GDPR

Subscribe to GDPR via RSS

The EU Commission has published its proposal for the “Digital Omnibus” aimed to simplify and streamline the EU rules governing artificial intelligence, data protection, cybersecurity, and data use more broadly. The proposal seeks to amend several cornerstone EU regulations, including Regulation (EU) 2016/679 (GDPR), Regulation (EU) 2024/1689 (AI Act), Regulation (EU) 2023/2854 (Data Act), Directive 2002/58/EC (e-Privacy Directive) and Directive (EU) 2022/2555 (NIS2). The proposal also foresees the repeal of the fairly recent Regulation (EU) 2022/868 (Data Governance Act).

Below is a high-level snapshot of the proposal, ahead of a more detailed advisory we will publish.

The proposal will now moves through what is expected to be a challenging legislative procedure and policy and political discussions with the European Parliament and the Council.

Below we set out a quick overview of the most relevant elements for companies, including medical device manufacturers and other Life Sciences companies – e.g., changes to the AI Act, updates to the GDPR, reform of the EU cookie and tracking rules, data-sharing rules, and the new single-entry point for cybersecurity and data protection incidents reporting.Continue Reading Digital Omnibus: The European Commission published its proposal to amend the GDPR, AI Act, Data Act and other related frameworks

On 4 September 2025, the Court of Justice of the European Union (“CJEU”) delivered a notable judgment on what is considered pseudonymised personal data under EU data protection law. While, technically speaking, the judgment concerns the interpretation of Regulation (EU) 2018/1725 (which governs the processing of personal data by the EU institutions and bodies), it fully applies to the interpretation of the concepts of personal data and pseudonymised data under Regulation (EU) 2016/679 (“GDPR”).

This question is essential for many companies operating in the EU, and in particular Life Sciences companies handling key-coded or otherwise pseudonymised patients’ personal data in the context of research and development, supply of healthcare products and related safety monitoring.Continue Reading CJEU clarifies the concept of pseudonymised data

On 21 May 2025, the European Commission published its Proposal for a Regulation (“Proposal”), amending several existing regulations, including the General Data Protection Regulation (EU) 2016/67 (“GDPR”), to simplify obligations for small and medium-sized enterprises (“SMEs”) and extend certain mitigating measures to small mid-cap enterprises (“SMCs”).Continue Reading Proposed GDPR Simplifications for SMEs and SMCs

The European Data Protection Body (EDPB) has published a study on how personal health data is and/or can be reused for scientific research in the EU under the EU General Data Protection Regulation (GDPR). The study highlights the related practical challenges due to divergent interpretations of the GDPR and national rules across EU Member States.

The key conclusions of the study are set out below:Continue Reading European Data Protection Board publishes study on secondary use of personal health data for scientific research

Clinical research studies within the NHS in England and Wales require Health Research Authority (HRA) approval, which brings together the HRA’s assessment of governance and legal compliance with the independent ethical opinion by a Research Ethics Committee (REC). The HRA has recently changed the requirements for the UK GDPR transparency wording in new health and social care research applications submitted via the Integrated Research Application System (IRAS). The HRA service had previously provided a review service for sponsors’ GDPR transparency statements. In October last year, the HRA communicated its new updated GDPR template to all sponsors. The new HRA template was developed to ensure that research participants have all the information that they need to make an informed decision about the ways in which their personal data can be used during a clinical trial.Continue Reading UK Health Research Authority GDPR wording template to be used from 1 April

In the last month, both the European Data Protection Board (“EDPB”) and the Court of Justice of the European Union (“CJEU”) provided their interpretation of key data protection concepts that are crucial for ensuring compliance with Regulation (EU) 2016/679 (“GDPR”).

In Opinion 22/2024, the EDPB provided guidance to data controllers on how to effectively oversee the activities of their (sub-)processors in a GDPR-compliant manner. The opinion was requested by the Danish data protection authority and likely related to the enforcement actions against Danish hospitals which allegedly failed to oversee processors (see our blog – https://www.biosliceblog.com/2024/02/proposed-fine-against-danish-hospital-for-failure-to-supervise-data-processors/).

In early October, the CJEU provided an answer to a key question raised by the courts in the Netherlands – can the legitimate interests legal basis be used for processing of personal data for commercial purposes (e.g., sharing with third parties for advertising and promotion) (Case C‑621/22).Continue Reading Notable developments in the interpretation of key GDPR concepts – why should Life Sciences companies care?

On 1 February 2024, the Danish Data Protection Agency announced that it reported the private hospital HP Gildhøj Privathospital ApS’s (Capio A/S) to the Danish police and recommended imposing a fine of not less than DKK 1,500,000 (over 200.000 euros). In their investigation, the Danish Data Protection Agency found that the hospital had failed to effectively supervise the data processors they used for the processing of large amounts of patients’ sensitive  personal data.Continue Reading Proposed fine against Danish hospital for failure to supervise data processors

Thank you to all who joined us for our December 13 panel titled the “Race to Regulate.” In case you missed it, unpack this year’s pivotal legal challenges impacting the 2023 — and 2024 — digital legal landscape in our Year in Review Pocket Book. Continue Reading Virtual and Digital Health Digest, December 2023