GDPR

Subscribe to GDPR via RSS

The EU Commission has published its proposal for the “Digital Omnibus” aimed to simplify and streamline the EU rules governing artificial intelligence, data protection, cybersecurity, and data use more broadly. The proposal seeks to amend several cornerstone EU regulations, including Regulation (EU) 2016/679 (GDPR), Regulation (EU) 2024/1689 (AI Act), Regulation (EU) 2023/2854 (Data Act), Directive 2002/58/EC (e-Privacy Directive) and Directive (EU) 2022/2555 (NIS2). The proposal also foresees the repeal of the fairly recent Regulation (EU) 2022/868 (Data Governance Act).

Below is a high-level snapshot of the proposal, ahead of a more detailed advisory we will publish.

The proposal will now moves through what is expected to be a challenging legislative procedure and policy and political discussions with the European Parliament and the Council.

Below we set out a quick overview of the most relevant elements for companies, including medical device manufacturers and other Life Sciences companies – e.g., changes to the AI Act, updates to the GDPR, reform of the EU cookie and tracking rules, data-sharing rules, and the new single-entry point for cybersecurity and data protection incidents reporting.Continue Reading Digital Omnibus: The European Commission published its proposal to amend the GDPR, AI Act, Data Act and other related frameworks

On 4 September 2025, the Court of Justice of the European Union (“CJEU”) delivered a notable judgment on what is considered pseudonymised personal data under EU data protection law. While, technically speaking, the judgment concerns the interpretation of Regulation (EU) 2018/1725 (which governs the processing of personal data by the EU institutions and bodies), it fully applies to the interpretation of the concepts of personal data and pseudonymised data under Regulation (EU) 2016/679 (“GDPR”).

This question is essential for many companies operating in the EU, and in particular Life Sciences companies handling key-coded or otherwise pseudonymised patients’ personal data in the context of research and development, supply of healthcare products and related safety monitoring.Continue Reading CJEU clarifies the concept of pseudonymised data

On 21 May 2025, the European Commission published its Proposal for a Regulation (“Proposal”), amending several existing regulations, including the General Data Protection Regulation (EU) 2016/67 (“GDPR”), to simplify obligations for small and medium-sized enterprises (“SMEs”) and extend certain mitigating measures to small mid-cap enterprises (“SMCs”).Continue Reading Proposed GDPR Simplifications for SMEs and SMCs

The European Data Protection Body (EDPB) has published a study on how personal health data is and/or can be reused for scientific research in the EU under the EU General Data Protection Regulation (GDPR). The study highlights the related practical challenges due to divergent interpretations of the GDPR and national rules across EU Member States.

The key conclusions of the study are set out below:Continue Reading European Data Protection Board publishes study on secondary use of personal health data for scientific research

Clinical research studies within the NHS in England and Wales require Health Research Authority (HRA) approval, which brings together the HRA’s assessment of governance and legal compliance with the independent ethical opinion by a Research Ethics Committee (REC). The HRA has recently changed the requirements for the UK GDPR transparency wording in new health and social care research applications submitted via the Integrated Research Application System (IRAS). The HRA service had previously provided a review service for sponsors’ GDPR transparency statements. In October last year, the HRA communicated its new updated GDPR template to all sponsors. The new HRA template was developed to ensure that research participants have all the information that they need to make an informed decision about the ways in which their personal data can be used during a clinical trial.Continue Reading UK Health Research Authority GDPR wording template to be used from 1 April

In the last month, both the European Data Protection Board (“EDPB”) and the Court of Justice of the European Union (“CJEU”) provided their interpretation of key data protection concepts that are crucial for ensuring compliance with Regulation (EU) 2016/679 (“GDPR”).

In Opinion 22/2024, the EDPB provided guidance to data controllers on how to effectively oversee the activities of their (sub-)processors in a GDPR-compliant manner. The opinion was requested by the Danish data protection authority and likely related to the enforcement actions against Danish hospitals which allegedly failed to oversee processors (see our blog – https://www.biosliceblog.com/2024/02/proposed-fine-against-danish-hospital-for-failure-to-supervise-data-processors/).

In early October, the CJEU provided an answer to a key question raised by the courts in the Netherlands – can the legitimate interests legal basis be used for processing of personal data for commercial purposes (e.g., sharing with third parties for advertising and promotion) (Case C‑621/22).Continue Reading Notable developments in the interpretation of key GDPR concepts – why should Life Sciences companies care?

This digest covers key virtual and digital health regulatory and public policy developments during February 2024.

Of note, the UK continues to pursue a “pro innovation” flexible approach to the regulation of AI. As outlined in the UK government’s response to the public consultation, the government will develop a set of core principles for regulating AI, while leaving regulatory authorities, like the Medicines and Healthcare products Regulatory Agency (MHRA), discretion over how the principles apply in their respective sectors. A central governmental function will coordinate regulation across sectors and encourage collaboration. The government’s aim with this approach is to enable the UK to remain flexible to address the changing AI landscape, while being robust enough to address key concerns. This is in sharp contrast to the position in the EU, where the EU AI Act is reaching the conclusion of the legislative process.Continue Reading Virtual and Digital Health Digest, March 2024

A version of this article was first published in Life Sciences IP Review

There is currently no specific legislation in the UK that governs AI, or its use in healthcare. Instead, a number of general-purpose laws apply that have to be adapted to specific AI technologies. As a step towards a more coherent approach, the government recently published its response to its consultation on regulating AI in the UK.  This maintains the government’s “pro-innovation” framework of principles, to be set out in guidance rather than legislation, which will then be implemented by regulatory authorities in their respective sectors, such as by the MHRA for medicines.  The MHRA has already started this process and signalled itself as an early-adopter of the UK government’s approach. The hope is that this will lead to investment in the UK by life science companies as the UK is seen as a first-launch country for innovative technologies.Continue Reading The UK’s pro-innovation approach to AI: What does this mean for life science companies?

On 1 February 2024, the Danish Data Protection Agency announced that it reported the private hospital HP Gildhøj Privathospital ApS’s (Capio A/S) to the Danish police and recommended imposing a fine of not less than DKK 1,500,000 (over 200.000 euros). In their investigation, the Danish Data Protection Agency found that the hospital had failed to effectively supervise the data processors they used for the processing of large amounts of patients’ sensitive  personal data.Continue Reading Proposed fine against Danish hospital for failure to supervise data processors