Data protection

Subscribe to Data protection via RSS

On 5 March 2025, Regulation 2025/327 (EHDS Regulation), creating a European Health Data Space (EHDS), was published in the European Union Official Journal (EU Official Journal), marking the end of the legislative process of the EHDS Regulation.

As set out in a previous blog, the EHDS Regulation allows Life Sciences companies to apply for

Members of the European Parliament (MEPs) have voted overwhelmingly in favour of the pharmaceutical reform package following a debate on 10 April.

The vote is a key step in the passage of the new Directive and Regulation, which together form the EU’s revisions to the General Pharmaceutical Legislation (GPL). These revisions are part of the overall EU pharmaceutical strategy that was announced by the European Commission in November 2020, with the core GPL amendments proposals published in April 2023.

With the vote, the European Parliament has now endorsed the position adopted by the Environment, Public Health and Food Safety Committee on 19 March 2024. The Committee had amended the Commission’s proposal in several respects. Overall, the Parliament’s amendments are aimed at encouraging and fostering more innovation in the EU, and industry will be pleased that some of its core concerns have been addressed, although significant areas of uncertainty remain.

The adoption of the package is likely to be delayed by the European Parliament elections in June this year. The reforms will be taken up by the new Parliament after the elections, and so it is difficult to see any agreement being reached before 2026.

Below is a summary of the Parliament’s position in some of the key area. This summary is, however, not exhaustive but rather highlights topics that have been subject to increased interest for industry and extensive discussions in the European Parliament.Continue Reading European Parliament backs reforms to the EU Regulatory Framework for Medicinal Products

On 1 February 2024, the Danish Data Protection Agency announced that it reported the private hospital HP Gildhøj Privathospital ApS’s (Capio A/S) to the Danish police and recommended imposing a fine of not less than DKK 1,500,000 (over 200.000 euros). In their investigation, the Danish Data Protection Agency found that the hospital had failed to effectively supervise the data processors they used for the processing of large amounts of patients’ sensitive  personal data.Continue Reading Proposed fine against Danish hospital for failure to supervise data processors

On 7 July 2021, the European Data Protection Board (EDPB) adopted the final version of its guidelines 07/2021 on the concepts of controller and processor in the General Data Protection Regulation (GDPR) (Guidelines), following a period of public consultation regarding the first draft of the Guidelines (about which we reported in an earlier blogpost). As discussed below, the final Guidelines have considerable significance for the life sciences sector.

Another key GDPR development that is directly relevant for the life sciences sector and international transfers of personal health data (e.g., conduct of cross-border clinical trials) is the adoption of the new version of the standard contractual clauses (New SCCs) published by the European Commission (EC) on 4 June 2021. The second part of this blogpost outlines some key takeaways of the New SCCs. (We provide a more detailed analysis of the design, scope and main content of the New SCCs in our related advisory.)Continue Reading Recent GDPR developments relevant for the life sciences sector

On 7 September 2020, the European Data Protection Board (EDPB) initiated a public consultation on draft Guidelines 07/2020 on the concepts of controller and processor in the GDPR. Any interested party could provide comments by 19 October 2020 using the dedicated form.

The draft Guidelines contain elements that are of interest for companies active in the life science sector as they may have an impact on comapnies’ day-to-day research and commercial activities in the EU and their compliance with Regulation (EU) 2016/679 (GDPR).
Continue Reading Draft EU guidelines on the concepts of controller and processor—key elements for life sciences companies

Apologies that it has been a while since we’ve posted! We have lots in the pipeline, starting with this webinar.

Data and Its Impact on Medical Technology Companies Doing Business in the EU

Today’s medical technology industry is being transformed by data—clinical data, vigilance data, real world data and personal data. As such, there is

On 23 January 2019, the European Data Protection Board (EDPB) adopted an Opinion on the interplay between the Clinical Trials Regulation (CTR), which is likely to become applicable in 2020 (if not later), and the European General Data Protection Regulation (GDPR). The Opinion focusses on an area provoking much discussion since the GDPR came into force; that is, as we discussed in our previous blog, which legal bases under the GDPR are appropriate for processing personal data in the context of clinical trials?

Continue Reading GDPR and clinical trials—more clarity?

Data-driven technologies, particularly artificial intelligence and other complex algorithms, have the potential to enhance patient care and catalyse medical breakthroughs. However, these technologies are heavily reliant on data, which poses challenges in ensuring that patient information is handled in a safe, secure and legally compliant way.

In response to early issues with the deployment of artificial intelligence and other algorithmic tools in healthcare, on 5 September 2018 the UK Department of Health & Social Care (DH) published an Initial Code of Conduct for Developers and Suppliers of Data-driven Health and Care Technology (the Code). The Code is not legally binding but aims to raise standards by establishing best practices.Continue Reading UK guidance for developers of health care software and technologies

The General Data Protection Regulation (GDPR) entered into force on 25 May 2018 and, in the absence of any transition period, companies are now expected to be in full compliance with the new requirements. However, with key guidance from regulators only recently released or still in progress, and national implementing legislation enacted at the eleventh hour, developing a GDPR-compliant approach to consent in the context of clinical trials remains an ongoing project. This post reviews the guidance available to date.
Continue Reading Clinical trial consents under the EU GDPR: where do we stand?