GDPR

Subscribe to GDPR via RSS

On 4 September 2025, the Court of Justice of the European Union (“CJEU”) delivered a notable judgment on what is considered pseudonymised personal data under EU data protection law. While, technically speaking, the judgment concerns the interpretation of Regulation (EU) 2018/1725 (which governs the processing of personal data by the EU institutions and bodies), it fully applies to the interpretation of the concepts of personal data and pseudonymised data under Regulation (EU) 2016/679 (“GDPR”).

This question is essential for many companies operating in the EU, and in particular Life Sciences companies handling key-coded or otherwise pseudonymised patients’ personal data in the context of research and development, supply of healthcare products and related safety monitoring.Continue Reading CJEU clarifies the concept of pseudonymised data

On 21 May 2025, the European Commission published its Proposal for a Regulation (“Proposal”), amending several existing regulations, including the General Data Protection Regulation (EU) 2016/67 (“GDPR”), to simplify obligations for small and medium-sized enterprises (“SMEs”) and extend certain mitigating measures to small mid-cap enterprises (“SMCs”).Continue Reading Proposed GDPR Simplifications for SMEs and SMCs

The European Data Protection Body (EDPB) has published a study on how personal health data is and/or can be reused for scientific research in the EU under the EU General Data Protection Regulation (GDPR). The study highlights the related practical challenges due to divergent interpretations of the GDPR and national rules across EU Member States.

The key conclusions of the study are set out below:Continue Reading European Data Protection Board publishes study on secondary use of personal health data for scientific research

Clinical research studies within the NHS in England and Wales require Health Research Authority (HRA) approval, which brings together the HRA’s assessment of governance and legal compliance with the independent ethical opinion by a Research Ethics Committee (REC). The HRA has recently changed the requirements for the UK GDPR transparency wording in new health and social care research applications submitted via the Integrated Research Application System (IRAS). The HRA service had previously provided a review service for sponsors’ GDPR transparency statements. In October last year, the HRA communicated its new updated GDPR template to all sponsors. The new HRA template was developed to ensure that research participants have all the information that they need to make an informed decision about the ways in which their personal data can be used during a clinical trial.Continue Reading UK Health Research Authority GDPR wording template to be used from 1 April

In the last month, both the European Data Protection Board (“EDPB”) and the Court of Justice of the European Union (“CJEU”) provided their interpretation of key data protection concepts that are crucial for ensuring compliance with Regulation (EU) 2016/679 (“GDPR”).

In Opinion 22/2024, the EDPB provided guidance to data controllers on how to effectively oversee the activities of their (sub-)processors in a GDPR-compliant manner. The opinion was requested by the Danish data protection authority and likely related to the enforcement actions against Danish hospitals which allegedly failed to oversee processors (see our blog – https://www.biosliceblog.com/2024/02/proposed-fine-against-danish-hospital-for-failure-to-supervise-data-processors/).

In early October, the CJEU provided an answer to a key question raised by the courts in the Netherlands – can the legitimate interests legal basis be used for processing of personal data for commercial purposes (e.g., sharing with third parties for advertising and promotion) (Case C‑621/22).Continue Reading Notable developments in the interpretation of key GDPR concepts – why should Life Sciences companies care?

On 1 February 2024, the Danish Data Protection Agency announced that it reported the private hospital HP Gildhøj Privathospital ApS’s (Capio A/S) to the Danish police and recommended imposing a fine of not less than DKK 1,500,000 (over 200.000 euros). In their investigation, the Danish Data Protection Agency found that the hospital had failed to effectively supervise the data processors they used for the processing of large amounts of patients’ sensitive  personal data.Continue Reading Proposed fine against Danish hospital for failure to supervise data processors

Thank you to all who joined us for our December 13 panel titled the “Race to Regulate.” In case you missed it, unpack this year’s pivotal legal challenges impacting the 2023 — and 2024 — digital legal landscape in our Year in Review Pocket Book. Continue Reading Virtual and Digital Health Digest, December 2023

Spurred, in part, by the COVID-19 pandemic and the need for new ways to reach patients at home, 2023 saw a boom in digital technologies and healthcare solutions: one-stop-shop telemedicine platforms, app-based remote patient monitoring, direct-to-consumer online pharmacies, software-based medical devices, and artificial intelligence/machine learning to bolster delivery of telehealth services. Then came a robust government response. In the EU and UK, regulatory bodies grappled with the introduction of machine learning, AI, and other software into healthcare services by, for example, new guidance from the EU Medical Device Coordination Group and UK Medicines and Healthcare products Regulatory Agency on software medical devices, the EU’s AI Act and the UK government’s AI White paper, the European Medicines Agency reflection paper on use of AI in the product lifecycle, the EU Data Privacy Framework and the equivalent UK-U.S. data bridge, and the European Health Data Space

We call this the “Race to Regulate.” This push-pull dynamic between digital health innovation and government regulation is key to evaluating regulatory risks in today’s shifting legal landscape. This digest seeks to keep up with these changes and provide you with an overview of the key guidelines and developments as the landscape develops. As we come to the end of 2023 and publish our latest Digest, join us on December 13 as we unpack pivotal moments in the 2023 Race to Regulate and discuss what’s next for virtual and digital health. Continue Reading Virtual and Digital Health Digest and webinar