EHDS: what is the impact for DPOs in the health sector?
The European Health Data Space (EHDS) complements the GDPR by harmonizing access to, exchange of and reuse of health data at EU level, in order to improve care and stimulate innovation. For DPOs, this means a strengthened role in governance, security, compliance and ethics, with new practical obligations (audits, DPIAs, documentation, cooperation with authorities).

The European Health Data Space (EHDS) is redefining the rules for processing health data. For DPOs, this means new responsibilities, especially around governance, security, secondary use of data and patient rights.
DPO notice: In summary, a lot of work and more complexity for the DPO!
Key points to remember:
- The EHDS complements the GDPR to structure the exchange of health data at European level
- The role of the DPO extends to the governance, security and compliance of processing operations covered by the EHDS
- Concrete actions need to be initiated now: audit, DPIA, training, documentation
- Increased ethical vigilance is required for the processing of data on minors and vulnerable persons
- Collaboration with national platforms and authorities is becoming essential
Note that Adequacy includes a Health module covering the various health standards, including the CNIL reference methodologies (MRs).
Understanding the EHDS: origins, objectives and scope
The European Health Data Space (EHDS) represents a major advance in the governance of health data at the European level. Supported by the European Commission, this system is formalized by Regulation (EU) 2025/327 published in the Official Journal of the EU on 5 March 2025, which aims to provide a harmonized framework for the access, exchange and reuse of health data in the Member States.
Regulatory origins and strategic ambitions
The EHDS builds on several European initiatives, including the GDPR (General Data Protection Regulation) and the eHealth directives. Its ambition is twofold: to promote secure access to health data in order to improve care (primary use) and to stimulate innovation through the reuse of that data (secondary use). By opening direct public access to certain categories of health data, the system takes a new step in transparency and the democratization of information. Through this framework, the Commission wants to create a genuinely interoperable and sovereign data infrastructure at EU level.
The EHDS regulation came into force on 26 March 2025, marking the start of a gradual transition period. In particular, it provides for:
- The creation of a common technical and legal framework
- The definition of European interoperability standards
- The establishment of a European data governance body
For DPOs, this creates a strong expectation that the necessary internal transformations will be carried out.
What types of data are involved?
The EHDS regulation applies exclusively to electronic health data, including in particular:
These data are sensitive data within the meaning of Article 9 of the GDPR. Their processing therefore requires strengthened supervision.
Distinction between primary and secondary use
The regulation clearly distinguishes between two types of uses:
EHDS and digital sovereignty
The EHDS introduces the concept of national data access platforms, linked to a centralized European infrastructure. This decentralized but coordinated governance aims to guarantee the technological independence and sovereignty of the Member States.
For healthcare institutions and DPOs, this means:
- The obligation to register certain processing operations with their national platform
- The establishment of secure data transmission channels
- Possible participation in European audits or controls
GDPR vs EHDS

Role and responsibilities of the DPO in the context of the EHDS
The implementation of the EHDS requires a significant evolution in the role of the DPO within health institutions. While the GDPR already conferred a cross-cutting compliance mission, the arrival of this new sectoral regulation places the DPO at the heart of health data governance systems.
From GDPR compliance to EHDS coordination
The GDPR establishes general principles (minimization, purpose limitation, security, etc.) that the DPO is responsible for enforcing. With the EHDS, these principles must be applied in a more constrained framework, harmonized at European level. The DPO becomes the key interlocutor between the institution, the national EHDS platforms and the competent supervisory authorities.
This increase in complexity requires a detailed understanding of the scope of application, in particular for:
- Processing operations integrated into electronic medical record (EMR) systems
- Data transmitted for research or public health policy purposes
- Supervision of pseudonymization prior to any secondary use
Impact assessment (DPIA): a reinforced obligation
In the context of the EHDS, DPIAs take on strategic importance. Any processing operation falling within the scope of secondary use must undergo a rigorous evaluation, covering in particular:
- Identifying the risks of re-identification
- Cross-border flows within the EU
- The compatibility of secondary purposes with the initial framework
The DPO must ensure that these analyses are not perceived as simple documentary formalities but as decision-making tools in the validation of projects involving health data.
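The re-identification risk named above, and the pseudonymization step that must precede any secondary use, are easier to review with a concrete artefact in front of you. The following is an added example, not code from the article or from any EHDS platform: it pseudonymizes a constructed dataset with a per-project keyed pseudonym (HMAC-SHA256, a standard construction) and includes a small check a DPIA reviewer can run to show why a keyless hash of a low-entropy identifier is not a pseudonym at all. The 6-digit local patient IDs, the project keys and the records are all hypothetical.

```python
import hashlib
import hmac
import secrets
from typing import Callable, Dict, Iterable, List, Optional

# Constructed sample records (hypothetical, not real patients).
# "patient_id" stands in for a local, low-entropy identifier such as a 6-digit hospital number.
SAMPLE_RECORDS: List[Dict] = [
    {"patient_id": "000123", "diagnosis": "E11", "year": 2024},
    {"patient_id": "004711", "diagnosis": "I10", "year": 2024},
    {"patient_id": "000123", "diagnosis": "E11", "year": 2025},
]


def new_project_key() -> bytes:
    """Generate a fresh 256-bit secret for one secondary-use project.
    The key stays with the data holder (ideally in a key vault) and is never shipped with the dataset."""
    return secrets.token_bytes(32)


def keyed_pseudonym(identifier: str, project_key: bytes) -> str:
    """HMAC-SHA256 of the identifier under a per-project key.
    Same key -> same pseudonym, so records of one patient stay linkable inside the project;
    different key -> unrelated pseudonym, so two projects cannot be joined on the pseudonym."""
    return hmac.new(project_key, identifier.encode("utf-8"), hashlib.sha256).hexdigest()


def unkeyed_hash(identifier: str) -> str:
    """Plain SHA-256 with no secret. Included only to demonstrate the weakness below."""
    return hashlib.sha256(identifier.encode("utf-8")).hexdigest()


def pseudonymize_dataset(records: List[Dict], project_key: bytes) -> List[Dict]:
    """Replace the direct identifier with a keyed pseudonym and drop the original column."""
    out = []
    for record in records:
        clinical = {k: v for k, v in record.items() if k != "patient_id"}
        clinical["pseudonym"] = keyed_pseudonym(record["patient_id"], project_key)
        out.append(clinical)
    return out


def candidate_ids(space_size: int = 10_000) -> List[str]:
    """Constructed candidate identifier space: every 6-digit ID below space_size.
    A real local-ID scheme is similarly enumerable, which is the point of the check."""
    return [f"{i:06d}" for i in range(space_size)]


def reidentification_check(pseudonym: str, candidates: Iterable[str],
                           pseudonymizer: Callable[[str], str]) -> Optional[str]:
    """DPIA risk check: can this pseudonym be linked back to an identifier by someone who
    knows the pseudonymization function but not the secret key? Returns the matching
    identifier if enumeration succeeds, None otherwise."""
    for cid in candidates:
        if hmac.compare_digest(pseudonymizer(cid), pseudonym):
            return cid
    return None


if __name__ == "__main__":
    key_a = new_project_key()
    dataset = pseudonymize_dataset(SAMPLE_RECORDS, key_a)
    print("pseudonymized:", dataset)
    # Keyless hash: linked back by enumerating the small ID space.
    print("unkeyed ->", reidentification_check(unkeyed_hash("004711"), candidate_ids(), unkeyed_hash))
    # Keyed pseudonym: enumeration without the key finds nothing.
    print("keyed   ->", reidentification_check(keyed_pseudonym("004711", key_a), candidate_ids(), unkeyed_hash))
```

The design choice worth noting for the DPIA is the separation of the key from the data: the pseudonym is only as strong as the secrecy of the project key, so the register entry should record where that key is held, who can use it and when it is destroyed, and a new key should be generated for each project whose data must not be linkable to another.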
Processing register: developments with the EHDS
The record of processing activities provided for in Article 30 of the GDPR must be enriched to include EHDS specificities:
New specific EHDS obligations to be followed by the DPO
Cooperation with European and national authorities
The DPO must strengthen its interactions with several entities:
- CNIL: for formalities relating to health data warehouses (declarations or specific authorizations)
- EHDS Board: the European body that will centralize certain interoperability and access decisions
- Joint data controllers: in particular in GHT (French territorial hospital groups) or inter-establishment projects
- Ethics committees: guarantors of the legitimacy of secondary uses
Governance, Security, and Interoperability: Challenges for DPOs
Data security: strengthened requirements
The processing of sensitive data in a context of cross-border sharing involves reinforced security measures. The EHDS regulation requires:
Access governance and patient rights
A European data space requires careful management of access rights. Patients must be able to exercise their GDPR rights even when their data are processed across borders. The role of the DPO includes:
- Supervision of patient information mechanisms
- Checking the granularity of accesses by role
- Controlling the traceability of accesses and consultations
- Regular review of retention policies
Local EHDS governance model
Anticipating the implementation of EHDS: best practices
Internal health data audit: where do you start?
The DPO's first step must be to map the processing operations potentially concerned. Audit steps:
1. Identify processing operations related to the medical record, PMSI, research and teaching
2. Distinguish between primary use (care) and secondary use (studies, innovation)
3. Verify existing cross-border exchanges (European projects, partnerships)
4. Document the result in a summary table, one row per processing operation
Adapting privacy policies
Information policies must evolve to include:
- The secondary purposes provided by the EHDS
- National access platforms
- Specific rights to object
- Retention periods according to use
Concrete actions to be implemented
EHDS and sensitive data: reinforced ethical vigilance
High-risk processing of data on minors and vulnerable persons
Data relating to the health of minors or vulnerable persons require particular vigilance within the EHDS framework. The DPO must ensure that:
- The legal basis invoked is strictly compliant
- The specific risks are identified in the DPIA
- Strengthened pseudonymization measures are in place
Precautions for EHDS processing of sensitive data
FAQ — EHDS and DPO
- Does the EHDS replace the GDPR in the health sector?
No. The EHDS complements the GDPR with rules specific to the health field, in particular for the secondary use of data.
- Do DPOs need to be certified or trained specifically?
No, no mandatory certification is planned. But specific training on EHDS obligations is highly recommended.
- Do we need to review all existing DPIAs?
Yes. Processing operations falling within the scope of the EHDS require a reassessment of the existing impact assessment.
- What are the sanctions in case of non-compliance with the EHDS?
The sanctions follow the GDPR regime: up to 20 million euros or 4% of global annual turnover.
- Who is responsible in case of unsecured cross-border sharing?
The data controller remains responsible, in coordination with the national EHDS platform and the processors involved.
Sources and references
- Regulation (EU) 2025/327 of the European Parliament and of the Council of 11 February 2025 relating to the European health data space. Official Journal of the European Union, 5 March 2025.
- European Commission (2025). European Health Data Space Regulation (EHDS). Available at: https://health.ec.europa.eu/ehealth-digital-health-and-care/european-health-data-space-regulation-ehds_en
- Health Data Hub (2025). Publication of the regulation on the European Health Data Space (EHDS) in the Official Journal of the EU. March 2025.
- Ministry of Labor, Health, Solidarity and Families (2025). The European health data space. July 2025.
- McDermott Will & Emery (2025). European Health Data Space Regulation enters into force. May 2025.
- Arnold & Porter (2025). European Health Data Space Regulation Published in the EU Official Journal. March 2025.