validity of any delegated acts already in force.
Amendment 521
Proposal for a regulation
Article 67 – paragraph 6
6.  A delegated act adopted pursuant to Articles 5(2), 10(3), 25(3), 32(4), 33(7), 37(4), 39(3), 41(7), 45(7), 46(8), 52(7), 56(4) shall enter into force only if no objection has been expressed either by the European Parliament or by the Council within a period of 3 months of notification of that act to the European Parliament and to the Council or if, before the expiry of that period, the European Parliament and the Council have both informed the Commission that they will not object. That period shall be extended by 3 months at the initiative of the European Parliament or of the Council.
6.  A delegated act adopted pursuant to Articles 5(2), 7(3), 9(2), 13(3), 25(3), 32(4), 37(4), 39(3), 41(7), 45(7), 46(8), 52(7), 52(13), 56(4) or 63a(2) shall enter into force only if no objection has been expressed either by the European Parliament or by the Council within a period of 3 months of notification of that act to the European Parliament and to the Council or if, before the expiry of that period, the European Parliament and the Council have both informed the Commission that they will not object. That period shall be extended by 3 months at the initiative of the European Parliament or of the Council.
Amendment 522
Proposal for a regulation
Article 68 – paragraph 2 a (new)
2a.  Where reference is made to this paragraph, Article 5 of Regulation (EU) No 182/2011 shall apply.
Amendment 523
Proposal for a regulation
Article 69 – paragraph 1
Member States shall lay down the rules on penalties applicable to infringements of this Regulation and shall take all measures necessary to ensure that they are implemented. The penalties shall be effective, proportionate and dissuasive. Member States shall notify the Commission of those rules and measures by date of application of this Regulation and shall notify the Commission without delay of any subsequent amendment affecting them.
Member States shall lay down the rules on other penalties applicable to infringements of this Regulation in particular for infringements which are not subject to administrative fines pursuant to Article 43a, and shall take all measures necessary to ensure that they are implemented. The penalties shall be effective, proportionate and dissuasive. Member States shall notify the Commission of those rules and measures by date of application of this Regulation and shall notify the Commission without delay of any subsequent amendment affecting them.
Amendment 524
Proposal for a regulation
Article 69 a (new)
Article 69a
Right to receive compensation
Any person who has suffered material or non-material damage as a result of an infringement of this Regulation shall have the right to receive compensation, in accordance with national and Union law.
Amendment 525
Proposal for a regulation
Article 69 b (new)
Article 69b
Representation of a natural person
Where a natural person considers that their rights under this Regulation have been infringed, they shall have the right to mandate a not-for-profit body, organisation or association which is constituted in accordance with the law of a Member State, has statutory objectives which are in the public interest and is active in the field of the protection of personal data, to lodge a complaint on their behalf or to exercise the rights referred to in Article 11a.
Amendment 526
Proposal for a regulation
Article 69 c (new)
Article 69c
Suspension of proceedings
1.  Where a competent court of a Member State seised of proceedings against a decision by a digital health authority or health data access body has reason to believe that proceedings concerning the same access to electronic health data by the same health data user, such as for the same purpose of processing for secondary use are brought before a competent court in another Member State, it shall contact that court in order to confirm the existence of such related proceedings.
2.  Where proceedings concerning the same subject matter and the same digital health authority or health data access body are pending before a court in another Member State, any court other than the court first seised may stay its proceedings or may, at the request of one of the parties, decline jurisdiction in favour of the court first seised if that court has jurisdiction over the proceedings in question and its law permits the consolidation of such related proceedings.
Amendment 527
Proposal for a regulation
Article 70 – paragraph 1
1.  After 5 years from the entry into force of this Regulation, the Commission shall carry out a targeted evaluation of this Regulation especially with regards to Chapter III, and submit a report on its main findings to the European Parliament and to the Council, the European Economic and Social Committee and the Committee of the Regions, accompanied, where appropriate, by a proposal for its amendment. The evaluation shall include an assessment of the self-certification of EHR systems and reflect on the need to introduce a conformity assessment procedure performed by notified bodies.
1.  By 5 years from the entry into force of this Regulation, the Commission shall carry out a targeted evaluation of this Regulation especially with regards to the possibilities to further extend interoperability between EHR systems and electronic health data access services other than those established by the Member States, the possibility of expanding the access to MyHealth@EU infrastructure to third countries and international organisations, the need to update the data categories in Article 33 and the purposes of use in Article 34, the implementation and use by natural persons of the opt-out mechanism in secondary use as referred to in Article 33(5a), and opt-in mechanism in secondary use as referred to in Article 33(5b), the use and implementation of the right referred to in Article 3(9), as well as the application of fees as referred to in Article 42 and submit a report on its main findings to the European Parliament and to the Council, the European Economic and Social Committee and the Committee of the Regions, accompanied, where appropriate, by a proposal for its amendment.
Amendment 528
Proposal for a regulation
Article 70 – paragraph 1 a (new)
1a.  By ... [please insert the date two years from the entry into force of this Regulation], the Commission shall carry out an evaluation of the Union funding attributed to the setting up and functioning of the EHDS, in particular concerning the ability of the bodies established under this Regulation to carry out their tasks and obligations under this Regulation and of Member States in relation to applying the Regulation in a uniform and coherent manner. The Commission shall submit a report on its main findings to the European Parliament and to the Council, the European Economic and Social Committee and the Committee of the Regions, accompanied, where appropriate, by the necessary measures.
Amendment 529
Proposal for a regulation
Article 70 – paragraph 2
2.  After 7 years from the entry into force of this Regulation, the Commission shall carry out an overall evaluation of this Regulation, and submit a report on its main findings to the European Parliament and to the Council, the European Economic and Social Committee and the Committee of the Regions, accompanied, where appropriate, by a proposal for its amendment.
2.  After 7 years from the entry into force of this Regulation, the Commission shall carry out an overall evaluation of this Regulation, and submit a report on its main findings to the European Parliament and to the Council, the European Economic and Social Committee and the Committee of the Regions, accompanied, where appropriate, by a proposal for its amendment or other appropriate measures.
Amendment 530
Proposal for a regulation
Article 71 a (new)
Article 71a
Amendments to Directive (EU) 2020/1828
In the Annex to Directive (EU) 2020/1828, the following point is added:
(XX)  Regulation (EU) XXX of the European Parliament and of the Council on the European Health Data Space.
Amendment 531
Proposal for a regulation
Article 72 – paragraph 2
It shall apply from 12 months after its entry into force.
It shall apply from 24 months after its entry into force.
Amendment 532
Proposal for a regulation
Article 72 – paragraph 3 – point b
(b)  from 3 years after date of entry into application to categories of personal electronic health data referred to in Article 5(1), points (d), (e) and (f), and to EHR systems intended by the manufacturer to process such categories of data;
(b)  from 3 years after date of entry into application to categories of personal electronic health data referred to in Article 5(1), points (d), (e) (f), and (fa) and to EHR systems intended by the manufacturer to process such categories of data;
Amendment 533
Proposal for a regulation
Article 72 – paragraph 3 – point c
(c)  from the date established in delegated acts pursuant to Article 5(2) for other categories of personal electronic health data.
deleted
Amendment 534
Proposal for a regulation
Annex I – Table A - MAIN CHARACTERISTICS OF ELECTRONIC HEALTH DATA CATEGORIES

Text proposed by the Commission

Electronic health data category

Main characteristics of electronic health data included under the category

1.  Patient summary

Electronic health data that includes important clinical facts related to an identified person and that is essential for the provision of safe and efficient healthcare to that person. The following information is part of a patient summary:

1.  Personal details

2.  Contact information

3.  Information on insurance

4.  Allergies

5.  Medical alerts

6.  Vaccination/prophylaxis information, possibly in the form of a vaccination card

7.  Current, resolved, closed or inactive problems

8.  Textual information related to medical history

9.  Medical devices and implants

10.  Procedures

11.  Functional status

12.  Current and relevant past medicines

13.  Social history observations related to health

14.  Pregnancy history

15.  Patient provided data

16.  Observation results pertaining to the health condition

17.  Plan of care

18.  Information on a rare disease such as details about the impact or characteristics of the disease

2.  Electronic prescription

Electronic health data constituting a prescription for a medicinal product as defined in Article 3(k) of Directive 2011/24/EU.

3.  Electronic dispensation

Information on the supply of a medicinal product to a natural person by a pharmacy based on an electronic prescription.

4.  Medical image and image report

Electronic health data related to the use of or produced by technologies that are used to view the human in order to prevent, diagnose, monitor, or treat medical conditions.

5.  Laboratory result

Electronic health data representing results of studies performed notably through in vitro diagnostics such as clinical biochemistry, haematology, transfusion medicine, microbiology, immunology, and others, and including, where relevant, reports supporting the interpretation of the results.

6.  Discharge report

Electronic health data related to a healthcare encounter or episode of care and including essential information about admission, treatment and discharge of a natural person.

Amendment

Electronic health data category

Main characteristics of electronic health data included under the category

1.  Patient summary

Electronic health data that includes important clinical facts related to an identified person and that is essential for the provision of safe and efficient healthcare to that person. The patient summary shall be harmonised across Member States and include a minimum data set that can be expanded to include disease-specific data. The following information is part of a patient summary:

1.  Personal details

2.  Contact information

3.  Information on insurance

4.  Allergies

5.  Medical alerts

6.  Vaccination/prophylaxis information, possibly in the form of a vaccination card

7.  Current, resolved, closed or inactive problems

8.  Textual information related to medical history

9.  Medical devices and implants

10.  Procedures

11.  Functional status

12.  Current and relevant past medicines

13.  Social history observations related to health

14.  Pregnancy history

15.  Patient provided data

16.  Observation results pertaining to the health condition

17.  Plan of care

18.  Information on a rare disease such as details about the impact or characteristics of the disease

18a.  (new) Blood type

2.  Electronic prescription

Electronic health data constituting a prescription for a medicinal product as defined in Article 3(k) of Directive 2011/24/EU.

3.  Electronic dispensation

Information on the supply of a medicinal product to a natural person by a pharmacy based on an electronic prescription.

4.  Medical image and image report

Electronic health data related to the use of or produced by technologies that are used to view the human in order to prevent, diagnose, monitor, or treat medical conditions.

5.  Laboratory result

Electronic health data representing results of studies performed notably through in vitro diagnostics such as clinical biochemistry, haematology, transfusion medicine, microbiology, immunology, and others, and including, where relevant, reports supporting the interpretation of the results.

6.  Discharge report

Electronic health data related to a healthcare encounter or episode of care and including essential information about admission, treatment and discharge of a natural person.

Amendment 535
Proposal for a regulation
Annex I – Table A - MAIN CHARACTERISTICS OF ELECTRONIC HEALTH DATA CATEGORIES

Text proposed by the Commission

Electronic health data category

Main characteristics of electronic health data included under the category

1.  Patient summary

Electronic health data that includes important clinical facts related to an identified person and that is essential for the provision of safe and efficient healthcare to that person. The following information is part of a patient summary:

1.  Personal details

2.  Contact information

3.  Information on insurance

4.  Allergies

5.  Medical alerts

6.  Vaccination/prophylaxis information, possibly in the form of a vaccination card

7.  Current, resolved, closed or inactive problems

8.  Textual information related to medical history

9.  Medical devices and implants

10.  Procedures

11.  Functional status

12.  Current and relevant past medicines

13.  Social history observations related to health

14.  Pregnancy history

15.  Patient provided data

16.  Observation results pertaining to the health condition

17.  Plan of care

18.  Information on a rare disease such as details about the impact or characteristics of the disease

2.  Electronic prescription

Electronic health data constituting a prescription for a medicinal product as defined in Article 3(k) of Directive 2011/24/EU.

3.  Electronic dispensation

Information on the supply of a medicinal product to a natural person by a pharmacy based on an electronic prescription.

4.  Medical image and image report

Electronic health data related to the use of or produced by technologies that are used to view the human in order to prevent, diagnose, monitor, or treat medical conditions.

5.  Laboratory result

Electronic health data representing results of studies performed notably through in vitro diagnostics such as clinical biochemistry, haematology, transfusion medicine, microbiology, immunology, and others, and including, where relevant, reports supporting the interpretation of the results.

6.  Discharge report

Electronic health data related to a healthcare encounter or episode of care and including essential information about admission, treatment and discharge of a natural person.

Amendment

Electronic health data category

Main characteristics of electronic health data included under the category

1.  Patient summary

Electronic health data that includes important clinical facts related to an identified person and that is essential for the provision of safe and efficient healthcare to that person. The following information is part of a patient summary:

1.  Personal details

2.  Contact information

3.  Information on insurance

4.  Allergies

5.  Medical alerts

6.  Vaccination/prophylaxis information, possibly in the form of a vaccination card

7.  Current, resolved, closed or inactive problems

8.  Textual information related to medical history

9.  Medical devices and implants

10.  Procedures

11.  Functional status

11a.  (new) Prescription, dispensation and administration of current and past medications across the continuum of care, including, hospital and ambulatory/day hospitals

12.  Current and relevant past medicines

13.  Social history observations related to health

14.  Pregnancy history

15.  Patient provided data

16.  Observation results pertaining to the health condition

17.  Plan of care

18.  Information on a rare disease such as details about the impact or characteristics of the disease

2.  Electronic prescription

Electronic health data constituting a prescription for a medicinal product as defined in Article 3(k) of Directive 2011/24/EU.

3.  Electronic dispensation

Information on the supply of a medicinal product to a natural person by a pharmacy based on an electronic prescription.

4.  Medical image and image report

Electronic health data related to the use of or produced by technologies that are used to view the human in order to prevent, diagnose, monitor, or treat medical conditions.

5.  Laboratory result

Electronic health data representing results of studies performed notably through in vitro diagnostics such as clinical biochemistry, haematology, transfusion medicine, microbiology, immunology, and others, and including, where relevant, reports supporting the interpretation of the results.

6.  Discharge report

Electronic health data related to a healthcare encounter or episode of care and including essential information about admission, treatment and discharge of a natural person.

Amendment 536
Proposal for a regulation
Annex I – Table A - MAIN CHARACTERISTICS OF ELECTRONIC HEALTH DATA CATEGORIES

Text proposed by the Commission

Electronic health data category

Main characteristics of electronic health data included under the category

1.  Patient summary

Electronic health data that includes important clinical facts related to an identified person and that is essential for the provision of safe and efficient healthcare to that person. The following information is part of a patient summary:

1.  Personal details

2.  Contact information

3.  Information on insurance

4.  Allergies

5.  Medical alerts

6.  Vaccination/prophylaxis information, possibly in the form of a vaccination card

7.  Current, resolved, closed or inactive problems

8.  Textual information related to medical history

9.  Medical devices and implants

10.  Procedures

11.  Functional status

12.  Current and relevant past medicines

13.  Social history observations related to health

14.  Pregnancy history

15.  Patient provided data

16.  Observation results pertaining to the health condition

17.  Plan of care

18.  Information on a rare disease such as details about the impact or characteristics of the disease

2.  Electronic prescription

Electronic health data constituting a prescription for a medicinal product as defined in Article 3(k) of Directive 2011/24/EU.

3.  Electronic dispensation

Information on the supply of a medicinal product to a natural person by a pharmacy based on an electronic prescription.

4.  Medical image and image report

Electronic health data related to the use of or produced by technologies that are used to view the human in order to prevent, diagnose, monitor, or treat medical conditions.

5.  Laboratory result

Electronic health data representing results of studies performed notably through in vitro diagnostics such as clinical biochemistry, haematology, transfusion medicine, microbiology, immunology, and others, and including, where relevant, reports supporting the interpretation of the results.

6.  Discharge report

Electronic health data related to a healthcare encounter or episode of care and including essential information about admission, treatment and discharge of a natural person.

Amendment

Electronic health data category

Main characteristics of electronic health data included under the category

1.  Patient summary

Electronic health data that includes important clinical facts related to an identified person and that is essential for the provision of safe and efficient healthcare to that person. The patient summary shall be harmonised across Member States and include a minimum data set that can be expanded to include disease-specific data. The following information is part of a patient summary:

1.  Personal details

2.  Contact information

3.  Information on insurance

4.  Allergies

5.  Medical alerts

6.  Vaccination/prophylaxis information, possibly in the form of a vaccination card

7.  Current, resolved, closed or inactive problems in an international classification coding system

8.  Textual information related to medical history

9.  Medical devices and implants

10.  Medical procedures

11.  Functional status

12.  Current and relevant past medicines

13.  Social history observations related to health

14.  Pregnancy history

15.  Patient provided data

16.  Observation results pertaining to the health condition

17.  Plan of care

18.  Information on a rare disease such as details about the impact or characteristics of the disease

2.  Electronic prescription

Electronic health data constituting a prescription for a medicinal product as defined in Article 3(k) of Directive 2011/24/EU.

3.  Electronic dispensation

Information on the supply of a medicinal product to a natural person by a pharmacy based on an electronic prescription.

4.  Medical image and image report

Electronic health data related to the use of or produced by technologies that are used to view the human in order to prevent, diagnose, monitor, or treat medical conditions.

5.  Laboratory result

Electronic health data representing results of studies performed notably through in vitro diagnostics such as clinical biochemistry, haematology, transfusion medicine, microbiology, immunology, and others, and including, where relevant, reports supporting the interpretation of the results.

6.  Discharge report

Electronic health data related to a healthcare encounter or episode of care and including essential information about admission, treatment and discharge of a natural person.

6a.  (new) Medical directives

Electronic health data related to the legal documentation that states a person’s wishes about receiving medical care if that person is no longer able to make medical decisions because of a serious illness or injury and that may also give a person (such as a spouse, relative, or friend) the authority to make medical decisions in such situations. Electronic health data related to the patient's will and consent in specific medical acts.

Amendment 537
Proposal for a regulation
Annex II – point 2 – point 2.3
2.3.  An EHR system that includes a functionality for entering structured personal electronic health data shall enable the entry of data structured in a structured way that supports the data sharing in a structured, commonly used and machine-readable format, enabling system to system communication.
2.3.  An EHR system that includes a functionality for entering structured personal electronic health data shall enable the entry of data structured in a structured way that supports the data sharing in a structured, commonly used, open and machine-readable format, enabling system to system communication.
Amendment 538
Proposal for a regulation
Annex II – point 2 – point 2.5
2.5.  An EHR system shall not include features that prohibit, restrict or place undue burden on authorised exporting of personal electronic health data for the reasons of replacing the EHR system by another product.
2.5.  An EHR system shall not include features that prohibit, restrict or place undue burden on authorised exporting of personal electronic health data for the reasons of replacing the EHR system by another product. Authorised exporting of personal electronic health data shall be free of charge, without undue delay, or in in any event within one month from the request and in a structured, commonly used and machine-readable format, in line with the interoperability and security requirements to be developed according to Articles 23 and 50.
Amendment 539
Proposal for a regulation
Annex II – point 2 – point 2.5 a (new)
2.5a.   An EHR system shall be developed in interoperable format that enables data portability.
Amendment 540
Proposal for a regulation
Annex II – point 3 – point 3.1
3.1.  An EHR system shall be designed and developed in such a way that it ensures safe and secure processing of electronic health data, and that it prevents unauthorised access to such data.
3.1.  An EHR system shall be designed and developed in such a way that it ensures highly safe and secure processing of electronic health data, and that it prevents unauthorised access to such data.
Amendment 541
Proposal for a regulation
Annex II – point 3 – point 3.1
3.1.  An EHR system shall be designed and developed in such a way that it ensures safe and secure processing of electronic health data, and that it prevents unauthorised access to such data.
3.1.  An EHR system shall be designed and developed in such a way that it ensures safe and secure processing of electronic health data, and that it prevents unauthorised access to such data, and that it duly takes into consideration the principles of data minimisation and data protection by design.
Amendment 542
Proposal for a regulation
Annex II – point 3 – point 3.8
3.8.  An EHR system designed for the storage of electronic health data shall support different retention periods and access rights that take into account the origins and categories of electronic health data.
3.8.  An EHR system designed for the storage of electronic health data shall support different retention periods and access rights that take into account the origins and categories of electronic health data as well as the specific purposes of data processing.
Amendment 543
Proposal for a regulation
Annex IV a (new)
ANNEX IVa
1.  EU type-examination is the part of a conformity assessment procedure in which a notified body examines the technical design of an EHR system and verifies and attests that the technical design of the EHR system meets the applicable requirements of this Regulation.
2.  EU type-examination shall be carried out by assessment of the adequacy of the technical design of the EHR system through examination of the technical documentation, plus examination of a specimen of the EHR system that is representative of the production envisaged (production type).
3.  Application for EU type-examination
The manufacturer shall lodge an application for EU type-examination with a single notified body of his or her choice. The application shall include:
(a)  the name and address of the manufacturer and, if the application is lodged by an authorised representative, the name and address of that authorised representative;
(b)  a written declaration that the same application has not been lodged with any other notified body;
(c)  the technical documentation described in Annex III;
(d)  the specimen(s) of the EHR system representative of the production envisaged. The notified body may request further specimens if needed for carrying out the test programme.
4.  EU type-examination
The notified body shall:
(a)  examine the technical documentation to assess the adequacy of the technical design of the EHR system;
(b)  verify that the EHR system has been manufactured in conformity with the technical documentation, and identify the elements that have been designed in accordance with the applicable provisions of the relevant harmonised standards or technical specifications adopted by the Commission;
(c)  carry out appropriate examinations and tests, or have them carried out, to check whether, where the manufacturer has chosen to apply the solutions in the relevant harmonised standards, those have been applied correctly;
(e)  carry out appropriate examinations and tests, or have them carried out, to check whether, where the solutions in the relevant harmonised standards or technical specifications adopted by the Commission, the solutions adopted by the manufacturer, including those in other technical specifications applied, meet the corresponding essential requirements and have been applied correctly.
5.  Evaluation report
The notified body shall draw up an evaluation report that records the activities undertaken in accordance with point 4 and their outcomes. Without prejudice to its obligations vis-à-vis the notifying authorities, as mentioned in Article 27, point (j), the notified body shall release the content of that report, in full or in part, only with the agreement of the manufacturer.
6.  EU type-examination certificate
6.1.  Where the type meets the applicable essential requirements, the notified body shall issue an EU type-examination certificate to the manufacturer. The period of validity of a newly issued certificate and, where appropriate, of a renewed certificate shall not exceed five years.
6.2.  The EU type-examination certificate shall contain at least the following information:
(a)  the name and identification number of the notified body;
(b)  the name and address of the manufacturer and, if the application is lodged by an authorised representative, the name and address of that authorised representative;
(c)  an identification of the EHR system covered by the certificate (type number);
(d)  a statement that the EHR system complies with the applicable essential requirements;
(e)  where harmonised standards or technical specifications adopted by the Commission have been fully or partially applied, the references of those standards or parts thereof;
(f)  where other technical specifications have been applied, the references of those technical specifications;
(g)  where applicable, the performance level(s) or protection class of the machinery product;
(h)  the date of issue, the date of expiry and, where appropriate, the date(s) of renewal;.
(i)  any conditions attached to the issuing of the certificate.
6.3.  Where the type does not satisfy the applicable essential requirements, the notified body shall refuse to issue an EU type-examination certificate and shall inform the applicant accordingly, giving detailed reasons for its refusal.
7.  Review of the EU type-examination certificate
7.1.  The notified body shall keep itself apprised of any changes in the generally acknowledged state of the art, which indicate that the approved type may no longer comply with the applicable essential requirements, and shall determine whether such changes require further investigation. If so, the notified body shall inform the manufacturer accordingly.
7.2.  The manufacturer shall inform the notified body that holds the technical documentation relating to the EU type- examination certificate of all modifications to the approved type and of all modifications to the technical documentation that may affect the conformity of the EHR system with the applicable essential health and safety requirements or the conditions for validity of that certificate. Such modifications shall require additional approval in the form of an addition to the original EU type-examination certificate.
7.3.  The manufacturer shall ensure that the EHR system continues to fulfil the applicable essential requirements in light of the state of the art.
7.4.  The manufacturer shall ask the notified body to review the EU type-examination certificate either:
(a)  in the case of a modification to the approved type referred to in point 7.2;
(b)  in the case of a change in the state of the art referred to in point 7.3;
(c)  at the latest, before the date of expiry of the certificate. In order to allow the notified body to fulfil its tasks, the manufacturer shall submit his or her application at the earliest 12 months and at the latest 6 months prior to the expiry date of the EU type-examination certificate.
7.5.  The notified body shall examine the EHR system type and, where necessary in the light of the changes made, carry out the relevant tests to ensure that the approved type continues to fulfil the applicable essential requirements. If the notified body is satisfied that the approved type continues to fulfil the applicable essential requirements, it shall renew the EU type-examination certificate. The notified body shall ensure that the review procedure is finalised before the expiry date of the EU type-examination certificate.
7.6.  Where the conditions referred to in points (a) and (b) of point 7.4 are not met, a simplified review procedure shall apply. The manufacturer shall supply the notified body with the following:
(a)  His or her name and address and data identifying the EU type-examination certificate concerned;
(b)  confirmation that there has been no modification to the approved type as referred to in point 7.2, nor to the relevant harmonised standards or technical specifications adopted by the Commission or other technical specifications applied;
(c)  confirmation that there has been no change in the state of the art as referred to in point 7.3;
7.7.  If, following the review, the notified body concludes that the EU type-examination certificate is no longer valid, the body shall withdraw it and the manufacturer shall cease the placing on the market of the EHR system concerned.
8.  Each notified body shall inform its notifying authority concerning the EU type-examination certificates and/or any additions thereto which it has issued or withdrawn, and shall, periodically or upon request, make available to its notifying authority the list of such certificates and/or any additions thereto refused, suspended or otherwise restricted. Each notified body shall inform the other notified bodies concerning the EU type-examination certificates and/or any additions thereto, which it has refused, withdrawn, suspended or otherwise restricted, and, upon request, concerning the EU type-examination certificates and/or additions thereto which it has issued.
The Commission, the Member States and the other notified bodies may, on request, obtain a copy of the EU type-examination certificates and/or additions thereto. On request, the Commission and the Member States may obtain a copy of the technical documentation and the results of the examinations carried out by the notified body. The notified body shall keep a copy of the EU type-examination certificate, its annexes and additions, as well as the technical file including the documentation submitted by the manufacturer, for a period of five years after the expiry of the validity of that certificate.
9.  The manufacturer shall keep a copy of the EU type-examination certificate together with the technical documentation at the disposal of the national authorities, for 10 years after the EHR system has been placed on the market.
10.  The manufacturer's authorised representative may lodge the application referred to in point 3 and fulfil the obligations set out in points 7.2, 7.4 and 9, provided that they are specified in the mandate.

(1) The matter was referred back for interinstitutional negotiations to the committees responsible, pursuant to Rule 59(4), fourth subparagraph (A9-0395/2023).

Last updated: 29 May 2024Legal notice - Privacy policy