
GDPR

General Data Protection Regulation

In short: The GDPR (Regulation (EU) 2016/679) is the main text of Union data protection law. It sets out rights for natural persons whose personal data are processed and obligations on the controllers and processors who process them.

(From the EU FAQ / March 2025): Regarding primary use, the EHDS complements the rights of natural persons provided by the GDPR relating to their personal data in specific categories of data relating to health. The EHDS complements for example natural persons' right of access to their own data.

Under the GDPR, they can ask for access to their personal data a controller holds about them. This is a broad right, allowing the person to ask for access to all (or parts of) the personal data that controller holds about them. To reply to access requests, the controller will have to search for and collate the data across their organisation. This takes time and effort. That's why under the GDPR, controllers have up to a month to reply to access requests and can either refuse to act on or charge a fee for overly repetitive or manifestly unfounded requests.

However, in the health sector, people often need certain data right now and cannot afford to wait. That's why the EHDS establishes an additional targeted right of individuals to freely access certain categories of their own electronic health data, such as the patient summary. Access needs to be provided immediately, in practice using a kind of self-service portal. This then removes the need for the controller / healthcare provider to manually search for and collate the data. That's why there is no possibility for them to refuse frequent requests or charge for them.

The supervisory authorities in charge of the GDPR will also monitor the implementation of this new right under the EHDS. Regarding controllers' and processors' obligations, the EHDS sets out specific tasks for entities processing personal data.

The GDPR sets out conditions for the lawful processing of personal data - in simple words, 'what counts as a valid reason to process personal data?'. The processing of personal electronic health data under the EHDS fits into these conditions.

The GDPR also has specific requirements for lifting the general prohibition on processing special categories of personal data, such as health data. Often, this requires the implementation of appropriate safeguards (see e.g. Article 9(2)(j) GDPR).

Discussion

The EHDS strengthens the GDPR rights of patients/citizens when it comes to healthcare data:
  • Patient data access rights - Article 3, patient representatives - Article 4, right to insert information into an EHR - Article 5, right to request data corrections - Article 6, data portability rights - Article 7, right to obtain access logging - Article 9.
  • Note that these could be supported by individual EHRs, and/or by the national healthcare data infrastructure of a member state - this would depend on how a member state decides to support these rights. Some rights will, however, have repercussions for all EHRs, regardless of the kind of national data exchange architecture (e.g. right to insert data - Article 5, data corrections - Article 6).


Feedback

Please e-mail ehds@ringholm.com should the information on this page be incorrect or incomplete; we welcome your suggestions to improve its content.

About Ringholm bv

Ringholm bv is a group of European experts in the field of messaging standards and systems integration in healthcare IT. We provide the industry's most advanced training courses and consulting on healthcare information exchange standards.